A Stepwise Approach to Security Policy Enforcement

I recently posted an article, Back to Basics: Why Asset Inventories are Key to Cyber Security. In a nutshell, the article reiterated the need for up-to-date, accurate inventories of companies’ digital assets—devices, user accounts, networks, applications, hardware, all of it—as the foundation of any cyber security program. By all measures of likes and shares and comments, the message resonated throughout the security community. It was fortuitous, then, that a conversation with Nathan Burke, CMO at Axonius, was scheduled shortly after the asset inventory article was published. At the same time, I wondered how Axonius’ platform might compete with other asset inventory tools.

The security vendor community is filled to the brim with competing solutions. Any one category of products might have dozens (or more) representative vendors doing similar things—one little tweak here, a slightly different feature there. But it’s also true that complementary technologies are prevalent. I fully expected the Axonius briefing to fall into the former camp, but as Nathan and I talked, it became obvious to me that Axonius, while being rooted in the “you cannot protect what you cannot see” camp (CIS Control “Basics”), moves beyond the basics. It’s the answer to, “Now what?”

The foundation of Axonius (getting back to basics, indeed) is what security practitioners know to be a present-day truth: Asset management has been around forever, but the proliferation of devices and network types, shadow IT, and humans’ mobile nature has complicated it. While sage security advice says to continuously inventory all hardware and software assets as a first step, the number of assets not physically connected to the network keeps growing, making inventorying harder and opening the door to deploying more tools to compensate for any gaps. It’s a circular problem that just keeps getting bigger and bigger.

Create meaningful connections

While many companies do have a plethora of security tools deployed, few of those tools “talk” to one another in a meaningful way. This creates a resource challenge and exposes enterprises to additional risk. And it's where Axonius comes in. “We don’t need more data,” Burke said during our call. “Security teams are overwhelmed with data! What we need are better data aggregators—something that helps teams see across technology platforms, discover security gaps, and enforce policies.” At this point in the conversation I was thinking, “Oh boy. This sounds a bit like an attempt to boil the ocean with the unicorn end-to-end, defense-in-depth security solution to save them all.”

Since my job as an analyst requires me to keep an open mind, I pushed the thought aside as Burke dove into a demo. What I saw was that Axonius isn’t trying to be an end-to-end solution for every company. What they have done, however, is build a robust network of technology partners that integrates capabilities from this plethora of tools already deployed in companies’ ecosystems. Axonius terms them “Adapters,” known more colloquially as integration partners. Their list of ~150 companies includes inventory management, vulnerability scanners, IT Security Management (ITSM), endpoint/device protection, SIEM/monitoring, configuration management, policy orchestrators, and more.

The question then becomes, how does this all come together? How does Axonius aggregate data from the entirety of these tools and do something useful with it? Integration with Adapters happens through a secure API, and all a user needs to do to start discovery and data collection is supply valid login credentials. Once configured, Axonius can see all the network interfaces and assets connected to it, and then normalizes and correlates relevant data about each device: installed software, patches, agent versions, running processes, connected hardware, users, etc.

Apply insights to enforcement

It’s a lot of data to sort through, especially if an enterprise has a large number of tool deployments, but Burke said customers often start with 3 or 4 integrations, such as Active Directory or AWS, and an endpoint protection product such as Crowdstrike or Carbon Black, given the importance of the security of those types of tools.

From that point, a user can query the data to identify out-of-date patches, missing agents, vulnerabilities, and so on, then validate and enforce intended policies. Burke explained that a user can, for instance, find Windows devices in AD that are missing Crowdstrike, and in one click, deploy an agent, segment the device, add the device to a scan, enrich it with data from Shodan/Censys/HaveIBeenPwned, create a CMDB, block at the firewall, or even flag an incident.

The basic premise of Axonius is that visibility without action isn’t helpful: Finding a vulnerability but not patching it does not decrease organizational risk or mitigate a breach. Failing to adequately segment sensitive systems, data, and users does nothing to achieve compliance and prevent unauthorized access. I can get on board with that. I maintain that security teams need to start from the bottom with asset inventory and visibility—because too many organizations are missing that process—but it is also accurate to say that a stepwise, building block approach to security—identify, detect, protect, respond, recover—is how companies will keep their incidents to a minimum. Axonius proved to me that their tool can be an effective part of the cyber security lifecycle, and I recommend you gain some visibility into what they have to offer, then let us know your thoughts.