You can't secure or defend what you don't know about. So, any security operations effort should build upon a solid foundation of Asset & Configuration Management (ACM) processes and capabilities, enabled by a Configuration Management System (CMS) capability.
This does not imply that Security Operations is responsible for building and managing ACM processes and CMS capabilities. Such “IT governance” is already the responsibility of Network Operations and should be performed routinely by organizations following some disciplined IT management framework (e.g., COBIT, ITILv4, etc.). However, Security Operations is critically dependent upon this living knowledgebase of the organization's assets and services if it is to be at all effective.
If your organization does not already have such ACM/CMS capabilities in place today... Start Here.
When selecting ACM/CMS capabilities, today's Network & Security Operations teams must consider coverage for the ever-expanding range of assets that are deemed to be “in-scope” for their responsibilities:
Networks
- wired, wireless, physical, virtual, IP and non-IP, even cabling and radio spectrum, etc.
Network Services
- DNS, DHCP, ARP, proxies, gateways, bridges, etc.
Endpoints
- physical and virtual servers, transient containers (Docker, Kubernetes, Mesos), “cloud” assets, etc.
- workstations, virtual desktops, mobile devices, etc.
- operational technology (OT) and industrial control systems (ICS)
- and now “IoT” devices, covering literally any other device potentially connected to your networks
Applications, Services, Software, Operating Systems
- running on any and all endpoints, regardless of who installed and configured them
And ultimately Information
- databases, files and filesystems
- message traffic, streaming audio/video, etc.
- on any and all endpoints and networks
This scope continues to grow, as do the expectations of availability and security.
Most Security Operations teams will already have some level of ACM/CMS capabilities in place. We start with it here because most other SOC capabilities build directly upon this knowledgebase. Disciplined ACM processes and CMS capabilities provide the critical foundation for effectively securing one’s environment.
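The gap the article warns about, assets you don't know about, is something a SOC can measure rather than assume: compare the CMS/CMDB record against what the network services listed above (DHCP leases, ARP tables) actually observe. The following is an added example, not part of the original article or any CMS product; the inventory records and the dnsmasq-style lease and `ip neigh`-style ARP lines are constructed sample data, and the field names are assumptions.

```python
"""Reconcile a CMDB export against what is actually seen on the wire.

Added example, not from the original article. The inventory and the
DHCP/ARP lines below are constructed sample data; the line formats
follow dnsmasq lease files and `ip neigh` output.
"""
import re

# Constructed CMDB export: what Network Operations believes is on the network.
CMDB = [
    {"host": "fileserver-1", "mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.11"},
    {"host": "printer-3",    "mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.23"},
    {"host": "decommed-vm",  "mac": "aa:bb:cc:00:00:03", "ip": "10.0.1.50"},
]

# Constructed observations: dnsmasq lease lines and `ip neigh` entries.
DHCP_LEASES = """\
1700000000 aa:bb:cc:00:00:02 10.0.1.23 printer-3 *
1700000100 de:ad:be:ef:00:01 10.0.1.77 raspberrypi *
"""
ARP_TABLE = """\
10.0.1.10 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
10.0.1.77 dev eth0 lladdr de:ad:be:ef:00:01 STALE
10.0.1.90 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def observed_assets(*sources):
    """Map MAC -> IP from any text source that carries both on one line."""
    seen = {}
    for text in sources:
        for line in text.splitlines():
            mac, ip = MAC_RE.search(line.lower()), IP_RE.search(line)
            if mac and ip:
                seen[mac.group()] = ip.group()
    return seen

def reconcile(cmdb, seen):
    """Return (unknown, stale, drift) relative to the CMDB."""
    known = {r["mac"].lower(): r for r in cmdb}
    unknown = {m: ip for m, ip in seen.items() if m not in known}   # on the wire, not in CMDB
    stale = [r["host"] for m, r in known.items() if m not in seen]  # in CMDB, not on the wire
    drift = {r["host"]: (r["ip"], seen[m]) for m, r in known.items()
             if m in seen and seen[m] != r["ip"]}                   # record no longer matches
    return unknown, stale, drift

if __name__ == "__main__":
    u, s, d = reconcile(CMDB, observed_assets(DHCP_LEASES, ARP_TABLE))
    print("unknown:", u); print("stale:", s); print("drift:", d)
```

Each of the three buckets is a work item for a different owner: unknown devices go to the SOC for triage, stale records and IP drift go back to Network Operations to correct the knowledgebase.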