
How to integrate ITAM to Security to be DORA compliant

Strategies to give Security and Operations support in IT risk management. 

ITAM is a prerequisite for ensuring effective protection of IT assets: let's see which skills and technologies underpin the success of an ITAM project and how Security and Operations teams can benefit from it in risk management.

As the deadline to comply with the requirements of the DORA regulation on digital operational resilience (January 2025) approaches, financial institutions have, among other obligations, the need to put in place an ICT risk management framework.

The purpose of the plan is to describe in detail all the elements put in place (ICT strategies, policies, protocols and tools) to duly and adequately protect the organization's information and IT assets.

One of the essential conditions for ensuring effective protection is to have up-to-date inventories of IT assets: how can you identify and prioritize the most critical and sensitive assets, apply security criteria or patches, and identify misuse without information about the assets you should be protecting?

IT Asset Management is a valuable ally in IT risk management (we discussed it in depth here) because it allows us to know:

  • which assets move within the network (including shadow IT)
  • where they are located
  • who owns them and how they are being used
  • how they are configured
  • what state they are in
  • what vulnerabilities they have.

ITAM: where to start

With ITAM, it is easy to try to "boil the ocean" when starting out. Without an army of colleagues or an endless budget, you soon find that you struggle to keep up with everything from day one.

Every organization has more hardware than you can physically count, and then there is also the software side of ITAM. In addition, there are cloud-based services, such as software-as-a-service (SaaS) subscriptions, and Internet of Things (IoT) devices. Added to this is the unchecked expansion driven by shadow IT, Bring Your Own Device (BYOD) and other trends outside IT's control.

The first step, which falls under ITAM best practices, is IT asset discovery: fully identifying IT assets and providing up-to-date information on their status and usage. But the data returned by automatic inventories already tells us that this is a battle we cannot win: millions and millions of rows in a cauldron that includes multiple headers, upgrades, setups and drivers.

To rise above this and not fight windmills, SAM (Software Asset Management) is what can quickly give significant results in mitigating security risks. There is, in fact, a principle called the Pareto principle (also known as the 80/20 rule) which says that 20 percent of the causes produce 80 percent of the effects.

In most cases this is indeed what happens: 80 percent of security risks reside in just 20 percent of one's software fleet. Therefore, focusing on the major software vendors by spend, or on the products that are most strategically important or critical (security-wise) for the organization, allows you to make an ITAM investment that maximizes the available benefits.

Focusing on software also has an impact on the rest of one's IT assets: discovering software also allows one to identify the hardware on which it is running and draw the appropriate conclusions about its use.

How to reduce complexity

As we already anticipated, discovering and inventorying all assets within one's domain returns more complexity than we can handle.

Even if we choose to focus only on software, the numbers are still dizzying. In a company with 5,000 computers, an automated inventory usually returns nearly 50K different software titles for a total of 100K entries.

In this process it is essential to lean on technologies that, on the one hand, run discovery across the perimeter continuously to find new installations, and on the other hand are able to pool all the data that arrives. There is a need for normalization: Snow Software enables this with one of the largest software recognition databases, obtained through advanced ML training.

Native detection rules in Snow allow the number of entries to be reduced to a manageable catalog (from 100K to 800 entries) with dashboards already normalized by vendor, user and device, including related security and compliance information.

Another step forward in managing the catalog better is in-depth knowledge of the licensing rules of the major software vendors, as they change very often.

How SAM serves security

Security requires that the perimeter be controlled from a reliable database: ISO 19770, on which ITAM best practices are based, also insists on the principle of "garbage in, garbage out". If we do not have a single, complete, normalized database of the running software, we also have no awareness of the vulnerabilities to prioritize and remediate.

WEGG has decades of experience with ITAM methodologies: it is necessary to set up the right processes so that they result in high-quality reports on real-time software usage that can be easily shared with other tools.

Integration can be beneficial on several fronts: with ITSM software to improve the service desk, with endpoint management tools and the CMDB, but especially with incident management protocols.

In fact, 99 percent of security exploits have used vulnerabilities that have been known for more than a year, but organizations struggle to keep up. Having a reliable ITAM database linked to national vulnerability databases such as the National Vulnerability Database (NVD), with their severity scores, also gives indications on attack vectors.

Based on the severity level detected and the likelihood of an exploit occurring, Security and Operations teams can set up automated processes to remediate them.
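The two steps described above, normalizing raw inventory rows into a small catalog and then joining that catalog against a vulnerability feed with severity scores to rank remediation, as an added example; this is not WEGG's or Snow Software's code, the inventory rows, recognition rules and vulnerability feed are constructed, and the CVE ids are placeholders, not real identifiers.

```python
from collections import defaultdict
import re

# Constructed raw inventory rows (host, raw title, version), noisy the way an
# automated discovery tool returns them; not real data.
RAW_INVENTORY = [
    ("ws-001", "Acme Reader 11 (x64) - Italian", "11.0.2"),
    ("ws-002", "Acme Reader 11 (x86)", "11.0.2"),
    ("ws-003", "ACME READER 9", "9.5.1"),
    ("srv-01", "Zeta Database Server 14.2 Enterprise", "14.2.0"),
    ("ws-004", "Zeta Database Client", "14.2.0"),
]
# Constructed recognition rules standing in for a SAM recognition database:
# regex on the raw title -> (vendor, product).
RULES = [
    (re.compile(r"acme\s+reader", re.I), ("Acme", "Reader")),
    (re.compile(r"zeta\s+database\s+server", re.I), ("Zeta", "Database Server")),
    (re.compile(r"zeta\s+database\s+client", re.I), ("Zeta", "Database Client")),
]

def normalize(rows):
    """Collapse raw rows into a catalog {(vendor, product, major): {hosts}}."""
    catalog, unmatched = defaultdict(set), []
    for host, title, version in rows:
        for pattern, (vendor, product) in RULES:
            if pattern.search(title):
                catalog[(vendor, product, version.split(".")[0])].add(host)
                break
        else:
            unmatched.append((host, title))  # unrecognized titles go to manual review
    return catalog, unmatched

# Constructed vulnerability feed keyed like the catalog: (CVE id, CVSS base
# score, exploitation known in the wild). Placeholder ids, not real CVEs.
VULN_FEED = {
    ("Acme", "Reader", "9"): [("CVE-PLACEHOLDER-0001", 9.8, True)],
    ("Acme", "Reader", "11"): [("CVE-PLACEHOLDER-0002", 5.3, False)],
    ("Zeta", "Database Server", "14"): [("CVE-PLACEHOLDER-0003", 7.5, False)],
}

def prioritize(catalog, feed):
    """Rank findings: known-exploited first, then CVSS score, then install count."""
    ranked = []
    for key, hosts in catalog.items():
        for cve, score, exploited in feed.get(key, []):
            ranked.append({"cve": cve, "score": score, "exploited": exploited,
                           "product": key, "hosts": sorted(hosts)})
    ranked.sort(key=lambda r: (r["exploited"], r["score"], len(r["hosts"])), reverse=True)
    return ranked
```

The `unmatched` list is the part worth watching in practice: a title the rules do not recognize is software with no vulnerability coverage at all, which is exactly the "garbage in, garbage out" gap the article describes.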

Let's look at other scenarios in which SAM is useful to security:

  • knowledge of installations and users makes it possible to detect unauthorized software and disable unnecessary (higher-risk) accounts, but also to coordinate blocking access to infected files in the event of an incident or ransomware
  • knowledge of all installed software versions and the software lifecycle helps patch management teams set remediation plans, but also supports Operations in planning upgrades or migrations (in the case of software near the end of support)

Smart rationalization

Compliance with DORA requirements is a priority for financial institutions. Another way to reduce the risk surface is to operate through smart rationalization.

In fact, not all assets that reside within the perimeter are really needed.

Starting from this principle, you can cross-reference all the available information (data on allocations, utilization, etc.) to clean up: you could be in for many surprises. We are talking about licenses assigned but not used, unnecessary usage plans, all elements that enlarge an already large attack surface.

Setting up processes for continuous license optimization is useful to thin out branches and have more control over the perimeter. At WEGG we also work on the rationalization of technology for security purposes. Contact us at [email protected] if you want to set up SAM processes to have more control over the perimeter.


Would you like to set up SAM processes to have more control?