IT Audit Use Case
May 27, 2021
Post by Robert Hansen
I had the pleasure of talking to an IT Audit organization that had been using Bit Discovery extensively to protect themselves and audit external IT. When they say external, they really mean companies they have either acquired or are about to acquire. We usually don’t get a lot of insight into how companies use Bit Discovery, as they tend to bring the data in-house and squirrel it away in internal business processes that we have no visibility into, so this was a unique and valuable looking glass into their operation. What they found was nothing short of astounding to me.
They could not find the end of the hazardous situations that Bit Discovery had saved their company from in only a handful of months of use by the IT Audit team. Yes, they found the obligatory misconfigured QA box that should not be on the Internet and the innumerable unpatched services, but it was so, so much more than that.
They started describing how a partner had misconfigured its systems and inadvertently left them open in a way that could have compromised all of their clients. They discussed another case where a trouble-ticketing system was inadvertently left open and disclosed a large amount of sensitive information.
In another case, they were told by the policy team that they had no Exchange servers, so there was no concern regarding the recent Exchange exploit. However, due to an acquisition and utilizing Bit Discovery, they found they actually had six!
The use cases just kept going on and on. There were dozens of ways in which Bit Discovery had found critical issues that would have been either impossible or extremely difficult to find in any other way, yet Bit Discovery had allowed the team to find them relatively effortlessly.
One internal conversation that came up was about “what is the FTE cost” of the platform. I have two answers. The first is that we do not usually get to see all the use cases a company has, and the answer varies wildly with how advanced or sophisticated the organization is. It could create a lot of work for many teams but save the company an enormous amount of cash in the process. So “it depends” is really the only correct answer.
But the second answer to that question is, “what is the cost if you don’t?” If you think you have no Exchange servers and you actually have six, that could lead to untold damages. If you do not have Bit Discovery, you need to build it yourself: build in all the search functions, make it accessible in the same ways to all the same teams, with all of the same reporting functions, etc. We’re talking years of work and a level of technical ability that will likely be difficult or impossible to find on any budget. We find that while a few companies have attempted to build it internally, none have succeeded; they end up spending a year or two fighting to make something work that never will. Waste a year or two building something that will likely never be as good as what Bit Discovery offered at the time you could have bought it, only to give up? Get exploited because it was not as good? And at what opportunity cost? What could those engineers have been doing to improve the company instead of wasting time on such an undertaking? These are not easily calculated, but they are very real business costs.
I think one of the most significant values to IT Audit is in mergers and acquisitions. Yes, you may be very good at understanding your own environment (I do not personally believe that, but we will give the networking team the benefit of the doubt for a second and assume they are 100% on top of marketing’s shenanigans). Still, you will never have the same visibility into third-party organizations that you want to acquire or have just purchased, and to think you can is a dangerous notion. The re-platforming as you move your recently acquired company into your well-constructed environment could take years after the acquisition, and meanwhile, lots of business processes are in flux.
Are you just going to hope that nothing bad happens while you move the acquisition’s assets into your environment? Are you going to take engineering’s word for their adherence to policy and choose to ignore that people make mistakes constantly? I think the business reality is that there is less sympathy for companies that do not understand these simple premises. The board is much more aware of the importance of knowing what the actual business risk is. Without knowing what you own, there is effectively zero chance you will know the real business risk to your organization.
The number of use cases for IT Audit could fill a book. If you look for issues with the proper tooling, you will likely find issues, no matter the organization’s size. But if you do not look or choose to delay getting that visibility, you increase the likelihood that people who do look will find those issues for you.