Partner Perspectives  Connecting marketers to our tech communities.
9/29/2015
02:00 PM
Ted Gary
Ted Gary
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

3 Steps To Knowing Your Network

Managing your IT assets is a daily effort requiring vigilance and persistence.

I recently stepped on the scales and was happy to discover that I weighed three pounds less than the week before. My happiness was tempered a bit by the fact that I weighed five pounds more than expected the week before.  In our day-to-day efforts to stay fit, a change in weight is a normal, easily measured and (not so easily) addressed issue. In our IT security lives, however, being surprised by things coming and going is rarely pleasant.

Most security teams lack accurate knowledge of what is on their networks. IT operations rely on configuration management databases (CMDBs) to track assets that deliver critical business services. However, tracking laptops, BYODs, services, and on-premises or SaaS applications is another story, and in this case ignorance is not bliss. In fact, this situation may present significant security risk. Unknown assets are very likely to be unmanaged, which means they likely don’t have current patches and may not comply with configuration policies that reduce their attack surface. The bottom line: If you don’t know about an asset on your network, you can’t know about its weaknesses or about what malware it may be bringing to your network.

Knowing What Is On Your Network Is Foundational

Asset discovery is like good nutrition and regular exercise. Everyone knows they’re important to good health, yet in spite of recommendations from prestigious organizations such as the American Heart Association and the United States Department of Health and Human Services, many take little or no action. Similarly, asset discovery is prescribed by a number of information security frameworks, including:

  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense: Creating an inventory of authorized and unauthorized devices is the first control in the prioritized list of Critical Security Controls, and creating an inventory of authorized and unauthorized software is the second control on the list. According to the standard, “Attackers, who can be located anywhere in the world, are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network. Attackers also look for devices (especially laptops), which come and go off of the enterprise’s network, and so get out of synch with patches or security updates. Attacks can take advantage of new hardware that is installed on the network one evening but not configured and patched with appropriate security updates until the following day.” Additionally, the center recommends organizations deploy an automated asset discovery tool and use it to build an asset inventory of systems connected to their public and private networks, and that organizations also deploy both active tools that scan through address ranges and passive tools that identify hosts by analyzing their traffic.
  • NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations -- SP 800-137Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. NIST says that ISCM necessitates maintaining situational awareness of all systems across the organization.
  • NIST Framework for Improving Critical Infrastructure Cybersecurity: This framework advocates a risk-based approach in which “Identify” is a core function. Within the Identify function, asset management, including an inventory of physical devices, systems, software platforms, and applications within the organization, is the first category to be addressed.
  • ISO/IEC 27001 Information Management Security System Requirements: This standard requires that all assets be clearly identified and an inventory of all important assets be drawn up and maintained.

As with a diet and exercise program, getting started with asset discovery is half of the battle. Here are three recommendations to get you moving:

  1. Broadly Define the Concept of Assets. When dieting, you want to know your target weight. With assets, you want to know where your targets are. Devices with an IP address are an obvious place to start, but you should also include active ports, services, applications, and users. Both on-premises and SaaS applications must be accounted for, as well as legacy applications that may not have been implemented with security in mind and may be running on unsupported and unpatched systems. Users may be storing critical data in unsanctioned SaaS applications and may be using applications in violation of acceptable use policies.
  2. Continuously Monitor for New and Retired Assets. A scale is the most important tool to help you watch pounds come and go. Transitory assets connect and disconnect from your network in a random manner that, according to the Center for Internet Security, can “get out of synch with patches or security updates.” The “scale” for your IT environment should be a combination of regular active scans and ongoing passive network monitoring to watch for new assets, whether they be computers, network devices, applications, or users. This will also allow you to see when systems are retired or decommissioned (such as when that Windows XP workstation finally is replaced by a new Windows 10 system on the same IP). Most of what you find will probably be innocuous. However, you could find an unauthorized wireless access point or an unexpected server.
  3. Automate Response Actions. Losing pounds means your plan is working; gaining pounds means you may want to skip this morning’s donuts. Unless your network is static (and whose is?), finding new assets is a common occurrence. To keep up with the volume, you will need to automate your response. For example, you could trigger a thorough scan of new systems to identify critical vulnerabilities, misconfigurations, and known malware. If the scan finds high-risk systems, you could trigger a quarantine of those systems. You could also generate a daily report of new users and send it to the person or team responsible for managing user accounts.

Just like managing your weight, managing your IT assets is a daily effort requiring vigilance and persistence.  Sometimes you’ll be surprised by new assets that represent new risk; other times you’ll be pleased to see that your inventory-management controls are working well.  In any case, you will have the assurance that -- just like stepping on a scale -- you’re doing what you need to do every day to keep your security posture fit.

Ted Gary is Tenable's Sr. Product Marketing Manager for Tenable's SecurityCenter Continuous View product. He is responsible for translating the rich features of SecurityCenter into solutions for compelling problems faced by information security professionals. Ted has nearly ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Cracking 2FA: How It's Done and How to Stay Safe
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Tenable Network Security provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Its family of products includes SecurityCenter Continuous View™, which provides the most comprehensive and integrated view of network health, and Nessus®, the global standard in detecting and assessing network data. Tenable identifies all types of risk on the network — including missing patches, malware and intruders, missing configurations and missing monitoring — so customers can make informed decisions about where they are exposed. Its products reach across cloud, virtual, mobile and traditional IT systems and measure attack vectors in each of these domains. Tenable’s continuous network monitoring solution measures organizations’ compliance in real-time. This ensures that gaps in security coverage and lapses in security programs get detected and prioritized immediately. Tenable is relied upon by many of the world’s largest corporations, not-for-profit organizations and public sector agencies, including the entire U.S. Department of Defense.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11415
PUBLISHED: 2018-05-24
SAP Internet Transaction Server (ITS) 6200.X.X has Reflected Cross Site Scripting (XSS) via certain wgate URIs. NOTE: the vendor has reportedly indicated that there will not be any further releases of this product.
CVE-2018-11412
PUBLISHED: 2018-05-24
In the Linux kernel 4.13 through 4.16.11, ext4_read_inline_data() in fs/ext4/inline.c performs a memcpy with an untrusted length value in certain circumstances involving a crafted filesystem that stores the system.data extended attribute value in a dedicated inode.
CVE-2018-11413
PUBLISHED: 2018-05-24
An issue was discovered in BearAdmin 0.5. Remote attackers can download arbitrary files via /admin/databack/download.html?name= directory traversal sequences, as demonstrated by name=../application/database.php to read the MySQL credentials in the configuration.
CVE-2018-11414
PUBLISHED: 2018-05-24
An issue was discovered in BearAdmin 0.5. There is admin/admin_log/index.html?user_id= SQL injection because admin\controller\AdminLog.php constructs a MySQL query improperly.
CVE-2018-10593
PUBLISHED: 2018-05-24
A vulnerability in DB Manager version 3.0.1.0 and previous and PerformA version 3.0.0.0 and previous allows an authorized user with access to a privileged account on a BD Kiestra system (Kiestra TLA, Kiestra WCA, and InoqulA+ specimen processor) to issue SQL commands, which may result in data corrup...