I recently stepped on the scales and was happy to discover that I weighed three pounds less than the week before. My happiness was tempered a bit by the fact that I weighed five pounds more than expected the week before. In our day-to-day efforts to stay fit, a change in weight is a normal, easily measured and (not so easily) addressed issue. In our IT security lives, however, being surprised by things coming and going is rarely pleasant.
Most security teams lack accurate knowledge of what is on their networks. IT operations rely on configuration management databases (CMDBs) to track assets that deliver critical business services. However, tracking laptops, BYODs, services, and on-premises or SaaS applications is another story, and in this case ignorance is not bliss. In fact, this situation may present significant security risk. Unknown assets are very likely to be unmanaged, which means they likely don’t have current patches and may not comply with configuration policies that reduce their attack surface. The bottom line: If you don’t know about an asset on your network, you can’t know about its weaknesses or about what malware it may be bringing to your network.
Knowing What Is On Your Network Is Foundational
Asset discovery is like good nutrition and regular exercise. Everyone knows they’re important to good health, yet in spite of recommendations from prestigious organizations such as the American Heart Association and the United States Department of Health and Human Services, many take little or no action. Similarly, asset discovery is prescribed by a number of information security frameworks, including:
- Center for Internet Security’s Critical Security Controls for Effective Cyber Defense: Creating an inventory of authorized and unauthorized devices is the first control in the prioritized list of Critical Security Controls, and creating an inventory of authorized and unauthorized software is the second control on the list. According to the standard, “Attackers, who can be located anywhere in the world, are continuously scanning the address space of target organizations, waiting for new and unprotected systems to be attached to the network. Attackers also look for devices (especially laptops), which come and go off of the enterprise’s network, and so get out of synch with patches or security updates. Attacks can take advantage of new hardware that is installed on the network one evening but not configured and patched with appropriate security updates until the following day.” Additionally, the center recommends organizations deploy an automated asset discovery tool and use it to build an asset inventory of systems connected to their public and private networks, and that organizations also deploy both active tools that scan through address ranges and passive tools that identify hosts by analyzing their traffic.
- NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations -- SP 800-137: Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. NIST says that ISCM necessitates maintaining situational awareness of all systems across the organization.
- NIST Framework for Improving Critical Infrastructure Cybersecurity: This framework advocates a risk-based approach in which “Identify” is a core function. Within the Identify function, asset management, including an inventory of physical devices, systems, software platforms, and applications within the organization, is the first category to be addressed.
- ISO/IEC 27001 Information Security Management Systems -- Requirements: This standard's asset management controls require that all assets be clearly identified and that an inventory of all important assets be drawn up and maintained.
As with a diet and exercise program, getting started with asset discovery is half of the battle. Here are three recommendations to get you moving:
- Broadly Define the Concept of Assets. When dieting, you want to know your target weight. With assets, you want to know where your targets are. Devices with an IP address are an obvious place to start, but you should also include active ports, services, applications, and users. Both on-premises and SaaS applications must be accounted for, as well as legacy applications that may not have been implemented with security in mind and may be running on unsupported and unpatched systems. Users may be storing critical data in unsanctioned SaaS applications and may be using applications in violation of acceptable use policies.
- Continuously Monitor for New and Retired Assets. A scale is the most important tool to help you watch pounds come and go. Transitory assets connect to and disconnect from your network unpredictably and, according to the Center for Internet Security, can “get out of synch with patches or security updates.” The “scale” for your IT environment should be a combination of regular active scans and ongoing passive network monitoring, because each misses what the other catches: an active scan does not see hosts that are offline or that drop the scanner's probes, while passive monitoring does not see hosts that are not talking. Watch for new assets, whether they be computers, network devices, applications, or users, and also for systems that are retired or decommissioned. Key that comparison on a stable identifier (such as the MAC address or a hardware serial) rather than on the IP address alone; otherwise, when that Windows XP workstation is finally replaced by a new Windows 10 system on the same IP, the inventory shows one host that changed rather than one that was retired and one that is new. Most of what you find will probably be innocuous. However, you could find an unauthorized wireless access point or an unexpected server.
- Automate Response Actions. Losing pounds means your plan is working; gaining pounds means you may want to skip this morning’s donuts. Unless your network is static (and whose is?), finding new assets is a common occurrence. To keep up with the volume, you will need to automate your response. For example, you could trigger a thorough scan of new systems to identify critical vulnerabilities, misconfigurations, and known malware. If the scan finds high-risk systems, you could trigger a quarantine of those systems. You could also generate a daily report of new users and send it to the person or team responsible for managing user accounts.
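The three recommendations above, as an added worked example (this is not code from the original article or from any product): a Python script that merges an active-scan snapshot with passive traffic observations, diffs the result against yesterday's inventory to find new, retired, changed and replaced assets, and turns each finding into a follow-up action. The CSV layout, hosts, addresses and action names are constructed for the demo and are assumptions.

```python
# Added example: diff today's observed assets against a baseline inventory and
# plan follow-up. CSV columns, sample hosts and action names are assumptions.
import csv
import io
from dataclasses import dataclass, replace

# Constructed sample data: yesterday's inventory (baseline), today's active scan
# of the address range, and today's passive observations from network traffic.
BASELINE_CSV = """ip,mac,hostname,os,ports
10.0.1.10,00:11:22:33:44:01,fileserver,Windows Server 2012,445;139
10.0.1.20,00:11:22:33:44:02,ws-accounting,Windows XP,445;139
10.0.1.30,00:11:22:33:44:03,printer-2f,Embedded,9100;80
"""
ACTIVE_SCAN_CSV = """ip,mac,hostname,os,ports
10.0.1.10,00:11:22:33:44:01,fileserver,Windows Server 2012,445;139;3389
10.0.1.20,00:11:22:33:44:09,ws-accounting,Windows 10,445;139
10.0.1.77,00:11:22:33:44:55,,Linux,22;80
"""
PASSIVE_CSV = """ip,mac,hostname,os,ports
10.0.1.77,00:11:22:33:44:55,dev-box,,443
10.0.1.88,00:11:22:33:44:66,,,53
"""


@dataclass
class Asset:
    mac: str                          # stable key; an IP may be reused by new hardware
    ip: str
    hostname: str = ""
    os: str = ""
    ports: frozenset = frozenset()
    seen_by: frozenset = frozenset()  # which collection method(s) observed it


def load_inventory(csv_text, source):
    """Parse one CSV export into {mac: Asset}; ports are ';'-separated."""
    assets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ports = frozenset(int(p) for p in row["ports"].split(";") if p)
        mac = row["mac"].lower()
        assets[mac] = Asset(mac, row["ip"], row["hostname"], row["os"],
                            ports, frozenset([source]))
    return assets


def merge(*inventories):
    """Union several observations keyed by MAC, filling blanks from any source."""
    merged = {}
    for inv in inventories:
        for mac, seen in inv.items():
            if mac not in merged:
                merged[mac] = seen
                continue
            have = merged[mac]
            merged[mac] = replace(have,
                                  hostname=have.hostname or seen.hostname,
                                  os=have.os or seen.os,
                                  ports=have.ports | seen.ports,
                                  seen_by=have.seen_by | seen.seen_by)
    return merged


def diff_inventories(baseline, current):
    """Classify assets as new, retired, changed, or replaced (same IP, new MAC)."""
    new = [current[m] for m in current if m not in baseline]
    retired = [baseline[m] for m in baseline if m not in current]
    changed = [(baseline[m], current[m]) for m in current if m in baseline
               and (baseline[m].ip, baseline[m].os, baseline[m].ports)
               != (current[m].ip, current[m].os, current[m].ports)]
    retired_by_ip = {a.ip: a for a in retired}
    replaced = [(retired_by_ip[a.ip], a) for a in new if a.ip in retired_by_ip]
    return {"new": new, "retired": retired, "changed": changed, "replaced": replaced}


def plan_actions(delta):
    """Turn each finding into an (action, target) pair for the automation to run."""
    actions = []
    for a in delta["new"]:
        actions.append(("vuln_scan", a.mac))        # thorough scan before it is trusted
        if a.seen_by == frozenset(["passive"]):    # talks on the wire, ignores the scanner
            actions.append(("investigate", a.mac))
    for a in delta["retired"]:
        actions.append(("cmdb_retire", a.mac))
    for old, cur in delta["changed"]:
        actions.append(("cmdb_update", cur.mac))
        if cur.ports - old.ports:                  # newly exposed services
            actions.append(("review_ports", cur.mac))
    for old, cur in delta["replaced"]:
        actions.append(("confirm_replacement", f"{old.hostname}->{cur.mac}"))
    return actions


def run_example():
    baseline = load_inventory(BASELINE_CSV, "cmdb")
    current = merge(load_inventory(ACTIVE_SCAN_CSV, "active"),
                    load_inventory(PASSIVE_CSV, "passive"))
    delta = diff_inventories(baseline, current)
    return delta, plan_actions(delta)


if __name__ == "__main__":
    delta, actions = run_example()
    print("new:", [a.mac for a in delta["new"]])
    print("retired:", [a.mac for a in delta["retired"]])
    for action in actions:
        print(*action)
```

Two details carry the article's points. Keying on MAC rather than IP is what lets the script report the Windows XP box at 10.0.1.20 as retired and the Windows 10 box that took its address as new (and pair them as a replacement to confirm), instead of as a single "changed" host. And the host at 10.0.1.88, seen only in traffic and never by the scanner, is exactly the kind of asset an active-only inventory would miss, so it is queued for investigation as well as scanning.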
Just like managing your weight, managing your IT assets is a daily effort requiring vigilance and persistence. Sometimes you’ll be surprised by new assets that represent new risk; other times you’ll be pleased to see that your inventory-management controls are working well. In any case, you will have the assurance that -- just like stepping on a scale -- you’re doing what you need to do every day to keep your security posture fit.