Vulnerability Management Fundamentals: How to Perform Asset Discovery and Classification

Vikas Phonsa

In part two of our five-part series on Vulnerability Management fundamentals, we explore the essentials of asset discovery and classification, which is the first step in the Cyber Exposure lifecycle.

Maintaining a comprehensive and updated asset inventory is a fundamental and critical component of Vulnerability Management (VM) programs. This fact is reinforced by industry standards and best practices. For example, the Center for Internet Security (CIS) lists Inventory of Authorized & Unauthorized Devices and Inventory of Authorized & Unauthorized Software as the top two cybersecurity controls in its Critical Security Controls (CSC) list. 

Although an asset can be any item of perceived value to an organization, for the purposes of this blog, we’ll focus on computing assets such as web or email servers, desktops, laptops, mobile devices, cloud services, network devices, OT devices, databases and web applications.

In global IT environments spanning on-premises and cloud, maintaining an asset inventory is anything but simple. So where do you start? While there is no one-size-fits-all answer, the process begins with a comprehensive discovery and classification by business and security criticality.

Before you use any sophisticated tools, talk to the network management and IT teams in your organization. They very likely have IP address ranges and databases of all authorized assets across the organization.

Here are six discovery questions to ask as a starting point:

  • Where are your business offices and network infrastructure sites, including failover and backup sites, located? 
  • What are the key web applications, operating systems, software packages and databases supported by the IT organization? 
  • What types of assets (IT/OT, physical, software, mobile, development) are used by the company?
  • Do you have an asset management tool or a database of all assets owned by the organization? 
  • Do you use an asset and data classification policy to enforce security and access controls?
  • Which assets, applications and data are considered critical for the organization? 
Not all assets are equally important...

Once you’ve captured the above inputs, the end result will likely be a list or a database of IP address ranges and DNS records. That is a good first step. It is a good idea to start asset classification right away to help you prioritize next steps in the VM lifecycle. Remember, not all assets are equally important. A public web server running your e-commerce site is far more business critical and vulnerable to attacks than internal desktops are.

Data and asset classification policy should be an integral part of any security policy. You should define and consistently use that policy across the organization, not just for vulnerability management, but for all security operations, such as access control, application of security controls and data retention.

Now, start digging

Do you know what exists at those IP addresses, hostnames and URLs? At this stage you need to leverage some discovery tools to scan your network and applications to detect assets.

Here are some asset discovery questions to consider when selecting a VM product:

  • What asset attributes can it detect? Just detecting an asset at an IP address is not enough. Can it detect operating systems, application types and technology, and open ports?
  • Can it scan different types of infrastructures? Can it be integrated into your DevOps process for continuous discovery? Can it scale to handle a large number of assets?
  • Can it passively monitor network traffic to detect assets connecting to your network that may not be officially authorized by your organization?

Here today, gone tomorrow.

Periodic scanning provides a point-in-time view of your environment, but there may be some blind spots. For example, assets that are short-lived, turned off, temporarily connecting to your network or not accounted for in your original IP address blocks may go undetected. This emphasizes the need for a continuous discovery approach, which includes:

  • Baking discovery into the DevOps process;
  • Leveraging software agents installed on the assets; and
  • Passively monitoring the network.

After you have a validated list of assets, do another round of classification. Organizations often classify and group assets based on the sensitivity of data or business criticality of applications supported by the asset. Assets are also grouped and classified based on internal asset management and asset ownership policies.

For example, for VM purposes you may want to group assets based on who owns them, the operating system or applications they run, or their physical location. Most modern asset management and VM tools provide some form of tagging and grouping capabilities to help with proper manual and automated classification and grouping of assets. One of the most difficult problems in vulnerability management is identifying asset owners who will fix vulnerabilities. Try to make that identification early on in the process and tag assets based on ownership.
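The reconciliation and tagging step described above, written out as an added example (not Tenable's code or any product's API): it takes the IP ranges and asset database collected from the IT teams, compares them against discovery-scan results, flags hosts that fall outside every authorized block (the "not accounted for in your original IP address blocks" blind spot), and tags each asset by owner, location, zone and operating system so it can be grouped and prioritized. All ranges, hostnames, owners and scan records are constructed sample data; the classification rule (asset-database criticality first, then internet-facing zone) is an assumption chosen for illustration.

```python
"""Reconcile an authoritative inventory with discovery results and tag assets.

Added example; all inventory, scan records and rules below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: what the network/IT teams hand over. Authorized IP
# blocks carry a default owner, physical location and network zone.
AUTHORIZED_RANGES = {
    "203.0.113.0/28": {"owner": "web-ops", "location": "dc-east", "zone": "dmz"},
    "10.10.0.0/16": {"owner": "desktop-support", "location": "hq", "zone": "internal"},
}

# Constructed sample: the organization's asset database, keyed by hostname.
# Entries here override the defaults inherited from the IP range.
ASSET_DB = {
    "shop01.example.com": {"owner": "ecommerce-team", "criticality": "high"},
}

# Constructed sample: what a discovery scan reported (IP, hostname, OS, ports).
DISCOVERED = [
    {"ip": "203.0.113.5", "host": "shop01.example.com", "os": "Linux", "ports": [443]},
    {"ip": "10.10.4.21", "host": "wk-0421.example.com", "os": "Windows 10", "ports": [445]},
    {"ip": "192.168.77.9", "host": "", "os": "unknown", "ports": [22, 8080]},
]


@dataclass
class Asset:
    ip: str
    host: str
    os: str
    ports: list
    authorized: bool = False
    criticality: str = "low"
    tags: set = field(default_factory=set)


def lookup_range(ip):
    """Return the authorized-range record that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr, info in AUTHORIZED_RANGES.items():
        if addr in ipaddress.ip_network(cidr):
            return info
    return None


def classify(record):
    """Turn one scan record into a tagged Asset."""
    asset = Asset(record["ip"], record["host"], record["os"], list(record["ports"]))
    asset.tags.add(f"os:{asset.os.lower()}")
    info = lookup_range(asset.ip)
    if info is None:
        # Outside every known block: a blind spot. Park it for review until
        # an owner claims it rather than silently dropping it from the inventory.
        asset.tags.update({"unauthorized", "owner:unknown"})
        asset.criticality = "review"
        return asset
    asset.authorized = True
    asset.tags.update({f"location:{info['location']}", f"zone:{info['zone']}"})
    db = ASSET_DB.get(asset.host, {})
    # Ownership recorded in the asset database beats the range default.
    asset.tags.add(f"owner:{db.get('owner', info['owner'])}")
    # Assumed rule: explicit "high" in the asset database, or anything in the
    # internet-facing DMZ, is high criticality; everything else stays low.
    if db.get("criticality") == "high" or info["zone"] == "dmz":
        asset.criticality = "high"
    return asset


def build_inventory(records):
    return [classify(r) for r in records]


def unauthorized(assets):
    """IPs seen by discovery but absent from every authorized range."""
    return [a.ip for a in assets if not a.authorized]


def by_tag(assets, tag):
    """IPs carrying a given tag, e.g. owner:ecommerce-team or zone:dmz."""
    return sorted(a.ip for a in assets if tag in a.tags)


def by_criticality(assets):
    """Group IPs by criticality so the most important assets are assessed first."""
    groups = {}
    for a in assets:
        groups.setdefault(a.criticality, []).append(a.ip)
    return groups


if __name__ == "__main__":
    inventory = build_inventory(DISCOVERED)
    for a in inventory:
        print(a.ip, a.criticality, sorted(a.tags))
    print("needs review:", unauthorized(inventory))
```

Running it lists the DMZ web server as high criticality under its database owner, the workstation under the owner inherited from its IP block, and the host on 192.168.77.9 as unauthorized with no owner, which is exactly the list to hand back to the IT teams before the next assessment round.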

Asset discovery and classification is a fundamental first step to help you focus on actions that result in maximum reduction of your cyber risk. Watch this on-demand webinar to learn more about asset discovery best practices and find out how Tenable can help you on your journey.

In part one of our five-part series on Vulnerability Fundamentals, we explored the first four stages of the Cyber Exposure Lifecycle. In part three, we’ll discuss the essential tactics involved in the “Assess” stage.


Published on Aug 8, 2019
