In part two of our five-part series on Vulnerability Management fundamentals, we explore the essentials of asset discovery and classification, which is the first step in the Cyber Exposure lifecycle.
Maintaining a comprehensive and updated asset inventory is a fundamental and critical component of Vulnerability Management (VM) programs. This fact is reinforced by industry standards and best practices. For example, the Center for Internet Security (CIS) lists Inventory of Authorized & Unauthorized Devices and Inventory of Authorized & Unauthorized Software as the top two cybersecurity controls in its Critical Security Controls (CSC) list.
Although an asset can be any item of perceived value to an organization, for the purposes of this blog, we’ll focus on computing assets such as web or email servers, desktops, laptops, mobile devices, cloud services, network devices, OT devices, databases and web applications.
In global IT environments spanning on-premises and cloud, maintaining an asset inventory is anything but simple. So where do you start? While there is no one-size-fits-all answer, the process begins with a comprehensive discovery and classification by business and security criticality.
Before you use any sophisticated tools, talk to the network management and IT teams in your organization. They very likely have IP address ranges and databases of all authorized assets across the organization.
Here are six discovery questions to ask as a starting point:
Not all assets are equally important...
Once you’ve captured the above inputs, the end result will likely be a list or a database of IP address ranges and DNS records. That is a good first step. It is a good idea to start asset classification right away to help you prioritize next steps in the VM lifecycle. Remember, not all assets are equally important. A public web server running your e-commerce site is far more business critical and vulnerable to attacks than internal desktops are.
Data and asset classification policy should be an integral part of any security policy. You should define and consistently use that policy across the organization, not just for vulnerability management, but for all security operations, such as access control, application of security controls and data retention.
Now, start digging
Do you know what exists at those IP addresses, hostnames and URLs? At this stage you need to leverage some discovery tools to scan your network and applications to detect assets.
Here are some asset discovery questions to consider when selecting a VM product:
Here today, gone tomorrow.
Periodic scanning provides a point-in-time view of your environment, but there may be some blind spots. For example, assets that are short-lived, turned off, temporarily connecting to your network or not accounted for in your original IP address blocks may go undetected. This emphasizes the need for a continuous discovery approach, which includes:
- Baking discovery into the DevOps process;
- Leveraging software agents installed on the assets; and
- Passively monitoring the network.
After you have a validated list of assets, do another round of classification. Organizations often classify and group assets based on the sensitivity of data or business criticality of applications supported by the asset. Assets are also grouped and classified based on internal asset management and asset ownership policies.
For example, for VM purposes you may want to group assets based on who owns them, the operating system or applications they run, or their physical location. Most modern asset management and VM tools provide some form of tagging and grouping capabilities to help with proper manual and automated classification and grouping of assets. One of the most difficult problems in vulnerability management is identifying asset owners who will fix vulnerabilities. Try to make that identification early on in the process and tag assets based on ownership.
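As an added example (not code from the post or Tenable's own tooling), the Python sketch below ties the two steps above together: it reconciles sightings from a periodic scan, installed agents and passive monitoring against the inventory the IT teams hand over, flags the blind spots described above (assets outside the declared IP blocks, assets in a block but missing from the database, authorized assets never seen), and then tags each known asset by owner, OS and site with a criticality rank. All IP blocks, asset records, field names and the ranking rule are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (hypothetical; not from the post or any real network).
# Authorized inventory as handed over by the network/IT teams: IP blocks plus known assets.
AUTHORIZED_RANGES = ["10.0.0.0/24", "192.0.2.0/24"]
AUTHORIZED_ASSETS = {
    "10.0.0.10": {"host": "shop-web-01", "owner": "ecommerce", "os": "linux", "site": "dc1", "public": True, "data": "payments"},
    "10.0.0.20": {"host": "hr-db-01", "owner": "hr-it", "os": "linux", "site": "dc1", "public": False, "data": "pii"},
    "10.0.0.30": {"host": "desk-0042", "owner": "workplace", "os": "windows", "site": "hq", "public": False, "data": "none"},
}
# Sightings (ip, source) from the periodic scan plus the continuous sources the post lists.
SIGHTINGS = [
    ("10.0.0.10", "scan"), ("10.0.0.10", "agent"),
    ("10.0.0.20", "agent"),      # missed by the scan (off at scan time), caught by its agent
    ("10.0.0.99", "passive"),    # inside a declared block but absent from the authorized DB
    ("172.16.5.7", "passive"),   # outside every declared block: a classic blind spot
]

def reconcile(ranges, authorized, sightings):
    """Compare discovered assets with the authorized inventory and report the gaps."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    seen = defaultdict(set)
    for ip, source in sightings:
        seen[ip].add(source)
    report = {"unauthorized": [], "out_of_range": []}
    for ip in sorted(seen):
        if ip in authorized:
            continue
        in_block = any(ipaddress.ip_address(ip) in net for net in nets)
        report["unauthorized" if in_block else "out_of_range"].append(ip)
    # Authorized but never observed: turned off, short-lived, or retired without updating the DB.
    report["unseen"] = sorted(ip for ip in authorized if ip not in seen)
    return report

def classify(asset):
    """Tag by owner/OS/site and rank criticality from exposure and data sensitivity."""
    tags = {f"owner:{asset['owner']}", f"os:{asset['os']}", f"site:{asset['site']}"}
    if asset["public"]:
        criticality = "critical"   # internet-facing: most exposed, fix first
    elif asset["data"] in {"payments", "pii"}:
        criticality = "high"       # internal but holds sensitive data
    else:
        criticality = "low"        # e.g. an internal desktop
    tags.add(f"criticality:{criticality}")
    return criticality, sorted(tags)

if __name__ == "__main__":
    print(reconcile(AUTHORIZED_RANGES, AUTHORIZED_ASSETS, SIGHTINGS))
```

The "unseen" list is the one to follow up with asset owners before the next scan cycle, since it is where decommissioned and intermittently connected assets hide.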
Asset discovery and classification is a fundamental first step to help you focus on actions that result in maximum reduction of your cyber risk. Watch this on-demand webinar to learn more about asset discovery best practices and find out how Tenable can help you on your journey.
In part one of our five-part series on Vulnerability Management fundamentals, we explored the first four stages of the Cyber Exposure Lifecycle. In part three, we’ll discuss the essential tactics involved in the “Assess” stage.