Episode 37
Comprehensive Asset Discovery
Comprehensive asset discovery is foundational to robust and proactive cybersecurity governance. The Cybersecurity and Infrastructure Security Agency recently issued a directive (BOD 23-01) requiring federal enterprises (civilian executive branch) to perform automated asset discovery every 7 days. Among other things, the directive also requires federal enterprises to initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days. Huxley Barbee, Security Evangelist at runZero and former Cybersecurity Practice Lead at Cisco, discusses the various methods of comprehensive asset discovery and provides guidance in selecting an appropriate asset discovery tool.
Time Stamps
01:33 -- Please share with the listeners some highlights of your professional journey.
03:13 -- Share some stories and anecdotes of the consequences of poorly managed asset inventory.
09:37 -- Why didn't organizations engage in comprehensive asset discovery? What were the hurdles, if any? Now that there is a CISA directive, what's the guarantee that organizations will be in a position to follow through with the orders?
13:12 -- Let's discuss some solutions, recommendations, and approaches to better managing asset discovery.
22:00 -- It seems that the unauthenticated scan is the best approach. Can you please clarify?
26:16 -- It is equally important for organizations to report on the actions taken in response to the discoveries. Is there a CISA directive to that effect? Can you shed some light on that, please?
33:32 -- Please summarize some of the key takeaways from our chat this morning
35:42 -- How about providing listeners with some selection criteria when they're evaluating different products in the market, asset discovery products? What should they be aware of? What are the kinds of questions they should be asking? So it helps them make good selections.
Memorable Huxley Barbee Quotes/Statements
"The unfortunate reality is that asset inventory is still an unsolved problem for so many organizations. They might have some tooling for dealing with asset discovery, but usually, they end up with spreadsheets."
"There is greater recognition, especially from government agencies, of the need for asset discovery."
"Asset Inventory isn't just a list of devices that you have on your network. It's also what is on those devices, what services are on those devices, what ports are those devices listening to, and who owns those devices."
"There are many hurdles associated with asset inventory management. The one that looms the largest is unmanaged devices, unmanaged assets, that is the achilles heel of any asset inventory program."
"Why would the adversary go for a well-managed up to date patched machine when they can just go ahead and attack something that's out of date and unpatched, with numerous exploits that they might be able to download from the Internet."
"Unmanaged devices are why customers end up using spreadsheets where the existing tooling just isn't performing as they want. And so they have to end up using spreadsheets instead."
"With unauthenticated scanning, you have the best of many worlds, right, you have the ability to go out and find all the assets on the network, even if they're unmanaged. But you don't have the problems of credential spraying. And depending on how the unauthenticated scanner is implemented, you can even talk to OT devices without the fear of crashing, some sort of mission-critical function.
"Effectively, BOD 2301 is suggesting the use of unauthenticated scans for the asset discovery portion of this particular directive."
"A customer told me that having a comprehensive asset discovery allowed his organization to move from a reactive security program to a proactive security program."
"Oftentimes, the adversary knows more about your network than you do. And, of course, to combat that, you need a comprehensive asset inventory."
"Oftentimes, asset inventory is not called out as a specific line item in security budgets."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712
Transcript
Welcome to the Cybersecurity Readiness Podcast
Introducer:series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:the book Cybersecurity Readiness: A Holistic and
Introducer:High-Performance Approach, a SAGE publication. He has been
Introducer:studying cybersecurity for over a decade, authored and edited
Introducer:scholarly papers, delivered talks, conducted webinars and
Introducer:workshops, consulted with companies and served on a
Introducer:cybersecurity SWAT team with Chief Information Security
Introducer:officers. Dr. Chatterjee is Associate Professor of
Introducer:Management Information Systems at the Terry College of
Introducer:Business, the University of Georgia. As a Duke University
Introducer:Visiting Scholar, Dr. Chatterjee has taught in the Master of
Introducer:Engineering in Cybersecurity program at the Pratt School of
Introducer:Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast series. Our discussion today will focus on asset
Dr. Dave Chatterjee:discovery. We'll talk about the consequences of poorly managed
Dr. Dave Chatterjee:asset inventory, challenges of asset discovery, various methods
Dr. Dave Chatterjee:and approaches to asset discovery, and more. I'm
Dr. Dave Chatterjee:delighted to have as my guest Huxley Barbee, Security
Dr. Dave Chatterjee:Evangelist at runZero, and former Cybersecurity Practice
Dr. Dave Chatterjee:Lead at Cisco, who will share his thoughts and perspectives.
Dr. Dave Chatterjee:Welcome, Huxley.
Huxley Barbee:Thank you very much, Dr. Chatterjee for having
Huxley Barbee:me.
Dr. Dave Chatterjee:So before we get into the details, Huxley,
Dr. Dave Chatterjee:please share with the listeners some highlights of your
Dr. Dave Chatterjee:professional journey.
Huxley Barbee:Absolutely. Thank you. So I've been working in
Huxley Barbee:security for over 20 years at companies like Datadog, Cisco
Huxley Barbee:Systems, and a number of security startups. And over the
Huxley Barbee:years, I've focused on parts of cybersecurity like secure
Huxley Barbee:messaging, secure web gateway, cloud security. And then of
Huxley Barbee:course, finally orchestrating security workflows. And one
Huxley Barbee:problem that I saw again, and again, with my customers, and
Huxley Barbee:these are, these are really large customers, Fortune 500
Huxley Barbee:customers as well as really small customers. They all had
Huxley Barbee:this problem where they had no idea what is on their network.
Huxley Barbee:And it's actually a really old problem. I remember, over 20
Huxley Barbee:years ago, when I first ran a SATAN system, I think System
Huxley Barbee:Administrators Tool for Analyzing Network Satan. And I
Huxley Barbee:use that to discover what's on my own companies network. And
Huxley Barbee:the unfortunate reality is that asset inventory is still an
Huxley Barbee:unsolved problem for so many organizations. And they might
Huxley Barbee:have some tooling for doing dealing with asset discovery,
Huxley Barbee:but usually they end up with with spreadsheets. And fast
Huxley Barbee:forward to about a year ago, I found runZero by by complete
Huxley Barbee:accident, I was talking to the CEO about the company, and I
Huxley Barbee:realized that runZero, was actually solving this, this age
Huxley Barbee:old problem. And so I eventually joined them as a security evangelist.
Dr. Dave Chatterjee:fantastic. There is no disagreement that
Dr. Dave Chatterjee:managing assets is a huge part of cybersecurity governance,
Dr. Dave Chatterjee:because unless you know what you need to protect, you really
Dr. Dave Chatterjee:cannot implement appropriate defense measures.
Huxley Barbee:That's right.
Dr. Dave Chatterjee:And the more digitized we get, the more
Dr. Dave Chatterjee:expansive our network, especially in today's day and
Dr. Dave Chatterjee:age where organizations are operating in a very remote kind
Dr. Dave Chatterjee:of a way, it makes it all the more challenging, because
Dr. Dave Chatterjee:employees and other stakeholders are using all kinds of devices.
Dr. Dave Chatterjee:And then we have IoT devices. So keeping track of all these
Dr. Dave Chatterjee:different devices, located in all parts of the world, let's
Dr. Dave Chatterjee:say, is a huge undertaking. But though it's a huge challenge,
Dr. Dave Chatterjee:it's not something that we can ignore considering the
Dr. Dave Chatterjee:consequences of poorly managed asset inventory. I think you are
Dr. Dave Chatterjee:an excellent person to talk about, share some stories, some
Dr. Dave Chatterjee:anecdotes, of the consequences of poorly managed asset
Dr. Dave Chatterjee:inventory.
Huxley Barbee:Yes. So absolutely. I'll talk about one
Huxley Barbee:example. That was, it's an anonymized because it's
Huxley Barbee:something that we, we know about personally, but I'll also talk
Huxley Barbee:about a more public example, just to highlight the
Huxley Barbee:consequences of poor asset inventory or lack of asset
Huxley Barbee:inventory. So in the example that's a little bit closer to
Huxley Barbee:home, there was a medical production company that was
Huxley Barbee:breached. And this is a medical production company, in the midst
Huxley Barbee:of the pandemic. So very critical, not just to the the
Huxley Barbee:company itself, but maybe society at large, and law
Huxley Barbee:enforcement had to get involved in in terms of dealing with the
Huxley Barbee:breach remediation, and so on, so forth. And a primary
Huxley Barbee:recommendation from law enforcement that came out of
Huxley Barbee:that that post mortem, was that this company needed to implement
Huxley Barbee:a comprehensive asset inventory. And most recently, I think just
Huxley Barbee:a week ago, we see once again that the government has made
Huxley Barbee:this sort of recommendation. And in a very big way, so CISA, the
Huxley Barbee:Cybersecurity Infrastructure Security Agency, and it's just a
Huxley Barbee:department of the department, a sub department of the Department
Huxley Barbee:of Homeland Security, just released BoD 2301. BOD stands
Huxley Barbee:for Binding Operational Directive. And the directive has
Huxley Barbee:told, all civilian federal agencies that they need to have
Huxley Barbee:a solution for asset inventory and vulnerability, enumeration,
Huxley Barbee:both of those, not only do they need to have this, they need to
Huxley Barbee:be able to cover their entire ipv4 address base, basically
Huxley Barbee:covering all of their assets. And they need to be able to do
Huxley Barbee:this, they need to be able to do this automated discovery every
Huxley Barbee:seven days, which, you know, especially if you don't already
Huxley Barbee:have an asset inventory, that's a very tall order. And not only
Huxley Barbee:do you need to be able to have this done every seven days, if
Huxley Barbee:CISA demands that you produce a report for a specific set of
Huxley Barbee:assets, for specific set of vulnerabilities, you need to be
Huxley Barbee:able to return a report, you need to be able to run that that
Huxley Barbee:scan within 72 hours and return a report within seven days. So
Huxley Barbee:there's a lot going on here. There's a lot of recognition
Huxley Barbee:more and more, especially from government agencies of the need
Huxley Barbee:for for asset discovery. And whereas in the past, people
Huxley Barbee:would say, oh, good asset inventory, a comprehensive asset
Huxley Barbee:inventory is foundational because it is part of CIS
Huxley Barbee:benchmarks Control Number one, the more and more we're starting
Huxley Barbee:to see that there's a requirement this is compulsory
Huxley Barbee:nature to asset discovery. But to go back to your earlier
Huxley Barbee:question, so I promised to talk a little bit more about a more
Huxley Barbee:public example of what happens when you don't have good acid
Huxley Barbee:inventory, Equifax, right back in 2017, we're all familiar with
Huxley Barbee:Equifax, how the adversary was able to breach Equifax through
Huxley Barbee:systems that had an unpatched version of Apache Struts. That
Huxley Barbee:particular incident, in large part, I would argue, came from
Huxley Barbee:not having good asset inventory. So let me give you a little bit
Huxley Barbee:more background about what I mean by asset inventory. Asset
Huxley Barbee:inventory isn't just a list of devices that you have on your
Huxley Barbee:network. It's also what is on those devices, what are the
Huxley Barbee:services that are on those devices, what are the ports
Huxley Barbee:those those devices are listening to, but additionally,
Huxley Barbee:who owns those devices. And there could be many different
Huxley Barbee:types of ownership, like the person that's logged into it,
Huxley Barbee:the business unit that owns it, who's or the IT group that that
Huxley Barbee:is in charge of it. But this sense of ownership of assets is
Huxley Barbee:also extremely important. And that is something that needs to
Huxley Barbee:go into the asset inventory as well. So going back to Equifax,
Huxley Barbee:the company did send out an email to a bunch of folks in IT
Huxley Barbee:system administrators about affected systems. It just so
Huxley Barbee:happens that the systems that were breached are the ones that
Huxley Barbee:had this unpatched version of Apache Struts, they didn't know
Huxley Barbee:the owner for that, or, or maybe the the owner that was assigned
Huxley Barbee:to those machines wasn't at the company anymore, something like
Huxley Barbee:that, whatever the case might have been, there wasn't proper
Huxley Barbee:ownership correlated with those assets. So even though the
Huxley Barbee:company sent out this email, hey, everybody, let's go and
Huxley Barbee:patch Apache Struts, the people who needed to know for these
Huxley Barbee:particular assets did not find out. And that is a consequence
Huxley Barbee:of poor asset inventory in this case. A second ramification here
Huxley Barbee:is the fact that these particular systems had outdated
Huxley Barbee:certificates. So you know whether or not you have
Huxley Barbee:certificates that are expired, that is also part of your asset
Huxley Barbee:inventory. And Equifax had this security detection tool that
Huxley Barbee:would analyze traffic, but it could only do so in the cases
Huxley Barbee:where there were where there's certificates that were current.
Huxley Barbee:And because they were not current, the detection tool was
Huxley Barbee:not actually was not actually scanning or inspecting that
Huxley Barbee:traffic, like it needed to, like it needed to. A third
Huxley Barbee:ramification is asset inventory also tells you about where your
Huxley Barbee:assets are on the network and whether or not they can talk to
Huxley Barbee:each other. And a third, a third issue that we saw at Equifax was
Huxley Barbee:lack lack of segmentation amongst those assets. And again,
Huxley Barbee:this just goes back to the idea of them not having a good enough
Huxley Barbee:asset inventory that would allow them to handle this type of
Huxley Barbee:situation on multiple levels.
Dr. Dave Chatterjee:Wow. That is quite a revelation. The fact
Dr. Dave Chatterjee:that systems that need to be patched, are staying unpatched
Dr. Dave Chatterjee:because they are not discoverable. That is very
Dr. Dave Chatterjee:concerning. Now, backing up a little bit here, there is the
Dr. Dave Chatterjee:ideal and then there's the practical. Like you said, it's a
Dr. Dave Chatterjee:very complex undertaking to be able to list all the devices
Dr. Dave Chatterjee:that's there, the services that they offer, the ports to connect
Dr. Dave Chatterjee:to, the owners. Having all these details in as comprehensive a
Dr. Dave Chatterjee:manner as possible is definitely a challenge. There are tools out
Dr. Dave Chatterjee:there, you talked about using automated scanning tools.
Dr. Dave Chatterjee:However, the question that comes to mind, why didn't
Dr. Dave Chatterjee:organizations engage in comprehensive asset discovery?
Dr. Dave Chatterjee:What were the hurdles, if any? Now that there is a CISA
Dr. Dave Chatterjee:directive, what's the guarantee that organizations will be in a
Dr. Dave Chatterjee:position to follow through with the orders?
Huxley Barbee:Yeah, yeah. So first, maybe we should talk
Huxley Barbee:about the biggest hurdle with asset inventory. There are many,
Huxley Barbee:of course, but the one that looms largest is unmanaged
Huxley Barbee:devices, unmanaged assets, that is the achilles heel of any
Huxley Barbee:asset inventory program, I think there was a recent Deloitte
Huxley Barbee:research report that mentioned that 32% of organizations
Huxley Barbee:believe that shadow IT assets are probably the biggest
Huxley Barbee:challenge for asset management. And these unmanaged devices pose
Huxley Barbee:a number of problems, like, for example, the you cannot, you
Huxley Barbee:cannot be really confident about audits or audit violations,
Huxley Barbee:because of these unmanaged assets that you don't know
Huxley Barbee:about. These unmanaged assets cannot be patched because
Huxley Barbee:there's no ownership of them. They cannot be upgraded, you
Huxley Barbee:can't automate them, or include them in some sort of automated
Huxley Barbee:workflow. And then oftentimes, you cannot turn them off, right,
Huxley Barbee:because they're unmanaged. And they just be sort of sitting out
Huxley Barbee:there. You might not be sure, if this particular unmanaged asset
Huxley Barbee:is important, it might be running some sort of mission
Huxley Barbee:critical function for your organization. But you see, if
Huxley Barbee:you're not sure, you can't really turn it off. Or there's
Huxley Barbee:some cases where I've heard from customers where they know a
Huxley Barbee:particular asset, that's unmanaged asset is, is is
Huxley Barbee:important, but it's been unmanaged for so long that the
Huxley Barbee:nobody wants to touch it. Nobody's even even willing to
Huxley Barbee:stand near it and breathe near it. And these unmanaged assets,
Huxley Barbee:of course, have a very palpable security ramification, many of
Huxley Barbee:our customers tell us that they know what's going on with their
Huxley Barbee:standard issued workstations, their standard issued laptops,
Huxley Barbee:the biggest problem are those unknown unknown because because
Huxley Barbee:these unmanaged devices are unpatched, they're there, they
Huxley Barbee:have not been upgraded in some time. These are probably the
Huxley Barbee:easiest targets for the adversary. Why would the
Huxley Barbee:adversary go for a well-managed up to date patched machine when
Huxley Barbee:they can just go ahead and attack something that's out of
Huxley Barbee:date and unpatched, with numerous exploits that then
Huxley Barbee:might be able to download from the Internet, or are going to
Huxley Barbee:just work. So that is the security ramification and this
Huxley Barbee:is why unmanaged assets looms largest in terms of hurdles, for
Huxley Barbee:comprehensive asset inventory. And then finally, unmanaged
Huxley Barbee:devices are the reason why customers end up using
Huxley Barbee:spreadsheets where the existing tooling just isn't performing
Huxley Barbee:the way they want. And so they have to end up using
Huxley Barbee:spreadsheets instead.
Dr. Dave Chatterjee:Wow. And when you're talking about using
Dr. Dave Chatterjee:spreadsheets, that immediately brings to mind the importance
Dr. Dave Chatterjee:of, of constantly updating it, which is another arduous task,
Dr. Dave Chatterjee:it never happens. It brings back thoughts of access management,
Dr. Dave Chatterjee:using spreadsheets and regain access management using
Dr. Dave Chatterjee:spreadsheets. And I know, in know, in several companies, and
Dr. Dave Chatterjee:it was absolutely bewildering, to learn, to see, that they're
Dr. Dave Chatterjee:using spreadsheets to keep track of everyone's permission levels,
Dr. Dave Chatterjee:authorization levels, and then again, go back to the
Dr. Dave Chatterjee:spreadsheets to make the changes as the professional roles
Dr. Dave Chatterjee:change, the professional roles evolve. And obviously, that's
Dr. Dave Chatterjee:not the ideal solution. So there was discussion of developing AI
Dr. Dave Chatterjee:tools to automate the process. So I can totally understand why
Dr. Dave Chatterjee:Excel spreadsheets is really not the answer. But like you
Dr. Dave Chatterjee:explained, that there are reasons why organizations are
Dr. Dave Chatterjee:forced to go to spreadsheets. So yeah. So moving along. Let's get
Dr. Dave Chatterjee:to some solutions, some recommendations, some approaches
Dr. Dave Chatterjee:to better managing asset discovery.
Huxley Barbee:Sure. So there are a number of approaches out
Huxley Barbee:there for handling the situation. So the first one that
Huxley Barbee:comes to mind is the use of agents. This is a very popular
Huxley Barbee:way of doing asset discovery asset inventory. And
Huxley Barbee:essentially, when I say agency, I mean endpoint agents, meaning
Huxley Barbee:that you put software on every single device. Now, this works
Huxley Barbee:to a certain extent, but mostly for managed IT assets. It
Huxley Barbee:doesn't work very well for unmanaged devices. The reason
Huxley Barbee:being If you can put an agent on something, that means you
Huxley Barbee:already know about it, that means it's probably probably
Huxley Barbee:already managed. So what is not going to capture are those
Huxley Barbee:unmanaged devices, unmanaged IT devices, OT (operational
Huxley Barbee:technology) devices, IoT devices, and so on, and so
Huxley Barbee:forth. So that's a popular technique, but it actually
Huxley Barbee:doesn't handle the the achilles heel of asset inventory. Another
Huxley Barbee:approach is authenticated scans. This is where you have a piece
Huxley Barbee:of software that's sitting somewhere on your network,
Huxley Barbee:potentially on multiple locations throughout your
Huxley Barbee:network. And what you would do is you would then go through an
Huxley Barbee:IP range and attempt to log in to every single one of the
Huxley Barbee:endpoints that responds. And again, this works rather well
Huxley Barbee:for managed IT assets. Because if you know the credentials to
Huxley Barbee:log into these endpoints, then you probably already manage it,
Huxley Barbee:you probably probably already know about. So again, it tends
Huxley Barbee:to miss those unmanaged IT devices, OT, IoT, and so on and
Huxley Barbee:so forth. Authenticated scans also has secondary negative
Huxley Barbee:security ramifications. So something known as credential
Huxley Barbee:spraying. So let's say let's say you, right, the hacker, Dr. Dave
Huxley Barbee:Chatterjee, you, you somehow were able to get onto the
Huxley Barbee:network, and you were able to own a particular Linux box. So
Huxley Barbee:you own this Linux box. And you can see, you can replace the SSH
Huxley Barbee:server with your own with your own SSH server that's really
Huxley Barbee:just logging passwords. And now I have my authenticated scanner
Huxley Barbee:on the network. And I'm just logging into every single
Huxley Barbee:endpoint that I can get to, and you your endpoint, the one that
Huxley Barbee:you owned, is now responding to my authenticated scan as like,
Huxley Barbee:oh, there's a machine here, I'm gonna log into this, this
Huxley Barbee:machine, I think it's just a regular Linux box. So I send the
Huxley Barbee:username and password. But you actually own this machine now.
Huxley Barbee:And so now, you have credentials, you have credential
Huxley Barbee:I have provided to you my my authenticator scanner has
Huxley Barbee:provided this to you. And now you have credentials, that
Huxley Barbee:allows you to laterally move to other devices on the network.
Huxley Barbee:That's, that's the ramification of authenticated scans, that's
Huxley Barbee:often not discussed. But it's very important for folks to be
Huxley Barbee:aware of. So I've mentioned two methods so far, two approaches
Huxley Barbee:so far, agents and authenticated scans, which we've said works
Huxley Barbee:well for managed IT, but not so much some of the other stuff.
Huxley Barbee:Well, there's a third approach called passive network
Huxley Barbee:monitoring. Still, in this approach, you would have a
Huxley Barbee:collector, a network traffic collector, oftentimes, these
Huxley Barbee:come in the form of hardware appliances, because of the
Huxley Barbee:amount of compute power that you need to ingest all the network
Huxley Barbee:traffic that's going on in network there are of course
Huxley Barbee:virtual appliances these days for some of this stuff. But
Huxley Barbee:oftentimes, especially in larger networks, you still end up
Huxley Barbee:having to use a hardware appliance. And what you would do
Huxley Barbee:is you would reconfigure all of your switches, or all the
Huxley Barbee:switches that have a choke point on the network, to essentially
Huxley Barbee:mirror traffic or scan traffic or copy traffic from the switch
Huxley Barbee:over to your collector. There are other ways to do this, you
Huxley Barbee:can set up a tap in the in strategic places throughout a
Huxley Barbee:network to get that sort of information. But in any case,
Huxley Barbee:what you're doing is you're just basically collecting all the
Huxley Barbee:network traffic on the network. And the great thing about this
Huxley Barbee:is you end up seeing everything that's on the network, as long
Huxley Barbee:as those devices are talking. If they're not talking the network,
Huxley Barbee:obviously, you're gonna you're going to miss it. This is also
Huxley Barbee:very popular, especially in the OT space, because well, agents
Huxley Barbee:you usually cannot install on OT devices. And with authenticated
Huxley Barbee:scans often used, you have this consequence where because OT
Huxley Barbee:devices are designed to work in a very specific way. And
Huxley Barbee:oftentimes, they're very old, many of them are running on like
Huxley Barbee:Windows XP, for example, that authenticated scans can actually
Huxley Barbee:crash these IoT devices, which may be performing some sort of
Huxley Barbee:mission critical function within the organization. So passive
Huxley Barbee:network monitors are very popular in the OT space simply
Huxley Barbee:because there's no interrogation of these devices, and so
Huxley Barbee:therefore, it's very safe. The major challenge though, with
Huxley Barbee:passive network monitors is what if the device only talks once a
Huxley Barbee:year, like once a year, I once worked on a project when I was
Huxley Barbee:doing security orchestration workflows, where a customer said
Huxley Barbee:we have some some devices that only talk on the network once a
Huxley Barbee:year. So you need to, you need to collect traffic for 13 months
Huxley Barbee:to make sure you're not missing anything. Right. The other the
Huxley Barbee:other issue with passive network monitors is the only information
Huxley Barbee:that you have to fingerprint devices, to identify those
Huxley Barbee:devices, is based on what is being spoken on the wire. So
Huxley Barbee:this might be a very terse information that you get from
Huxley Barbee:the network. And so oftentimes, passive network monitors have
Huxley Barbee:challenges in correctly identifying devices on the
Huxley Barbee:network. So there's a fourth approach, which has become more
Huxley Barbee:popular recently, which is to not do any discovery at all, but
Huxley Barbee:instead ingest asset inventory information from other other
Huxley Barbee:solutions, other tools within the existing IT and security
Huxley Barbee:toolkit. So the obvious problem with this is there are
Huxley Barbee:limitations. If the data sources from which you ingest that
Huxley Barbee:information, don't know about these unmanaged devices, then
Huxley Barbee:then your collector, collecting data via API system is not gonna
Huxley Barbee:know about them either. So there are limitations there as well in
Huxley Barbee:terms of unmanaged assets. So one final approach is called
Huxley Barbee:unauthenticated scanning. So similar to authenticated scans,
Huxley Barbee:you have software that's deployed in strategic areas
Huxley Barbee:within the network, and it just goes through the IP range
Huxley Barbee:through the goes through the IP space, and then talks to every
Huxley Barbee:single endpoint that responds and gathers information. The key
Huxley Barbee:difference between authenticated scans and unauthenticated scans,
Huxley Barbee:of course, is that unauthenticated scans do not try
Huxley Barbee:to log in to those endpoints. Instead, what they do is rely on
Huxley Barbee:information that's being reported over the wire without
Huxley Barbee:authentication in order to make a determination as to what the
Huxley Barbee:devices in order to do the fingerprinting. And what's
Huxley Barbee:interesting is, this is the exact same approach that
Huxley Barbee:somebody in offensive security would take, right? People who
Huxley Barbee:are the adversary, people doing pentesting, they use this exact
Huxley Barbee:same approach. But oftentimes, they don't use the words asset
Huxley Barbee:discovery, they tend to call this recon. So with
Huxley Barbee:unauthenticated scanning, what you're doing is you're using a
Huxley Barbee:security research based approach, to make a
Huxley Barbee:determination as to what are all the devices that are on the
Huxley Barbee:network, and what those devices are, what are the services that
Huxley Barbee:they have available, available on them, and so on, and so
Huxley Barbee:forth. So those would be the five approaches. And with
Huxley Barbee:unauthenticated scanning, you have best of many worlds, you
Huxley Barbee:have the ability to go out and find all the assets on the
Huxley Barbee:network, even if they're unmanaged. But you don't have
Huxley Barbee:the problems of of credential spraying. And depending on how
Huxley Barbee:that unauthenticated scanner is implemented, you can even talk
Huxley Barbee:to OT devices without the fear of of crashing, some sort of
Huxley Barbee:mission critical function.
Dr. Dave Chatterjee:Well, thank you. Thank you for that very in
Dr. Dave Chatterjee:depth insight on the different approaches to asset discovery.
Dr. Dave Chatterjee:So Huxley in light of the new CISA guidelines, as
Dr. Dave Chatterjee:organizations prepare to deliver on the expectations, given that
Dr. Dave Chatterjee:you shared the different approaches, and I'm sure
Dr. Dave Chatterjee:companies are following through with some of them, if not all of
Dr. Dave Chatterjee:them. And again, I'm not in the know of exactly what the
Dr. Dave Chatterjee:guidelines are from CISA. But just at a general level, I often
Dr. Dave Chatterjee:feel that maybe it's good to provide them with more than
Dr. Dave Chatterjee:less. So would it makes sense to provide them with the results
Dr. Dave Chatterjee:from using more than one approach, or based on what I
Dr. Dave Chatterjee:what I heard, it seems that the unauthenticated scan seems to be
Dr. Dave Chatterjee:the best approach. Can you please clarify?
Huxley Barbee:Yes. So So BOD 2301, the binding operational
Huxley Barbee:directive 2301, which was just published, I think a week go and
Huxley Barbee:what it's saying is you need to do two things asset discovery
Huxley Barbee:and vulnerability enumeration. Alright, so let's focus on the
Huxley Barbee:asset discovery part here. I'm going to read you a quote from
Huxley Barbee:from the directive. That says "asset discovery is a building
Huxley Barbee:block of operational visibility and it is defined as an activity
Huxley Barbee:through which an organization identifies what network
Huxley Barbee:addressable IP assets reside on their networks, and identifies
Huxley Barbee:the associated IP address or hosts as a distributed non
Huxley Barbee:intrusive and usually does not require special logical access
Huxley Barbee:privileges." That second sentence is is so key, it needs
Huxley Barbee:to be non-intrusive, and does not require special logical
Huxley Barbee:privileges. Non-intrusive means no agents, no authenticated
Huxley Barbee:scans, you potentially could do passive network monitor, but as
Huxley Barbee:we discussed earlier, with a passive network monitor that the
Huxley Barbee:fingerprinting is often lacking. So effectively, effectively, BOD
Huxley Barbee:2301 is suggesting that use unauthenticated scans for the
Huxley Barbee:asset discovery portion of this particular directive. The second
Huxley Barbee:part of this is vulnerability enumeration, and depending on
Huxley Barbee:the asset discovery tool that you have, you could satisfy some
Huxley Barbee:of this. Oftentimes, you don't necessarily need to do a full
Huxley Barbee:Vuln (vulnerability) check to understand if assets are
Huxley Barbee:potentially vulnerable. So for example, let's let's let's take
Huxley Barbee:an analogy here. Let's say let's say you and I see somebody on
Huxley Barbee:the street and we see that this person is wearing glasses, not
Huxley Barbee:sunglasses, so like glasses, like like you're you're wearing
Huxley Barbee:right now, would it be fair for us to say to to assume that this
Huxley Barbee:person probably has some sort of need for corrective vision?
Huxley Barbee:Maybe they're nearsighted or farsighted? More often than not,
Huxley Barbee:we're going to be right. But you and I are not well, I don't
Huxley Barbee:think you are, you and I are not optometrists, we didn't actually
Huxley Barbee:do an eye exam on this person. We didn't we didn't have them.
Huxley Barbee:go through and recognize very small letters up on the wall we
Huxley Barbee:didn't do an eye exam, so how can we be sure? Well, even even
Huxley Barbee:though we didn't do an eye exam, more often than not, we're going
Huxley Barbee:to be right, this person has the need for corrective vision. Very
Huxley Barbee:similarly, with vulnerability scanning, the right thing to do
Huxley Barbee:is, of course, to do a full vuln check, right, but oftentimes,
Huxley Barbee:just by knowing that, hey, this vulnerability affects the
Huxley Barbee:services. So for example, going back to Equifax, just by knowing
Huxley Barbee:the version of Apache struts that's running on a device, you
Huxley Barbee:could probably tell, hey, this has this is affected by this
Huxley Barbee:vulnerability. So very similarly, just by just by
Huxley Barbee:having a good asset inventory, you can say, oh, because this
Huxley Barbee:device has these services on it, there is high potential, we have
Huxley Barbee:reasonable confidence to believe that there's this vulnerability
Huxley Barbee:is present on that particular asset. This is not to say you
Huxley Barbee:don't need to do a vuln check, we always recommend that you do
Huxley Barbee:a full vuln check anyway. Always go to the optometrist and check
Huxley Barbee:your vision. But the having good asset discovery and good asset
Huxley Barbee:inventory actually takes you quite um, quite a ways towards
Huxley Barbee:satisfying that need for vulnerability enumeration, not
Huxley Barbee:necessarily full compliance with DoD 2301. But certainly good
Huxley Barbee:asset discovery takes care of the asset discovery part of the
Huxley Barbee:directive and can take you part of the way through the
Huxley Barbee:vulnerability enumeration part of the directive.
Dr. Dave Chatterjee:Very interesting. In fact, as you
Dr. Dave Chatterjee:were describing the expectations, a thought crossed
Dr. Dave Chatterjee:my mind, is there going to be a directive, unless there is one
Dr. Dave Chatterjee:that require organizations to promptly respond to
Dr. Dave Chatterjee:vulnerability discoveries and document the actions taken. In
Dr. Dave Chatterjee:other words, it is one thing to have vulnerability enumeration,
Dr. Dave Chatterjee:to have comprehensive asset discovery. It's fundamental.
Dr. Dave Chatterjee:It's at the foundation of everything. But it is equally
Dr. Dave Chatterjee:important for organizations to report on the actions taken in
Dr. Dave Chatterjee:response to the discoveries. Is there a CISA directive to that
Dr. Dave Chatterjee:effect? Can you shed some light on that, please?
Huxley Barbee:So there's not there's not anything like that,
Huxley Barbee:as far as I know, that comes from a government directive
Huxley Barbee:similar to this BOD 2301, which, which to be fair, is it's been
Huxley Barbee:published, but it's not enforced yet. The deadline for this is
Huxley Barbee:April 23rd, of 2023. So civilian federal agencies have time to be
Huxley Barbee:compliant. But in terms of directives that require folks to
Huxley Barbee:remediate within a certain amount of time. I have not seen
Huxley Barbee:that yet. However, however, I do think it's relevant to mention
Huxley Barbee:that in the private sector, the driver could come from from
Huxley Barbee:insurance in some cases. Now, obviously, there are many
Huxley Barbee:private organizations that take CISA's directives to heart and
Huxley Barbee:they'll they'll voluntarily follow the directors like this,
Huxley Barbee:even though they're not a civilian federal agency, but
Huxley Barbee:just it's just good practice. There are many things that the
Huxley Barbee:prudent person principle, right, when applied correctly, would
Huxley Barbee:mean would would effectively mean that these private
Huxley Barbee:organizations take on CISA directives, CIS benchmarks and
Huxley Barbee:what have you and follow those. But we've noticed recently that
Huxley Barbee:there are cybersecurity insurance policies that require
Huxley Barbee:that require organizations to have a certain percentage of
Huxley Barbee:coverage of security controls on their assets. So what do I mean
Huxley Barbee:by that? So let's say it this is just an example I'm quoting a
Huxley Barbee:specific cybersecurity insurance policy here, but a policy might
Huxley Barbee:say that an organization must have 95% coverage of endpoint
Huxley Barbee:detection and remediation on all their assets. And this might
Huxley Barbee:affect whether or not they qualify for the insurance in the
Huxley Barbee:first place. Or maybe it might affect what they have to pay in
Huxley Barbee:terms of premiums or something like that. But think about how
Huxley Barbee:you would answer that question where we're certified that 95%
Huxley Barbee:of your assets are covered by a point detection remediation.
Huxley Barbee:Well, 95% of what well, 94% of your entire asset inventory. So
Huxley Barbee:without having a comprehensive asset inventory, you can't
Huxley Barbee:really answer the question of whether or not I have 95%
Huxley Barbee:coverage of for EDR on all my assets. So whether it be a
Huxley Barbee:government issued directive or a financial requirement that comes
Huxley Barbee:from that arises from cybersecurity insurance, one way
Huxley Barbee:or another in the future, we might see organizations having
Huxley Barbee:to come up with some sort of SLAs for remediation,
Huxley Barbee:remediation of of these vulnerabilities or at least
Huxley Barbee:being proactive about being security on those assets
Dr. Dave Chatterjee:Very true! That makes a lot of sense. At
Dr. Dave Chatterjee:the end of the day, there needs to be a recognition that
Dr. Dave Chatterjee:comprehensive asset discovery is extremely important for a
Dr. Dave Chatterjee:variety of reasons. And unless the organization is willing to
Dr. Dave Chatterjee:have a good plan in place, a good procedure in place to
Dr. Dave Chatterjee:engage in that exercise, they are going to be hurt more than
Dr. Dave Chatterjee:anything else. So one is compliance, the other is a
Dr. Dave Chatterjee:substantive buy-in where an organization might decide to go
Dr. Dave Chatterjee:beyond the compliance expectations. Of course, there
Dr. Dave Chatterjee:is the time factor, there's the cost factor, there are other
Dr. Dave Chatterjee:factors to be taken into consideration. But based on what
Dr. Dave Chatterjee:I learned from our discussion, today, it's a no brainer that at
Dr. Dave Chatterjee:the heart of the security program is the identification of
Dr. Dave Chatterjee:all the sensitive assets, where all they reside, even before you
Dr. Dave Chatterjee:can start classifying them, categorizing them. So this is
Dr. Dave Chatterjee:such such an important discussion or such an important
Dr. Dave Chatterjee:area of cyber governance,
Huxley Barbee:I want to I want to double down on what you're
Huxley Barbee:saying here, please, please add to this right there. And this is
Huxley Barbee:not me, this actually came from a customer. He told me that
Huxley Barbee:having comprehensive asset inventory allowed for his
Huxley Barbee:company, his organization, to move from a reactive security
Huxley Barbee:program to a proactive security program. So, think about it this
Huxley Barbee:way, if you don't know what you have, right, and the adversary
Huxley Barbee:is coming through into your network laterally, moving
Huxley Barbee:through your unknown unknowns, you're always going to be on the
Huxley Barbee:backfoot, you're always finding about things that you didn't
Huxley Barbee:know about and having to react and try and figure out what it
Huxley Barbee:is and, and deal with it with very little information.
Huxley Barbee:Oftentimes, like I said, before, you know, the adversary does
Huxley Barbee:recon, they do recon. And so therefore, oftentimes the
Huxley Barbee:adversary knows more about your network than you do. And of
Huxley Barbee:course, to combat that you need comprehensive asset inventory.
Huxley Barbee:But by by moving ahead with comprehensive asset inventory,
Huxley Barbee:they were able, because they knew about all the assets, they
Huxley Barbee:were able to start becoming proactive about the security
Huxley Barbee:program. Oh, here, all these assets are there, like we didn't
Huxley Barbee:know about, let's go ahead and get security controls on them,
Huxley Barbee:like install EDR, where that's possible, do a vuln scan of them
Huxley Barbee:where possible, right. By having that asset inventory,
Huxley Barbee:comprehensive asset inventory, they were able to move from a
Huxley Barbee:reactive security program to a proactive security program. And
Huxley Barbee:this is not to say that's the only ingredient that needs to go
Huxley Barbee:into making that transformation. But this particular customer
Huxley Barbee:credited this one improvement for for that, that journey that
Huxley Barbee:they were able to go on.
Dr. Dave Chatterjee:Absolutely. And thanks for sharing. That
Dr. Dave Chatterjee:means I couldn't emphasize enough the importance of being
Dr. Dave Chatterjee:proactive and not reactive, I can't emphasize enough the
Dr. Dave Chatterjee:importance of engaging in comprehensive asset discovery
Dr. Dave Chatterjee:without any kind of influence. Doing it on your own, because
Dr. Dave Chatterjee:you, means the organization, because you recognize this, as
Dr. Dave Chatterjee:such an important part of good cyber discipline. And frankly,
Dr. Dave Chatterjee:if at any point, an organization is in a court of law having to
Dr. Dave Chatterjee:make their case about whether they were negligent or not, if
Dr. Dave Chatterjee:they can provide evidence that they have engaged in
Dr. Dave Chatterjee:comprehensive asset discovery on a regular basis, and they have
Dr. Dave Chatterjee:addressed the issues that have come up as a result of the
Dr. Dave Chatterjee:discovery. And if there is a record of sustained such
Dr. Dave Chatterjee:activity, proactive activity, that could only favor the
Dr. Dave Chatterjee:organization that could beef up the defense of the organization.
Dr. Dave Chatterjee:So I can only see positives of taking this proactive approach.
Huxley Barbee:100%.
Dr. Dave Chatterjee:Fantastic. So we are kind of coming to the
Dr. Dave Chatterjee:end of our discussion today. I'd like to give you the opportunity
Dr. Dave Chatterjee:to fill in the gaps, if any. And also if you wanted to summarize
Dr. Dave Chatterjee:some of the key takeaways from our from our chat this morning.
Huxley Barbee:Sure, absolutely. I think one one thing that we
Huxley Barbee:haven't touched on here is that oftentimes asset inventory is
Huxley Barbee:not called out in security budgets, you'll you'll you'll
Huxley Barbee:see in security budgets, they need to spend x amount of
Huxley Barbee:dollars on EDR on vulnerability management and so on so forth,
Huxley Barbee:oftentimes asset inventory is not called out as a specific
Huxley Barbee:line item. And I would encourage all the folks who who can
Huxley Barbee:security managers, security directors, even even security
Huxley Barbee:practitioners, to lobby with their leadership all the way up
Huxley Barbee:to the board of directors and say, Hey, listen, this is
Huxley Barbee:foundational to our ability to execute our security program in
Huxley Barbee:an effective way. We need to have specific budget for asset
Huxley Barbee:inventory. So that is one thing. I think the second thing I think
Huxley Barbee:we we already talked about it but just want to reemphasize how
Huxley Barbee:important it is, how important asset discovery is to having a
Huxley Barbee:proactive security program. Without it, you couldn't do it.
Huxley Barbee:Right. I'm not saying it's sufficient, but it's certainly
Huxley Barbee:required. Can I can also plug runZero.
Dr. Dave Chatterjee:Please do that.
Huxley Barbee:Yeah. Yeah. So So runZero is a cybersecurity asset
Huxley Barbee:management solution that leverages both unauthenticated
Huxley Barbee:scans as well as API ingests, that allows you to have a full
Huxley Barbee:asset inventory comprehensive asset inventory faster than
Huxley Barbee:anybody else. And, and is it able to help you with your
Huxley Barbee:security programs by identifying security controls coverage gaps,
Huxley Barbee:improving your vulnerable vulnerability management program
Huxley Barbee:and identifying risky assets. So you can be as proactive as you
Huxley Barbee:can with your security program. And if you would like to try
Huxley Barbee:runZero, just go to the website, www.run Zero.com, you can go
Huxley Barbee:ahead and download our solution. And you can get a full asset
Huxley Barbee:inventory, starting in less than 60 minutes.
Dr. Dave Chatterjee:Awesome! In that spirit of making people
Dr. Dave Chatterjee:aware of resources that they can check out, how about providing
Dr. Dave Chatterjee:listeners with some selection criteria, when they are
Dr. Dave Chatterjee:evaluating different products in the market, asset discovery
Dr. Dave Chatterjee:products? What what should they be aware of? What are the kinds
Dr. Dave Chatterjee:of questions they should be asking? So it helps them in
Dr. Dave Chatterjee:making good selections?
Huxley Barbee:Yeah, so one, one important thing to understand
Huxley Barbee:the methodology, the solution approaches? Are you using an
Huxley Barbee:agent based approach? Are you using an authenticated scan
Huxley Barbee:approach, passive network monitor, unauthenticated scan,
Huxley Barbee:and so on, so forth? The other one would, would be how long
Huxley Barbee:does it take? What does the deployment look like? Do I need
Huxley Barbee:professional services in order to get this done? Do I need to
Huxley Barbee:install hardware? Or is this just something that I can self
Huxley Barbee:service download without a credit card? And and get started
Huxley Barbee:with in less than 60 minutes? And I think the third thing that
Huxley Barbee:you want to look at is what is the level of detail that I'm
Huxley Barbee:able to gather from this asset inventory. So as I mentioned
Huxley Barbee:before, it's not just about whether you have a list of
Huxley Barbee:devices, it's also about what's running on them, what ports are
Huxley Barbee:they listening on? What services do they have? And who is the
Huxley Barbee:owner of these assets? And then I think the fourth thing is,
Huxley Barbee:what else can this asset inventory do for me? Can it help
Huxley Barbee:me out with identifying security controls, coverage gaps, can
Huxley Barbee:help helped me out with improving the vulnerability
Huxley Barbee:management program and so on. So
Dr. Dave Chatterjee:Well, thank you so much Huxley. This has
Dr. Dave Chatterjee:been a pleasure. Appreciate your time and insights. And I'm sure
Dr. Dave Chatterjee:we will have many more discussions in the future. Thank
Dr. Dave Chatterjee:you again.
Huxley Barbee:Thank you, Dr. Chatterjee, this has been fun.
Huxley Barbee:Thank you.
Dr. Dave Chatterjee:A special thanks to Huxley Barbee, for his
Dr. Dave Chatterjee:time and insights. If you liked what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also,
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.
