Episode 37

Comprehensive Asset Discovery

Comprehensive asset discovery is foundational to robust and proactive cybersecurity governance. The Cybersecurity and Infrastructure Security Agency recently issued a directive (BOD 23-01) requiring federal enterprises (civilian executive branch) to perform automated asset discovery every 7 days. Among other things, the directive also requires federal enterprises to initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days. Huxley Barbee, Security Evangelist at runZero and former Cybersecurity Practice Lead at Cisco, discusses the various methods of comprehensive asset discovery and provides guidance in selecting an appropriate asset discovery tool.

Time Stamps

01:33 -- Please share with the listeners some highlights of your professional journey.

03:13 -- Share some stories and anecdotes of the consequences of poorly managed asset inventory.

09:37 -- Why didn't organizations engage in comprehensive asset discovery? What were the hurdles, if any? Now that there is a CISA directive, what's the guarantee that organizations will be in a position to follow through with the orders?

13:12 -- Let's discuss some solutions, recommendations, and approaches to better managing asset discovery.

22:00 -- It seems that the unauthenticated scan is the best approach. Can you please clarify?

26:16 -- It is equally important for organizations to report on the actions taken in response to the discoveries. Is there a CISA directive to that effect? Can you shed some light on that, please?

33:32 -- Please summarize some of the key takeaways from our chat this morning.

35:42 -- How about providing listeners with some selection criteria when they're evaluating different products in the market, asset discovery products? What should they be aware of? What are the kinds of questions they should be asking? So it helps them make good selections.


Memorable Huxley Barbee Quotes/Statements

"The unfortunate reality is that asset inventory is still an unsolved problem for so many organizations. They might have some tooling for dealing with asset discovery, but usually, they end up with spreadsheets."

"There is greater recognition, especially from government agencies, of the need for asset discovery."

"Asset Inventory isn't just a list of devices that you have on your network. It's also what is on those devices, what services are on those devices, what ports are those devices listening to, and who owns those devices."

"There are many hurdles associated with asset inventory management. The one that looms the largest is unmanaged devices, unmanaged assets, that is the Achilles heel of any asset inventory program."

"Why would the adversary go for a well-managed up to date patched machine when they can just go ahead and attack something that's out of date and unpatched, with numerous exploits that they might be able to download from the Internet."

"Unmanaged devices are why customers end up using spreadsheets where the existing tooling just isn't performing as they want. And so they have to end up using spreadsheets instead."

"With unauthenticated scanning, you have the best of many worlds, right, you have the ability to go out and find all the assets on the network, even if they're unmanaged. But you don't have the problems of credential spraying. And depending on how the unauthenticated scanner is implemented, you can even talk to OT devices without the fear of crashing some sort of mission-critical function."

"Effectively, BOD 23-01 is suggesting the use of unauthenticated scans for the asset discovery portion of this particular directive."

"A customer told me that having a comprehensive asset discovery allowed his organization to move from a reactive security program to a proactive security program."

"Oftentimes, the adversary knows more about your network than you do. And, of course, to combat that, you need a comprehensive asset inventory."

"Oftentimes, asset inventory is not called out as a specific line item in security budgets."


Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Transcript
Introducer:

Welcome to the Cybersecurity Readiness Podcast series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of the book Cybersecurity Readiness: A Holistic and High-Performance Approach, a SAGE publication. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars and workshops, consulted with companies and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia. As a Duke University Visiting Scholar, Dr. Chatterjee has taught in the Master of Engineering in Cybersecurity program at the Pratt School of Engineering.

Dr. Dave Chatterjee:

Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast series. Our discussion today will focus on asset discovery. We'll talk about the consequences of poorly managed asset inventory, challenges of asset discovery, various methods and approaches to asset discovery, and more. I'm delighted to have as my guest Huxley Barbee, Security Evangelist at runZero, and former Cybersecurity Practice Lead at Cisco, who will share his thoughts and perspectives. Welcome, Huxley.

Huxley Barbee:

Thank you very much, Dr. Chatterjee, for having me.

Dr. Dave Chatterjee:

So before we get into the details, Huxley, please share with the listeners some highlights of your professional journey.

Huxley Barbee:

Absolutely. Thank you. So I've been working in security for over 20 years at companies like Datadog, Cisco Systems, and a number of security startups. And over the years, I've focused on parts of cybersecurity like secure messaging, secure web gateway, cloud security. And then of course, finally, orchestrating security workflows. And one problem that I saw again and again with my customers, and these are really large customers, Fortune 500 customers, as well as really small customers: they all had this problem where they had no idea what is on their network. And it's actually a really old problem. I remember, over 20 years ago, when I first ran a SATAN system, I think System Administrators Tool for Analyzing Network (SATAN). And I used that to discover what's on my own company's network. And the unfortunate reality is that asset inventory is still an unsolved problem for so many organizations. And they might have some tooling for dealing with asset discovery, but usually they end up with spreadsheets. And fast forward to about a year ago, I found runZero by complete accident. I was talking to the CEO about the company, and I realized that runZero was actually solving this age-old problem. And so I eventually joined them as a security evangelist.

Dr. Dave Chatterjee:

Fantastic. There is no disagreement that managing assets is a huge part of cybersecurity governance, because unless you know what you need to protect, you really cannot implement appropriate defense measures.

Huxley Barbee:

That's right.

Dr. Dave Chatterjee:

And the more digitized we get, the more expansive our network, especially in today's day and age where organizations are operating in a very remote kind of a way. It makes it all the more challenging, because employees and other stakeholders are using all kinds of devices. And then we have IoT devices. So keeping track of all these different devices, located in all parts of the world, let's say, is a huge undertaking. But though it's a huge challenge, it's not something that we can ignore considering the consequences of poorly managed asset inventory. I think you are an excellent person to talk about, share some stories, some anecdotes, of the consequences of poorly managed asset inventory.

Huxley Barbee:

Yes. So absolutely. I'll talk about one example. That one is anonymized because it's something that we know about personally, but I'll also talk about a more public example, just to highlight the consequences of poor asset inventory or lack of asset inventory. So in the example that's a little bit closer to home, there was a medical production company that was breached. And this is a medical production company, in the midst of the pandemic. So very critical, not just to the company itself, but maybe society at large, and law enforcement had to get involved in terms of dealing with the breach remediation, and so on, so forth. And a primary recommendation from law enforcement that came out of that post mortem was that this company needed to implement a comprehensive asset inventory. And most recently, I think just a week ago, we see once again that the government has made this sort of recommendation. And in a very big way, so CISA, the Cybersecurity Infrastructure Security Agency, and it's just a department of the department, a sub-department of the Department of Homeland Security, just released BOD 23-01. BOD stands for Binding Operational Directive. And the directive has told all civilian federal agencies that they need to have a solution for asset inventory and vulnerability enumeration, both of those. Not only do they need to have this, they need to be able to cover their entire IPv4 address base, basically covering all of their assets. And they need to be able to do this automated discovery every seven days, which, you know, especially if you don't already have an asset inventory, that's a very tall order. And not only do you need to be able to have this done every seven days, if CISA demands that you produce a report for a specific set of assets, for a specific set of vulnerabilities, you need to be able to return a report, you need to be able to run that scan within 72 hours and return a report within seven days. So there's a lot going on here. There's a lot of recognition, more and more, especially from government agencies, of the need for asset discovery. And whereas in the past, people would say, oh, good asset inventory, a comprehensive asset inventory is foundational because it is part of CIS benchmarks Control Number one, more and more we're starting to see that there's a requirement, this is a compulsory nature to asset discovery. But to go back to your earlier question, so I promised to talk a little bit more about a more public example of what happens when you don't have good asset inventory: Equifax, right, back in 2017. We're all familiar with Equifax, how the adversary was able to breach Equifax through systems that had an unpatched version of Apache Struts. That particular incident, in large part, I would argue, came from not having good asset inventory. So let me give you a little bit more background about what I mean by asset inventory. Asset inventory isn't just a list of devices that you have on your network. It's also what is on those devices, what are the services that are on those devices, what are the ports those devices are listening to, but additionally, who owns those devices. And there could be many different types of ownership, like the person that's logged into it, the business unit that owns it, or the IT group that is in charge of it. But this sense of ownership of assets is also extremely important. And that is something that needs to go into the asset inventory as well. So going back to Equifax, the company did send out an email to a bunch of folks in IT, system administrators, about affected systems. It just so happens that the systems that were breached are the ones that had this unpatched version of Apache Struts; they didn't know the owner for that, or maybe the owner that was assigned to those machines wasn't at the company anymore, something like that. Whatever the case might have been, there wasn't proper ownership correlated with those assets. So even though the company sent out this email, hey, everybody, let's go and patch Apache Struts, the people who needed to know for these particular assets did not find out. And that is a consequence of poor asset inventory in this case. A second ramification here is the fact that these particular systems had outdated certificates. So you know, whether or not you have certificates that are expired, that is also part of your asset inventory. And Equifax had this security detection tool that would analyze traffic, but it could only do so in the cases where there were certificates that were current. And because they were not current, the detection tool was not actually scanning or inspecting that traffic like it needed to. A third ramification is asset inventory also tells you about where your assets are on the network and whether or not they can talk to each other. And a third issue that we saw at Equifax was lack of segmentation amongst those assets. And again, this just goes back to the idea of them not having a good enough asset inventory that would allow them to handle this type of situation on multiple levels.

Dr. Dave Chatterjee:

Wow. That is quite a revelation. The fact that systems that need to be patched are staying unpatched because they are not discoverable. That is very concerning. Now, backing up a little bit here, there is the ideal and then there's the practical. Like you said, it's a very complex undertaking to be able to list all the devices that are there, the services that they offer, the ports to connect to, the owners. Having all these details in as comprehensive a manner as possible is definitely a challenge. There are tools out there; you talked about using automated scanning tools. However, the question that comes to mind: why didn't organizations engage in comprehensive asset discovery? What were the hurdles, if any? Now that there is a CISA directive, what's the guarantee that organizations will be in a position to follow through with the orders?

Huxley Barbee:

Yeah, yeah. So first, maybe we should talk about the biggest hurdle with asset inventory. There are many, of course, but the one that looms largest is unmanaged devices, unmanaged assets. That is the Achilles heel of any asset inventory program. I think there was a recent Deloitte research report that mentioned that 32% of organizations believe that shadow IT assets are probably the biggest challenge for asset management. And these unmanaged devices pose a number of problems. Like, for example, you cannot be really confident about audits or audit violations, because of these unmanaged assets that you don't know about. These unmanaged assets cannot be patched because there's no ownership of them. They cannot be upgraded, you can't automate them, or include them in some sort of automated workflow. And then oftentimes, you cannot turn them off, right, because they're unmanaged. And they just be sort of sitting out there. You might not be sure if this particular unmanaged asset is important; it might be running some sort of mission critical function for your organization. But you see, if you're not sure, you can't really turn it off. Or there's some cases where I've heard from customers where they know a particular asset, that's an unmanaged asset, is important, but it's been unmanaged for so long that nobody wants to touch it. Nobody's even willing to stand near it and breathe near it. And these unmanaged assets, of course, have a very palpable security ramification. Many of our customers tell us that they know what's going on with their standard issued workstations, their standard issued laptops; the biggest problem are those unknown unknowns, because these unmanaged devices are unpatched, they have not been upgraded in some time. These are probably the easiest targets for the adversary. Why would the adversary go for a well-managed, up to date, patched machine when they can just go ahead and attack something that's out of date and unpatched, with numerous exploits that they might be able to download from the Internet, or are going to just work. So that is the security ramification, and this is why unmanaged assets loom largest in terms of hurdles for comprehensive asset inventory. And then finally, unmanaged devices are the reason why customers end up using spreadsheets where the existing tooling just isn't performing the way they want. And so they have to end up using spreadsheets instead.

Dr. Dave Chatterjee:

Wow. And when you're talking about using spreadsheets, that immediately brings to mind the importance of constantly updating it, which is another arduous task; it never happens. It brings back thoughts of access management using spreadsheets and regain access management using spreadsheets. And I know, in several companies, and it was absolutely bewildering, to learn, to see, that they're using spreadsheets to keep track of everyone's permission levels, authorization levels, and then again, go back to the spreadsheets to make the changes as the professional roles change, the professional roles evolve. And obviously, that's not the ideal solution. So there was discussion of developing AI tools to automate the process. So I can totally understand why Excel spreadsheets is really not the answer. But like you explained, there are reasons why organizations are forced to go to spreadsheets. So yeah. So moving along. Let's get to some solutions, some recommendations, some approaches to better managing asset discovery.

Huxley Barbee:

Sure. So there are a number of approaches out there for handling the situation. So the first one that comes to mind is the use of agents. This is a very popular way of doing asset discovery, asset inventory. And essentially, when I say agents, I mean endpoint agents, meaning that you put software on every single device. Now, this works to a certain extent, but mostly for managed IT assets. It doesn't work very well for unmanaged devices. The reason being, if you can put an agent on something, that means you already know about it, that means it's probably already managed. So what it is not going to capture are those unmanaged devices, unmanaged IT devices, OT (operational technology) devices, IoT devices, and so on, and so forth. So that's a popular technique, but it actually doesn't handle the Achilles heel of asset inventory. Another approach is authenticated scans. This is where you have a piece of software that's sitting somewhere on your network, potentially on multiple locations throughout your network. And what you would do is you would then go through an IP range and attempt to log in to every single one of the endpoints that responds. And again, this works rather well for managed IT assets. Because if you know the credentials to log into these endpoints, then you probably already manage it, you probably already know about it. So again, it tends to miss those unmanaged IT devices, OT, IoT, and so on and so forth. Authenticated scans also have secondary negative security ramifications. So something known as credential spraying. So let's say you, right, the hacker, Dr. Dave Chatterjee, you somehow were able to get onto the network, and you were able to own a particular Linux box. So you own this Linux box. And you can replace the SSH server with your own SSH server that's really just logging passwords. And now I have my authenticated scanner on the network. And I'm just logging into every single endpoint that I can get to, and your endpoint, the one that you owned, is now responding to my authenticated scan as like, oh, there's a machine here, I'm gonna log into this machine, I think it's just a regular Linux box. So I send the username and password. But you actually own this machine now. And so now, you have credentials; my authenticated scanner has provided this to you. And now you have credentials that allow you to laterally move to other devices on the network. That's the ramification of authenticated scans that's often not discussed. But it's very important for folks to be aware of. So I've mentioned two methods so far, two approaches so far, agents and authenticated scans, which we've said work well for managed IT, but not so much some of the other stuff. Well, there's a third approach called passive network monitoring. Still, in this approach, you would have a collector, a network traffic collector. Oftentimes, these come in the form of hardware appliances, because of the amount of compute power that you need to ingest all the network traffic that's going on in the network. There are of course virtual appliances these days for some of this stuff. But oftentimes, especially in larger networks, you still end up having to use a hardware appliance. And what you would do is you would reconfigure all of your switches, or all the switches that have a choke point on the network, to essentially mirror traffic or scan traffic or copy traffic from the switch over to your collector. There are other ways to do this; you can set up a tap in strategic places throughout a network to get that sort of information. But in any case, what you're doing is you're just basically collecting all the network traffic on the network. And the great thing about this is you end up seeing everything that's on the network, as long as those devices are talking. If they're not talking on the network, obviously, you're going to miss it. This is also very popular, especially in the OT space, because, well, agents you usually cannot install on OT devices. And with authenticated scans often used, you have this consequence where, because OT devices are designed to work in a very specific way, and oftentimes they're very old, many of them are running on like Windows XP, for example, authenticated scans can actually crash these IoT devices, which may be performing some sort of mission critical function within the organization. So passive network monitors are very popular in the OT space simply because there's no interrogation of these devices, and so therefore, it's very safe. The major challenge, though, with passive network monitors is what if the device only talks once a year? Like, once a year. I once worked on a project when I was doing security orchestration workflows, where a customer said we have some devices that only talk on the network once a year. So you need to collect traffic for 13 months to make sure you're not missing anything. Right. The other issue with passive network monitors is the only information that you have to fingerprint devices, to identify those devices, is based on what is being spoken on the wire. So this might be very terse information that you get from the network. And so oftentimes, passive network monitors have challenges in correctly identifying devices on the network. So there's a fourth approach, which has become more popular recently, which is to not do any discovery at all, but instead ingest asset inventory information from other solutions, other tools within the existing IT and security toolkit. So the obvious problem with this is there are limitations. If the data sources from which you ingest that information don't know about these unmanaged devices, then your collector, collecting data via API system, is not gonna know about them either. So there are limitations there as well in terms of unmanaged assets. So one final approach is called unauthenticated scanning. So similar to authenticated scans, you have software that's deployed in strategic areas within the network, and it just goes through the IP range, goes through the IP space, and then talks to every single endpoint that responds and gathers information. The key difference between authenticated scans and unauthenticated scans, of course, is that unauthenticated scans do not try to log in to those endpoints. Instead, what they do is rely on information that's being reported over the wire without authentication in order to make a determination as to what the device is, in order to do the fingerprinting. And what's interesting is, this is the exact same approach that somebody in offensive security would take, right? People who are the adversary, people doing pentesting, they use this exact same approach. But oftentimes, they don't use the words asset discovery; they tend to call this recon. So with unauthenticated scanning, what you're doing is you're using a security research based approach to make a determination as to what are all the devices that are on the network, and what those devices are, what are the services that they have available on them, and so on, and so forth. So those would be the five approaches. And with unauthenticated scanning, you have the best of many worlds: you have the ability to go out and find all the assets on the network, even if they're unmanaged. But you don't have the problems of credential spraying. And depending on how that unauthenticated scanner is implemented, you can even talk to OT devices without the fear of crashing some sort of mission critical function.

Dr. Dave Chatterjee:

Well, thank you. Thank you for that very in-depth insight on the different approaches to asset discovery. So Huxley, in light of the new CISA guidelines, as organizations prepare to deliver on the expectations, given that you shared the different approaches, and I'm sure companies are following through with some of them, if not all of them. And again, I'm not in the know of exactly what the guidelines are from CISA. But just at a general level, I often feel that maybe it's good to provide them with more than less. So would it make sense to provide them with the results from using more than one approach? Or, based on what I heard, it seems that the unauthenticated scan seems to be the best approach. Can you please clarify?

Huxley Barbee:

Yes. So BOD 2301, the binding operational directive 2301, which was just published, I think a week ago, and what it's saying is you need to do two things: asset discovery and vulnerability enumeration. Alright, so let's focus on the asset discovery part here. I'm going to read you a quote from the directive. That says "asset discovery is a building block of operational visibility and it is defined as an activity through which an organization identifies what network addressable IP assets reside on their networks, and identifies the associated IP address or hosts as a distributed non-intrusive and usually does not require special logical access privileges." That second sentence is so key, it needs to be non-intrusive, and does not require special logical privileges. Non-intrusive means no agents, no authenticated scans, you potentially could do passive network monitoring, but as we discussed earlier, with a passive network monitor the fingerprinting is often lacking. So effectively, BOD 2301 is suggesting that you use unauthenticated scans for the asset discovery portion of this particular directive. The second part of this is vulnerability enumeration, and depending on the asset discovery tool that you have, you could satisfy some of this. Oftentimes, you don't necessarily need to do a full vuln (vulnerability) check to understand if assets are potentially vulnerable. So for example, let's take an analogy here. Let's say you and I see somebody on the street and we see that this person is wearing glasses, not sunglasses, so like glasses, like you're wearing right now. Would it be fair for us to assume that this person probably has some sort of need for corrective vision? Maybe they're nearsighted or farsighted? More often than not, we're going to be right. But you and I are not, well, I don't think you are, you and I are not optometrists, we didn't actually do an eye exam on this person. We didn't have them go through and recognize very small letters up on the wall, we didn't do an eye exam, so how can we be sure? Well, even though we didn't do an eye exam, more often than not, we're going to be right, this person has the need for corrective vision. Very similarly, with vulnerability scanning, the right thing to do is, of course, to do a full vuln check, right, but oftentimes, just by knowing that, hey, this vulnerability affects these services. So for example, going back to Equifax, just by knowing the version of Apache Struts that's running on a device, you could probably tell, hey, this is affected by this vulnerability. So very similarly, just by having a good asset inventory, you can say, oh, because this device has these services on it, there is high potential, we have reasonable confidence to believe that this vulnerability is present on that particular asset. This is not to say you don't need to do a vuln check, we always recommend that you do a full vuln check anyway. Always go to the optometrist and check your vision. But having good asset discovery and good asset inventory actually takes you quite a ways towards satisfying that need for vulnerability enumeration, not necessarily full compliance with DoD 2301. But certainly good asset discovery takes care of the asset discovery part of the directive and can take you part of the way through the vulnerability enumeration part of the directive.

Dr. Dave Chatterjee:

Very interesting. In fact, as you were describing the expectations, a thought crossed my mind: is there going to be a directive, unless there is one, that requires organizations to promptly respond to vulnerability discoveries and document the actions taken? In other words, it is one thing to have vulnerability enumeration, to have comprehensive asset discovery. It's fundamental. It's at the foundation of everything. But it is equally important for organizations to report on the actions taken in response to the discoveries. Is there a CISA directive to that effect? Can you shed some light on that, please?

Huxley Barbee:

So there's not anything like that, as far as I know, that comes from a government directive similar to this BOD 2301, which, to be fair, has been published, but it's not enforced yet. The deadline for this is April 23rd of 2023. So civilian federal agencies have time to be compliant. But in terms of directives that require folks to remediate within a certain amount of time, I have not seen that yet. However, I do think it's relevant to mention that in the private sector, the driver could come from insurance in some cases. Now, obviously, there are many private organizations that take CISA's directives to heart and they'll voluntarily follow directives like this, even though they're not a civilian federal agency, just because it's good practice. There are many things that the prudent person principle, right, when applied correctly, would effectively mean that these private organizations take on CISA directives, CIS benchmarks and what have you and follow those. But we've noticed recently that there are cybersecurity insurance policies that require organizations to have a certain percentage of coverage of security controls on their assets. So what do I mean by that? So let's say, this is just an example, I'm quoting a specific cybersecurity insurance policy here, but a policy might say that an organization must have 95% coverage of endpoint detection and remediation on all their assets. And this might affect whether or not they qualify for the insurance in the first place. Or maybe it might affect what they have to pay in terms of premiums or something like that. But think about how you would answer that question, where you're certifying that 95% of your assets are covered by endpoint detection and remediation. Well, 95% of what? Well, 94% of your entire asset inventory. So without having a comprehensive asset inventory, you can't really answer the question of whether or not I have 95% coverage for EDR on all my assets. So whether it be a government issued directive or a financial requirement that arises from cybersecurity insurance, one way or another in the future, we might see organizations having to come up with some sort of SLAs for remediation of these vulnerabilities, or at least being proactive about security on those assets.

Dr. Dave Chatterjee:

Very true! That makes a lot of sense. At the end of the day, there needs to be a recognition that comprehensive asset discovery is extremely important for a variety of reasons. And unless the organization is willing to have a good plan in place, a good procedure in place to engage in that exercise, they are going to be hurt more than anything else. So one is compliance, the other is a substantive buy-in where an organization might decide to go beyond the compliance expectations. Of course, there is the time factor, there's the cost factor, there are other factors to be taken into consideration. But based on what I learned from our discussion today, it's a no-brainer that at the heart of the security program is the identification of all the sensitive assets, where they all reside, even before you can start classifying them, categorizing them. So this is such an important discussion, such an important area of cyber governance.

Huxley Barbee:

I want to double down on what you're saying here, please, please add to this right there. And this is not me, this actually came from a customer. He told me that having comprehensive asset inventory allowed for his company, his organization, to move from a reactive security program to a proactive security program. So, think about it this way, if you don't know what you have, right, and the adversary is coming through into your network laterally, moving through your unknown unknowns, you're always going to be on the back foot, you're always finding out about things that you didn't know about and having to react and try and figure out what it is and deal with it with very little information. Oftentimes, like I said before, you know, the adversary does recon, they do recon. And so therefore, oftentimes the adversary knows more about your network than you do. And of course, to combat that you need comprehensive asset inventory. But by moving ahead with comprehensive asset inventory, they were able, because they knew about all the assets, they were able to start becoming proactive about the security program. Oh, here, all these assets are there, like we didn't know about, let's go ahead and get security controls on them, like install EDR where that's possible, do a vuln scan of them where possible, right. By having that asset inventory, comprehensive asset inventory, they were able to move from a reactive security program to a proactive security program. And this is not to say that's the only ingredient that needs to go into making that transformation. But this particular customer credited this one improvement for that journey that they were able to go on.

Dr. Dave Chatterjee:

Absolutely. And thanks for sharing. That means I couldn't emphasize enough the importance of being proactive and not reactive, I can't emphasize enough the importance of engaging in comprehensive asset discovery without any kind of influence. Doing it on your own, because you, meaning the organization, because you recognize this as such an important part of good cyber discipline. And frankly, if at any point an organization is in a court of law having to make their case about whether they were negligent or not, if they can provide evidence that they have engaged in comprehensive asset discovery on a regular basis, and they have addressed the issues that have come up as a result of the discovery. And if there is a record of such sustained activity, proactive activity, that could only favor the organization, that could beef up the defense of the organization. So I can only see positives of taking this proactive approach.

Huxley Barbee:

100%.

Dr. Dave Chatterjee:

Fantastic. So we are kind of coming to the end of our discussion today. I'd like to give you the opportunity to fill in the gaps, if any. And also if you wanted to summarize some of the key takeaways from our chat this morning.

Huxley Barbee:

Sure, absolutely. I think one thing that we haven't touched on here is that oftentimes asset inventory is not called out in security budgets. You'll see in security budgets, they need to spend x amount of dollars on EDR, on vulnerability management, and so on, so forth, but oftentimes asset inventory is not called out as a specific line item. And I would encourage all the folks who can, security managers, security directors, even security practitioners, to lobby with their leadership all the way up to the board of directors and say, Hey, listen, this is foundational to our ability to execute our security program in an effective way. We need to have a specific budget for asset inventory. So that is one thing. I think the second thing, we already talked about it but I just want to reemphasize how important it is, how important asset discovery is to having a proactive security program. Without it, you couldn't do it. Right. I'm not saying it's sufficient, but it's certainly required. Can I also plug runZero?

Dr. Dave Chatterjee:

Please do that.

Huxley Barbee:

Yeah. So runZero is a cybersecurity asset management solution that leverages both unauthenticated scans as well as API ingests, that allows you to have a full asset inventory, comprehensive asset inventory, faster than anybody else. And it is able to help you with your security programs by identifying security controls coverage gaps, improving your vulnerability management program and identifying risky assets. So you can be as proactive as you can with your security program. And if you would like to try runZero, just go to the website, www.runZero.com, you can go ahead and download our solution. And you can get a full asset inventory, starting in less than 60 minutes.

Dr. Dave Chatterjee:

Awesome! In that spirit of making people aware of resources that they can check out, how about providing listeners with some selection criteria, when they are evaluating different products in the market, asset discovery products? What should they be aware of? What are the kinds of questions they should be asking? So it helps them in making good selections?

Huxley Barbee:

Yeah, so one important thing is to understand the methodology, the solution approaches. Are you using an agent based approach? Are you using an authenticated scan approach, passive network monitor, unauthenticated scan, and so on, so forth? The other one would be how long does it take? What does the deployment look like? Do I need professional services in order to get this done? Do I need to install hardware? Or is this just something that I can self-service download without a credit card, and get started with in less than 60 minutes? And I think the third thing that you want to look at is what is the level of detail that I'm able to gather from this asset inventory. So as I mentioned before, it's not just about whether you have a list of devices, it's also about what's running on them, what ports are they listening on? What services do they have? And who is the owner of these assets? And then I think the fourth thing is, what else can this asset inventory do for me? Can it help me out with identifying security controls coverage gaps, can it help me out with improving the vulnerability management program, and so on. So

Dr. Dave Chatterjee:

Well, thank you so much Huxley. This has been a pleasure. Appreciate your time and insights. And I'm sure we will have many more discussions in the future. Thank you again.

Huxley Barbee:

Thank you, Dr. Chatterjee, this has been fun. Thank you.

Dr. Dave Chatterjee:

A special thanks to Huxley Barbee for his time and insights. If you liked what you heard, please leave the podcast a rating and share it with your network. Also, subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.

Introducer:

The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.

About the Podcast

The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host


Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is a tenured professor in the Management Information Systems (MIS) department at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee's interest and expertise lie in the various facets of information technology management, from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee's research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.