Guessing how many marbles are in a jar is either a fun carnival game (take the average of the crowd's guesses) or a math problem involving sphere volume, cylinder volume, and an estimate of the space between the balls. You can also simply count the marbles.
Unfortunately, when it comes to identifying the number of devices connected to your network, none of these approaches work – although near-manual counting is still all too common. Typically, organizations only know about 70% of the devices actually on their networks. That will not win you a stuffed animal or a passing grade.
With the growing number and type of devices distributed across campuses, data centers, cloud, and OT/IoMT networks, it has become increasingly difficult to identify them all. Unlike marbles, you need to know much more than the number of devices. You need to know what they are, how they are connected (wired/wireless), where they are physically located (building, closet, switch, port) and what their purpose is.
Visibility and asset management go hand in hand. An accurate and context-rich asset management database, typically a configuration management database (CMDB), is needed to understand device function, relationships, business criticality, dependencies and so on. Together, this information enables you to manage asset lifecycles and optimize performance and availability while reducing cost and security risk.
To do its job, the CMDB must be continuously updated as new assets join the network or configurations change. Most CMDBs cannot continuously discover and collect data for all devices connected to the network in real time, especially for agentless IoT and OT systems. That's the job of a cybersecurity asset management solution. Two-way communication that synchronizes information from your cybersecurity asset management solution with your CMDB increases the value of your CMDB by ensuring you have a single source of truth.
Continuous discovery, classification and evaluation
Too often, knowing what's going on on the network still involves searching for siloed information and manually picking up the pieces. Security teams have limited visibility into devices and their interactions. Governance policies are enforced, at best, through fragmented products, and those products are only half deployed. In short, the overall security posture of the network, its assets and its users is not known at any given time. In this state, you are constantly putting out fires, at least the ones you are aware of.
A best-practice visibility strategy leverages tools that continuously discover all devices, without agents (using agents only by exception), as soon as they connect; automatically classify them based on device attributes; and assess their adherence to policy using a policy engine that compares the current state to the policy:
- Continuous discovery relies on multiple mechanisms to detect every asset on the WAN, including computing, IoT, IoMT, and OT devices.
- Continuous classification provides valuable information about the device type, vendor, model, function, user, and the operating system running on it.
- Continuous assessment determines what is installed, configured, and running on the device, and whether that configuration and state has changed.
Continuous is the key word. It only takes one device with outdated or inaccurate configuration details for attackers to seize the opportunity to breach a network. Partial visibility = partial protection.
Symbiotic tools provide 100% visibility
Network visibility uses a variety of passive discovery and active assessment or integration techniques to identify all IP-connected devices. They fall into four categories:
- Discovery with network integrations
- Discovery and classification with traffic monitoring
- Discovery and classification with scanning
- Assessments with third-party tool integrations
Connecting to network routers, switches and WLAN controllers via SNMP, CLI or API enables asset discovery and provides critical contextual data for risk assessment and control. You see the IP address of the switch the asset hangs off; the vendor and whether the port is PoE; the port name, alias and configuration; and more. Since network integrations provide the physical location of each device, they are especially useful for globally dispersed networks. If you want to know 100% of the devices connected to the network, ask the network.
Network traffic monitoring
Traffic monitoring tools are used for asset discovery and classification. They are easy to install and, because they are deployed passively, cause minimal disruption. In addition to performing deep packet inspection (DPI), they can identify HTTP and DHCP user agents and communication flows. However, it is not possible to put sensors everywhere in a global network. If not all device communications pass through the sensor locations at central choke points, devices can be missed altogether.
Scanners improve the classification of all devices, including remote devices. They actively probe for ports, banners, and information that cannot be seen passively. Like traffic monitoring tools, they leave gaps in visibility: devices that don't respond to scans are missed, as are assets that aren't present during the scheduled scan intervals. Many devices are also sensitive to active probing, which can disrupt business or, worse, harm IoMT, IoT, and OT/ICS assets.
Integration with third-party tools via APIs and SQL provides a wealth of additional asset insight. It allows security products to complement each other and strengthens your overall defenses. To verify accuracy, however, information captured through third-party integration must be reconciled with data from the other three collection methods. This is especially true when data reliability depends on a properly managed device with a properly configured agent that you don't control.
Each technique discussed here has its advantages and disadvantages, and no single one works on all types of devices. This is not surprising, given the disparate universe of IP-connected assets. A mix of active/passive network techniques and active/passive asset techniques is needed for the safe discovery and classification of all types of devices. These should be configurable per condition, not as a single global setting. IoMT and OT/ICS require a different approach from that used for more resilient IT devices.
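The reconciliation described above, as an added example that is not Forescout's code or part of the original post: records from a network integration (switch and port), a passive traffic sensor and an active scanner are merged by MAC address, then compared with a CMDB so a two-way sync can push unknown assets in and flag stale entries. All MACs, IPs, switch names and CMDB fields are constructed sample values.

```python
"""Reconcile device records from several discovery sources into one inventory.

Constructed sample data (hypothetical MACs, IPs and switch names), keyed by MAC.
"""
from collections import defaultdict

NETWORK_INTEGRATION = {  # switch/WLC via SNMP or CLI: gives physical location
    "00:11:22:33:44:01": {"ip": "10.1.5.20", "switch": "sw-bldg2-cl3", "port": "Gi1/0/7", "poe": True},
    "00:11:22:33:44:02": {"ip": "10.1.5.21", "switch": "sw-bldg2-cl3", "port": "Gi1/0/8", "poe": False},
    "00:11:22:33:44:03": {"ip": "10.1.5.22", "switch": "sw-bldg2-cl3", "port": "Gi1/0/9", "poe": True},
}
TRAFFIC_MONITORING = {  # passive sensor at a choke point: sees only traffic that passed it
    "00:11:22:33:44:01": {"dhcp_vendor_class": "MSFT 5.0", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0)"},
    "00:11:22:33:44:02": {"dhcp_vendor_class": "udhcp 1.30", "http_user_agent": None},
}
SCANNER = {  # active probe: sees only hosts that were up and answered
    "00:11:22:33:44:01": {"open_ports": [135, 445, 3389]},
}
CMDB = {  # existing asset database, possibly stale
    "00:11:22:33:44:01": {"owner": "Finance", "criticality": "high"},
    "00:11:22:33:44:99": {"owner": "Facilities", "criticality": "low"},  # no longer on the network
}


def reconcile(network, traffic, scanner, cmdb):
    """Merge per-source records by MAC and compare the result with the CMDB."""
    sources = {"network": network, "traffic": traffic, "scanner": scanner}
    assets = defaultdict(lambda: {"seen_by": []})
    for name, records in sources.items():
        for mac, attrs in records.items():
            assets[mac].update(attrs)          # later sources add attributes, never drop them
            assets[mac]["seen_by"].append(name)
    for mac, asset in assets.items():
        asset.update(cmdb.get(mac, {}))        # enrich with business context where the CMDB has it
    return {
        "assets": dict(assets),
        # records the CMDB lacks: what a two-way sync would push into it
        "missing_from_cmdb": sorted(set(assets) - set(cmdb)),
        # CMDB entries no discovery source can still see: candidates for review or retirement
        "stale_in_cmdb": sorted(set(cmdb) - set(assets)),
    }


def coverage(assets, source):
    """Share of the reconciled inventory that one source saw on its own."""
    return sum(source in a["seen_by"] for a in assets.values()) / len(assets)
```

With this sample, `coverage` shows the passive sensor seeing two of three devices and the scanner only one, while the switch integration sees all three, which is the gap the text describes.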
At Forescout, we use information from our Global Cyber Intelligence dashboard to automatically classify devices based on over 150 attributes each. Crowdsourced from anonymized information across more than 3,500 global customer deployments and 11 million devices, the repository contains data on more than 500 operating systems and 5,000 device vendors and models – and it is still growing.
What to Look for in a Device Visibility and Cyber Asset Management Solution
Automated network security, including device visibility, is evolving rapidly. Vendors and organizations use the terms differently, so ask what they mean. Scanners are a prime example. Does the tool scan the network or query the assets? When you say "network integration", do you mean a mirror port or SNMP/CLI access to the network devices? One hundred percent visibility with only a few mirror ports in a globally distributed environment? Look closer.
Don't let vendors hide behind loosely defined terms. Full visibility requires a combination of the techniques described here, at least for now. If someone says you only need one or two, challenge them.
Here are four qualifying questions to protect you. The first two are obvious:
- Does it easily integrate with our existing infrastructure and tools? Network security is already complex. There is no need to add more complexity.
- Is it technology independent or do we have to buy a proprietary platform? Visibility should improve the value of your current investments, not add unnecessary costs.
- How fast is the time to value? For a complete visibility solution, continuous discovery should deliver value within days of deployment – now you can see everything on your network! For large, complex environments, expect to take full advantage of continuous classification and assessment in just over a month, on average. There is a difference between seeing "everything" and "EVERYTHING" on your network. Claims of "one day, one sensor, one cable, full visibility" must be carefully checked.
- Can it automatically sync all device information into our CMDB? To serve as a single source of truth for asset management, your CMDB must be continuously updated with real-time information from your visibility solution. It can't do that on its own.
Play to keep – don’t lose your marbles
Asset visibility and management is the foundation of network security. You can’t protect what you can’t see. After a major ransomware attack or other high-profile breach in the news, many cyber leaders feel compelled to go straight for zero trust. Not so fast – you risk overshooting and losing all your marbles.
As your organization matures, security initiatives become more complex and time-consuming, so it's important that each one builds on the last. You need a solid, unshakable base. Start with full visibility.
Before you can secure your network, you need to see the full extent of your attack surface. Find out why total visibility is the main key to zero trust.
About the Author
AJ Dunham has deployed over 150 Forescout installations and is currently developing customer strategies to address the growing challenges of enterprise-wide IT, IoT, IoMT and OT/ICS. He holds a bachelor’s degree in computer networking and information security from NSA-accredited Champlain College and a master’s degree in information assurance from Northeastern University.
The post Cybersecurity Asset Management: Know What’s on Your Network appeared first on Forescout.
*** This is a syndicated blog from Forescout’s Security Bloggers Network written by AJ Dunham. Read the original post at: https://www.forescout.com/blog/cybersecurity-asset-management-know-whats-on-your-network/