First and foremost, know what you have in your IT environment. How else could you secure it? But in any environment, big or small, without a good asset management system we tend to lose things: old servers that have never been turned off, temporary switches that have been forgotten in a closet, a personal test VM or a container that keeps on running long after a developer has left the company. These things end up being thorns in our side when troubleshooting day-to-day problems in operations and, even worse, they are gaping holes in the company's security posture.
Where are my Assets?
First, let us define what an asset is in a security context: "assets are entities of value on a network that can be exploited. This includes laptops, desktops, servers, routers, mobile phones, virtual machines, software containers, and cloud instances."
So, we need good asset management to track all these entities, preferably with something better than the old Excel sheet that everyone forgets to update or, worse, that different teams and departments keep in different versions. We need a single source of truth.
The reason people forget to update it manually is often that in the modern IT environment changes to infrastructure have become more dynamic, and user assets come and go. Every organization is trying to be flexible, fast and agile, and thus asset management becomes a crucial factor in keeping everything structured.
BYOD devices are brought in to make end users more productive, but they also expand your attack surface without any visibility. Virtual machines and Docker containers allow for rapid up- and down-scaling and give developers the means to be even more agile in their development. This means that we as security professionals must adapt and need a more flexible toolset to cover these possible new attack vectors.
How do we discover these assets?
One way to automate asset management is to use a built-in feature of Tenable SecurityCenter, also known as .SC, or the equivalent cloud platform called Tenable.io.
With these tools as repositories of asset management data, on premise or in the cloud, we can deploy Nessus network scanners in key segments of the network to find and track any IP-based asset in the network and send this data to a .SC or .IO instance.
What those key network segments are depends on your network architecture, where the firewalls are located in the design and how they are configured. It is best practice to avoid Nessus scans through any firewall: most firewalls are session based and do not take kindly to a Nessus scan, which always opens a lot of TCP sessions to the same host on unusual ports.
Within these firewall constraints, Nessus discovery scans are lightweight fingerprinting scans with low resource requirements that can run on pre-configured schedules to maximize discovery coverage.
To make sure we capture all possible assets we can also deploy passive scanners close to the gateways of the network. These passive scanners analyze network streams and identify hidden or forgotten IP devices. This is also one of the best ways to shine a light on some of that infamous shadow IT.
Asset & Vulnerability Management
On a technical level the overhead on network traffic performance is minimal because we use network mirror or SPAN ports. These create a copy of passing traffic and send it through our passive network scanners.
When all this data is sent to a Tenable deployment it is correlated and analyzed to create an inventory of uniquely identifiable assets. When a later scan happens, Tenable attempts to match incoming scan data to existing assets using a complex algorithm. This algorithm looks at attributes of the scanned hosts and employs a variety of heuristics to choose the best possible match.
If Tenable cannot find a match, the system assumes this is the first time Tenable has encountered the asset and creates a new record for it. Otherwise, if Tenable finds a matching asset, the system updates any properties that have changed since the last time Tenable encountered the asset.
What we end up with is a database of records containing the following information per asset:
- Interfaces (IP address and MAC address)
- DNS Names
- NetBIOS Name
- Operating System version
- Installed patches
- Installed Software
- UUIDs (Tenable, ePO, BIOS)
- Whether an agent is present
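To make the matching step concrete, here is an added illustration (not Tenable's code, and not a description of its actual algorithm) of how incoming scan records can be reconciled against an inventory of records with the fields listed above. The ordering of heuristics, the sample hosts and the scan records are assumptions constructed for the example: strong identifiers (agent or BIOS UUID) are tried first, then a shared MAC address, and only then a name plus IP overlap, so that a reused hostname on a different network does not silently merge two machines into one record.

```python
"""Asset reconciliation example (added illustration, not Tenable's own code).

Incoming scan records are matched against an existing inventory using ordered
heuristics; the record layout follows the field list in the text, the matching
order, thresholds and sample data are assumptions for this example.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field


@dataclass
class Asset:
    asset_id: str
    ips: set[str] = field(default_factory=set)          # current interfaces
    macs: set[str] = field(default_factory=set)         # every MAC ever seen
    dns_names: set[str] = field(default_factory=set)
    netbios_name: str | None = None
    os: str | None = None
    tenable_uuid: str | None = None                     # agent UUID
    bios_uuid: str | None = None
    has_agent: bool = False
    first_seen: str = ""
    last_seen: str = ""


def _norm_mac(mac: str) -> str:
    """Scanners report MACs in mixed case and with '-' or ':' separators."""
    return mac.strip().lower().replace("-", ":")


def match_asset(inventory: dict[str, Asset], scan: dict) -> Asset | None:
    """Return the inventory record that best matches a scan record, or None."""
    assets = list(inventory.values())
    # 1. Agent / BIOS UUIDs are the strongest keys: they survive re-addressing.
    for key in ("tenable_uuid", "bios_uuid"):
        value = scan.get(key)
        if value:
            for a in assets:
                if getattr(a, key) == value:
                    return a
    # 2. A shared MAC ties the record to a physical or virtual NIC.
    scan_macs = {_norm_mac(m) for m in scan.get("macs", [])}
    for a in assets:
        if a.macs & scan_macs:
            return a
    # 3. Names alone are weak (reused hostnames, DHCP churn): require a name
    #    match AND an IP overlap before accepting the match.
    scan_ips = set(scan.get("ips", []))
    scan_names = {n.lower() for n in scan.get("dns_names", [])}
    nb = (scan.get("netbios_name") or "").lower()
    for a in assets:
        name_hit = (a.dns_names & scan_names) or (
            nb and a.netbios_name and a.netbios_name.lower() == nb)
        if name_hit and (a.ips & scan_ips):
            return a
    return None


def apply_scan(inventory: dict[str, Asset], scan: dict) -> tuple[Asset, bool]:
    """Merge one scan record into the inventory; returns (asset, created)."""
    asset = match_asset(inventory, scan)
    created = asset is None
    if created:
        asset = Asset(asset_id=str(uuid.uuid4()), first_seen=scan["scan_time"])
        inventory[asset.asset_id] = asset
    # Interfaces are replaced, not accumulated: stale IPs would later produce
    # false name+IP matches. MACs and DNS names are kept as history.
    if scan.get("ips"):
        asset.ips = set(scan["ips"])
    asset.macs |= {_norm_mac(m) for m in scan.get("macs", [])}
    asset.dns_names |= {n.lower() for n in scan.get("dns_names", [])}
    for key in ("netbios_name", "os", "tenable_uuid", "bios_uuid"):
        if scan.get(key):
            setattr(asset, key, scan[key])
    asset.has_agent = asset.has_agent or bool(scan.get("has_agent"))
    asset.last_seen = scan["scan_time"]
    return asset, created


def reconcile(inventory: dict[str, Asset], scans: list[dict]) -> dict[str, int]:
    counts = {"created": 0, "updated": 0}
    for scan in scans:
        _, created = apply_scan(inventory, scan)
        counts["created" if created else "updated"] += 1
    return counts


# Constructed sample data: two known assets and four incoming scan records.
def sample_inventory() -> dict[str, Asset]:
    web = Asset("a-web01", ips={"10.0.1.10"}, macs={"00:50:56:aa:bb:01"},
                dns_names={"web01.corp.example"}, os="Ubuntu 20.04",
                tenable_uuid="agent-web01", has_agent=True,
                first_seen="2021-03-01", last_seen="2021-03-01")
    sw = Asset("a-sw-closet", ips={"10.0.9.2"}, macs={"00:1b:21:cc:dd:02"},
               os="Cisco IOS", first_seen="2021-03-01", last_seen="2021-03-01")
    return {web.asset_id: web, sw.asset_id: sw}


SAMPLE_SCANS = [
    # web01 got a new IP; the agent UUID still identifies it -> update
    {"scan_time": "2021-04-01", "ips": ["10.0.1.55"], "macs": ["00:50:56:AA:BB:01"],
     "dns_names": ["web01.corp.example"], "os": "Ubuntu 20.04",
     "tenable_uuid": "agent-web01", "has_agent": True},
    # forgotten closet switch seen by a passive scanner; MAC is the stable key -> update
    {"scan_time": "2021-04-01", "ips": ["10.0.9.2"], "macs": ["00-1B-21-CC-DD-02"],
     "dns_names": [], "os": "Cisco IOS"},
    # a brand-new developer test VM -> create
    {"scan_time": "2021-04-01", "ips": ["10.0.1.77"], "macs": ["00:50:56:aa:bb:77"],
     "dns_names": ["devtest.corp.example"], "os": "Windows Server 2019",
     "bios_uuid": "bios-0077"},
    # same hostname as web01 on another network, no MAC: name alone is not enough -> create
    {"scan_time": "2021-04-02", "ips": ["192.168.50.5"], "macs": [],
     "dns_names": ["web01.corp.example"], "os": "Debian 10"},
]


def demo() -> tuple[dict[str, int], dict[str, Asset]]:
    inventory = sample_inventory()
    return reconcile(inventory, SAMPLE_SCANS), inventory


if __name__ == "__main__":
    counts, inventory = demo()
    print(counts)
    for a in inventory.values():
        print(a.asset_id, sorted(a.ips), sorted(a.macs), sorted(a.dns_names), a.os, a.last_seen)
```

Running `demo()` on the constructed data yields two updates and two new records: the re-addressed web server and the closet switch are recognised, while the fourth scan, which shares only a hostname with web01, becomes a separate asset rather than overwriting the existing record. In a real deployment the important design decision is the same one the example encodes: which attributes are strong enough to merge on, and which must be combined before a match is trusted.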
If we have scanned all segments and deployed the passive scanners at all the network gateways, we should now have a complete view of all IP-based assets in our network.
With this information we have the knowledge and capabilities to move on to the next levels of a layered security approach and start thinking about implementing vulnerability management, compliance checks, or making sure that devices in our organization are all configured according to corporate policy.