Asset mapping and detection: How to implement the nuts and bolts
Detective TV shows generally spotlight the brilliance of the lead detective — whether it is Richard Castle, Inspector Morse or Jane Tennison, the show's lead gets the attention. But surrounding such characters are typically a host of others who search online databases, ransack criminal records, go from door to door looking for witnesses and do endless other routine tasks that eventually help their celebrated bosses garner all the glory.
While individual brilliance certainly plays a part, the groundwork carried out by the team is ever-present. And so it is in asset detection and asset mapping.
“Organizationally, it is vital to first understand what everybody is doing and if anybody else is trying something in this space to ensure we are not doing duplicate work,” said Huxley Barbee, a security evangelist at runZero, which helps companies discover unmanaged devices for asset inventory. “But we also need to make sure that the methodologies we're using for asset detection or asset discovery are not spilling over into somewhere else.”
For example, a network scan might run amok, exit its own network and start scanning somewhere else if it isn’t properly tuned. It might then aggressively send packets to an adjacent part of the network that isn’t prepared for that activity, negatively impacting network performance. Therefore, you must align efforts within the organization on the plan going forward.
That’s the underlying organizational aspect.
Getting ready for asset mapping
Technologically, plenty of homework must be done before you execute. One of the early steps is to discover all existing data sources that might have asset inventory data or data that could be useful for a cyber asset inventory. Ask questions such as:
- What data sources already hold this information, and can I leverage them?
- Is there any issue with pulling that data out and having it go somewhere else? The data custody question needs to be thought through.
- How flat or how segmented is my network? The degree of segmentation determines how well a scanning technology can operate in that environment, how many scanners you need to deploy, and how many switches or firewalls must be reconfigured to let scan traffic through.
Consider device types
Barbee said to carefully consider the types of devices present. This includes traditional IT devices, mobile devices, internet of things (IoT) devices and operational technology (OT) devices such as industrial equipment, building systems or power generation equipment. Electronic signage on roadways would also qualify as OT devices for a civilian transportation agency.
“There are many other types of environments that have operational technologies that are under the purview of different agencies,” said Barbee. “You need to understand those types of devices as they materially affect which solution approach you can take when you're trying to do asset discovery.”
Barbee cited a statistic that 90% of chips are not manufactured for traditional IT devices such as servers, PCs and laptops. They are made for embedded devices for IoT and OT use cases. IoT examples include printers, IP cameras and smart speakers, with most running some version of Linux. These are all operating somewhere on the network these days. On the OT side, there's even more variety.
“The OT device you're going to find in an electrical plant is going to be different than what you find in a pharmaceutical factory versus what you find in a water treatment plant,” said Barbee. “They're called field devices, programmable logic controllers (PLCs) and other names that are not part of traditional networking terminology.”
Note, too, that OT devices are often designed quite differently from IT devices. They are not necessarily built with planned obsolescence in mind, for example. While a phone or laptop might be replaced every three to five years, some OT devices have been around for 30 years or even longer in some cases. That fact alone introduces another level of heterogeneity to OT environments.
Asset mapping practicalities
The nuts-and-bolts essentials of asset mapping include discovering the IoT devices that have been orphaned over time.
Perhaps someone in IT set up a server and then moved on to another role or another company. You can end up with a service, a device and an application that have been completely forgotten. They are not getting updates and are not being patched. Endpoint Detection and Response (EDR) tools may be great for endpoint protection, but they will miss some of these orphaned devices and may not cover IoT and OT devices at all. EDR tools, therefore, may not give you a complete asset inventory.
Similarly, vulnerability scanners often have long lists of items and IPs in their exclusion lists. This is sometimes done due to cost issues (the organization can only afford to scan certain portions of the network) or because there are rules on when and where they can scan.
“When a vulnerability scanner is not tuned well, it can overload the network, causing network congestion,” said Barbee on a recent Cyber Work Podcast.
In addition, many devices are prone to disruption, and a vulnerability scanner will send a security probe to determine whether that vulnerability exists and is exploitable. Some devices and applications are coded for very specific inputs, which is especially true with IoT and OT devices, where code was written to respond to a button being pressed or a switch being flipped.
“That code is not expecting arbitrary input over the network,” said Barbee. “If it's not handled well, the device can reboot, freeze up, or crash.”
Go beyond what you already know
A common problem is that many existing solutions will only tell you more about what you already know, not what you don't know.
That’s why it’s best to take a combined approach of using API integrations, pulling in from data sources, but also using an authenticated active scanner that can go out on the network to actively find things that you already know about — as well as the things you don't know about.
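The combined approach above boils down to cross-checking what each source claims against what an active scan actually finds. The following Python is an added example written for this article, not code from runZero or from the podcast; the EDR agent list, CMDB export, scan results and vulnerability-scanner exclusion range are all constructed sample data, and the gap categories are the author's own labels. It reports the hosts that exist on the network but in no management system (the orphaned devices discussed above), the hosts that are recorded but unprotected, and the discovered hosts that fall inside a scanner exclusion list.

```python
import ipaddress

# All four inputs below are constructed sample data for this example.
EDR_AGENTS = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}   # hosts reporting an EDR agent
CMDB_RECORDS = {                                        # hostname per IP, as a CMDB export would give it
    "10.0.1.10": "web-01",
    "10.0.1.11": "web-02",
    "10.0.2.20": "db-01",
    "10.0.2.21": "db-02",
}
ACTIVE_SCAN = {                                         # IP -> open TCP ports seen by an active scan
    "10.0.1.10": [22, 443],
    "10.0.1.11": [22, 443],
    "10.0.2.20": [5432],
    "10.0.3.5": [80, 9100],                             # a printer nobody recorded
    "10.0.9.7": [502],                                  # a Modbus/TCP device on an OT segment
}
VULN_SCAN_EXCLUSIONS = ["10.0.9.0/24"]                  # ranges the vulnerability scanner never touches


def _ip_sorted(ips):
    """Sort dotted-quad strings numerically rather than lexically."""
    return sorted(ips, key=ipaddress.ip_address)


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def reconcile(edr, cmdb, scan, exclusions):
    """Cross-check three inventories and the vuln-scan exclusion list.

    Returns a dict of the gaps a practitioner wants to see:
      unmanaged   - on the network but in neither the EDR console nor the CMDB
      no_edr      - recorded in the CMDB but not protected by an EDR agent
      stale_cmdb  - recorded in the CMDB but not seen by the active scan
      unscanned   - discovered hosts that sit inside a vuln-scan exclusion range
    """
    discovered = set(scan)
    known = set(edr) | set(cmdb)
    excluded_nets = [ipaddress.ip_network(n) for n in exclusions]
    return {
        "unmanaged": _ip_sorted(discovered - known),
        "no_edr": _ip_sorted(set(cmdb) - set(edr)),
        "stale_cmdb": _ip_sorted(set(cmdb) - discovered),
        "unscanned": _ip_sorted(ip for ip in discovered if _in_any(ip, excluded_nets)),
    }


if __name__ == "__main__":
    gaps = reconcile(EDR_AGENTS, CMDB_RECORDS, ACTIVE_SCAN, VULN_SCAN_EXCLUSIONS)
    for gap, hosts in gaps.items():
        print(f"{gap:>10}: {', '.join(hosts) or '-'}")
```

With the constructed data, the printer and the Modbus device show up as unmanaged, db-02 appears in the CMDB with neither an agent nor a scan hit, and the Modbus device is additionally flagged because the exclusion list keeps the vulnerability scanner away from its subnet. In practice the three inputs would be pulled through each product's API export rather than hard-coded.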
Incremental fingerprinting is another smart approach where you don't just query for all the details you want from a particular device. Instead, you send a benign query to that device to understand what it might be. If there's an indication that it is prone to disruption, tailor the succeeding queries to the device to make sure it doesn’t crash.
“It has to be done in such a way that it's not going to disrupt those fragile devices,” said Barbee.
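Two points from this article, a scan that must not wander outside the ranges it is authorized for and incremental fingerprinting that tailors follow-up queries to what a benign first look reveals, can be shown together in one planner. The Python below is an added example for this write-up and is not runZero's implementation or code from the podcast. The authorized scope, the simulated per-host observations, the port-to-protocol hint table and the four named follow-up stages are all assumptions constructed for illustration; the benign probe is simulated rather than sent, so the block runs offline.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed authorization scope: the only ranges this planner may ever target.
AUTHORIZED_SCOPE = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed stand-in for the network: what a single benign probe (a TCP
# connect per port plus reading whatever banner the service volunteers) observes.
SIMULATED_NETWORK = {
    "10.0.1.10": {"open": {22, 443}, "banner": "SSH-2.0-OpenSSH_9.3"},
    "10.0.3.5": {"open": {80, 9100}, "banner": ""},   # printer-style device, says nothing
    "10.0.9.7": {"open": {502}, "banner": ""},        # Modbus/TCP controller, says nothing
}

# Open ports whose presence alone hints at an embedded or OT device written to
# expect a narrow set of inputs (assumed table for this example).
FRAGILE_HINT_PORTS = {
    102: "s7comm", 502: "modbus", 9100: "raw-print", 20000: "dnp3",
    44818: "ethernet/ip", 47808: "bacnet",
}

# Follow-up stages in order of intrusiveness. The flag marks stages that send
# only a single well-formed request the protocol itself defines.
FOLLOW_UP_PROBES = [
    ("protocol_identity", True),   # e.g. the protocol's own "read device identification"
    ("service_version", False),    # varied and malformed inputs; can wedge embedded firmware
    ("os_fingerprint", False),
    ("vulnerability_check", False),
]


@dataclass
class ProbePlan:
    ip: str
    classification: str                 # out-of-scope | no-response | fragile | standard
    hints: list = field(default_factory=list)
    follow_ups: list = field(default_factory=list)
    rate_limit_pps: int = 0             # packets per second allowed in the follow-up stage


def in_scope(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORIZED_SCOPE)


def benign_probe(ip, network=SIMULATED_NETWORK):
    """Stage 1: the least intrusive observation available. Simulated here."""
    return network.get(ip)


def classify(observation):
    """Decide from the first look alone whether the device is likely fragile."""
    hints = sorted(FRAGILE_HINT_PORTS[p] for p in observation["open"] if p in FRAGILE_HINT_PORTS)
    return ("fragile" if hints else "standard"), hints


def plan(ip, network=SIMULATED_NETWORK):
    """Build a per-device plan: refuse out-of-scope targets, then stage the rest."""
    if not in_scope(ip):
        # Refuse before anything is sent; this is the guard against a scan
        # drifting into an adjacent network that is not prepared for it.
        return ProbePlan(ip, "out-of-scope")
    observation = benign_probe(ip, network)
    if not observation or not observation["open"]:
        return ProbePlan(ip, "no-response")
    classification, hints = classify(observation)
    if classification == "fragile":
        follow_ups = [name for name, safe in FOLLOW_UP_PROBES if safe]
        rate = 1      # one packet per second; never hurry a device that may reboot
    else:
        follow_ups = [name for name, _ in FOLLOW_UP_PROBES]
        rate = 50
    return ProbePlan(ip, classification, hints, follow_ups, rate)


if __name__ == "__main__":
    for target in ["10.0.1.10", "10.0.3.5", "10.0.9.7", "10.0.5.5", "192.168.1.1"]:
        print(plan(target))
```

The point of the structure is that the decision about what to send next is made per device after the cheapest observation, not up front for the whole range: the Modbus controller and the printer get a single protocol-defined identity request at one packet per second, the OpenSSH host gets the full set, and an address outside the authorized range never reaches the probe function at all. A real deployment would replace benign_probe with a socket connect under a short timeout and keep the same staging.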
Importance of asset mapping
Asset detection and asset mapping are critical components of effective cybersecurity, but it’s important to think through your network and any implications around pulling data before you get started.
By discovering all existing data sources and carefully considering the types of devices present, you can create and execute an effective plan.
For more tips on asset detection and asset mapping, listen to the full Cyber Work Podcast with Huxley Barbee.