All security audits, re-architecture, incident investigations, and threat hunting begin with the question, “What is in the environment that I’m looking at now?” These activities require that the practitioner know what devices, operating systems, business services, subnetworks, and data paths exist where they’re focusing. Asset discovery is critical for a well-managed network and, in particular, for network security. Understanding an organization’s vulnerabilities and risks starts with knowing what assets are in the environment, what business value those assets represent, and where they are located.
Three personas need to understand a complete asset inventory and network mapping: auditor, threat monitoring analyst, and threat hunting analyst. In addition, there are other personas within the network operations environment with a need for this information, but this description focuses on the security environment.
The auditor starts with an asset inventory and network map to understand how complete the technical coverage of the environment is and how mature the processes in place are. They also need to identify vulnerabilities and risks within the environment.
Threat monitoring analysts use asset inventory and network mapping to respond to and investigate Indicators of Compromise (IOCs). When a trigger alerts the threat monitoring analyst, they look at the asset’s attributes to understand the event, the vulnerabilities associated with the asset, the risk level based upon its business value, and its relevant communications partners. They look at assets in immediate proximity to evaluate potential risks and investigation paths. They use network maps to understand the communication paths the asset uses with other assets and to investigate potential communications partners.
Threat hunting analysts use the same investigative techniques as threat monitoring analysts, but their activity triggers are different. Threat hunters proactively investigate to surface unnoticed events and unidentified vulnerabilities. They use the asset inventory to identify previously unrecognized assets and assets that are not under direct management.
It is important to know end-to-end digital paths, and what assets are in those paths, to understand the network and security environment.
Discovery must identify all assets on every network within the environment. It must identify every subnet and how the subnets logically communicate. Asset attributes, such as operating systems and services, must be included in discovery. Discovery must be updated in near real time and must identify and flag new assets. IP address changes must be noted (DHCP lease expiration or other causes) and a history of those changes captured, which means assets have to be tracked by a stable identity rather than by their current IP address.
The system must discover the assets' business services to the extent possible and allow human labeling when discovery is not possible. Automated discovery can leverage fingerprinting and business application discovery for this purpose. This will enable analysts to identify and establish business risk and prioritization. The system must also have the ability to capture business service owners.
Discovery must use the contextual information about the discovered assets to identify known vulnerabilities in the hardware and the software. There are multiple sources of this information.
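The three requirements above (flag new and missing assets and keep an IP history, carry human business-service labels forward when discovery cannot supply them, and match asset fingerprints against known vulnerabilities prioritized by business value) can be illustrated with a small reconciliation routine. This is an added example written for this page, not UncommonX code; the asset records, the fingerprint strings, the `VULN_KB` entries and their scores, and the `Inventory` class are all constructed for the example and do not refer to real products or advisories.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    asset_id: str                 # stable identity (MAC here); the IP is deliberately not the key
    ip: str
    subnet: str
    os: str
    services: Tuple[str, ...]     # fingerprinted service banners
    business_service: Optional[str] = None   # None = discovery could not tell; needs a human label
    business_value: int = 1       # 1 (low) .. 5 (critical), set together with the label


# Constructed vulnerability knowledge base keyed by fingerprint.
# Product names, finding IDs and scores are invented for the example, not real advisories.
VULN_KB: Dict[str, Tuple[str, float]] = {
    "ExampleOS 3.1": ("KB-OS-1: unsupported release", 7.0),
    "ExampleHTTPd 1.2": ("KB-SVC-7: authentication bypass", 9.1),
    "ExampleDB 5.0": ("KB-SVC-9: information disclosure", 5.3),
}


@dataclass
class Inventory:
    assets: Dict[str, Asset] = field(default_factory=dict)
    ip_history: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)  # id -> [(ts, ip)]
    new_assets: List[str] = field(default_factory=list)
    missing_assets: List[str] = field(default_factory=list)

    def ingest(self, snapshot: List[Asset], ts: str) -> None:
        """Reconcile one discovery pass (taken at time ts) against the inventory."""
        seen = set()
        self.new_assets = []
        for a in snapshot:
            seen.add(a.asset_id)
            prev = self.assets.get(a.asset_id)
            if prev is None:
                self.new_assets.append(a.asset_id)          # flag, never silently absorb
                self.ip_history[a.asset_id] = [(ts, a.ip)]
            else:
                if prev.ip != a.ip:                         # DHCP churn or re-addressing: keep the trail
                    self.ip_history[a.asset_id].append((ts, a.ip))
                if a.business_service is None:              # carry the analyst's label forward
                    a.business_service = prev.business_service
                    a.business_value = prev.business_value
            self.assets[a.asset_id] = a
        # Present before, absent now: flag for review rather than dropping from the inventory.
        self.missing_assets = sorted(i for i in self.assets if i not in seen)

    def label(self, asset_id: str, business_service: str, business_value: int) -> None:
        """Human labelling for what automated discovery could not classify."""
        a = self.assets[asset_id]
        a.business_service, a.business_value = business_service, business_value

    def unlabelled(self) -> List[str]:
        return sorted(i for i, a in self.assets.items() if a.business_service is None)

    def prioritised_findings(self) -> List[Tuple[str, str, str, float]]:
        """(asset_id, fingerprint, finding, risk) with risk = severity * business value, highest first."""
        out = []
        for i, a in self.assets.items():
            for fp in (a.os, *a.services):
                if fp in VULN_KB:
                    finding, sev = VULN_KB[fp]
                    out.append((i, fp, finding, round(sev * a.business_value, 1)))
        return sorted(out, key=lambda r: r[3], reverse=True)


def build_demo_inventory() -> Inventory:
    """Two constructed discovery passes: the second sees a lease change and a new host."""
    inv = Inventory()
    inv.ingest([
        Asset("aa:aa:aa:00:00:01", "10.1.0.10", "10.1.0.0/24", "ExampleOS 3.1", ("ExampleHTTPd 1.2",)),
        Asset("aa:aa:aa:00:00:02", "10.1.0.11", "10.1.0.0/24", "ExampleOS 4.0", ("ExampleDB 5.0",)),
    ], "2024-01-01T00:00:00Z")
    inv.label("aa:aa:aa:00:00:02", "payments-db", 5)      # analyst labels the critical database
    inv.ingest([
        Asset("aa:aa:aa:00:00:01", "10.1.0.42", "10.1.0.0/24", "ExampleOS 3.1", ("ExampleHTTPd 1.2",)),
        Asset("aa:aa:aa:00:00:02", "10.1.0.11", "10.1.0.0/24", "ExampleOS 4.0", ("ExampleDB 5.0",)),
        Asset("aa:aa:aa:00:00:03", "10.2.0.5", "10.2.0.0/24", "ExampleOS 4.0", ()),
    ], "2024-01-02T00:00:00Z")
    return inv


if __name__ == "__main__":
    inv = build_demo_inventory()
    print("new:", inv.new_assets, "missing:", inv.missing_assets)
    print("ip history:", inv.ip_history["aa:aa:aa:00:00:01"])
    print("needs labelling:", inv.unlabelled())
    for row in inv.prioritised_findings():
        print(row)
```

Two design points matter here. Keying the inventory on a stable identity rather than the IP is what makes the DHCP history meaningful; the same host at a new lease is recorded as one asset with two addresses, not as a new asset plus a disappeared one. And the risk ordering combines the knowledge-base severity with the analyst-supplied business value, so the labelled database with a moderate finding outranks the unlabelled host with a more severe one until someone assigns that host a value.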
Discovery must identify all assets, asset attributes, network architecture, and known vulnerabilities. Interfaces and reporting must be visual and straightforward for asset and network discovery. For example, there must be an asset inventory page, which includes contextual information about the asset attributes.
There must be a vulnerability summary page that prioritizes vulnerability risk. And there must be a network architecture map that visualizes the logical data paths and connections between subnets. Each summary page must include the ability to filter and present data from different perspectives.
Finally, there must be a reporting interface that lets users select the asset information and time frames they want and generate a report on that selection dynamically. These reports must be downloadable in PDF and CSV formats.
For more on asset discovery and protecting your organization, contact the UncommonX team to request a demo of our security operations platform and talk about your specific security needs.