Vulnerability Management Fundamentals: How to Perform Asset Discovery and Classification

In part two of our five-part series on Vulnerability Management fundamentals, we explore the essentials of asset discovery and classification, which is the first step in the Cyber Exposure lifecycle.

Maintaining a comprehensive and updated asset inventory is a fundamental and critical component of Vulnerability Management (VM) programs. This fact is reinforced by industry standards and best practices. For example, the Center for Internet Security (CIS) lists Inventory of Authorized & Unauthorized Devices and Inventory of Authorized & Unauthorized Software as the top two cybersecurity controls in its Critical Security Controls (CSC) list. 

Although an asset can be any item of perceived value to an organization, for the purposes of this blog, we’ll focus on computing assets such as web or email servers, desktops, laptops, mobile devices, cloud services, network devices, OT devices, databases and web applications.

In global IT environments spanning on-premises and cloud, maintaining an asset inventory is anything but simple. So where do you start? While there is no one-size-fits-all answer, the process begins with a comprehensive discovery and classification by business and security criticality.

Before you use any sophisticated tools, talk to the network management and IT teams in your organization. They very likely have IP address ranges and and databases of all authorized assets across the organization. 

Here are six discovery questions to ask as a starting point:

1. Where are your business offices and network infrastructure sites, including failover and backup sites, located? 
2. What are the key web applications, operating systems, software packages and databases supported by the IT organization? 
3. What types of assets (IT/OT, physical, software, mobile, development) are used by the company?
4. Do you have an asset management tool or a database of all assets owned by the organization? 
5. Do you use an asset and data classification policy to enforce security and access controls?
6. Which assets, applications and data are considered critical for the organization? 

Not all assets are equally important...

Once you’ve captured the above inputs, the end result will likely be a list or a database of IP address ranges and DNS records. That is a good first step. It is a good idea to start asset classification right away to help you prioritize next steps in the VM lifecycle. Remember, not all assets are equally important. A public web server running your e-commerce site is far more business critical and vulnerable to attacks than internal desktops are. 

Data and asset classification policy should be an integral part of any security policy. You should define and consistently use that policy across the organization, not just for vulnerability management, but for all security operations, such as access control, application of security controls and data retention.  

Now, start digging

Do you know what exists at those IP addresses, hostnames and URLs? At this stage you need to leverage some discovery tools to scan your network and applications to detect assets.  

Here are some asset discovery questions to consider when selecting a VM product: 

1. What asset attributes can it detect? Just detecting an asset at an IP address is not enough. Can it detect operating systems, application types and technology, and open ports?
2. Can it scan different types of infrastructures? Can it be integrated into your DevOps process for continuous discovery? Can it scale to handle a large number of assets? 
3. Can it passively monitor network traffic to detect assets connecting to your network that may not be officially authorized by your organization?

Here today, gone tomorrow.

Periodic scanning provides a point-in-time view of your environment, but there may be some blind spots. For example, assets that are short-lived, turned off, temporarily connecting to you network or not accounted for in your original IP address blocks may be undetected. This emphasizes the need for a continuous discovery approach, which includes:

• Baking discovery into the DevOps process; 
• Leveraging software agents installed on the assets; and
• Passively monitoring the network. 

After you have a validated list of assets, do another round of classification. Organizations often classify and group assets based on the sensitivity of data or business criticality of applications supported by the asset. Assets are also grouped and classified based on internal asset management and asset ownership policies. 

For example, for VM purposes you may want to group assets based on who owns them, the operating system or applications they run, or their physical location. Most modern asset management and VM tools provide some form of tagging and grouping capabilities to help with proper manual and automated classification and grouping of assets. One of the most difficult problems in vulnerability management is identifying asset owners who will fix vulnerabilities. Try to make that identification early on in the process and tag assets based on ownership. 

Asset discovery and classification is a fundamental first step to help you focus on actions that result in maximum reduction of your cyber risk. Watch this on-demand webinar to learn more about asset discovery best practices and find out how Tenable can help you on your journey. 

In part one of our five-part series on Vulnerability Fundamentals, we explored the first four stages of the Cyber Exposure Lifecycle. In part three, we’ll discuss the essential tactics involved in the “Assess” stage.