This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-Point Guide, click here to sign up and get the entire guide for free!
Most of the time when we get called into a cybersecurity emergency by a breach victim, we spend a lot of effort just trying to understand the environment and determine things like:
- which computer does what;
- what kind of operating systems are in use;
- what applications and what versions are being used;
- what the network topology looks like;
- what sort of Cloud connectivity exists;
- what sort of user access control system exists and how it's tied to any external (e.g. Cloud-based) systems.
One of the most popular cybersecurity risk management guides, the Center for Internet Security (CIS) Top 20, calls out hardware and software inventories as the first two items on its checklist of things to have in order to minimize risk. This is not by accident; these are "square one" items that, once well managed, allow for successful management of most of the other risks in IT. Unfortunately, they are chronically neglected in most businesses, especially small businesses, if they even exist at all.
Having an asset discovery and inventory system that can track assets by hardware, operating system, applications, and versions is invaluable when it comes to keeping computers and users secure. This is not as painful or time-consuming as it used to be, thanks to several free open source as well as commercially available systems and management-friendly configurations on physical devices.
Maintain a central repository of knowledge (Knowledge Base) where inventories, configurations, and other important information about the information technology environment are stored. This makes accessing that knowledge in a crisis much easier.
Another excellent way to maintain inventory is through agents on servers and workstations or network-based discovery systems that perform network discovery and fingerprinting of devices and software communicating on the network. These systems can update a Configuration Management Database (CMDB) that serves as the system of knowledge for every IT asset in the environment.
Regardless of the method of inventory management and asset discovery, here are some very important reasons to use inventory and asset discovery to reduce cybersecurity risk:
Discover Unknown and Unauthorized Devices on the Network
Rogue wireless access points, old systems that were supposed to be decommissioned, and devices that were plugged into the network but weren't approved are all examples of things you'll find when you begin discovering assets on a computer network. Additionally, software inventories will help you prevent software license issues, identify out-of-date applications, and see unauthorized applications running that are creating risk to your IT environment.
Hardware and Software Inventories Should be Related
Understanding which physical devices are running a specific operating system, as well as which applications (by version) are running on those devices, is important when you are investigating suspicious activity. There are many benefits to having this information available, including eliminating false positives, understanding a given device's role (e.g. database server or web server), and understanding what type of data can be found on the device (e.g. file servers and database servers both hold business data).
Use Network Traffic to Determine Tool Coverage
One of the biggest weaknesses of endpoint protection tools such as anti-virus and Advanced Endpoint Protection is that anything less than 100% coverage can still lead to compromise in the environment, through a pivot from an unprotected machine. Lack of coverage also leaves a blind spot in your network. One of the most effective ways to determine whether or not you have 100% of devices covered is to look at network traffic at your network's perimeter (where it connects to the Internet or other networks) and evaluate traffic behavior. For example, if a computer has an endpoint protection tool that creates network traffic to the Internet as the tool checks in, you'll see it in the network traffic. If you see a computer running an operating system that should have 100% coverage sending traffic to the Internet but not sending traffic to the check-in site for the endpoint protection tool, that indicates the host is not covered, and it should generate an alert so your security analysts and IT team can fix it.
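The coverage check described above, as an added example that is not part of the original article: perimeter flow records are reconciled against the asset inventory to flag in-scope hosts with Internet egress but no agent check-in, and to surface source addresses that are not in the inventory at all. The hostnames, IP addresses, check-in domain and flow format are all constructed for illustration.

```python
"""Reconcile inventory with perimeter flow records (constructed example).
Flags in-scope hosts that reach the Internet without contacting the
endpoint protection check-in site, and sources missing from inventory."""
from collections import defaultdict

# Constructed inventory: every host that should run the endpoint agent.
INVENTORY = [
    {"host": "ws-01", "ip": "10.0.1.11", "os": "Windows 10"},
    {"host": "ws-02", "ip": "10.0.1.12", "os": "Windows 10"},
    {"host": "db-01", "ip": "10.0.2.21", "os": "Ubuntu 22.04"},
    {"host": "ws-03", "ip": "10.0.1.13", "os": "Windows 10"},
]
TARGET_OS_PREFIX = "Windows"            # OS family that must have 100% coverage
CHECKIN_DOMAIN = "checkin.epp.example"  # hypothetical agent check-in host

# Constructed perimeter flow records: (src_ip, destination, dst_port).
# Everything here crossed the perimeter, so each row is Internet-bound.
FLOWS = [
    ("10.0.1.11", "checkin.epp.example", 443),
    ("10.0.1.11", "203.0.113.10", 443),
    ("10.0.1.12", "203.0.113.44", 80),     # egress, but never checks in
    ("10.0.2.21", "198.51.100.7", 443),    # Linux host, outside the target OS
    ("10.0.1.13", "checkin.epp.example", 443),
    ("10.0.1.99", "203.0.113.10", 443),    # source not in inventory at all
]

def uncovered_endpoints(inventory, flows, checkin_domain, os_prefix):
    """Inventory hosts in the target OS family that sent Internet-bound
    traffic but never contacted the check-in domain (sorted hostnames)."""
    egress = defaultdict(set)              # src_ip -> destinations seen
    for src, dst, _port in flows:
        egress[src].add(dst)
    findings = []
    for asset in inventory:
        if not asset["os"].startswith(os_prefix):
            continue
        dests = egress.get(asset["ip"], set())
        if dests and checkin_domain not in dests:
            findings.append(asset["host"])
    return sorted(findings)

def unknown_sources(inventory, flows):
    """Source addresses crossing the perimeter that no inventory entry
    claims: candidates for rogue or forgotten devices."""
    known = {asset["ip"] for asset in inventory}
    return sorted({src for src, _dst, _port in flows} - known)

if __name__ == "__main__":
    print("not checking in:", uncovered_endpoints(INVENTORY, FLOWS, CHECKIN_DOMAIN, TARGET_OS_PREFIX))
    print("not in inventory:", unknown_sources(INVENTORY, FLOWS))
```

Both results are set differences against the inventory, so the check is only as good as the inventory is current; a stale inventory shows up as a growing list of unknown sources.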
Use Inventory and Asset Discovery to Drive Log Collection
Understanding which systems create useful data can be difficult unless you know what Operating System and applications are on them. Some applications produce very important data about how they are used, for both troubleshooting as well as cybersecurity purposes. Understanding what system logs should be collected can be accomplished if you have an inventory that allows you to create a matrix of the various device, OS, and application logs you need to collect. You can even check your logs against the device inventory to see if you are missing logs for certain devices.
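The log-collection matrix described above, as an added example that is not part of the original article: expected log sources are derived from each asset's OS family and applications, then compared with what the collector has actually received. The inventory, the log-source names and the observed collector data are constructed for illustration.

```python
"""Inventory-driven log coverage check (constructed example).
Builds the expected log sources per host from OS and applications and
reports which of them the log collector has never received."""

# Constructed inventory: host, operating system and installed applications.
INVENTORY = [
    {"host": "ws-01", "os": "Windows 10", "apps": ["Office"]},
    {"host": "web-01", "os": "Ubuntu 22.04", "apps": ["nginx"]},
    {"host": "db-01", "os": "Ubuntu 22.04", "apps": ["PostgreSQL"]},
    {"host": "dc-01", "os": "Windows Server 2019", "apps": ["Active Directory"]},
]

# Matrix: log sources each OS family and each application should provide.
OS_LOGS = {"Windows": {"Security", "System"}, "Ubuntu": {"auth.log", "syslog"}}
APP_LOGS = {
    "nginx": {"nginx-access", "nginx-error"},
    "PostgreSQL": {"postgresql"},
    "Active Directory": {"Directory Service"},
}

# Constructed view of what the log collector has received: host -> sources.
OBSERVED = {
    "ws-01": {"Security", "System"},
    "web-01": {"syslog", "nginx-access"},             # auth.log, nginx-error absent
    "dc-01": {"Security", "System", "Directory Service"},
    # db-01 has sent nothing at all
}

def expected_logs(asset):
    """Log sources an asset should produce, from its OS family and apps."""
    wanted = set()
    for family, sources in OS_LOGS.items():
        if asset["os"].startswith(family):
            wanted |= sources
    for app in asset["apps"]:
        wanted |= APP_LOGS.get(app, set())   # apps with no log mapping add nothing
    return wanted

def missing_logs(inventory, observed):
    """Map each host to the expected sources the collector has not seen.
    Hosts with complete coverage are omitted from the result."""
    gaps = {}
    for asset in inventory:
        missing = expected_logs(asset) - observed.get(asset["host"], set())
        if missing:
            gaps[asset["host"]] = sorted(missing)
    return gaps

if __name__ == "__main__":
    for host, sources in missing_logs(INVENTORY, OBSERVED).items():
        print(f"{host}: missing {', '.join(sources)}")
```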
In summary, having an inventory of systems, applications, and data is a very important part of managing cybersecurity risk. It can take some time to complete, but an accurate inventory that is maintained can be invaluable during investigations.
If your business or a client needs expert cybersecurity risk management that includes inventory and asset discovery, please contact us today to schedule an engagement with Ingalls Information Security!
Join us next week when we discuss how to do more with patch management, and the benefits of a mature Vulnerability Lifecycle Management program.