It’s the fifth requirement in CIS Control 1: Use a passive asset discovery tool. Sounds simple enough.
But what does it mean? And what, specifically, makes it so important that it became one of the first five requirements of the widely applied CIS Controls used by so many organizations to establish their most basic levels of cyber hygiene?
The usefulness of passive asset discovery and the importance of finding the right passive asset discovery tool are the subjects of today’s blog.
What Is Asset Discovery?
Asset discovery is the ability to provide visibility of all devices located within an organization with limited or no human interaction. Most organizations attempt to manually create a list of their assets in a shared document, such as a spreadsheet or a small database, making changes whenever a device is added or removed.
The Challenge
This process is deceptively manageable when organizations are relatively small and not that complex. However, this method becomes very flawed when organizations or networks begin to grow. One of the main pain points of this methodology is time. Keeping these lists updated often becomes a full-time job. Another one is the issue of Shadow IT, or invisible assets that lurk undetected and unprotected beneath the surface.
Fortunately, most organizations have realized that device management is a critical part of their operations and security processes. Asset blind spots are a major security gap, as an organization cannot manage what it cannot see.
The Solution
Many organizations have closed the asset security gap using a SIEM or log management solution. In many cases, these products fulfill compliance requirements as well as maintain good security practices. These tools can usually provide some form of asset discovery functionality without any additional cost – the difference being what level they provide out-of-the-box and how much they can be customized to fit the organization’s processes.
Standard Asset Discovery
Standard asset discovery tools usually involve polling endpoint devices across a network. This could consist of something as simple as a ping sweep across the network to see which devices respond. A more complex discovery technique tracks login attempts, revealing an inventory of connected applications. Although this approach can be effective, it introduces a level of risk by allowing broad bi-directional requests across the network. It could also create network congestion.
Passive Asset Discovery
Another, possibly less taxing approach is to listen for normal broadcast traffic already occurring on a network, such as syslog messages that are generated from the network devices. This approach removes the threat of excessive network traffic, but it relies on the assumption that all the devices are enabled to send syslog data. Passive asset discovery tools use a dedicated network port, allowing better control of the traffic flow.
Both the standard and passive asset discovery tool options require that a syslog message is captured by a log management solution and an asset is automatically created based on the data contained within the syslog itself, for example, a new source IP. This would be considered live data since the log management solution would have to be “listening” when the syslog is broadcast in order to create the asset. If the log management solution missed the syslog for any reason, then the asset would never be created.
Fortunately, passive asset discovery enables organizations to create assets using not only live broadcast syslog data but also historical data. A passive discovery method provides the ability to gather asset data from alternate data sources, such as archived syslog messages. Another approach would be to schedule this functionality to poll through archived data at a pre-defined date and time in order to reduce the load on the log management solution.
Another use case involves the ability for geographically disparate organizations to copy over the local syslog archives to a central repository where they may then be processed. This could streamline the asset inventory process.
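As an added example (not code from the original post or from Tripwire LogCenter), the following Python script does what the passive approach above describes: it reads archived RFC 3164 syslog lines and, without ever touching a device, records every sending host and every IP address referenced in a message as an asset with first-seen and last-seen timestamps, then reports which assets are not in a known baseline. The hostnames, addresses and the archive itself are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample of an archived syslog file in RFC 3164 format.
# Hostnames, IPs and MACs are invented; one non-syslog line is included on purpose.
SYSLOG_ARCHIVE = """\
<34>Mar  3 08:01:12 plc-line1 controller: cycle complete
<14>Mar  3 08:02:40 core-sw01 sshd[1029]: Accepted publickey for admin from 10.0.5.7 port 51022
<14>Mar  3 08:05:03 hmi-02 kernel: link up on eth0
this line is not syslog and must be skipped
<34>Mar  4 09:11:45 plc-line1 controller: cycle complete
<13>Mar  4 09:12:01 core-sw01 dhcpd: DHCPACK on 10.0.7.44 to 00:1c:42:ab:cd:ef (printer-3f) via eth1
"""

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE (day may be space-padded)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def discover(lines, year=2024):
    """Build an asset inventory from syslog lines. The sender of each valid line is an
    asset; any IPv4 address in the message body becomes a 'referenced' asset. Each asset
    keeps first_seen/last_seen so archived and live feeds can be merged later."""
    inventory = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not syslog: skip the line rather than abort the whole archive
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # 3164 has no year
        seen = [(m["host"], "sender")] + [(ip, "referenced") for ip in IP_RE.findall(m["msg"])]
        for key, how in seen:  # 'how' records how the asset was first observed
            a = inventory.setdefault(key, {"first_seen": ts, "last_seen": ts, "events": 0, "how": how})
            a["first_seen"] = min(a["first_seen"], ts)
            a["last_seen"] = max(a["last_seen"], ts)
            a["events"] += 1
    return inventory


def new_assets(inventory, baseline):
    """Asset keys present in the inventory but absent from a known baseline (alert candidates)."""
    return sorted(k for k in inventory if k not in baseline)


if __name__ == "__main__":
    inv = discover(SYSLOG_ARCHIVE.splitlines())
    for key, a in sorted(inv.items()):
        print(f"{key:12} {a['how']:10} first={a['first_seen']:%m-%d %H:%M} "
              f"last={a['last_seen']:%m-%d %H:%M} events={a['events']}")
    print("new vs. baseline:", new_assets(inv, {"plc-line1", "core-sw01", "hmi-02"}))
```

Running the script over the sample archive lists five assets and flags the two IP addresses that were only referenced in messages as new relative to the baseline.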
Asset Discovery in an ICS Environment
When applied to an Industrial Control System (ICS) environment, the benefits of passive asset discovery are significant. Data from all of the OT devices, even the ‘no touch’ Programmable Logic Controllers (PLC), can be cataloged without jeopardizing the environment. This is a giant step towards bridging the IT and OT world without compromising security barriers.
The IT organization could then utilize its resources and expertise in asset management and security best practices to alert OT of any newly discovered devices. IT could also monitor for potential patterns of interest that OT should be aware of and again alert if the severity level goes above the organization’s acceptable threshold. Without passive asset discovery functionality, this cross-functional team methodology would be difficult to achieve and could ultimately cost the organization a lot more money and resources due to duplicated work efforts.
Choosing an Active vs. Passive Asset Discovery Tool
Ultimately, the choice is yours, and the kind of asset discovery solution you use depends on the needs of your organization, the depth of coverage desired, and the resources on hand. To help you make that choice, here are some basic things to bear in mind when considering whether an active or a passive asset discovery tool is right for you:
Active Asset Discovery Tool
- Scans for new items like hardware devices and software applications and can flag any illicit changes to those.
- Requires specialized tools to scan systems and devices.
- Can only collect data on assets that are active at the time.
- Initially discovers assets even if they are not generating activity.
- May be impacted by network segmentation.
Passive Asset Discovery Tool
- Scans for new activity patterns, which can tell you if a new asset or unauthorized activity has occurred. Operates more continuously.
- Does not require specialized scanning and impacts the overall system less.
- Allows you to collect data for assets that have gone offline using archived syslog data.
- Initially discovers only assets that are generating activity.
- Does not have to account for network segmentation because it relies on historical data and queries each asset individually.
To learn more about Fortra’s passive asset discovery tool, Tripwire LogCenter, click here.