Reliable IT asset management and discovery can be a network and security admin’s best friend.
I don’t have to tell you the obvious; we all know a good security program begins with an understanding of all the devices connected to the network. However, maintaining a current inventory of every connected device used by employees and business partners is not easy. Even more difficult is ensuring that there are no connected unmanaged assets.
What is an Unmanaged Asset?
Networks can have thousands of connected devices. These might include the following to name a few:
- User devices such as laptops, desktops, workstations, virtual desktop systems, bring your own devices (BYOD), smart phones, and tablets.
- Data center and cloud devices such as servers, virtual machines (VM), orphaned VM’s, containers, and storage systems.
- Networking devices such as routers, switches, firewalls, load balancers, and WiFi access points.
- Other devices such as printers, and more recently – Internet of things (IoT) devices.
Unfortunately, many of these connected devices may be unknown to IT, or not managed by IT group policies. These unknown devices and those not managed by IT policies are referred to as “unmanaged assets.”
The number of unmanaged assets continues to rise for many companies and organizations. Ziften finds that as many as 30% to 50% of all connected devices can be unmanaged assets in today’s enterprise networks.
IT asset management tools are typically optimized to detect assets such as PCs, servers, load balancers, firewalls, and storage devices used to deliver enterprise applications to the business. However, these management tools typically ignore assets not owned by the organization, such as BYOD endpoints, or user-deployed wireless access points. Even more troubling is that Gartner asserts in “Beyond BYOD to IoT, Your Enterprise Network Access Policy Must Change”, that IoT devices have surpassed employees and guests as the biggest user of the enterprise network.1
Gartner goes on to describe a new trend that will introduce even more unmanaged assets into the enterprise environment – bring your own things (BYOT). Essentially, employees bringing items which were designed for the smart home, into the office environment. Examples include smart power sockets, smart kettles, smart coffee machines, smart light bulbs, domestic sensors, wireless webcams, plant care sensors, environmental controls, and eventually, home robots. Many of these objects will be brought in by staff seeking to make their working environment more congenial. These “things” can sense information, can be controlled by apps, and can communicate with cloud services.1
Why is it Important to Discover Unmanaged Assets?
Quite simply, unmanaged assets create IT and security blind spots. Mike Hamilton, SVP of Product at Ziften said, “Security starts with knowing what physical and virtual devices are connected to the corporate network. But, BYOD, shadow IT, IoT, and virtualization are making that more challenging.”
These blind spots not only increase security and compliance risk, they can increase legal risk. Information retention policies designed to limit legal liability are unlikely to be applied to electronically stored information (ESI) contained on unauthorized cloud, mobile, and virtual assets.
Maintaining an up-to-date inventory of the assets on your network is critical to good security. It’s common sense; if you don’t know it exists, you can’t know if it is secure. In fact, asset visibility is so important that it is a foundational part of most information security frameworks including:
- SANS Critical Security Controls for effective cyber defense: Developing an inventory of authorized and unauthorized devices is number one on the list.
- Council on CyberSecurity Critical Security Controls: Creating an inventory of authorized and unauthorized devices is the first control in the prioritized list.
- NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations – SP 800-137: Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
- ISO/IEC 27001 Information Management Security System Requirements: The standard requires that all assets be clearly identified and an inventory of all important assets be drawn up and maintained.
- Ziften’s Adaptive Security Framework: The first pillar includes discovery of all your authorized and unauthorized physical and virtual devices.
Considerations in Evaluating Asset Discovery Solutions
There are multiple techniques used for asset discovery and network mapping, and each of the approaches have advantages and disadvantages. While evaluating the myriad tools, keep these two key considerations in mind:
Strong information security requires continuous asset discovery regardless of what method is employed. However, many scanning techniques used in asset discovery take time to complete, and are thus executed periodically. The drawback to point-in-time asset discovery is that transient systems may only be on the network for a brief time. Therefore, it is highly possible that these transient systems will not be found.
Some discovery techniques can trigger security alerts in network firewalls, intrusion detection systems, or virus scanning tools. Because these techniques can be disruptive, discovery is only executed at regular, point-in-time intervals.
There are, however, some asset discovery techniques that can be used continuously to locate and identify connected assets. Tools that provide continuous monitoring for unmanaged assets can deliver better unmanaged asset discovery results.
“Because passive detection operates 24×7, it will detect transitory assets that may only be occasionally and briefly connected to the network and can send alerts when new assets are detected.”
Asset discovery tools provide intelligence on all discovered assets including IP address, hostname, MAC address, device manufacturer, and even the device type. This technology helps operations teams quickly clean up their environments, eliminating rogue and unmanaged devices — even VM proliferation. However, these tools go about this intelligence gathering differently.
Tools that employ active network scanning effectively probe the network to coax responses from devices. These responses provide clues that help identify and fingerprint the device. Active scanning periodically examines the network or a segment of the network for devices that are connected to the network at the time of the scan.
Active scanning can typically provide more in-depth analysis of vulnerabilities, malware detection, and configuration and compliance auditing. However, active scanning is performed periodically because of its disruptive nature with security infrastructure. Unfortunately, active scanning risks missing transient devices and vulnerabilities that arise between scheduled scans.
Other tools use passive asset discovery techniques. Because passive detection operates 24×7, it will detect transitory assets that may only be occasionally and briefly connected to the network and can send alerts when new assets are detected. Additionally, passive discovery does not disturb sensitive devices on the network, such as industrial control systems, and allows visibility of Internet and cloud services being accessed from systems on the network. Further passive discovery techniques avoid triggering alerts on security tools throughout the network.
BYOD, shadow IT, IoT, virtualization, and Gartner’s newly-coined BYOT mean more and more assets on to the corporate network. Unfortunately, many of these assets are unknown or unmanaged by IT. These unmanaged assets pose serious security holes. Eliminating these unmanaged assets from the network — which are far more likely to be “patient zero” — or bringing them up to corporate security standards greatly reduces an organization’s attack surface and overall risk. The good news is that there are solutions that can provide continuous, passive discovery of unmanaged assets.
Want to learn more? Ask us today!