Discovery And Asset Management Are Crucial To IT Security – Chuck Leaver

Written By Roark Pollock And Presented By Chuck Leaver CEO Ziften


Trustworthy IT asset management and discovery can be a network and security admin’s buddy.

I don’t have to tell you the obvious; we all know that a good security program starts with an understanding of every device connected to the network. However, keeping a current inventory of every connected device used by employees and business partners is challenging. Even harder is ensuring that no unmanaged assets are connected at all.

What is an Unmanaged Asset?

Networks can have countless connected devices. These include, among others:

– User devices such as laptops, desktop PCs, workstations, virtual desktop systems, bring your own device (BYOD) endpoints, cellular phones, and tablets.

– Data center and cloud devices such as servers, virtual machines (VMs), orphaned VMs, containers, and storage systems.

– Networking devices such as routers, switches, firewalls, load balancers, and WiFi access points.

– Other devices such as printers and, more recently, Internet of Things (IoT) devices.

Unfortunately, many of these connected devices may be unknown to IT, or not covered by IT group policies. These unknown devices, and those not governed by IT policies, are described as “unmanaged assets.”

The number of unmanaged assets continues to rise in many organizations. Ziften finds that 30% to 50% of all connected devices in today’s enterprise networks can be unmanaged assets.

IT asset management tools are typically optimized to find assets such as computers, servers, load balancers, firewalls, and storage devices that are used to deliver enterprise applications to the organization. However, these management tools usually overlook assets not owned by the business, such as BYOD endpoints or user-deployed wireless access points. Even more uncomfortable is that Gartner asserts, in “Beyond BYOD to IoT, Your Business Network Access Policy Must Change”, that IoT devices have now surpassed employees and guests as the biggest users of the enterprise network.[1]

Gartner goes on to describe a new trend that will introduce even more unmanaged assets into the business environment: bring your own things (BYOT).

Put simply, employees are bringing items designed for the smart home into the workplace. Examples include smart power sockets, smart kettles, smart coffee machines, smart light bulbs, home sensors, wireless webcams, plant care sensors, environmental controls, and eventually, home robots. Many of these things will be brought in by staff seeking to make their workplace more congenial. These “things” can sense information, can be managed by apps, and can communicate with cloud services.[1]

Why is it Important to Discover Unmanaged Assets?

Quite simply, unmanaged assets produce IT and security blind spots. Mike Hamilton, SVP of Product at Ziften, said, “Security starts with understanding what physical and virtual devices are connected to the corporate network. However, BYOD, shadow IT, IoT, and virtualization are making that more challenging.”

These blind spots not only increase security and compliance risk, they can increase legal risk. Data retention policies designed to limit legal liability are unlikely to be applied to electronically stored information held on unapproved cloud, mobile, and virtual assets.

Keeping a current inventory of the assets on your network is crucial to good security. It’s common sense: if you don’t know it exists, you cannot know whether it is secure. In fact, asset visibility is so crucial that it is a fundamental part of many information security frameworks, including:

– SANS Critical Security Controls for effective cyber defense: Establishing an inventory of authorized and unauthorized devices is first on the list.

– Council on CyberSecurity Critical Security Controls: Developing an inventory of authorized and unauthorized devices is the first control in the focused list.

– NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations (SP 800-137): Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

– ISO/IEC 27001 Information Security Management System Requirements: The standard requires that all assets be clearly identified and that an inventory of all important assets be prepared and maintained.

– Ziften’s Adaptive Security Framework: The first pillar includes discovery of all your authorized and unauthorized physical and virtual devices.

Factors To Consider in Assessing Asset Discovery Solutions

There are several methods used for asset discovery and network mapping, and each approach has benefits and drawbacks. While evaluating the myriad tools, keep these two key considerations in mind:

Continuous versus point-in-time

Strong information security requires continuous asset discovery, whatever technique is used. However, many scanning methods used in asset identification take time to complete, and are therefore performed periodically. The downside of point-in-time asset identification is that transient systems might only be on the network for a short time, so it is very possible that they will never be found.

Some discovery techniques can trigger security alerts in network firewalls, intrusion detection systems, or virus scanning tools. Because these techniques can be disruptive, identification is only carried out at routine, point-in-time intervals.

There are, however, asset discovery techniques that can be used continuously to locate and identify connected assets. Tools that provide continuous monitoring for unmanaged assets deliver much better unmanaged asset discovery results.


Passive versus active

Asset discovery tools supply intelligence on every asset found, including IP address, hostname, MAC address, device manufacturer, and device type. This technology helps operations teams quickly clean up their environments, removing rogue and unmanaged devices, and even VM sprawl. However, these tools go about gathering that intelligence differently.

Tools that use active network scanning probe the network to coax responses from devices. These responses offer clues that help identify and fingerprint the device. Active scanning periodically examines the network, or a segment of it, for devices that are connected at the time of the scan.

Active scanning can typically provide more extensive vulnerability analysis, malware detection, and configuration and compliance auditing. However, because active scanning can disrupt security infrastructure, it is performed periodically. Unfortunately, that means active scanning risks missing transient devices, and vulnerabilities that appear, between scheduled scans.

Other tools use passive asset discovery methods. Because passive detection runs 24 × 7, it will detect transient assets that may only be occasionally and briefly connected to the network, and can send alerts when new assets are discovered.

In addition, passive discovery does not disturb sensitive devices on the network, such as industrial control systems, and provides visibility into the Internet and cloud services being accessed from systems on the network. Moreover, passive discovery methods avoid triggering alerts on security tools throughout the network.
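The continuous-versus-point-in-time and passive-versus-active distinctions above can be made concrete with a small simulation. The following is an added example, not Ziften’s code or any product’s logic: it feeds constructed passive observations (the kind a sensor would record from ARP, DHCP or flow traffic) into a continuous inventory that alerts on first sighting and compares that inventory against a constructed list of MACs known to IT asset management, while a simulated scheduled scan only sees devices present during its window and so misses the transient smart plug. Timestamps, MACs, IPs and hostnames are all made up.

```python
from datetime import datetime, timedelta

# Constructed passive observations: (timestamp, MAC, IP, hostname).
# All values are made up for this example.
OBSERVATIONS = [
    ("2017-03-01T09:00:05", "00:11:22:33:44:01", "10.0.1.10", "lt-alice"),
    ("2017-03-01T09:00:07", "00:11:22:33:44:02", "10.0.1.11", "srv-files"),
    # A smart plug that joins for two minutes between the scheduled scans.
    ("2017-03-01T09:20:13", "de:ad:be:ef:00:01", "10.0.1.57", "smartplug-01"),
    ("2017-03-01T09:21:40", "de:ad:be:ef:00:01", "10.0.1.57", "smartplug-01"),
    ("2017-03-01T09:59:00", "00:11:22:33:44:01", "10.0.1.10", "lt-alice"),
    ("2017-03-01T10:00:02", "00:11:22:33:44:02", "10.0.1.11", "srv-files"),
]

# Constructed IT asset management inventory: the MACs IT knows and manages.
MANAGED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def point_in_time_scan(observations, scan_time, window_seconds=60):
    """Simulate an active scan started at scan_time: only devices that are on
    the network (i.e. observed) during the scan window end up in its result."""
    start = _parse(scan_time)
    end = start + timedelta(seconds=window_seconds)
    return sorted({mac for ts, mac, _, _ in observations if start <= _parse(ts) <= end})


def passive_inventory(observations):
    """Continuous passive discovery: every observation updates the inventory,
    and the first sighting of a MAC raises a new-asset alert."""
    inventory, alerts = {}, []
    for ts, mac, ip, host in observations:
        if mac not in inventory:
            alerts.append(f"{ts} new asset {mac} ({ip}, {host})")
        inventory[mac] = {"ip": ip, "host": host, "last_seen": ts}
    return inventory, alerts


def unmanaged_assets(inventory, managed_macs):
    """Assets seen on the wire that asset management does not know about."""
    return sorted(set(inventory) - managed_macs)


if __name__ == "__main__":
    for t in ("2017-03-01T09:00:00", "2017-03-01T10:00:00"):
        print("scan at", t, "->", point_in_time_scan(OBSERVATIONS, t))
    inv, alerts = passive_inventory(OBSERVATIONS)
    print("\n".join(alerts))
    print("unmanaged:", unmanaged_assets(inv, MANAGED_MACS))
```

Neither scheduled scan ever lists the smart plug, while the passive inventory alerts on it at first sighting and reports it as the one unmanaged asset.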

In Summary

BYOD, shadow IT, IoT, virtualization, and Gartner’s newly coined BYOT all mean a growing number of assets on the organization’s network. Unfortunately, many of these assets are unknown to, or unmanaged by, IT. These unmanaged assets leave serious security holes. Removing these unmanaged assets from the network, since they are the ones most likely to become “patient zero”, or bringing them in line with corporate security standards, greatly lowers an organization’s attack surface and overall risk. The good news is that there are solutions that can provide continuous, passive discovery of unmanaged assets.

Is Enterprise Antivirus Effective Any More? – Chuck Leaver

Written By Dr Al Hartmann And Presented By Chuck Leaver Ziften CEO


Dwindling Effectiveness of Enterprise Anti-virus?

Google Security Expert Labels Anti-virus Apps Ineffective ‘Magic’

At the recent Kiwicon hacking conference in Wellington, New Zealand, Google’s Platform Integrity team manager Darren Bilby preached cyber-security heresy. Charged with investigating highly sophisticated attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise anti-virus into a collection of inadequate tools installed to tick a compliance check box, but at the cost of real security:

We need to stop purchasing those things we have shown are not effective… Anti-virus does some useful things, but in reality, it is more like a canary in a coal mine. It is worse than that. It’s like we are standing around the dead canary stating ‘Thank god it inhaled all the dangerous gas.’

Google security experts aren’t the first to weigh in against enterprise anti-virus, or to draw unflattering analogies, in this case to a dead canary.

Another highly skilled security team, FireEye Mandiant, compared static defenses such as enterprise anti-virus to that infamously failed World War II defense, the Maginot Line:

Like the Maginot Line, today’s cyber defenses are fast becoming a relic in today’s threat landscape. Organizations invest billions of dollars every year on IT security. However, hackers are quickly outflanking these defenses with clever, fast moving attacks.

An example of this was given by a Cisco managed security services executive at a conference in Poland. His team had spotted anomalous activity on one of their enterprise customers’ networks, and reported the suspected server compromise to the customer. To the Cisco team’s amazement, the customer simply ran an anti-virus scan on the server, found no detections, and placed it back into service. Horrified, the Cisco team conferenced the customer in to their monitoring console and was able to show the attacker conducting a live remote session at that very minute, complete with typing errors and re-issued commands on the compromised server. Finally convinced, the customer took the server down and completely re-imaged it. The enterprise anti-virus had been a useless distraction: it had not served the customer, and it had not deterred the attacker.

So Is It Time to Ditch Enterprise Antivirus Now?

I am not yet ready to declare an end to the age of enterprise anti-virus. But I do know that businesses have to invest in detection and response capabilities to complement traditional anti-virus. Increasingly, though, I wonder who is complementing whom.

Skilled, targeted attackers will consistently evade anti-virus defenses, so against your greatest cyber threats, enterprise anti-virus is essentially useless. As Darren Bilby stated, it does do some useful things, but it does not provide the endpoint defense you need. So don’t let it distract you from the highest-priority cyber-security investments, and don’t let it distract you from the security measures that do fundamentally help.

Proven cyber defense measures include:

– Configuration hardening of networks and endpoints.

– Identity management with strong authentication.

– Application controls.

– Continuous network and endpoint monitoring, and constant vigilance.

– Strong encryption and data security.

– Staff education and training.

– Continual threat re-assessment, penetration testing, and red/blue teaming.

In contrast to Bilby’s criticism of enterprise anti-virus, none of the above are ‘magic’. They are simply the ongoing work of proper enterprise cyber-security.