Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Vulnerability Management Fundamentals: How to Perform Asset Discovery and Classification

In part two of our five-part series on Vulnerability Management fundamentals, we explore the essentials of asset discovery and classification, which is the first step in the Cyber Exposure lifecycle.

Maintaining a comprehensive and updated asset inventory is a fundamental and critical component of Vulnerability Management (VM) programs. This fact is reinforced by industry standards and best practices. For example, the Center for Internet Security (CIS) lists Inventory of Authorized & Unauthorized Devices and Inventory of Authorized & Unauthorized Software as the top two cybersecurity controls in its Critical Security Controls (CSC) list. 

Although an asset can be any item of perceived value to an organization, for the purposes of this blog, we’ll focus on computing assets such as web or email servers, desktops, laptops, mobile devices, cloud services, network devices, OT devices, databases and web applications.

In global IT environments spanning on-premises and cloud, maintaining an asset inventory is anything but simple. So where do you start? While there is no one-size-fits-all answer, the process begins with a comprehensive discovery and classification by business and security criticality.

Before you use any sophisticated tools, talk to the network management and IT teams in your organization. They very likely have IP address ranges and and databases of all authorized assets across the organization. 

Here are six discovery questions to ask as a starting point:

  1. Where are your business offices and network infrastructure sites, including failover and backup sites, located? 
  2. What are the key web applications, operating systems, software packages and databases supported by the IT organization? 
  3. What types of assets (IT/OT, physical, software, mobile, development) are used by the company?
  4. Do you have an asset management tool or a database of all assets owned by the organization? 
  5. Do you use an asset and data classification policy to enforce security and access controls?
  6. Which assets, applications and data are considered critical for the organization? 

Not all assets are equally important...

Once you’ve captured the above inputs, the end result will likely be a list or a database of IP address ranges and DNS records. That is a good first step. It is a good idea to start asset classification right away to help you prioritize next steps in the VM lifecycle. Remember, not all assets are equally important. A public web server running your e-commerce site is far more business critical and vulnerable to attacks than internal desktops are. 

Data and asset classification policy should be an integral part of any security policy. You should define and consistently use that policy across the organization, not just for vulnerability management, but for all security operations, such as access control, application of security controls and data retention.  

Now, start digging

Do you know what exists at those IP addresses, hostnames and URLs? At this stage you need to leverage some discovery tools to scan your network and applications to detect assets.  

Here are some asset discovery questions to consider when selecting a VM product: 

  1. What asset attributes can it detect? Just detecting an asset at an IP address is not enough. Can it detect operating systems, application types and technology, and open ports?
  2. Can it scan different types of infrastructures? Can it be integrated into your DevOps process for continuous discovery? Can it scale to handle a large number of assets? 
  3. Can it passively monitor network traffic to detect assets connecting to your network that may not be officially authorized by your organization?

Here today, gone tomorrow.

Periodic scanning provides a point-in-time view of your environment, but there may be some blind spots. For example, assets that are short-lived, turned off, temporarily connecting to you network or not accounted for in your original IP address blocks may be undetected. This emphasizes the need for a continuous discovery approach, which includes:

  • Baking discovery into the DevOps process; 
  • Leveraging software agents installed on the assets; and
  • Passively monitoring the network. 

After you have a validated list of assets, do another round of classification. Organizations often classify and group assets based on the sensitivity of data or business criticality of applications supported by the asset. Assets are also grouped and classified based on internal asset management and asset ownership policies. 

For example, for VM purposes you may want to group assets based on who owns them, the operating system or applications they run, or their physical location. Most modern asset management and VM tools provide some form of tagging and grouping capabilities to help with proper manual and automated classification and grouping of assets. One of the most difficult problems in vulnerability management is identifying asset owners who will fix vulnerabilities. Try to make that identification early on in the process and tag assets based on ownership. 

Asset discovery and classification is a fundamental first step to help you focus on actions that result in maximum reduction of your cyber risk. Watch this on-demand webinar to learn more about asset discovery best practices and find out how Tenable can help you on your journey. 

In part one of our five-part series on Vulnerability Fundamentals, we explored the first four stages of the Cyber Exposure Lifecycle. In part three, we’ll discuss the essential tactics involved in the “Assess” stage. 

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.