Guessing how many marbles are in a jar is either a fun carnival game (pick the average based on the wisdom of the crowd) or a math problem involving orb volume, cylinder volume and the estimated space between marbles. You can also just count the marbles.
Unfortunately, when it comes to identifying the number of devices connected to your network, none of these approaches works – although quasi-manual counting remains all too common. Typically, organizations are aware of only 70% of their actual devices. That won’t get you a stuffed animal or a passing grade.
With the growing number and type of devices spread across campus, data center, cloud and OT/IoMT networks, it has become increasingly difficult to identify them all. Unlike marbles, you need to know a lot more than just the number of devices. You need to know what they are, how they’re connected (wired/wireless), where they’re physically located (building, closet, switch, port) and what their purpose is.
Visibility and asset management go hand in hand. An accurate and contextually rich asset management database, typically a configuration management database (CMDB), is required to understand device function, relationships, operational criticality, dependencies, and so on. Together, this information enables you to manage asset lifecycles and optimize performance and availability while reducing costs and security risk.
To do its job, the CMDB must be continuously refreshed as new assets join the network or configurations change. Most CMDBs cannot continuously discover and collect data for all network-connected devices in real time, especially for agentless IoT and OT systems. That’s the job of a cybersecurity asset management solution. Bi-directional communications that synchronize information from your cybersecurity asset management solution with your CMDB boost your CMDB’s value by ensuring you have a single source of truth.
Continuous discovery, classification and assessment
Too often, knowing what’s on the network still involves chasing down siloed information and knitting the pieces together manually. Security teams have limited visibility into devices and their interactions. Governance policies are implemented best-effort through fragmented products. Products are half rolled out. In short, the overall security posture of the network, assets and its users is not known from moment to moment. In this state, you’re constantly putting out fires, at least the ones you’re aware of.
A best-practice visibility strategy leverages tools that continuously and agentlessly (using agents only by exception) discover all devices upon connect, auto-classify them based on device attributes and assess their adherence to policies using a policy engine that compares current state to policy:
- Continuous discovery relies on multiple mechanisms to detect every asset on the extended network, including IT, IoT, IoMT and OT devices.
- Continuous classification provides valuable insight about the device type, vendor, model, function, user and OS running on it.
- Continuous assessment determines what is installed, configured and operating on the device, and whether that configuration and status have changed.
Continuous is the operative word. It only takes one device with outdated or inaccurate configuration details for attackers to seize the opportunity to breach a network. Partial visibility = partial protection.
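To make the discover/classify/assess loop concrete, here is an added example (not Forescout's code or any product's policy engine) of a minimal policy engine: it classifies a device from observed attributes, compares the observed state against the policy for that class, and reports drift between two observations of the same device so that a change in configuration or status is noticed. The device records, classification rules and policies are constructed sample data, and the vendor name "ExampleMedCo" is a placeholder.

```python
"""Added example, not Forescout's code: classify devices from observed attributes,
assess them against a per-class policy, and detect drift between observations.
All devices, rules and policies below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Device:
    """One observation of a device, as a discovery tool might report it."""
    mac: str
    ip: str
    vendor: str
    os: str
    open_ports: set
    agent_installed: bool
    last_seen_switch: str   # switch/port the device was last seen on


# Classification rules, evaluated in order; first match wins. Constructed.
# "ExampleMedCo" is a placeholder vendor; TCP/104 is the DICOM port.
CLASSIFICATION_RULES = [
    ("medical_imaging", lambda d: d.vendor == "ExampleMedCo" and 104 in d.open_ports),
    ("printer",         lambda d: 9100 in d.open_ports and 631 in d.open_ports),
    ("workstation",     lambda d: d.os.startswith("Windows") and d.agent_installed),
    ("unmanaged_host",  lambda d: d.os.startswith("Windows") and not d.agent_installed),
]

# Policy per device class: ports that must not be open and whether an agent is required.
# Agentless classes (IoMT, printers) are not asked to carry an agent. Constructed.
POLICY = {
    "medical_imaging": {"forbidden_ports": {23}, "require_agent": False},
    "printer":         {"forbidden_ports": {23}, "require_agent": False},
    "workstation":     {"forbidden_ports": {23, 445}, "require_agent": True},
    "unmanaged_host":  {"forbidden_ports": {23}, "require_agent": True},
    "unknown":         {"forbidden_ports": set(), "require_agent": False},
}


def classify(device):
    """Return the first class whose predicate matches, or 'unknown'."""
    for label, predicate in CLASSIFICATION_RULES:
        if predicate(device):
            return label
    return "unknown"


def assess(device):
    """Classify, then compare observed state to the policy for that class.
    Returns (device_class, findings); an empty findings list means compliant."""
    label = classify(device)
    rules = POLICY[label]
    findings = []
    bad_ports = device.open_ports & rules["forbidden_ports"]
    if bad_ports:
        findings.append(f"forbidden ports open: {sorted(bad_ports)}")
    if rules["require_agent"] and not device.agent_installed:
        findings.append("management agent missing")
    return label, findings


def assess_all(devices):
    """Assess a list of devices; returns {mac: (device_class, findings)}."""
    return {d.mac: assess(d) for d in devices}


def drift(previous, current):
    """Fields that changed between two observations of the same MAC.
    Returns {field: (old, new)}; an empty dict means nothing changed."""
    if previous.mac != current.mac:
        raise ValueError("drift() compares two observations of the same device")
    changed = {}
    for f in ("ip", "os", "open_ports", "agent_installed", "last_seen_switch"):
        old, new = getattr(previous, f), getattr(current, f)
        if old != new:
            changed[f] = (old, new)
    return changed


if __name__ == "__main__":
    # Constructed sample fleet.
    fleet = [
        Device("aa:bb:cc:00:00:01", "10.0.1.10", "Dell", "Windows 10", {135, 445}, True, "bldg1-sw1/Gi1/0/7"),
        Device("aa:bb:cc:00:00:02", "10.0.5.20", "Xerox", "embedded", {631, 9100}, False, "bldg3-sw2/Gi2/0/3"),
        Device("aa:bb:cc:00:00:03", "10.0.9.5", "ExampleMedCo", "embedded", {104, 23}, False, "bldg2-sw1/Gi1/0/12"),
    ]
    for mac, (label, findings) in assess_all(fleet).items():
        print(mac, label, findings or "compliant")
    later = Device("aa:bb:cc:00:00:01", "10.0.1.10", "Dell", "Windows 10", {135}, True, "bldg4-sw1/Gi1/0/2")
    print("drift:", drift(fleet[0], later))
```

The point of `drift` is the "continuous" part of the post: an assessment is only as good as its last run, so a device that moves to a different switch port or acquires a new listening service should re-enter assessment rather than keep its old verdict.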
Symbiotic tools yield 100% visibility
Network visibility enlists a variety of passive discovery and active scanning or integration techniques to identify all IP-connected devices. They fall into four categories:
- Discovery with network integrations
- Discovery and classification with traffic monitoring
- Discovery and classification with scanning
- Assessments with third-party tool integrations
Network integrations
Connecting network routers, switches and WLAN controllers via SNMP, CLI or APIs enables asset discovery and provides critical contextual data for risk assessment and control. You see the asset’s switch IP; vendor and whether it is PoE; port name, alias and configuration; and VLAN. Because network integrations provide the physical location of each device, they’re especially valuable for globally dispersed networks. If you want to know 100% of network-connected devices, ask the network.
Network traffic monitoring
Traffic-monitoring tools are used for asset discovery and classification. They’re easy to install, and because they’re deployed passively, they cause minimal disruption. In addition to performing deep packet inspection (DPI), they can identify HTTP user agents, DHCP and communications flows. However, it isn’t feasible to put sensors all over a global network. If device communications don’t all cross sensor locations at central chokepoints, devices can be missed entirely.
Scanning
Scanners improve classification of all devices, including remote ones. They actively probe for ports, banners and information that may not be seen passively. Like traffic-monitoring tools, they leave gaps in visibility by missing devices that don’t respond to scans and any assets that aren’t present during scheduled scanning intervals. Many devices are sensitive to active probing and scanning, which can cause business disruption or, worse, harm IoMT, IoT and OT/ICS assets.
Third-party tool integrations
Integration with third-party tools via APIs and SQL provides a slew of additional information about assets. These integrations give security products an opportunity to enrich one another and bump up your overall defenses. To verify accuracy, however, information captured via third-party integration must be reconciled with data from the other three collection methods. This is especially true when the data’s reliability depends on a properly managed device with a properly configured agent that you don’t control.
Each technique discussed here has its pros and cons, and no one solution works on every device type. That’s not surprising, given the disparate universe of IP-connected assets. A collection of network active/passive and asset active/passive techniques is required for safe discovery and classification of all device types. These must be configurable with conditions, not a single global parameter. IoMT and OT/ICS require a different approach from more resilient IT.
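The reconciliation step is easy to describe and easy to get wrong in practice, so here is an added example (not Forescout's code or any product's merge logic) that merges observations from the four collection methods above into one record per device, keeps direct network observation ahead of third-party data when they disagree, records the disagreement for follow-up, measures what fraction of the merged inventory each source actually saw, and flattens the result into rows of the kind a CMDB sync would push (the single source of truth discussed earlier on this page). The observations, MAC addresses, switch names and hostnames are constructed sample data; the precedence order is one reasonable choice, not a standard.

```python
"""Added example, not Forescout's code: reconcile per-source asset observations
into one record per MAC, surface conflicts, and measure per-source coverage.
All observations below are constructed sample data."""

SOURCES = ("network", "traffic", "scan", "third_party")

# When two sources disagree on an attribute, the lower number wins and the
# disagreement is recorded. Direct observation of the network outranks an
# agent console you don't control (an assumption, not a standard).
PRECEDENCE = {"network": 0, "traffic": 1, "scan": 2, "third_party": 3}

# (source, mac, attributes). Constructed. Note the stale IP from the agent console
# on device 01, the scan-shy OT device 03 that only the network sees, and the
# laptop 04 that only the agent console knows about.
OBSERVATIONS = [
    ("network", "aa:bb:cc:00:00:01", {"ip": "10.0.1.10", "switch": "bldg1-idf2-sw1", "port": "Gi1/0/7", "vlan": 110, "poe": False}),
    ("traffic", "aa:bb:cc:00:00:01", {"ip": "10.0.1.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "dhcp_hostname": "WS-0123"}),
    ("scan", "aa:bb:cc:00:00:01", {"ip": "10.0.1.10", "os": "Windows 10", "open_ports": [135, 445]}),
    ("third_party", "aa:bb:cc:00:00:01", {"ip": "10.0.1.11", "os": "Windows 10", "agent_version": "7.2"}),
    ("network", "aa:bb:cc:00:00:02", {"ip": "10.0.5.20", "switch": "bldg3-mdf-sw2", "port": "Gi2/0/3", "vlan": 500, "poe": True}),
    ("traffic", "aa:bb:cc:00:00:02", {"ip": "10.0.5.20", "dhcp_vendor_class": "ExampleCam"}),
    ("network", "aa:bb:cc:00:00:03", {"ip": "10.0.9.5", "switch": "bldg2-idf1-sw1", "port": "Gi1/0/12", "vlan": 900, "poe": False}),
    ("third_party", "aa:bb:cc:00:00:04", {"ip": "192.168.1.50", "os": "macOS 14", "agent_version": "7.2"}),
]


def reconcile(observations):
    """Merge observations by MAC.
    Returns {mac: {"sources": set, "attributes": {...}, "provenance": {attr: source},
                   "conflicts": {attr: {source: value, ...}}}}."""
    assets = {}
    # Stable sort: higher-precedence sources write first, so first-seen wins.
    for source, mac, attrs in sorted(observations, key=lambda o: PRECEDENCE[o[0]]):
        rec = assets.setdefault(mac, {"sources": set(), "attributes": {}, "provenance": {}, "conflicts": {}})
        rec["sources"].add(source)
        for key, value in attrs.items():
            if key not in rec["attributes"]:
                rec["attributes"][key] = value
                rec["provenance"][key] = source
            elif rec["attributes"][key] != value:
                # Keep the winning value, but record every disagreeing source.
                conflict = rec["conflicts"].setdefault(key, {rec["provenance"][key]: rec["attributes"][key]})
                conflict[source] = value
    return assets


def coverage(assets):
    """Fraction of the merged inventory each source saw, and the MACs seen by
    only one source (the ones a single-technique deployment would have missed)."""
    total = len(assets)
    per_source = {s: sum(1 for a in assets.values() if s in a["sources"]) / total for s in SOURCES}
    single_source = sorted(mac for mac, a in assets.items() if len(a["sources"]) == 1)
    return per_source, single_source


def cmdb_rows(assets):
    """Flatten merged records into rows for a CMDB sync. Conflicting attributes
    are listed under 'reconcile' so the CMDB does not silently absorb bad data."""
    rows = []
    for mac, a in sorted(assets.items()):
        rows.append({"mac": mac, **a["attributes"],
                     "observed_by": sorted(a["sources"]),
                     "reconcile": sorted(a["conflicts"])})
    return rows


if __name__ == "__main__":
    merged = reconcile(OBSERVATIONS)
    per_source, single = coverage(merged)
    for s, frac in per_source.items():
        print(f"{s:12s} saw {frac:.0%} of the inventory")
    print("seen by one source only:", single)
    for row in cmdb_rows(merged):
        print(row)
```

Two things to take from running it: no single source reaches 100% (the network integration comes closest at 75%, which is the post's "ask the network"), and the agent console's stale IP for device 01 is kept out of the authoritative record but flagged for reconciliation rather than dropped, which is the treatment the post asks for on third-party data.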
At Forescout, we use insights from our Global Cyber Intelligence Dashboard to auto-classify devices based on more than 150 attributes each. Crowdsourced with anonymized insights from more than 3,500 global customer deployments and 11 million devices, the repository contains data on over 500 operating systems, and 5,000 device vendors and models – and counting.
What to look for in a device visibility and cyber asset management solution
Automated network security, including device visibility, is rapidly evolving. Both vendors and organizations use terms differently; don’t hesitate to ask what they mean. Scanners are a great example. Does the tool ping sweep the network or does it query the assets? When you say “network integration,” do you mean a mirror port or SNMP/CLI to network appliances? One hundred percent visibility with a few mirror ports across a globally distributed environment? Double click on that.
Don’t let vendors hide behind misconstrued terms. Complete visibility requires a combination of the techniques described here, at least for now. If someone says you only need one or two, challenge them.
Here are four qualifying questions to protect you. The first two are no-brainers:
- Does it integrate easily with our existing infrastructure and tools? Network security is already complex. There’s no need to add more complexity.
- Is it technology agnostic, or do we have to buy a proprietary platform? Visibility should enhance the value of your current investments, not add unnecessary cost.
- How quick is the time to value? For a comprehensive visibility solution, continuous discovery should bring value within days of deployment – you can now see everything on your network! For large, complex environments, expect full value from continuous classification and assessment in just over a month, on average. There is a difference between seeing “everything” and “E-V-E-R-Y-T-H-I-N-G” on your network. Claims of one day, one sensor, one cable, full visibility should be heavily vetted.
- Can it automatically synchronize all device information in our CMDB? To serve as a single source of truth for asset management, your CMDB must be continuously refreshed with real-time information from your visibility solution. It cannot do that on its own.
Play for keeps – don’t lose your marbles
Visibility and asset management lay the foundation for network security. You can’t protect what you can’t see. After a major ransomware attack or other high-profile breach in the news, many cyber leaders feel pressured to aim straight for zero trust. Not so fast – you’re likely to overshoot and lose all your marbles.
As your organization matures, security initiatives become more complex and time consuming, so it’s important to build one upon the other. You need a strong, unwavering foundation. Start with total visibility.
Before you can secure your network, you need to see the full extent of your attack surface. Learn why total visibility is the master key to zero trust.
About the Author
A. J. Dunham has deployed more than 150 Forescout installations and currently architects customer strategies to address growing IT, IoT, IoMT and OT/ICS challenges at enterprise scale. He holds a bachelor’s degree in computer networking and information security from NSA-accredited Champlain College and a master’s degree in information assurance from Northeastern University.