May 29, 2023

Last Updated on January 15, 2024

Many organizations use a vulnerability management tool for the asset discovery component of their cyber asset management process. According to Huxley Barbee, Security Evangelist at runZero, these tools falter in today’s dispersed network environments.

“This comes down to the question of different solution approaches that have been attempted for asset discovery over the last 20 or 30 years,” Huxley describes. “There’s the use of agents, use of APIs, use of authenticated active scans, passive network monitoring, as well as unauthenticated active scans.”

Vulnerability management typically relies on authenticated active scanning: a network-based scanner attempts to log in to as many devices as possible. But how can you know the credentials for a device unless you are already managing it? That is the drawback of the authenticated active scan methodology.

Huxley clarifies: “The thing with asset inventory is there’s been a proliferation of devices and a divergence of environments, where all these devices are now all over the place: in the cloud, in the factory, in your IoT space, in addition to corporate IT.”


Decentralization of control

Along with that proliferation and divergence has come decentralization of control. With the rise of DevOps, the cloud and SaaS solutions, employees are adding large numbers of physical and virtual devices to their company’s attack surface without IT approval.

“So you have this situation where there are many, many unknown devices being created on the network,” Huxley adds. “And you have this solution approach that is optimized for managed IT devices against the backdrop of this proliferation of unknown things on the network, that authenticated active scan approach is falling short. And, by extension, vulnerability scanners are not going out there and finding the unknowns on your network.”


What about unauthenticated scans?

What about scanners that fall back to an unauthenticated mode when they encounter a device they can't log in to? That is better, but often very little data useful for asset classification or fingerprinting comes back.

Another issue with this approach, especially when scanning through a firewall, is the discovery of phantom or duplicate assets. That is not ideal when you're paying for tools that charge per asset.


Getting to zero unknown assets

“A cyber asset is a compute device with all the details that a security team cares about,” Huxley defines. “When you’re missing all that context the security team cares about, it leaves a huge gap for security. We’re like, ‘I know this thing is something and it’s there, but should I worry about it? Should I prioritize it?’ No idea.”

How do you get to comprehensive, nearer to real-time awareness of your attack surface? runZero combines unauthenticated active scanning with an API integration with an EDR solution to bring in data about remote devices, and adds a research-based element on top of that.

“That allows us to say that we believe we are able to find everything on your network, no matter the type of device, whether it’s IT, OT, or IoT,” Huxley asserts. “And no matter the environment, whether that’s cloud or on-premises or in remote employees’ homes.”

What’s next?

For more guidance on this topic, listen to Episode 115 of The Virtual CISO Podcast with guest Huxley Barbee from runZero.