The first step in almost every security framework is to take inventory of what you have: SANS, PCI, NIST, you name it. Why? You need to know what you have in order to protect it.
Asset discovery and inventory is as basic as it gets in cybersecurity, yet many organizations still struggle to get an up-to-date and accurate view of their cyber assets. However, it is critical to get this right.
Endpoint discovery and inventory are like the bedrock on which the foundation of good security lies. It’s good to know the topography and where the hidden hazards lie. If you’re not getting the basics right, it’s going to be difficult to get the rest of your security program right.
Advanced threats and insiders, as well as plain old misconfiguration errors, have shown us that you can no longer trust that every endpoint connected to your network is authorized and used solely for legitimate purposes.
It’s often difficult to know where the virtual property lines are, and where your property—or area of responsibility—begins and ends.
Multi-segmented networks, which may be separated for security reasons or because they are in physically separate locations, can make discovery and inventory difficult, especially when dynamic and overlapping IP address spaces are involved. Performing discovery and inventory on partner networks aggravate this problem further by adding more segments to the scope.
Some discovery and inventory solutions simply use IP addresses to uniquely identify endpoints. However, when the address changes, or when it is used on more than one network, an IP address is not a reliable identifier.
If the solution does not detect a change in IP address for an endpoint, the system may incorrectly begin tracking the same host as another entity, potentially leading to bad data and false conclusions about the endpoint population.
Surveying the Land
When developing an endpoint detection and response program, evaluate how endpoints will be discovered and inventoried in conjunction with the program. You may need to consider discovery and inventory capabilities included with endpoint detection and response solutions, as well as how those solutions integrate with other asset discovery and inventory solutions.
Here are some considerations for how discovery and inventory will fit into your endpoint detection and response program:
How will newly discovered endpoints get on-boarded to your endpoint detection and response program?
How will your discovery and inventory solution integrate with your existing inventory tools like a CMDB?
Will you use the discovery capability of your vulnerability management solution to feed your endpoint detection and response program?
Will the discovery and inventory solution generate tickets for newly discovered endpoints?
Will you perform continuous discovery and inventory of endpoints? Periodic? On-demand? A hybrid approach depending on the asset?
What information, in addition to IP addresses, will you use to uniquely track endpoints?
How does the solution support discovery and inventory of endpoints on multiple network segments and locations from a central location?
How does the solution behave when discovering endpoints on networks with overlapping IP address spaces?
Will you use asset tagging to track and apply policies for monitoring, detection and response?
Call Before You Dig
Endpoint discovery is just like a survey and utility location service – they can help you get to work building an endpoint detection and response program that is safe and within regulations.
Building on shaky ground will only cause problems down the road, while a rock solid plan will prevent headaches and save money and sanity by automating manual processes that save time and eliminate errors.
Interested to know more? Get your FREE copy of EDR for dummies here.
Title image courtesy of ShutterStock