Taking a first step seems easy, but where exactly do we start? If you ask around, there are a ton of people with ideas ready to help out, and you might even settle on a good industry standard.
First, and I do mean first, get prepared to find out things you don’t know (I do every time). It’s totally okay and even cool, because discovering things is the whole point of understanding how to secure what you have.
In addition, you will most likely need some help, because there are a lot of little parts that are not readily apparent, so prepare to learn and rework… understand that this entire process is not a one-time event, but an ongoing iterative methodology that will become part of what you do and how you think about your environment.
Don’t write it in stone the first, second or third time through, and don’t follow someone else’s process verbatim, because you have specific needs and should see them met… the way you need them met.
What’s in Scope?
For me it made sense to start with what’s in scope, like the Council on Cyber Security model. So, how about every asset purchased, or every asset that has power attached to it? But I’m not sure anymore what and where they all are, so I’m going to need to figure that out. I’m getting ready for step one and already have a step and a half.
We need to do some discovery and probably have a couple of meetings to figure out our network topology and decide how to scan for assets (yeah sure, don’t tell me you have a current topology map of your network). I break out my IP360 setup (or something not as cool), staple it into my environment based on the meetings we had, and set it for a scan with OS detection only.
This is a fair way to identify assets quickly and get an understanding of how many there are and where they are. With the first set of results we can start the real work: figuring out what each of these IPs is and who is responsible for its presence.
Where Are We Going to Put All This Info?
Since I’d rather not start from scratch every time I scan, and I’d also rather not be the only person who knows what these discovered assets are, I’m looking for a place to keep this output.
The answer can become an entire project of its own, or it can be a simple list, some tags, a spreadsheet (or not), and it may even leverage something you already have in place. This list is valuable, to you and to those who would like to use you, so keep it safe, but not too secret. Some of your peers could get a lot of use from the data.
If you have a service desk or a CMDB, that would be great. If you don’t, it’s not a problem; we’ll capture the data in CSV and move on. If you have something in place that already monitors your environment (like CCM or Tripwire Enterprise), you can apply the asset attributes you find while scanning to groups, profiles or tags.
We have output! Great, more data… Well, at least this data has a purpose. First, let’s review the format and decide a few things: how often should we collect and compare against the last scan, and who will have access to it (we can automate these steps with Tripwire)?
The assets in this data just need to have something in common with your environment to answer Cyber Security Control 1: Inventory of Authorized and Unauthorized Devices. Let’s take the CSV and add a couple of columns:
- Why is this asset here? and
- Who do I call about this asset?
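The scan-then-compare loop described above, as an added example (not the post’s own tooling or an IP360 export format): the previous inventory, with the two added columns, and this week’s OS-detection-only scan are both constructed sample CSVs embedded inline. The script flags IPs that have never been inventoried (unauthorized until someone claims them), IPs that have dropped off the network, and known IPs whose purpose or owner column is still blank, then writes the next inventory with first-seen and last-seen dates so the iteration can continue.

```python
import csv
import io

# Constructed sample: last iteration's inventory, with the two added columns.
# db01 has a purpose but nobody has claimed ownership yet.
PREVIOUS_INVENTORY_CSV = """ip,hostname,os,purpose,owner
10.0.1.10,web01,Linux 3.x,public web server,web team
10.0.1.11,db01,Linux 3.x,customer database,
10.0.1.50,printer-2f,Embedded,2nd floor printer,facilities
"""

# Constructed sample: this week's OS-detection-only scan, exported to CSV.
SCAN_CSV = """ip,hostname,os
10.0.1.10,web01,Linux 3.x
10.0.1.11,db01,Linux 3.x
10.0.1.77,,Windows 7
10.0.1.78,nas-dev,Embedded
"""

INVENTORY_FIELDS = ["ip", "hostname", "os", "purpose", "owner", "first_seen", "last_seen"]


def load_rows(csv_text):
    """Parse CSV text into a dict keyed by IP address (one row per asset)."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def compare_scan(previous, scan):
    """Classify scanned IPs against the last inventory.

    new     -> answering now, never inventoried (Control 1: unauthorized until claimed)
    missing -> inventoried but not answering now (decommissioned, moved, or just down)
    unowned -> known IPs whose purpose or owner column is still blank
    """
    prev_ips, scan_ips = set(previous), set(scan)
    new = sorted(scan_ips - prev_ips)
    missing = sorted(prev_ips - scan_ips)
    unowned = sorted(ip for ip in scan_ips & prev_ips
                     if not previous[ip].get("owner") or not previous[ip].get("purpose"))
    return {"new": new, "missing": missing, "unowned": unowned}


def merge_inventory(previous, scan, today):
    """Build the next inventory: scan facts refreshed, purpose/owner carried over,
    new assets inserted with blank purpose/owner so someone has to fill them in.
    Assets that did not answer keep their old row so nothing silently disappears."""
    merged = []
    # Sort dotted quads numerically rather than as strings.
    for ip in sorted(set(previous) | set(scan), key=lambda s: tuple(int(o) for o in s.split("."))):
        prev = previous.get(ip, {})
        cur = scan.get(ip)
        facts = cur or prev
        merged.append({
            "ip": ip,
            "hostname": facts.get("hostname", ""),
            "os": facts.get("os", ""),
            "purpose": prev.get("purpose", ""),
            "owner": prev.get("owner", ""),
            # Older inventories without a first_seen column get today's date.
            "first_seen": prev.get("first_seen") or today,
            "last_seen": today if cur else prev.get("last_seen", ""),
        })
    return merged


def to_csv(rows):
    """Serialize inventory rows back to CSV text for the next comparison."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=INVENTORY_FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def run(previous_csv=PREVIOUS_INVENTORY_CSV, scan_csv=SCAN_CSV, today="2014-10-01"):
    """One iteration: compare the scan against the last inventory and produce the next one."""
    previous, scan = load_rows(previous_csv), load_rows(scan_csv)
    return compare_scan(previous, scan), merge_inventory(previous, scan, today)


if __name__ == "__main__":
    diff, merged = run()
    for label in ("new", "missing", "unowned"):
        print(f"{label:8s} {', '.join(diff[label]) or '-'}")
    print(to_csv(merged))
```

The "new" and "unowned" lists are the follow-up work for the next meeting: every entry in them needs a name in the owner column and an answer to "why is this asset here" before the next scan, and the "missing" list is worth a phone call before the row is dropped.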
That’s more than enough work to get you started and on your way. It’s not everything, but it’s a good start on Control 1. Remember all of those iterations from earlier? One, two, three… Security!