
What Is Asset Discovery?
Asset discovery is the ability to provide visibility of all devices located within an organization with limited or no human interaction. Most organizations often attempt to manually create a list of their assets in a shared document, such as a spreadsheet, or a small database, making changes whenever a new device is either added or removed.
This process is deceptively manageable when organizations are relatively small and not that complex. However, this method becomes very flawed, not only when organizations or networks begin to grow. One of the main pain points with this methodology is time. Keeping these lists updated often becomes a full-time job. Another problem is that of invisible assets as a result of Shadow IT.
Fortunately, most organizations have realized that device management is a critical part of their operations and security processes. Asset blind spots are a major security gap, as an organization cannot manage what it cannot see.
Many organizations have closed the asset security gap using a SIEM or log management solution. In many cases, these products fulfill a compliance requirement as well as maintaining good security practices. These tools can usually provide some form of asset discovery functionality without any additional cost – the difference being what level they provide out-of-the-box and how much they can be customized to fit the organization’s processes.
Standard Asset Discovery
Standard asset discovery methodologies usually involve polling endpoint devices across a network. This could consist of something as simple as a ping sweep across the network to see which devices respond. A more complex discovery technique tracks login attempts, revealing an inventory of connected applications. Although this approach can be effective, it requires a level of risk by allowing broad bi-directional requests across the network. This could also create network congestion.
Passive Asset Discovery
Another, possibly less taxing approach is to listen for normal broadcast traffic already occurring on a network, such as syslog messages that are generated from the network devices. This approach removes the threat of excessive network traffic, but it relies on the assumption that all the devices are enabled to send syslog data. This passive method also uses a dedicated network port, allowing better control of the traffic flow.
Both the standard and the passive asset discovery approaches require that a syslog message is captured by a log management solution and an asset is automatically created based on the data contained within the syslog itself, for example, a new source IP. This would be considered live data, since the log management solution would have to be “listening” when the syslog is broadcast in order to create the asset. If the log management solution missed the syslog for any reason, then the asset would never be created.
Fortunately, passive asset discovery enables organizations to create assets using not only live broadcast syslog data, but also historical data. A passive discovery method provides the ability to gather asset data from alternate data sources, such as archived syslog messages. Another approach would be to schedule this functionality to poll through archived data at a pre-defined date and time in order to reduce the load on the log management solution.
Another use-case involves the ability for geographically disparate organizations to copy over the local syslog archives to a central repository where they may then be processed. This could streamline the asset inventory process.
Asset Discovery in an ICS Environment
When applied to an Industrial Control System (ICS) environment, the benefits of passive asset discovery are significant. Data from all of the OT devices, even the ‘no touch’ Programmable Logic Controllers (PLC) can be catalogued without jeopardizing the environment. This is a giant step towards bridging the IT and OT world without compromising security barriers.
The IT organization could then utilize their resources and expertise in asset management and security best practices to alert OT of any newly discovered devices. IT could also monitor for potential patterns of interest that OT should be aware of, and again alert if the severity level goes above the organization’s acceptable threshold. Without passive asset discovery functionality, this cross-functional team methodology would be difficult to achieve, and could ultimately cost the organization a lot more money and resources due to duplicated work efforts. To learn more about passive asset discovery with Tripwire LogCenter for Industrial Control Systems, click here.