Asset Inventory Analysis and Review

Use the following steps to analyze the business environment and lay a foundation for asset identification.

Identify and prioritize business-critical services and applications. This is a crucial step to ensure that assets are categorized by their significance to the organization. This includes items such as:

  • Network diagrams

  • Lists of known assets. If the organization does not have a current list of devices, a list of assets can be created from SIEM-collected DHCP logs or other similar resources that track assets.

  • Deployment roadmaps

Identify service and application owners and other stakeholders. This step is crucial if any questions arise during the discovery or classification phase, when new assets are discovered or assets are removed. For example, database teams know how many database servers are in operation, disaster recovery teams know how many failover devices are installed at each location, and web development and core infrastructure teams know where their devices are located.

Gather any required compliance requirements to ensure that identified assets are grouped together for compliance purposes. This may include devices that store or process financial information or health-related information, as there are specific regulatory requirements associated with this type of information. Finally, define a remediation workflow for how the organization will assess, analyze, and remove unauthorized devices.
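The two steps above, building an asset list from SIEM-collected DHCP logs when no current list exists and feeding unauthorized devices into a remediation workflow, can be worked through in code. The following is an added example, not part of this guide and not Tenable code. It parses constructed ISC dhcpd-style syslog lines (not from any real environment), reconciles the discovered MACs against a constructed known-asset list that carries owner and compliance scope, groups authorized devices by compliance regime, and orders unauthorized devices for assessment. The log format, the `KNOWN_ASSETS` structure and the `PCI` label are assumptions of this example.

```python
import re

# Constructed sample of ISC dhcpd syslog lines as a SIEM might forward them
# (not taken from any real environment).
DHCP_LOG_LINES = """\
Mar 10 08:01:12 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (fin-db-01) via eth0
Mar 10 08:03:40 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.16 to 00:11:22:33:44:66 (web-03) via eth0
Mar 10 09:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.90 to de:ad:be:ef:00:01 (android-7f3a) via eth0
Mar 10 09:20:55 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (fin-db-01) via eth0
Mar 10 10:02:11 dhcp1 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
Mar 10 10:02:12 dhcp1 dhcpd[1234]: DHCPACK on 10.20.1.91 to aa:bb:cc:dd:ee:ff via eth0
"""

# Constructed stand-in for the organization's existing asset list, keyed by MAC.
# Owner and compliance scope are the fields the review steps above ask for.
KNOWN_ASSETS = {
    "00:11:22:33:44:55": {"owner": "database team", "compliance": ["PCI"]},
    "00:11:22:33:44:66": {"owner": "web development", "compliance": []},
}

# Only DHCPACK lines prove a lease was granted; DISCOVER/OFFER/REQUEST lines are ignored.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via",
    re.IGNORECASE,
)


def parse_dhcp_acks(log_text):
    """Build a MAC-keyed inventory from DHCPACK lines: current IP, hostname,
    last-seen timestamp, and how many leases were acknowledged."""
    inventory = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        entry = inventory.setdefault(
            mac, {"ip": None, "hostname": None, "last_seen": None, "acks": 0})
        entry["ip"] = m.group("ip")  # later ACKs overwrite: lines arrive in time order
        entry["hostname"] = m.group("host") or entry["hostname"]
        entry["last_seen"] = m.group("ts")
        entry["acks"] += 1
    return inventory


def reconcile(inventory, known_assets):
    """Split discovered devices into authorized (enriched with owner and compliance
    scope) and unauthorized (input to the remediation workflow), group authorized
    devices by compliance regime, and list known assets that never took a lease."""
    authorized, unauthorized, groups = {}, [], {}
    for mac, seen in inventory.items():
        if mac in known_assets:
            authorized[mac] = {**seen, **known_assets[mac]}
            for regime in known_assets[mac]["compliance"]:
                groups.setdefault(regime, []).append(mac)
        else:
            unauthorized.append(mac)
    # A known asset with no lease may be static, powered off or decommissioned:
    # a question for its owner rather than an automatic removal.
    not_seen = sorted(set(known_assets) - set(inventory))
    return {"authorized": authorized, "unauthorized": sorted(unauthorized),
            "compliance_groups": groups, "not_seen": not_seen}


def remediation_queue(report, inventory):
    """Order unauthorized devices for assessment, most recently seen first.
    The sample is a single day, so the syslog timestamp strings sort correctly."""
    return sorted(report["unauthorized"],
                  key=lambda mac: inventory[mac]["last_seen"], reverse=True)


if __name__ == "__main__":
    inv = parse_dhcp_acks(DHCP_LOG_LINES)
    rep = reconcile(inv, KNOWN_ASSETS)
    for mac in remediation_queue(rep, inv):
        d = inv[mac]
        print(f"UNAUTHORIZED {mac} ip={d['ip']} host={d['hostname']} last_seen={d['last_seen']}")
    for regime, macs in rep["compliance_groups"].items():
        print(f"{regime}: {macs}")
```

Keying on MAC rather than IP matters because a DHCP client keeps its MAC across lease renewals while its IP can change, as the two ACKs for `fin-db-01` show; the `acks` counter and `last_seen` field give the remediation workflow a first indication of whether an unauthorized device is a one-off visitor or a persistent presence.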

Third-Party Integrations, Non-Traditional Assets, and Modern IT Assets

Organizations need a method to detect non-standard, sensitive, and ephemeral assets. Various methods can be used to detect non-standard assets, such as Operational Technology (OT) and ephemeral cloud assets.

Operational Technology

Operational Technology (OT) is commonly found across many industries including manufacturing, utilities (oil, gas, electric), maritime, rail, and aviation. Due to the convergence of IT and OT and the adoption of Industrial IoT (IIoT), IT environments can contain OT, and OT environments can contain IT. OT includes various types of devices, such as Industrial Control Systems (ICS), Human Machine Interfaces (HMIs), network devices, and IIoT. ICS, which includes Programmable Logic Controllers (PLCs), I/O Modules, and Communication Adapters, control processes that, if breached, could result in outages of critical components. An attack against OT systems could have significant impact or cause loss of life.

Tenable.ot has the ability to communicate with and passively monitor OT devices in each device’s proprietary protocol to create an asset inventory. Tenable.ot can be configured and customized to the requirements of each unique environment. For more information about Tenable.ot, reference the Tenable.ot Product Page.

Tenable.io ServiceNow Integration

The Tenable.io Assets View integrates with the ServiceNow Configuration Management Database (CMDB). The ServiceNow Identification Reconciliation Engine (IRE) reconciles the assets pulled in from Tenable.io and matches each asset to existing Configuration Items (CIs) to enrich the record with Tenable-discovered data and create a unified view of assets. This information can be used to create a more comprehensive asset inventory and vulnerability scanning strategy. For more information, reference: Tenable for ServiceNow Integration.

Cloud Connector Integration

There are a number of Tenable.io Cloud Connectors available to assist with keeping an up-to-date, accurate asset count as cloud assets are deployed and decommissioned, such as: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). For more information, reference: Tenable Cloud Connectors Documentation.

Frictionless Assessment

Frictionless Assessment (FA) leverages the AWS Systems Manager Inventory and AWS Systems Manager Agent (SSM Agent) to collect various data points from AWS EC2 instances and create an inventory of EC2 instances. FA is agent-less and scanner-less, because the Tenable Cloud Connector queries the API of specified Amazon accounts for assets and changes in asset state. Organizations do not need to configure Nessus scanners, Nessus Agents, scans, or scan schedules to discover and assess assets with FA.

The most significant benefit of FA is the visibility of ephemeral cloud assets without the need to schedule scans or install scanners or agents. Every time an EC2 instance is provisioned in the AWS environment, the new asset is added to the Asset View in Tenable.io. The new asset can be automatically tagged as a new or rogue asset, or tagged for more comprehensive scanning with a Nessus Scanner or Agent, if desired. If an AWS instance is decommissioned, Tenable.io will update the Asset View accordingly. FA Cloud Connector queries can be configured to poll for new assets at intervals from every 30 minutes up to once every seven days. FA requires the SSM Agent to be enabled and is limited to the vulnerabilities reported by the SSM Agent.

Data provided by FA includes:

  • Changes in IP, FQDN, MAC, DNS, and instance ID information

  • AWS instance identification and configuration information

  • Operating System

  • System Type

  • Shadow asset detection

  • EC2 instance patch levels

More information on configuring FA can be found in: Frictionless Assessment for AWS.
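What FA does between two polls, namely adding newly provisioned instances, dropping decommissioned ones, recording changes in IP, FQDN, MAC and patch level, and tagging new assets as new or rogue, is illustrated by the following added example. It is not Tenable's code and does not call the Tenable or AWS APIs: it diffs two constructed poll snapshots of one account. The record shape, the field names (`ip`, `fqdn`, `missing_patches`, `ssm_agent`, and so on), the instance IDs and the `APPROVED` set standing in for a deployment roadmap or CMDB are this example's own assumptions, not the FA or SSM Inventory schema. Because FA is limited to what the SSM Agent reports, the example also lists instances that appear in the account without a reporting agent, which is how it models an assessment coverage gap.

```python
import copy

# Constructed poll results for one AWS account at two consecutive poll intervals.
# Field names are this example's own, not the FA or SSM Inventory schema.
POLL_T0 = {
    "i-0aaa111": {"ip": "10.0.1.10", "fqdn": "ip-10-0-1-10.ec2.internal",
                  "mac": "02:00:00:aa:00:01", "os": "Amazon Linux 2",
                  "system_type": "t3.medium", "missing_patches": 3, "ssm_agent": True},
    "i-0bbb222": {"ip": "10.0.1.11", "fqdn": "ip-10-0-1-11.ec2.internal",
                  "mac": "02:00:00:bb:00:02", "os": "Windows Server 2019",
                  "system_type": "m5.large", "missing_patches": 0, "ssm_agent": True},
    "i-0ccc333": {"ip": "10.0.2.5", "fqdn": "ip-10-0-2-5.ec2.internal",
                  "mac": "02:00:00:cc:00:03", "os": "Ubuntu 20.04",
                  "system_type": "t3.small", "missing_patches": 1, "ssm_agent": True},
}

POLL_T1 = copy.deepcopy(POLL_T0)
del POLL_T1["i-0ccc333"]                     # decommissioned between polls
POLL_T1["i-0aaa111"]["ip"] = "10.0.1.12"     # stop/start gave it a new private IP
POLL_T1["i-0aaa111"]["fqdn"] = "ip-10-0-1-12.ec2.internal"
POLL_T1["i-0bbb222"]["missing_patches"] = 2  # patch level regressed as new advisories were published
POLL_T1["i-0ddd444"] = {"ip": "10.0.3.7", "fqdn": "ip-10-0-3-7.ec2.internal",
                        "mac": "02:00:00:dd:00:04", "os": "Ubuntu 22.04",
                        "system_type": "c6i.large", "missing_patches": None,
                        "ssm_agent": False}   # no agent: nothing for FA to assess
POLL_T1["i-0eee555"] = {"ip": "10.0.1.20", "fqdn": "ip-10-0-1-20.ec2.internal",
                        "mac": "02:00:00:ee:00:05", "os": "Amazon Linux 2023",
                        "system_type": "t3.medium", "missing_patches": 0,
                        "ssm_agent": True}

# Constructed: instance IDs the deployment roadmap / CMDB says should exist.
APPROVED = {"i-0aaa111", "i-0bbb222", "i-0eee555"}

# Fields whose change between polls should update the asset record.
TRACKED_FIELDS = ("ip", "fqdn", "mac", "os", "system_type", "missing_patches")


def diff_polls(previous, current):
    """Return instances that appeared, disappeared, or changed between two polls.
    'changed' maps instance ID to {field: (old, new)} for tracked fields only."""
    new = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = {}
    for iid in set(current) & set(previous):
        delta = {f: (previous[iid][f], current[iid][f])
                 for f in TRACKED_FIELDS if previous[iid][f] != current[iid][f]}
        if delta:
            changed[iid] = delta
    return {"new": new, "removed": removed, "changed": changed}


def tag_new_assets(new_ids, approved):
    """Tag each newly seen instance 'new' if it was planned, else 'rogue'."""
    return {iid: ("new" if iid in approved else "rogue") for iid in new_ids}


def coverage_gaps(current):
    """Instances present in the account but not reporting through the SSM Agent:
    FA is limited to what the agent reports, so these carry no assessment data."""
    return sorted(iid for iid, rec in current.items() if not rec["ssm_agent"])


if __name__ == "__main__":
    delta = diff_polls(POLL_T0, POLL_T1)
    print("new:", tag_new_assets(delta["new"], APPROVED))
    print("removed:", delta["removed"])
    for iid, fields in delta["changed"].items():
        print("changed:", iid, fields)
    print("no SSM Agent:", coverage_gaps(POLL_T1))
```

The instance ID is the stable key here for the same reason the MAC is in the DHCP case: `i-0aaa111` keeps its identity across a private IP and FQDN change, so the diff reports an updated record rather than one decommissioned asset and one rogue asset, and the `rogue` tag is reserved for an instance nobody planned.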