Asset Inventory Analysis and Review
Use the following steps to analyze the business environment and lay a foundation for asset identification.
Identify and prioritize business-critical services and applications. This is a crucial step to ensure that assets are categorized by their significance to the organization. This includes items such as:
Lists of known assets: if the organization does not have a current list of devices, one can be created from SIEM-collected DHCP logs or other similar sources that track assets.
Identify service and application owners and other stakeholders. This step is crucial if any questions arise during the discovery or classification phase, when new assets are discovered or assets are removed. For example, database teams know how many database servers are in operation, disaster recovery teams know how many failover devices are installed at each location, and web development and core infrastructure teams know where their devices are located.
Gather any applicable compliance requirements to ensure that identified assets are grouped together for compliance purposes. This may include devices that store or process financial information or health-related information, as there are specific regulatory requirements associated with this type of information. Finally, define a remediation workflow for how the organization will assess, analyze, and remove unauthorized devices.
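As an added example (not part of the Tenable documentation), the following Python script shows how the DHCP-log approach above can produce a working asset list and feed the remediation workflow: it builds an inventory from constructed dhcpd-style syslog lines and reconciles it against a constructed known-asset list, flagging devices no team has claimed. The log format, MAC addresses, hostnames, and team names are assumptions.

```python
import re

# ISC dhcpd-style syslog lines as a SIEM would collect them (constructed sample, not a real capture)
DHCP_LOG = """\
Mar 10 08:01:12 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (FIN-DB01) via eth0
Mar 10 08:03:44 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.22 to 00:1a:2b:3c:4d:60 (WEB-02) via eth0
Mar 10 08:05:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.77 to 5c:6d:7e:8f:90:a1 via eth0
Mar 10 09:15:30 dhcp1 dhcpd[812]: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (FIN-DB01) via eth0
Mar 10 09:40:11 dhcp1 dhcpd[812]: DHCPRELEASE of 10.20.1.22 from 00:1a:2b:3c:4d:60 (WEB-02) via eth0
"""

ACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]*)\))? via"
)
REL_RE = re.compile(r"DHCPRELEASE of (?P<ip>[\d.]+) from (?P<mac>[0-9a-f:]{17})")

def build_inventory(log_text):
    """Return {mac: {"ip", "hostname", "last_seen", "released"}} built from DHCP log lines."""
    inv = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:  # a granted lease: record the latest IP and time the device was seen
            rec = inv.setdefault(m["mac"], {"hostname": None, "released": False})
            rec.update(ip=m["ip"], last_seen=m["ts"], released=False)
            if m["host"]:
                rec["hostname"] = m["host"]
            continue
        r = REL_RE.search(line)
        if r and r["mac"] in inv:  # lease handed back: ask the owner before removing the asset
            inv[r["mac"]]["released"] = True
    return inv

def reconcile(inventory, known_assets):
    """Split the inventory by MAC into devices no team owns and CMDB entries never seen on DHCP."""
    unauthorized = sorted(mac for mac in inventory if mac not in known_assets)
    not_seen = sorted(mac for mac in known_assets if mac not in inventory)
    return {"unauthorized": unauthorized, "not_seen": not_seen}

# Constructed known-asset list as service owners or a CMDB export would supply it (MAC -> owning team)
KNOWN_ASSETS = {
    "00:1a:2b:3c:4d:5e": "database-team",
    "00:1a:2b:3c:4d:60": "web-dev",
    "00:1a:2b:3c:4d:99": "core-infra",
}

if __name__ == "__main__":
    print(reconcile(build_inventory(DHCP_LOG), KNOWN_ASSETS))
```

The "unauthorized" list is the input to the remediation workflow; the "not_seen" list is worth raising with the owning team, since a device in the CMDB that never takes a lease may be static-addressed, offline, or already retired.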
Third-Party Integrations, Non-Traditional Assets, and Modern IT Assets
Organizations need a method to detect non-standard, sensitive, and ephemeral assets. Various methods can be used to detect non-standard assets, such as Operational Technology (OT) and ephemeral cloud assets.
Operational Technology (OT) is commonly found across many industries including manufacturing, utilities (oil, gas, electric), maritime, rail, and aviation. Due to the convergence of IT and OT and the adoption of Industrial IoT (IIoT), IT environments can contain OT, and OT environments can contain IT. OT includes various types of devices, such as Industrial Control Systems (ICS), Human Machine Interfaces (HMIs), network devices, and IIoT. ICS, which includes Programmable Logic Controllers (PLCs), IO Modules, and Communication Adapters, control processes that, if breached, could result in outages of critical components. An attack against OT systems could have significant impact or cause loss of life.
Tenable.ot has the ability to communicate with and passively monitor OT devices in each device's proprietary protocol to create an asset inventory. Tenable.ot can be configured and customized to the requirements of each unique environment. For more information about Tenable.ot, reference the Tenable.ot Product Page.
Tenable.io ServiceNow Integration
The Tenable.io Assets View integrates with the ServiceNow Configuration Management Database (CMDB). The ServiceNow Identification Reconciliation Engine (IRE) reconciles the assets pulled in from Tenable.io and matches each asset to existing Configuration Items (CIs) to enrich the record with Tenable-discovered data and create a unified view of assets. This information can be used to create a more comprehensive asset inventory and vulnerability scanning strategy. For more information, reference: Tenable for ServiceNow Integration
Cloud Connector Integration
There are a number of Tenable.io Cloud Connectors available to assist with keeping an up-to-date, accurate asset count as cloud assets are deployed and decommissioned, such as: Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). For more information, reference: Tenable Cloud Connectors Documentation
Frictionless Assessment (FA) leverages the AWS Systems Manager Inventory and AWS Systems Manager Agent (SSM Agent) to collect various data points from AWS EC2 instances and create an inventory of EC2 instances. FA is agent-less and scanner-less, because the Tenable Cloud Connector queries the API of specified Amazon accounts for assets and changes in asset state. Organizations do not need to configure Nessus scanners, Nessus Agents, scans, or scan schedules to discover and assess assets with FA.
The most significant benefit of FA is the visibility of ephemeral cloud assets without the need to schedule scans or install scanners or agents. Every time an EC2 instance is provisioned in the AWS environment, the new asset is added to the Asset View in Tenable.io. The new asset can be automatically tagged as a new or rogue asset or tagged for more comprehensive scanning with a Nessus Scanner or Agent, if desired. If an AWS instance is decommissioned, Tenable.io will update the Asset View accordingly. FA Cloud Connector queries can be configured to poll for new assets as frequently as every 30 minutes to a maximum of seven days. FA requires the SSM Agent to be enabled and is limited to the vulnerabilities reported by the SSM Agent.
Data provided by FA includes:
Changes in IP, FQDN, MAC, DNS, Instance ID Information
AWS instance identification and configuration information
Shadow asset detection
EC2 instance patch levels
More information on configuring FA can be found in: Frictionless Assessment for AWS.