The diverse location of assets makes it challenging to discover and identify assets. Understanding where critical assets are and accurately inventorying assets is the crucial first step in Risk-Based Vulnerability Management (RBVM). Through credentialed scanning, assets can be reliably identified and attributes collected, which enables organizations to establish and validate inventory management. Tenable.io helps validate and collect information needed to maintain a healthy asset inventory. As assets are discovered, an organization can begin to establish an inventory, which can be used to assess and mitigate associated risks to the organization.
Attackers are not tied to a specific timezone and are continuously scanning the address space of target organizations, searching for new and possibly unprotected systems to be attached to the network. Transient devices, such as laptops or Bring-Your-Own-Device (BYOD) devices may be out of synchronization with security updates or already compromised providing a ripe attack vector. Often, hardware may be installed on the network one evening but not configured and patched with appropriate security updates until the following day, providing an easy target for exploitation. Devices that are not visible from the internet can be exploited by attackers who have already gained internal access and are hunting for internal pivot points.
Maintaining a comprehensive and up-to-date asset inventory is a fundamental and critical component of RBVM. Modern IT environments encompass on-premise, cloud infrastructure, mobile devices, ephemeral and transient assets, web applications, IoT devices, and more. Asset identification of all connected assets within an organization is a common baseline requirement in a number of security standards, such as NIST Special Publication 800-53 or General Data Protection Regulation (GDPR). Maintaining an asset inventory is also the critical first step in the Discovery phase of RBVM, allowing organizations to be more proactive. This document provides guidance to establish an asset inventory.
The first step of RBVM begins with asset discovery to identify and map every asset across the environment. Devices are detected through active scanning with Nessus and passive network analysis with Nessus Network Monitor to build a comprehensive list of assets and provide a clear picture of risk in the environment.
The Asset Inventory & Discovery (SEE) Tenable.io Dashboard displayed below provides guidance to establish an asset discovery, including:
Actively and passively detected assets
Asset discovery statistics
Detected web applications
Indications for device types (printers, cameras, routers, firewalls, WAPs)