Mapping, Classification, and Categorization of Assets

Once assets have been discovered across the attack surface, classifying and categorizing them is the next crucial step. Ensure that the collected data incorporates all assets, including OT, cloud assets, and container infrastructure, in addition to traditional on-premises IT assets. If a Host Discovery Scan has not yet been launched in Tenable Vulnerability Management, navigate to Discover and Assess under Asset View, select a Discovery Method, and choose the appropriate connectors. Classify assets to scope third-party audits and ensure that only the appropriate assets are in scope. For example, the Payment Card Industry (PCI) mandates the PCI-DSS standard for assets that contain cardholder data. Organizations that are subject to third-party PCI audits can reduce the cost of an audit by limiting in-scope IPs to only the assets that contain cardholder data. In addition to reducing the cost of the audit, limiting the scope to assets that contain cardholder data is more likely to result in passing the audit: assets that do not contain cardholder data may not meet PCI control requirements and can introduce an unnecessary risk of negative audit findings.

Identification is the process of matching a set of attributes collected by a sensor, such as Nessus, to an existing asset. If Tenable Vulnerability Management is unable to find an existing asset that matches the incoming asset, it is treated as a new asset and added to the Tenable Vulnerability Management Asset View.

Each identification request is based on a list of key-value pairs representing properties that have been collected to determine how assets are identified as unique. Tenable Vulnerability Management uses a subset of these properties, called Identification Attributes (IA), to determine if an asset has been previously seen.

The current list of IAs is:

  • AWS EC2 Instance ID

  • Azure VM ID

  • GCP Instance ID

  • BigFix Asset ID

  • Tenable UUID

  • BIOS UUID

  • Network UUID

  • MAC Address

  • NetBIOS Name

  • Fully Qualified Domain Name (FQDN)

  • IPv4 address

IAs are ordered on a spectrum, from authoritative to speculative, based on their ability to accurately link a host to an existing asset. Internal IDs generated by cloud computing platforms, such as Amazon EC2, Microsoft Azure, and Google Cloud Platform (GCP), are 100% authoritative and unique. Every asset will have at most one value for an identifier in this class.

MAC Address, NetBIOS name, FQDN, and IPv4 address are considered network-specific, meaning their value depends on the network on which the asset resides. For a host with the same MAC Address, NetBIOS name, FQDN, or IPv4 address to be matched to an existing asset, it must belong to the same defined Network in Tenable Vulnerability Management; the same value seen in a different Network identifies a different asset. For more information related to Networks, please refer to the Networks section of the documentation.
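The following is an added example, not Tenable's code, that models how the ordered list of Identification Attributes decides whether an incoming host record is an existing asset: authoritative IDs are tried first, and the four network-specific IAs only match within the same Network. The field names, the record shape, and the sample inventory are assumptions made for illustration.

```python
"""Added example (not Tenable's code): a toy model of Identification Attribute
matching. Field names and the sample inventory are assumptions for illustration."""

# IAs in the page's order, from authoritative to speculative.  The last four are
# network-scoped: they only match an asset that lives in the same Tenable Network.
IDENTIFICATION_ATTRIBUTES = [
    ("aws_ec2_instance_id", False), ("azure_vm_id", False), ("gcp_instance_id", False),
    ("bigfix_asset_id", False), ("tenable_uuid", False), ("bios_uuid", False),
    ("network_uuid", False), ("mac_address", True), ("netbios_name", True),
    ("fqdn", True), ("ipv4", True),
]

def match_asset(incoming, inventory):
    """Return the index of the first asset matching the incoming record, or None.
    More authoritative IAs are tried first, so a cloud instance ID wins even when
    the IP has changed; network-scoped IAs also require the same 'network' value."""
    for attr, network_scoped in IDENTIFICATION_ATTRIBUTES:
        value = incoming.get(attr)
        if not value:
            continue
        for idx, asset in enumerate(inventory):
            if asset.get(attr) != value:
                continue
            if network_scoped and asset.get("network") != incoming.get("network"):
                continue  # same IP/MAC/FQDN in another Network is a different asset
            return idx
    return None

def identify(incoming, inventory):
    """Merge the record into the matched asset, or append it as a new asset.
    Returns ('existing' | 'new', index into inventory)."""
    idx = match_asset(incoming, inventory)
    if idx is None:
        inventory.append(dict(incoming))
        return "new", len(inventory) - 1
    inventory[idx].update(incoming)
    return "existing", idx

def run_demo():
    # Constructed sample inventory: one EC2 host and two on-prem hosts that share
    # the private address 10.0.0.5 but sit in different Tenable Networks.
    inventory = [
        {"aws_ec2_instance_id": "i-0abc123", "ipv4": "10.1.2.3", "network": "AWS-Prod"},
        {"ipv4": "10.0.0.5", "fqdn": "db01.site-a.example", "network": "Site-A"},
        {"ipv4": "10.0.0.5", "fqdn": "web01.site-b.example", "network": "Site-B"},
    ]
    results = [
        identify({"aws_ec2_instance_id": "i-0abc123", "ipv4": "10.1.2.99", "network": "AWS-Prod"}, inventory),
        identify({"ipv4": "10.0.0.5", "network": "Site-B"}, inventory),  # matches asset 2, not 1
        identify({"ipv4": "10.0.0.5", "network": "Site-C"}, inventory),  # no match: new asset
    ]
    return results, inventory
```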

Query the Tenable Vulnerability Management API to identify additional asset attributes. Data returned from the various Tenable Vulnerability Management API endpoints can be filtered based on asset attributes. Tenable Vulnerability Management also allows organizations to export asset details that include these attributes. Whether an asset attribute is supported as a filter or included in an export depends on the API endpoint in use. For a full list of asset attributes, consult the Common Asset Attributes document page. For more information on using the API to retrieve asset data from Tenable Vulnerability Management, please refer to Retrieving Asset Data From Tenable Vulnerability Management. For information on using the API to list assets, get individual asset information, import assets, and check the status of asset import jobs, reference the API Documentation for Assets. For more information about asset management, see the Assets section of the Tenable Vulnerability Management User Guide.

As assets are identified, it is strongly recommended to categorize and group them using static and dynamic tags, as well as Access Groups for permissions. Grouping assets together enables organizations to scan specific targets and to control which users or groups can view and interact with specific assets. For additional information, review: Access Groups

Identify and Categorize OT Devices

OT Security customers have access to OT plugins in the 500000-599999 range. The Device Type value is collected from OT devices using these OT Security plugins. The values returned in the plugin output are not controlled by OT Security, but by the hardware vendor. For example, to identify all OT Controllers and modules, the following filter can be used:

  • Plugin ID: 500000-599999

  • Severity: INFO

  • Plugin Output contains: superType: "Controllers"

OT assets can be tagged using the Plugin Output filter for the following categories:

  • PLCs, Comm Adapters, IO Modules: category: "ControllersCategory"

  • Everything else: category: "NetworkAssetsCategory"

  • Cameras, Badge Access, UPS, Printers, non-ICS devices that are not IT-type: category: "IotCategory"
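The following is an added example, not OT Security's code, that applies the filter described above to a set of findings: it keeps plugins in the 500000-599999 range with INFO severity, reads the `category` value from the plugin output, and assigns a tag per category. The finding record shape, the tag names, and the sample plugin outputs are constructed for illustration.

```python
"""Added example (not OT Security's code): tagging OT assets from plugin output.
The finding format, tag names and sample outputs are constructed for illustration."""
import re

OT_PLUGIN_RANGE = range(500000, 600000)  # OT Security plugins: 500000-599999
CATEGORY_TAGS = {
    "ControllersCategory": "OT:Controllers",      # PLCs, comm adapters, IO modules
    "NetworkAssetsCategory": "OT:NetworkAssets",  # everything else
    "IotCategory": "OT:IoT",                      # cameras, badge access, UPS, printers
}
# matches 'key: "value"' pairs such as superType: "Controllers"
FIELD_RE = re.compile(r'(\w+):\s*"([^"]*)"')

def parse_plugin_output(text):
    """Turn the 'key: "value"' pairs in a plugin output into a dict."""
    return dict(FIELD_RE.findall(text))

def tag_ot_assets(findings):
    """Return {asset: set(tags)} for findings passing the page's filter:
    OT plugin ID range, severity INFO, and a recognised category in the output."""
    tags = {}
    for f in findings:
        if f["plugin_id"] not in OT_PLUGIN_RANGE or f["severity"] != "INFO":
            continue
        fields = parse_plugin_output(f["plugin_output"])
        tag = CATEGORY_TAGS.get(fields.get("category"))
        if tag:
            tags.setdefault(f["asset"], set()).add(tag)
    return tags

def demo_ot_tags():
    findings = [  # constructed sample findings
        {"asset": "plc-01", "plugin_id": 500123, "severity": "INFO",
         "plugin_output": 'superType: "Controllers"\ncategory: "ControllersCategory"'},
        {"asset": "cam-07", "plugin_id": 500456, "severity": "INFO",
         "plugin_output": 'superType: "Camera"\ncategory: "IotCategory"'},
        {"asset": "sw-02", "plugin_id": 500789, "severity": "INFO",
         "plugin_output": 'category: "NetworkAssetsCategory"'},
        {"asset": "srv-09", "plugin_id": 12345, "severity": "INFO",  # IT plugin: ignored
         "plugin_output": 'category: "ControllersCategory"'},
    ]
    return tag_ot_assets(findings)
```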

Addressing Unauthorized Assets

Unauthorized assets, or shadow assets, are assets that are unknown or not currently present in the asset inventory. These assets are typically left unpatched and unprotected, making them an open target for exploitation and a pivotal entry point from which an attacker can move through the network to reach critical assets and sensitive data.

Evaluate new assets that have recently been discovered or have not been assessed to determine whether they should be included in the organization’s asset inventory. Assess or remove these assets within 24 hours of detection.

For more information on identifying assets that have not been assessed, see: Identify Assets That Have Not Been Assessed.