Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Vulnerability Management Fundamentals: How to Perform Asset Discovery and Classification

In part two of our five-part series on Vulnerability Management fundamentals, we explore the essentials of asset discovery and classification, which is the first step in the Cyber Exposure lifecycle.

Maintaining a comprehensive and updated asset inventory is a fundamental and critical component of Vulnerability Management (VM) programs. This fact is reinforced by industry standards and best practices. For example, the Center for Internet Security (CIS) lists Inventory of Authorized & Unauthorized Devices and Inventory of Authorized & Unauthorized Software as the top two cybersecurity controls in its Critical Security Controls (CSC) list. 

Although an asset can be any item of perceived value to an organization, for the purposes of this blog, we’ll focus on computing assets such as web or email servers, desktops, laptops, mobile devices, cloud services, network devices, OT devices, databases and web applications.

In global IT environments spanning on-premises and cloud, maintaining an asset inventory is anything but simple. So where do you start? While there is no one-size-fits-all answer, the process begins with a comprehensive discovery and classification by business and security criticality.

Before you use any sophisticated tools, talk to the network management and IT teams in your organization. They very likely have IP address ranges and and databases of all authorized assets across the organization. 

Here are six discovery questions to ask as a starting point:

  1. Where are your business offices and network infrastructure sites, including failover and backup sites, located? 
  2. What are the key web applications, operating systems, software packages and databases supported by the IT organization? 
  3. What types of assets (IT/OT, physical, software, mobile, development) are used by the company?
  4. Do you have an asset management tool or a database of all assets owned by the organization? 
  5. Do you use an asset and data classification policy to enforce security and access controls?
  6. Which assets, applications and data are considered critical for the organization? 

Not all assets are equally important...

Once you’ve captured the above inputs, the end result will likely be a list or a database of IP address ranges and DNS records. That is a good first step. It is a good idea to start asset classification right away to help you prioritize next steps in the VM lifecycle. Remember, not all assets are equally important. A public web server running your e-commerce site is far more business critical and vulnerable to attacks than internal desktops are. 

Data and asset classification policy should be an integral part of any security policy. You should define and consistently use that policy across the organization, not just for vulnerability management, but for all security operations, such as access control, application of security controls and data retention.  

Now, start digging

Do you know what exists at those IP addresses, hostnames and URLs? At this stage you need to leverage some discovery tools to scan your network and applications to detect assets.  

Here are some asset discovery questions to consider when selecting a VM product: 

  1. What asset attributes can it detect? Just detecting an asset at an IP address is not enough. Can it detect operating systems, application types and technology, and open ports?
  2. Can it scan different types of infrastructures? Can it be integrated into your DevOps process for continuous discovery? Can it scale to handle a large number of assets? 
  3. Can it passively monitor network traffic to detect assets connecting to your network that may not be officially authorized by your organization?

Here today, gone tomorrow.

Periodic scanning provides a point-in-time view of your environment, but there may be some blind spots. For example, assets that are short-lived, turned off, temporarily connecting to you network or not accounted for in your original IP address blocks may be undetected. This emphasizes the need for a continuous discovery approach, which includes:

  • Baking discovery into the DevOps process; 
  • Leveraging software agents installed on the assets; and
  • Passively monitoring the network. 

After you have a validated list of assets, do another round of classification. Organizations often classify and group assets based on the sensitivity of data or business criticality of applications supported by the asset. Assets are also grouped and classified based on internal asset management and asset ownership policies. 

For example, for VM purposes you may want to group assets based on who owns them, the operating system or applications they run, or their physical location. Most modern asset management and VM tools provide some form of tagging and grouping capabilities to help with proper manual and automated classification and grouping of assets. One of the most difficult problems in vulnerability management is identifying asset owners who will fix vulnerabilities. Try to make that identification early on in the process and tag assets based on ownership. 

Asset discovery and classification is a fundamental first step to help you focus on actions that result in maximum reduction of your cyber risk. Watch this on-demand webinar to learn more about asset discovery best practices and find out how Tenable can help you on your journey. 

In part one of our five-part series on Vulnerability Fundamentals, we explored the first four stages of the Cyber Exposure Lifecycle. In part three, we’ll discuss the essential tactics involved in the “Assess” stage. 

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training