Know What to Protect and Why
In my last article, I discussed the importance of walking the terrain, or knowing your network. I suggested beginning at the at high level: identify your sites, then group your assets by site or facility. This is a great place to start understanding your network because network controls tend to be fairly static. However, discovering network devices like routers often leads to discovering subnets and previously unknown endpoints.
These this begs two questions: Why should I care about my endpoint inventory? What should I do with this data?
Maintaining accurate endpoint inventory data is a daunting task. In modern environments, endpoints are changing all the time. In fact, endpoint entropy continues to grow exponentially. We need to prioritize. There are two aspects of endpoint inventory security professionals should focus on.
The first is to look at your network through the eyes of an adversary and ask, “What is most valuable?” In a military example this might be a bridge, an airfield, or a key logistics site. In the cyber world this might be your credit card holder data, your intellectual property, or the CFO’s laptop. Consider what an adversary might want to accomplish. Are you concerned about a nation state stealing intellectual property? Might someone want to disrupt your operations? Could organized crime try to extort money after encrypting your systems?
Most security professions believe that “everything is important.” While that’s true, we all have limited resources. We need to prioritize where to apply preventative technologies, which vulnerabilities to patch, and what incidents to investigate. It is imperative to identify the key data or systems in order to identify a control framework to protect them.
The second important aspect of endpoint inventory data is using it to maintain the accuracy of your operational systems. Many key security systems depend on the accuracy of endpoint data. Our customers almost always have a CMDB, vulnerability scanner, EDR agents, and a patching system. The numbers coming from these systems never agree. We see CMDBs that are about “80% accurate;” endpoints that aren’t being scanned; endpoints that are missing agents; and some endpoints that aren’t being patched. Being able to quickly see the difference between these operational systems will identify gaps in your operations. For example, if your EDR count is greater than the one from your vulnerability scanner, you can quickly identify the exact systems that are not being scanned. If the count you’re getting from your vulnerability scanner is greater than the one from your patching system, you can quickly identify systems not being patched. Organizations that operationalize this process aren’t just maintaining an inventory count, they’re ensuring a more accurate use of their key operational systems.