Visibility is Key when defending the enterprise - HIDE & Seek


Enterprise cyber security can be daunting with so many systems to consider, both internal and public Internet facing.

Something which on the surface seems simple is asset profiling and system visibility: knowing what we have to secure is a good step in the right direction.


Visibility is of paramount importance. It helps us understand what we have to secure.

In our experience, visibility reduces as an organization grows towards enterprise level: there are more systems to secure, both physical and virtual, and more change/flux occurring more frequently.

The ability to understand what systems and services (assets) are enabled and exposed to both internal users and the public Internet is key, given that we cannot secure assets we are not aware of.

Having visibility of your estate is important, given that many such assets contain sensitive organizational data, or are ingress points to such data and systems, and require an adequate level of security management applied to them.

A common challenge as organizations grow is maintaining an asset register and asset inventory, a bill of components, and a categorization of the assets used by the organization.

Understanding the purpose and criticality of an organization's assets drives the level of security which must be applied to a given asset; a risk-based approach.

Without visibility of one's estate, applying adequate cyber security measures can be an impossible task.

6 Key requirements for continuous asset profiling:

  1. Live intelligence delivered to the correct locations in a timely manner is a requirement for continuous asset profiling.
  2. Custom event alerting when something of interest is discovered
  3. Frequent updates to information
  4. Continuous profiling across individual systems and CIDR ranges
  5. Ability to Search and filter for specific attributes
  6. Ability to automatically add and profile new hosts as they are deployed


Let's look into each of these requirements in more detail.
At edgescan we have been delivering and evolving HIDE (Host Index Discovery and Enumeration) since 2015 to address such requirements.

1. Live feeds are important so that you have operational intelligence as changes occur. Once an event occurs, we care about who we need to inform. Sending event information via email, SMS, Slack, WebHook or API is important, as we need to post the information to the correct dashboard so we are made aware of the event in a timely manner.

2. Custom alerting is important, as your enterprise may have particular event types which are deemed worth reporting. Examples of such could be:
  • A new server / IP goes live since the last profile cycle.
  • A service or IP appears to be non-responsive.
  • A new service or firewall change has occurred on any asset profiled.
  • An asset tagged with a specific profile undergoes a defined profile change.
  • A specific port is exposed to the public Internet which should not be exposed.

3. Frequent updates to the asset profile are important. This in effect translates to how frequently your assets are being profiled, and across which protocols. The more frequent the better.

4. Continuous profiling across individual systems and CIDR ranges
Continuous profiling to constantly detect change, coupled with CIDR (IP range) assessment, detects any change to any IP within an enterprise IP range. This approach (as opposed to only assessing specific IP addresses) helps with discovery of new hosts, rogue deployments and possibly data exfiltration points, as the profiling covers both "live" IPs and unused IPs which may become live over time.
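As an added example of the custom alerting described in point 2, driven by the per-cycle CIDR profiling in point 4 (this is illustrative code, not edgescan's or HIDE's own): two constructed snapshots of one range are compared and the event types listed above are emitted. The snapshot format, the forbidden-port policy and the watched tag are assumptions for the example.

```python
import ipaddress

# Constructed sample snapshots of one profiled range (not real edgescan data):
# ip -> {"status": "alive"|"dead", "ports": open TCP ports, "tags": asset tags}
PREVIOUS = {
    "203.0.113.10": {"status": "alive", "ports": {22, 443}, "tags": {"Critical-Asset"}},
    "203.0.113.11": {"status": "alive", "ports": {80, 443}, "tags": set()},
    "203.0.113.12": {"status": "alive", "ports": {443}, "tags": set()},
}
CURRENT = {
    "203.0.113.10": {"status": "alive", "ports": {22, 443, 3389}, "tags": {"Critical-Asset"}},
    "203.0.113.11": {"status": "dead", "ports": set(), "tags": set()},
    "203.0.113.12": {"status": "alive", "ports": {443}, "tags": set()},
    "203.0.113.20": {"status": "alive", "ports": {22}, "tags": set()},  # previously unused IP, now live
}

# Assumed policy for the example: ports that must never be exposed on this range,
# and the tag whose assets get a dedicated "profile changed" event.
FORBIDDEN_PORTS = {3389, 445}
WATCHED_TAG = "Critical-Asset"
UNUSED = {"status": "unused", "ports": set(), "tags": set()}


def profile_events(previous, current, cidr, forbidden=FORBIDDEN_PORTS, watched_tag=WATCHED_TAG):
    """Compare two profile cycles of one CIDR block and return the alert events."""
    net = ipaddress.ip_network(cidr)
    events = []
    for ip in sorted(set(previous) | set(current), key=ipaddress.ip_address):
        if ipaddress.ip_address(ip) not in net:
            continue  # only IPs inside the assessed range are reported
        old, new = previous.get(ip, UNUSED), current.get(ip, UNUSED)
        opened, closed = new["ports"] - old["ports"], old["ports"] - new["ports"]
        if old["status"] != "alive" and new["status"] == "alive":
            events.append({"ip": ip, "type": "new_host_live", "ports": sorted(new["ports"])})
        if old["status"] == "alive" and new["status"] != "alive":
            events.append({"ip": ip, "type": "host_non_responsive"})
        # Port changes on a host that was alive in both cycles: a new service or firewall change
        if old["status"] == new["status"] == "alive" and (opened or closed):
            events.append({"ip": ip, "type": "service_change", "opened": sorted(opened), "closed": sorted(closed)})
        # Forbidden exposure is reported on every cycle it persists, not only when it appears
        exposed = new["ports"] & forbidden
        if exposed:
            events.append({"ip": ip, "type": "forbidden_port_exposed", "ports": sorted(exposed)})
        if watched_tag in (old["tags"] | new["tags"]) and (old["status"] != new["status"] or opened or closed):
            events.append({"ip": ip, "type": "tagged_asset_changed", "tag": watched_tag})
    return events
```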

5. Ability to search and filter for specific attributes
The ability to search profiling results via an API or console in seconds: searching and filtering by protocol/port, operating system, IP address, DNS, tag, status etc. to provide operational intelligence in seconds. We've encountered many valuable use cases where organizations need to understand quickly whether a specific attribute is present across an enterprise estate, in order to determine whether they have to react quickly.

6. Ability to automatically add and profile new hosts as they are deployed
If continuous asset profiling is across IP ranges/CIDR blocks, we want newly deployed systems to be automatically included in the profile assessment. This feature is also very effective in the case of cloud deployments, where systems are spun up and torn down on a frequent basis. This keeps pace with change and constant dynamic flux.

edgescan.com clients enjoy all of the above features via the edgescan vulnerability management portal and also via the edgescan API.
Example API calls include:

List all systems which are "Alive" and have ports 22,80 & 443 open

/#/hosts?c%5Bstatus%5D=alive&c%5Bopen_port_any%5D=t:22,t:80,t:443&s%5Blocation%5D=desc

List all systems which are "Alive" and have a DNS name like "edge"

/#/hosts?c%5Bstatus%5D=alive&c%5Bhostname_like%5D=edge&s%5Blocation%5D=desc

List all systems which are tagged with the tag "Critical-Asset"

/#/hosts?c%5Basset_tagged_any%5D=Critical-Asset&s%5Blocation%5D=desc

Providing the ability to consume this information via a RESTful API gives one the ability to develop automation, reporting and integration to other systems on an ongoing basis.
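As an added example of the kind of automation this enables (illustrative code, not edgescan's own client or API): the three URLs above are built and decoded with the c[field]/s[field] convention they use, and the decoded criteria are applied to constructed host records. The filter semantics (exact status match, any listed port open, case-insensitive hostname substring, any listed tag) are assumptions inferred from the URLs, as is the t:<port> prefix meaning TCP.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample host records, not real edgescan data
HOSTS = [
    {"ip": "203.0.113.10", "hostname": "edge-web1.example", "status": "alive", "ports": {22, 443}, "tags": {"Critical-Asset"}},
    {"ip": "203.0.113.11", "hostname": "db1.example", "status": "alive", "ports": {5432}, "tags": {"Critical-Asset"}},
    {"ip": "203.0.113.12", "hostname": "edge-old.example", "status": "dead", "ports": set(), "tags": set()},
]


def build_hosts_query(criteria, sort_field="location", direction="desc"):
    """Encode filter criteria into the c[...]=...&s[...]=... form seen in the URLs above."""
    params = {f"c[{k}]": v for k, v in criteria.items()}
    params[f"s[{sort_field}]"] = direction
    # ':' and ',' are left unencoded so port lists read t:22,t:80,t:443 as in the examples
    return "/#/hosts?" + urlencode(params, safe=":,")


def parse_hosts_query(url):
    """Decode a /#/hosts?... URL back into (criteria, sort) dicts."""
    query = urlsplit(url).fragment.split("?", 1)[1]  # the query string lives in the fragment
    criteria, sort = {}, {}
    for key, values in parse_qs(query).items():
        kind, field = key[0], key[2:-1]  # "c[status]" -> ("c", "status")
        (criteria if kind == "c" else sort)[field] = values[0]
    return criteria, sort


def matches(host, criteria):
    """Apply the (assumed) filter semantics of each criterion to one host record."""
    for field, value in criteria.items():
        if field == "status" and host["status"] != value:
            return False
        if field == "open_port_any":  # "t:22,t:80" -> {22, 80}; any one open is enough
            wanted = {int(p.split(":", 1)[1]) for p in value.split(",")}
            if not wanted & host["ports"]:
                return False
        if field == "hostname_like" and value.lower() not in host["hostname"].lower():
            return False
        if field == "asset_tagged_any" and not set(value.split(",")) & host["tags"]:
            return False
    return True


def run_query(url, hosts=HOSTS):
    """Return the IPs of the sample hosts matching the criteria encoded in the URL."""
    criteria, _sort = parse_hosts_query(url)
    return [h["ip"] for h in hosts if matches(h, criteria)]
```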

We think our HIDE feature in edgescan is pretty cool. Let me know if you would like to see a live version or trial edgescan!!