Comprehensive asset discovery is foundational to robust and proactive cybersecurity governance. The Cybersecurity and Infrastructure Security Agency recently issued a directive (BOD 23-01) requiring federal enterprises (civilian executive branch) to perform automated asset discovery every 7 days. Among other things, the directive also requires federal enterprises to initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days. Huxley Barbee, Security Evangelist at runZero and former Cybersecurity Practice Lead at Cisco, discusses the various methods of comprehensive asset discovery and provides guidance in selecting an appropriate asset discovery tool.

Time Stamps

01:33 -- Please share with the listeners some highlights of your professional journey.

03:13 -- Share some stories and anecdotes of the consequences of poorly managed asset inventory.

09:37 -- Why didn't organizations engage in comprehensive asset discovery? What were the hurdles, if any? Now that there is a CISA directive, what's the guarantee that organizations will be in a position to follow through with the orders?

13:12 -- Let's discuss some solutions, recommendations, and approaches to better managing asset discovery.

22:00 -- It seems that the unauthenticated scan is the best approach. Can you please clarify?

26:16 -- It is equally important for organizations to report on the actions taken in response to the discoveries. Is there a CISA directive to that effect? Can you shed some light on that, please?

33:32 -- Please summarize some of the key takeaways from our chat this morning

35:42 -- How about providing listeners with some selection criteria when they're evaluating different products in the market, asset discovery products? What should they be aware of? What are the kinds of questions they should be asking? So it helps them make good selections.

Memorable Huxley Barbee Quotes/Statements

"The unfortunate reality is that asset inventory is still an unsolved problem for so many organizations. They might have some tooling for dealing with asset discovery, but usually, they end up with spreadsheets."

"There is greater recognition, especially from government agencies, of the need for asset discovery."

"Asset Inventory isn't just a list of devices that you have on your network. It's also what is on those devices, what services are on those devices, what ports are those devices listening to, and who owns those devices."

"There are many hurdles associated with asset inventory management. The one that looms the largest is unmanaged devices, unmanaged assets, that is the achilles heel of any asset inventory program."

"Why would the adversary go for a well-managed up to date patched machine when they can just go ahead and attack something that's out of date and unpatched, with numerous exploits that they might be able to download from the Internet."

"Unmanaged devices are why customers end up using spreadsheets where the existing tooling just isn't performing as they want. And so they have to end up using spreadsheets instead."

"With unauthenticated scanning, you have the best of many worlds, right, you have the ability to go out and find all the assets on the network, even if they're unmanaged. But you don't have the problems of credential spraying. And depending on how the unauthenticated scanner is implemented, you can even talk to OT devices without the fear of crashing, some sort of mission-critical function.

"Effectively, BOD 2301 is suggesting the use of unauthenticated scans for the asset discovery portion of this particular directive."

"A customer told me that having a comprehensive asset discovery allowed his organization to move from a reactive security program to a proactive security program."

"Oftentimes, the adversary knows more about your network than you do. And, of course, to combat that, you need a comprehensive asset inventory."

"Oftentimes, asset inventory is not called out as a specific line item in security budgets."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Welcome to the Cybersecurity Readiness Podcast

series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

the book Cybersecurity Readiness: A Holistic and

High-Performance Approach, a SAGE publication. He has been

studying cybersecurity for over a decade, authored and edited

scholarly papers, delivered talks, conducted webinars and

workshops, consulted with companies and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia. As a Duke University

Visiting Scholar, Dr. Chatterjee has taught in the Master of

Engineering in Cybersecurity program at the Pratt School of

Engineering.

Hello, everyone, I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast series. Our discussion today will focus on asset

discovery. We'll talk about the consequences of poorly managed

asset inventory, challenges of asset discovery, various methods

and approaches to asset discovery, and more. I'm

delighted to have as my guest Huxley Barbee, Security

Evangelist at runZero, and former Cybersecurity Practice

Lead at Cisco, who will share his thoughts and perspectives.

Welcome, Huxley.

Thank you very much, Dr. Chatterjee for having

me.

So before we get into the details, Huxley,

please share with the listeners some highlights of your

professional journey.

Absolutely. Thank you. So I've been working in

security for over 20 years at companies like Datadog, Cisco

Systems, and a number of security startups. And over the

years, I've focused on parts of cybersecurity like secure

messaging, secure web gateway, cloud security. And then of

course, finally orchestrating security workflows. And one

problem that I saw again, and again, with my customers, and

these are, these are really large customers, Fortune 500

customers as well as really small customers. They all had

this problem where they had no idea what is on their network.

And it's actually a really old problem. I remember, over 20

years ago, when I first ran a SATAN system, I think System

Administrators Tool for Analyzing Network Satan. And I

use that to discover what's on my own companies network. And

the unfortunate reality is that asset inventory is still an

unsolved problem for so many organizations. And they might

have some tooling for doing dealing with asset discovery,

but usually they end up with with spreadsheets. And fast

forward to about a year ago, I found runZero by by complete

accident, I was talking to the CEO about the company, and I

realized that runZero, was actually solving this, this age

old problem. And so I eventually joined them as a security evangelist.

fantastic. There is no disagreement that

managing assets is a huge part of cybersecurity governance,

because unless you know what you need to protect, you really

cannot implement appropriate defense measures.

That's right.

And the more digitized we get, the more

expansive our network, especially in today's day and

age where organizations are operating in a very remote kind

of a way, it makes it all the more challenging, because

employees and other stakeholders are using all kinds of devices.

And then we have IoT devices. So keeping track of all these

different devices, located in all parts of the world, let's

say, is a huge undertaking. But though it's a huge challenge,

it's not something that we can ignore considering the

consequences of poorly managed asset inventory. I think you are

an excellent person to talk about, share some stories, some

anecdotes, of the consequences of poorly managed asset

inventory.

Yes. So absolutely. I'll talk about one

example. That was, it's an anonymized because it's

something that we, we know about personally, but I'll also talk

about a more public example, just to highlight the

consequences of poor asset inventory or lack of asset

inventory. So in the example that's a little bit closer to

home, there was a medical production company that was

breached. And this is a medical production company, in the midst

of the pandemic. So very critical, not just to the the

company itself, but maybe society at large, and law

enforcement had to get involved in in terms of dealing with the

breach remediation, and so on, so forth. And a primary

recommendation from law enforcement that came out of

that that post mortem, was that this company needed to implement

a comprehensive asset inventory. And most recently, I think just

a week ago, we see once again that the government has made

this sort of recommendation. And in a very big way, so CISA, the

Cybersecurity Infrastructure Security Agency, and it's just a

department of the department, a sub department of the Department

of Homeland Security, just released BoD 2301. BOD stands

for Binding Operational Directive. And the directive has

told, all civilian federal agencies that they need to have

a solution for asset inventory and vulnerability, enumeration,

both of those, not only do they need to have this, they need to

be able to cover their entire ipv4 address base, basically

covering all of their assets. And they need to be able to do

this, they need to be able to do this automated discovery every

seven days, which, you know, especially if you don't already

have an asset inventory, that's a very tall order. And not only

do you need to be able to have this done every seven days, if

CISA demands that you produce a report for a specific set of

assets, for specific set of vulnerabilities, you need to be

able to return a report, you need to be able to run that that

scan within 72 hours and return a report within seven days. So

there's a lot going on here. There's a lot of recognition

more and more, especially from government agencies of the need

for for asset discovery. And whereas in the past, people

would say, oh, good asset inventory, a comprehensive asset

inventory is foundational because it is part of CIS

benchmarks Control Number one, the more and more we're starting

to see that there's a requirement this is compulsory

nature to asset discovery. But to go back to your earlier

question, so I promised to talk a little bit more about a more

public example of what happens when you don't have good acid

inventory, Equifax, right back in 2017, we're all familiar with

Equifax, how the adversary was able to breach Equifax through

systems that had an unpatched version of Apache Struts. That

particular incident, in large part, I would argue, came from

not having good asset inventory. So let me give you a little bit

more background about what I mean by asset inventory. Asset

inventory isn't just a list of devices that you have on your

network. It's also what is on those devices, what are the

services that are on those devices, what are the ports

those those devices are listening to, but additionally,

who owns those devices. And there could be many different

types of ownership, like the person that's logged into it,

the business unit that owns it, who's or the IT group that that

is in charge of it. But this sense of ownership of assets is

also extremely important. And that is something that needs to

go into the asset inventory as well. So going back to Equifax,

the company did send out an email to a bunch of folks in IT

system administrators about affected systems. It just so

happens that the systems that were breached are the ones that

had this unpatched version of Apache Struts, they didn't know

the owner for that, or, or maybe the the owner that was assigned

to those machines wasn't at the company anymore, something like

that, whatever the case might have been, there wasn't proper

ownership correlated with those assets. So even though the

company sent out this email, hey, everybody, let's go and

patch Apache Struts, the people who needed to know for these

particular assets did not find out. And that is a consequence

of poor asset inventory in this case. A second ramification here

is the fact that these particular systems had outdated

certificates. So you know whether or not you have

certificates that are expired, that is also part of your asset

inventory. And Equifax had this security detection tool that

would analyze traffic, but it could only do so in the cases

where there were where there's certificates that were current.

And because they were not current, the detection tool was

not actually was not actually scanning or inspecting that

traffic, like it needed to, like it needed to. A third

ramification is asset inventory also tells you about where your

assets are on the network and whether or not they can talk to

each other. And a third, a third issue that we saw at Equifax was

lack lack of segmentation amongst those assets. And again,

this just goes back to the idea of them not having a good enough

asset inventory that would allow them to handle this type of

situation on multiple levels.

Wow. That is quite a revelation. The fact

that systems that need to be patched, are staying unpatched

because they are not discoverable. That is very

concerning. Now, backing up a little bit here, there is the

ideal and then there's the practical. Like you said, it's a

very complex undertaking to be able to list all the devices

that's there, the services that they offer, the ports to connect

to, the owners. Having all these details in as comprehensive a

manner as possible is definitely a challenge. There are tools out

there, you talked about using automated scanning tools.

However, the question that comes to mind, why didn't

organizations engage in comprehensive asset discovery?

What were the hurdles, if any? Now that there is a CISA

directive, what's the guarantee that organizations will be in a

position to follow through with the orders?

Yeah, yeah. So first, maybe we should talk

about the biggest hurdle with asset inventory. There are many,

of course, but the one that looms largest is unmanaged

devices, unmanaged assets, that is the achilles heel of any

asset inventory program, I think there was a recent Deloitte

research report that mentioned that 32% of organizations

believe that shadow IT assets are probably the biggest

challenge for asset management. And these unmanaged devices pose

a number of problems, like, for example, the you cannot, you

cannot be really confident about audits or audit violations,

because of these unmanaged assets that you don't know

about. These unmanaged assets cannot be patched because

there's no ownership of them. They cannot be upgraded, you

can't automate them, or include them in some sort of automated

workflow. And then oftentimes, you cannot turn them off, right,

because they're unmanaged. And they just be sort of sitting out

there. You might not be sure, if this particular unmanaged asset

is important, it might be running some sort of mission

critical function for your organization. But you see, if

you're not sure, you can't really turn it off. Or there's

some cases where I've heard from customers where they know a

particular asset, that's unmanaged asset is, is is

important, but it's been unmanaged for so long that the

nobody wants to touch it. Nobody's even even willing to

stand near it and breathe near it. And these unmanaged assets,

of course, have a very palpable security ramification, many of

our customers tell us that they know what's going on with their

standard issued workstations, their standard issued laptops,

the biggest problem are those unknown unknown because because

these unmanaged devices are unpatched, they're there, they

have not been upgraded in some time. These are probably the

easiest targets for the adversary. Why would the

adversary go for a well-managed up to date patched machine when

they can just go ahead and attack something that's out of

date and unpatched, with numerous exploits that then

might be able to download from the Internet, or are going to

just work. So that is the security ramification and this

is why unmanaged assets looms largest in terms of hurdles, for

comprehensive asset inventory. And then finally, unmanaged

devices are the reason why customers end up using

spreadsheets where the existing tooling just isn't performing

the way they want. And so they have to end up using

spreadsheets instead.

Wow. And when you're talking about using

spreadsheets, that immediately brings to mind the importance

of, of constantly updating it, which is another arduous task,

it never happens. It brings back thoughts of access management,

using spreadsheets and regain access management using

spreadsheets. And I know, in know, in several companies, and

it was absolutely bewildering, to learn, to see, that they're

using spreadsheets to keep track of everyone's permission levels,

authorization levels, and then again, go back to the

spreadsheets to make the changes as the professional roles

change, the professional roles evolve. And obviously, that's

not the ideal solution. So there was discussion of developing AI

tools to automate the process. So I can totally understand why

Excel spreadsheets is really not the answer. But like you

explained, that there are reasons why organizations are

forced to go to spreadsheets. So yeah. So moving along. Let's get

to some solutions, some recommendations, some approaches

to better managing asset discovery.

Sure. So there are a number of approaches out

there for handling the situation. So the first one that

comes to mind is the use of agents. This is a very popular

way of doing asset discovery asset inventory. And

essentially, when I say agency, I mean endpoint agents, meaning

that you put software on every single device. Now, this works

to a certain extent, but mostly for managed IT assets. It

doesn't work very well for unmanaged devices. The reason

being If you can put an agent on something, that means you

already know about it, that means it's probably probably

already managed. So what is not going to capture are those

unmanaged devices, unmanaged IT devices, OT (operational

technology) devices, IoT devices, and so on, and so

forth. So that's a popular technique, but it actually

doesn't handle the the achilles heel of asset inventory. Another

approach is authenticated scans. This is where you have a piece

of software that's sitting somewhere on your network,

potentially on multiple locations throughout your

network. And what you would do is you would then go through an

IP range and attempt to log in to every single one of the

endpoints that responds. And again, this works rather well

for managed IT assets. Because if you know the credentials to

log into these endpoints, then you probably already manage it,

you probably probably already know about. So again, it tends

to miss those unmanaged IT devices, OT, IoT, and so on and

so forth. Authenticated scans also has secondary negative

security ramifications. So something known as credential

spraying. So let's say let's say you, right, the hacker, Dr. Dave

Chatterjee, you, you somehow were able to get onto the

network, and you were able to own a particular Linux box. So

you own this Linux box. And you can see, you can replace the SSH

server with your own with your own SSH server that's really

just logging passwords. And now I have my authenticated scanner

on the network. And I'm just logging into every single

endpoint that I can get to, and you your endpoint, the one that

you owned, is now responding to my authenticated scan as like,

oh, there's a machine here, I'm gonna log into this, this

machine, I think it's just a regular Linux box. So I send the

username and password. But you actually own this machine now.

And so now, you have credentials, you have credential

I have provided to you my my authenticator scanner has

provided this to you. And now you have credentials, that

allows you to laterally move to other devices on the network.

That's, that's the ramification of authenticated scans, that's

often not discussed. But it's very important for folks to be

aware of. So I've mentioned two methods so far, two approaches

so far, agents and authenticated scans, which we've said works

well for managed IT, but not so much some of the other stuff.

Well, there's a third approach called passive network

monitoring. Still, in this approach, you would have a

collector, a network traffic collector, oftentimes, these

come in the form of hardware appliances, because of the

amount of compute power that you need to ingest all the network

traffic that's going on in network there are of course

virtual appliances these days for some of this stuff. But

oftentimes, especially in larger networks, you still end up

having to use a hardware appliance. And what you would do

is you would reconfigure all of your switches, or all the

switches that have a choke point on the network, to essentially

mirror traffic or scan traffic or copy traffic from the switch

over to your collector. There are other ways to do this, you

can set up a tap in the in strategic places throughout a

network to get that sort of information. But in any case,

what you're doing is you're just basically collecting all the

network traffic on the network. And the great thing about this

is you end up seeing everything that's on the network, as long

as those devices are talking. If they're not talking the network,

obviously, you're gonna you're going to miss it. This is also

very popular, especially in the OT space, because well, agents

you usually cannot install on OT devices. And with authenticated

scans often used, you have this consequence where because OT

devices are designed to work in a very specific way. And

oftentimes, they're very old, many of them are running on like

Windows XP, for example, that authenticated scans can actually

crash these IoT devices, which may be performing some sort of

mission critical function within the organization. So passive

network monitors are very popular in the OT space simply

because there's no interrogation of these devices, and so

therefore, it's very safe. The major challenge though, with

passive network monitors is what if the device only talks once a

year, like once a year, I once worked on a project when I was

doing security orchestration workflows, where a customer said

we have some some devices that only talk on the network once a

year. So you need to, you need to collect traffic for 13 months

to make sure you're not missing anything. Right. The other the

other issue with passive network monitors is the only information

that you have to fingerprint devices, to identify those

devices, is based on what is being spoken on the wire. So

this might be a very terse information that you get from

the network. And so oftentimes, passive network monitors have

challenges in correctly identifying devices on the

network. So there's a fourth approach, which has become more

popular recently, which is to not do any discovery at all, but

instead ingest asset inventory information from other other

solutions, other tools within the existing IT and security

toolkit. So the obvious problem with this is there are

limitations. If the data sources from which you ingest that

information, don't know about these unmanaged devices, then

then your collector, collecting data via API system is not gonna

know about them either. So there are limitations there as well in

terms of unmanaged assets. So one final approach is called

unauthenticated scanning. So similar to authenticated scans,

you have software that's deployed in strategic areas

within the network, and it just goes through the IP range

through the goes through the IP space, and then talks to every

single endpoint that responds and gathers information. The key

difference between authenticated scans and unauthenticated scans,

of course, is that unauthenticated scans do not try

to log in to those endpoints. Instead, what they do is rely on

information that's being reported over the wire without

authentication in order to make a determination as to what the

devices in order to do the fingerprinting. And what's

interesting is, this is the exact same approach that

somebody in offensive security would take, right? People who

are the adversary, people doing pentesting, they use this exact

same approach. But oftentimes, they don't use the words asset

discovery, they tend to call this recon. So with

unauthenticated scanning, what you're doing is you're using a

security research based approach, to make a

determination as to what are all the devices that are on the

network, and what those devices are, what are the services that

they have available, available on them, and so on, and so

forth. So those would be the five approaches. And with

unauthenticated scanning, you have best of many worlds, you

have the ability to go out and find all the assets on the

network, even if they're unmanaged. But you don't have

the problems of of credential spraying. And depending on how

that unauthenticated scanner is implemented, you can even talk

to OT devices without the fear of of crashing, some sort of

mission critical function.

Well, thank you. Thank you for that very in

depth insight on the different approaches to asset discovery.

So Huxley in light of the new CISA guidelines, as

organizations prepare to deliver on the expectations, given that

you shared the different approaches, and I'm sure

companies are following through with some of them, if not all of

them. And again, I'm not in the know of exactly what the

guidelines are from CISA. But just at a general level, I often

feel that maybe it's good to provide them with more than

less. So would it makes sense to provide them with the results

from using more than one approach, or based on what I

what I heard, it seems that the unauthenticated scan seems to be

the best approach. Can you please clarify?

Yes. So So BOD 2301, the binding operational

directive 2301, which was just published, I think a week go and

what it's saying is you need to do two things asset discovery

and vulnerability enumeration. Alright, so let's focus on the

asset discovery part here. I'm going to read you a quote from

from the directive. That says "asset discovery is a building

block of operational visibility and it is defined as an activity

through which an organization identifies what network

addressable IP assets reside on their networks, and identifies

the associated IP address or hosts as a distributed non

intrusive and usually does not require special logical access

privileges." That second sentence is is so key, it needs

to be non-intrusive, and does not require special logical

privileges. Non-intrusive means no agents, no authenticated

scans, you potentially could do passive network monitor, but as

we discussed earlier, with a passive network monitor that the

fingerprinting is often lacking. So effectively, effectively, BOD

2301 is suggesting that use unauthenticated scans for the

asset discovery portion of this particular directive. The second

part of this is vulnerability enumeration, and depending on

the asset discovery tool that you have, you could satisfy some

of this. Oftentimes, you don't necessarily need to do a full

Vuln (vulnerability) check to understand if assets are

potentially vulnerable. So for example, let's let's let's take

an analogy here. Let's say let's say you and I see somebody on

the street and we see that this person is wearing glasses, not

sunglasses, so like glasses, like like you're you're wearing

right now, would it be fair for us to say to to assume that this

person probably has some sort of need for corrective vision?

Maybe they're nearsighted or farsighted? More often than not,

we're going to be right. But you and I are not well, I don't

think you are, you and I are not optometrists, we didn't actually

do an eye exam on this person. We didn't we didn't have them.

go through and recognize very small letters up on the wall we

didn't do an eye exam, so how can we be sure? Well, even even

though we didn't do an eye exam, more often than not, we're going

to be right, this person has the need for corrective vision. Very

similarly, with vulnerability scanning, the right thing to do

is, of course, to do a full vuln check, right, but oftentimes,

just by knowing that, hey, this vulnerability affects the

services. So for example, going back to Equifax, just by knowing

the version of Apache struts that's running on a device, you

could probably tell, hey, this has this is affected by this

vulnerability. So very similarly, just by just by

having a good asset inventory, you can say, oh, because this

device has these services on it, there is high potential, we have

reasonable confidence to believe that there's this vulnerability

is present on that particular asset. This is not to say you

don't need to do a vuln check, we always recommend that you do

a full vuln check anyway. Always go to the optometrist and check

your vision. But the having good asset discovery and good asset

inventory actually takes you quite um, quite a ways towards

satisfying that need for vulnerability enumeration, not

necessarily full compliance with DoD 2301. But certainly good

asset discovery takes care of the asset discovery part of the

directive and can take you part of the way through the

vulnerability enumeration part of the directive.

Very interesting. In fact, as you

were describing the expectations, a thought crossed

my mind, is there going to be a directive, unless there is one

that require organizations to promptly respond to

vulnerability discoveries and document the actions taken. In

other words, it is one thing to have vulnerability enumeration,

to have comprehensive asset discovery. It's fundamental.

It's at the foundation of everything. But it is equally

important for organizations to report on the actions taken in

response to the discoveries. Is there a CISA directive to that

effect? Can you shed some light on that, please?

So there's not there's not anything like that,

as far as I know, that comes from a government directive

similar to this BOD 2301, which, which to be fair, is it's been

published, but it's not enforced yet. The deadline for this is

April 23rd, of 2023. So civilian federal agencies have time to be

compliant. But in terms of directives that require folks to

remediate within a certain amount of time. I have not seen

that yet. However, however, I do think it's relevant to mention

that in the private sector, the driver could come from from

insurance in some cases. Now, obviously, there are many

private organizations that take CISA's directives to heart and

they'll they'll voluntarily follow the directors like this,

even though they're not a civilian federal agency, but

just it's just good practice. There are many things that the

prudent person principle, right, when applied correctly, would

mean would would effectively mean that these private

organizations take on CISA directives, CIS benchmarks and

what have you and follow those. But we've noticed recently that

there are cybersecurity insurance policies that require

that require organizations to have a certain percentage of

coverage of security controls on their assets. So what do I mean

by that? So let's say it this is just an example I'm quoting a

specific cybersecurity insurance policy here, but a policy might

say that an organization must have 95% coverage of endpoint

detection and remediation on all their assets. And this might

affect whether or not they qualify for the insurance in the

first place. Or maybe it might affect what they have to pay in

terms of premiums or something like that. But think about how

you would answer that question where we're certified that 95%

of your assets are covered by a point detection remediation.

Well, 95% of what well, 94% of your entire asset inventory. So

without having a comprehensive asset inventory, you can't

really answer the question of whether or not I have 95%

coverage of for EDR on all my assets. So whether it be a

government issued directive or a financial requirement that comes

from that arises from cybersecurity insurance, one way

or another in the future, we might see organizations having

to come up with some sort of SLAs for remediation,

remediation of of these vulnerabilities or at least

being proactive about being security on those assets

Very true! That makes a lot of sense. At

the end of the day, there needs to be a recognition that

comprehensive asset discovery is extremely important for a

variety of reasons. And unless the organization is willing to

have a good plan in place, a good procedure in place to

engage in that exercise, they are going to be hurt more than

anything else. So one is compliance, the other is a

substantive buy-in where an organization might decide to go

beyond the compliance expectations. Of course, there

is the time factor, there's the cost factor, there are other

factors to be taken into consideration. But based on what

I learned from our discussion, today, it's a no brainer that at

the heart of the security program is the identification of

all the sensitive assets, where all they reside, even before you

can start classifying them, categorizing them. So this is

such such an important discussion or such an important

area of cyber governance,

I want to I want to double down on what you're

saying here, please, please add to this right there. And this is

not me, this actually came from a customer. He told me that

having comprehensive asset inventory allowed for his

company, his organization, to move from a reactive security

program to a proactive security program. So, think about it this

way, if you don't know what you have, right, and the adversary

is coming through into your network laterally, moving

through your unknown unknowns, you're always going to be on the

backfoot, you're always finding about things that you didn't

know about and having to react and try and figure out what it

is and, and deal with it with very little information.

Oftentimes, like I said, before, you know, the adversary does

recon, they do recon. And so therefore, oftentimes the

adversary knows more about your network than you do. And of

course, to combat that you need comprehensive asset inventory.

But by by moving ahead with comprehensive asset inventory,

they were able, because they knew about all the assets, they

were able to start becoming proactive about the security

program. Oh, here, all these assets are there, like we didn't

know about, let's go ahead and get security controls on them,

like install EDR, where that's possible, do a vuln scan of them

where possible, right. By having that asset inventory,

comprehensive asset inventory, they were able to move from a

reactive security program to a proactive security program. And

this is not to say that's the only ingredient that needs to go

into making that transformation. But this particular customer

credited this one improvement for for that, that journey that

they were able to go on.

Absolutely. And thanks for sharing. That

means I couldn't emphasize enough the importance of being

proactive and not reactive, I can't emphasize enough the

importance of engaging in comprehensive asset discovery

without any kind of influence. Doing it on your own, because

you, means the organization, because you recognize this, as

such an important part of good cyber discipline. And frankly,

if at any point, an organization is in a court of law having to

make their case about whether they were negligent or not, if

they can provide evidence that they have engaged in

comprehensive asset discovery on a regular basis, and they have

addressed the issues that have come up as a result of the

discovery. And if there is a record of sustained such

activity, proactive activity, that could only favor the

organization that could beef up the defense of the organization.

So I can only see positives of taking this proactive approach.

100%.

Fantastic. So we are kind of coming to the

end of our discussion today. I'd like to give you the opportunity

to fill in the gaps, if any. And also if you wanted to summarize

some of the key takeaways from our from our chat this morning.

Sure, absolutely. I think one one thing that we

haven't touched on here is that oftentimes asset inventory is

not called out in security budgets, you'll you'll you'll

see in security budgets, they need to spend x amount of

dollars on EDR on vulnerability management and so on so forth,

oftentimes asset inventory is not called out as a specific

line item. And I would encourage all the folks who who can

security managers, security directors, even even security

practitioners, to lobby with their leadership all the way up

to the board of directors and say, Hey, listen, this is

foundational to our ability to execute our security program in

an effective way. We need to have specific budget for asset

inventory. So that is one thing. I think the second thing I think

we we already talked about it but just want to reemphasize how

important it is, how important asset discovery is to having a

proactive security program. Without it, you couldn't do it.

Right. I'm not saying it's sufficient, but it's certainly

required. Can I can also plug runZero.

Please do that.

Yeah. Yeah. So So runZero is a cybersecurity asset

management solution that leverages both unauthenticated

scans as well as API ingests, that allows you to have a full

asset inventory comprehensive asset inventory faster than

anybody else. And, and is it able to help you with your

security programs by identifying security controls coverage gaps,

improving your vulnerable vulnerability management program

and identifying risky assets. So you can be as proactive as you

can with your security program. And if you would like to try

runZero, just go to the website, www.run Zero.com, you can go

ahead and download our solution. And you can get a full asset

inventory, starting in less than 60 minutes.

Awesome! In that spirit of making people

aware of resources that they can check out, how about providing

listeners with some selection criteria, when they are

evaluating different products in the market, asset discovery

products? What what should they be aware of? What are the kinds

of questions they should be asking? So it helps them in

making good selections?

Yeah, so one, one important thing to understand

the methodology, the solution approaches? Are you using an

agent based approach? Are you using an authenticated scan

approach, passive network monitor, unauthenticated scan,

and so on, so forth? The other one would, would be how long

does it take? What does the deployment look like? Do I need

professional services in order to get this done? Do I need to

install hardware? Or is this just something that I can self

service download without a credit card? And and get started

with in less than 60 minutes? And I think the third thing that

you want to look at is what is the level of detail that I'm

able to gather from this asset inventory. So as I mentioned

before, it's not just about whether you have a list of

devices, it's also about what's running on them, what ports are

they listening on? What services do they have? And who is the

owner of these assets? And then I think the fourth thing is,

what else can this asset inventory do for me? Can it help

me out with identifying security controls, coverage gaps, can

help helped me out with improving the vulnerability

management program and so on. So

Well, thank you so much Huxley. This has

been a pleasure. Appreciate your time and insights. And I'm sure

we will have many more discussions in the future. Thank

you again.

Thank you, Dr. Chatterjee, this has been fun.

Thank you.

A special thanks to Huxley Barbee, for his

time and insights. If you liked what you heard, please leave the

podcast a rating and share it with your network. Also,

subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as-is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.