Vulnerability Management Without Asset Management, Isn’t

By Daniel Miessler on May 8th, 2007: Tagged as Philosophy | Security | Vulnerability Assessment | Vulnerability Management

I’ve been doing some work for a client recently in the realm of vulnerability management. It’s an interesting area of information security because it draws on so many disciplines. The single biggest thing I’ve learned about this problem is the criticality of asset management.

Quite simply, you can’t hope to “manage” what you don’t know about. What I’d specifically like to see is a move toward security scanners that leverage rich data about an organization’s assets. I know of one product doing this (largely unsucessfully), but I’d like to see it become common in the space.

Here are a few things that asset management offers us:

Show me all Vista systems that are vulnerable to MS08-001 that are in my building.
Find all Solaris boxes in our Indiana offices that have SSH enabled, as of yesterday.
Make me a report of all systems running Telnet that Bob Smith manages.

And if we factor in other rich, user-added security data into the database, such as “importance”, “exposure”, or “risk”, we could say:

Display all high-risk systems in North America that run Windows Vista or XP, but don’t have HIPS installed.
List all webservers running Apache 1.3.x in our Wyoming offices that are exposed to the Internet but aren’t running SELinux.

Then add to that the ability to run scans off of those queries. An information loop from the asset-management database to the security scanner, and then (potentially) back into the asset-database. This is how I think we should be moving forward — gathering as much information as possible on what you are protecting, and use that information to improve the quality of your security testing.

Thoughts?

Related Content

http://compulsive.org/ craig

I’ve actually been involved in both ends – IT Asset Management engagements (mostly using CA products) and vulnerability management/assessments, and I definitely agree that this would be useful!

I have seen Qualys used at a lot of clients, and I’m pretty sure it has an asset discovery feature – but I dont think this works well as an enterprise wide Asset Management tool.

And on the other side, something like CA’s asset management products can tell you what systems are where, but I don’t think it has the capabilities to launch a qualys or other scan, or alert you to vulnerabilities, etc.. Although if it could tie in to another CA product like their security products, they’d probably be on to something.

disclaimer: I know I focused on one vendor there, but it’s just what I’m familiar with from a deployment perspective and I’m FAR from a CA fan-boy/spammer/whatever so please point me in the direction of other similar products (I know they’re out there).

The biggest thing about ITAM is, like security, the supporting processes around it are what make or break it. If the organization doesn’t follow the framework/policies you work with them to develop, then the software is just going to sit on a shelf and collect dust and not be useful for reporting on your assets and thus, your vulnerabilities. But I’m sure I’m only preaching to the choir here!
http://compulsive.org craig

I’ve actually been involved in both ends – IT Asset Management engagements (mostly using CA products) and vulnerability management/assessments, and I definitely agree that this would be useful!

I have seen Qualys used at a lot of clients, and I’m pretty sure it has an asset discovery feature – but I dont think this works well as an enterprise wide Asset Management tool.

And on the other side, something like CA’s asset management products can tell you what systems are where, but I don’t think it has the capabilities to launch a qualys or other scan, or alert you to vulnerabilities, etc.. Although if it could tie in to another CA product like their security products, they’d probably be on to something.

disclaimer: I know I focused on one vendor there, but it’s just what I’m familiar with from a deployment perspective and I’m FAR from a CA fan-boy/spammer/whatever so please point me in the direction of other similar products (I know they’re out there).

The biggest thing about ITAM is, like security, the supporting processes around it are what make or break it. If the organization doesn’t follow the framework/policies you work with them to develop, then the software is just going to sit on a shelf and collect dust and not be useful for reporting on your assets and thus, your vulnerabilities. But I’m sure I’m only preaching to the choir here!
http://www.stevengharms.com/ Steven G. Harms

You talk about security risk in these systems, but it bears underscoring that there is some compelling disaster looming around unknown assets using unlicensed software.

We’re true up on our photoshop licenses…..

( until you discover that your Windows shop actually has a hidden department of Macs running CS 3 that one guy got from a Spammy Re-seller? )
http://www.stevengharms.com Steven G. Harms

You talk about security risk in these systems, but it bears underscoring that there is some compelling disaster looming around unknown assets using unlicensed software.

We’re true up on our photoshop licenses…..

( until you discover that your Windows shop actually has a hidden department of Macs running CS 3 that one guy got from a Spammy Re-seller? )
http://dmiessler.com/ Daniel Miessler

Steven, I agree with that, but I think I’d rather deal with that than having one of these unknown systems spewing spam and/or bot traffic and embarrassing the company.
http://dmiessler.com Daniel Miessler

Steven, I agree with that, but I think I’d rather deal with that than having one of these unknown systems spewing spam and/or bot traffic and embarrassing the company.
http://www.subtlerantings.com/ Jonathan S.

There is a product that does just what you want Daniel, it’s called ArcSight. It’s got a pretty cool Asset Discovery tool and can run all the reports and queries you were using as examples (ie. All Solaris machines with SSH running as of x/x/x)

Check it out if you want/can: http://www.arcsight.com.

Disclaimer: Not cheap at all and sometimes feels “heavy” or bloated as it’s all Java based. YMMV.
http://www.subtlerantings.com Jonathan S.

There is a product that does just what you want Daniel, it’s called ArcSight. It’s got a pretty cool Asset Discovery tool and can run all the reports and queries you were using as examples (ie. All Solaris machines with SSH running as of x/x/x)

Check it out if you want/can: http://www.arcsight.com.

Disclaimer: Not cheap at all and sometimes feels “heavy” or bloated as it’s all Java based. YMMV.
http://dmiessler.com/ Daniel Miessler

Heh, yeah…I’m a big fan of that tool. My buddy loves it.
http://dmiessler.com Daniel Miessler

Heh, yeah…I’m a big fan of that tool. My buddy loves it.
raymond

Johnathan: arcsight has a few products which product contains the asset discovery tool?

thank you, raymond
raymond

Johnathan: arcsight has a few products which product contains the asset discovery tool?

thank you, raymond

Top

Information Security / Technology

Politics

Philosophy & Religion

Technology & Science

Culture & Society

Miscellaneous

A Coffee Primer

Arguments

Projects

Collections

Twitter

Motivational Speaking in a World Without Free Will | http://t.co/fqAcoQdu #philosophy
SSD back in MBP. Happy again. RPMs only belong in cars.
Reminder: If you don't know SQL Injection it's because you don't know SQL. Once you understand the technology the security is obvious.
@simonsarris Can't tell if you're agreeing with me or not.
Is Trojan really a good name for a condom company? The original was let in trustingly, released its dangerous payload, and chaos ensued.