• I've actually been involved in both ends - IT Asset Management engagements (mostly using CA products) and vulnerability management/assessments, and I definitely agree that this would be useful!

    I have seen Qualys used at a lot of clients, and I'm pretty sure it has an asset discovery feature - but I don't think this works well as an enterprise-wide Asset Management tool.

    And on the other side, something like CA's asset management products can tell you what systems are where, but I don't think it has the capabilities to launch a Qualys or other scan, or alert you to vulnerabilities, etc. Although if it could tie in to another CA product like their security products, they'd probably be on to something.

    Disclaimer: I know I focused on one vendor there, but it's just what I'm familiar with from a deployment perspective and I'm FAR from a CA fan-boy/spammer/whatever, so please point me in the direction of other similar products (I know they're out there).

    The biggest thing about ITAM is, like security, the supporting processes around it are what make or break it. If the organization doesn't follow the framework/policies you work with them to develop, then the software is just going to sit on a shelf and collect dust and not be useful for reporting on your assets and thus, your vulnerabilities. But I'm sure I'm only preaching to the choir here!
  • You talk about security risk in these systems, but it bears underscoring that there is some compelling disaster looming around unknown assets using unlicensed software.

    We're true up on our Photoshop licenses.....

    ( until you discover that your Windows shop actually has a hidden department of Macs running CS 3 that one guy got from a Spammy Re-seller? )
  • Steven, I agree with that, but I think I'd rather deal with that than having one of these unknown systems spewing spam and/or bot traffic and embarrassing the company.
  • There is a product that does just what you want, Daniel; it's called ArcSight. It's got a pretty cool Asset Discovery tool and can run all the reports and queries you were using as examples (i.e. All Solaris machines with SSH running as of x/x/x).

    Check it out if you want/can: http://www.arcsight.com.

    Disclaimer: Not cheap at all and sometimes feels "heavy" or bloated as it's all Java based. YMMV.
  • Heh, yeah...I'm a big fan of that tool. My buddy loves it.
  • raymond
    Johnathan:
    ArcSight has a few products; which product contains the asset discovery tool?

    Thank you,
    raymond