Let’s first talk about asset discovery in general and why it is useful, even critical, to most organisations.

What Is Asset Discovery?

Asset discovery is the ability to provide visibility of all devices located within an organisation with limited or no human interaction. Most organisations start off by manually maintaining a list of their devices or assets in a shared document such as an Excel spreadsheet, making changes whenever a new device is either acquired or deprecated.

This process is manageable when organisations are relatively small and not that complex. However, this method becomes very flawed when organisations or networks start to grow. One of the main pain points with this methodology is time: keeping these lists updated can become a full-time job in some cases.

Most organisations have now caught on to the fact that asset management is a critical part of not only their operations process but also their security process, and that not having visibility or knowledge of the devices on their network could open them up to potential security weak points. For example, how do you know which devices need to be patched if you don’t know they are there?

With that said, there are a few methods organisations can adopt to assist in this regard, and to be honest, most organisations have most probably already purchased software solutions that could help.

A good example of this would be a SIEM or log management solution. Most mid- to large-size organisations should have some form of log management solution in place, either to fulfil a compliance requirement or to maintain good security practices.
These tools can usually provide some form of asset discovery functionality without any additional cost; the difference is what level of functionality they provide out of the box and how much they can be customised to fit the organisation’s needs.

Standard Asset Discovery vs Passive Asset Discovery

Let’s now look at the standard asset discovery process and the potential pitfalls it harbours.

Standard asset discovery methodologies usually involve a solution going out over a network and tallying the endpoint devices with which it comes into contact. This could be something as basic as doing a ping sweep across the network and seeing which devices respond; it could get as complex as discovering devices and then attempting to log in to them in order to pull back a full inventory of installed applications.

Although this approach can be effective, it does require a level of insecurity, in that organisation firewalls will need to allow both outgoing and incoming requests across the network. This approach also has an impact on the network itself: traffic is being sent across the network to every device in scope, thereby slowing networks down in a lot of cases.

Another approach, and arguably a slightly better one, is using something as simple as listening for traffic already being broadcast around the network, e.g. syslog messages being generated by the devices themselves.
This approach does remove the threat of network bandwidth consumption, but it does rely on the organisation making sure that all devices are configured to send syslog.

Personally, I prefer the latter option, as it not only reduces the network consumption but also allows firewall configurations that are more secure, by permitting traffic in one direction only and usually on one dedicated port, such as UDP 514.

Let’s Talk About Passive Asset Discovery

This now brings us to most probably the best approach I can recommend: passive asset discovery via syslog.

Both the standard and the passive syslog-based asset discovery approaches entail that a syslog message is captured by a log management solution and an asset is automatically created based on the data contained within the syslog message itself, e.g. a new source IP.

This data would be considered live data, as the log management solution has to be listening when the syslog message is sent in order to create the asset. If the log management solution missed the syslog message for any reason, then the asset would never be generated. Sadly, this is a common occurrence in large organisations. Discovering a missed syslog asset two months later could mean that attackers could have exploited and compromised business assets during that period.

Fortunately, passive asset discovery enables organisations to create assets using not only live syslog data but also historical data. Delivering a passive discovery methodology provides the ability to pull in asset data from alternate data sources such as archived syslog files.
Even better would be having the ability to schedule this functionality so that it only polls through archived data at a pre-defined date/time, in order to reduce the load on the log management solution.

Another use case involves allowing organisations that are located across different geographic regions to copy their local syslog archives over to a head office repository and then have the head office scan the archived logs for any new devices listed in the syslog messages. This could help identify potential security breaches, or simply help keep the asset repository up to date from a head office perspective.

Asset Discovery in an ICS Environment

Now, if you take that approach and adopt it in an ICS environment, the benefits could be huge.

Imagine being able to gather the syslog data from all of the OT devices, even the preferred ‘no touch’ devices such as a PLC (which is usually contained within level 5 of the OT Purdue model), have it moved securely into the IT organisation, and then have the IT log management solution passively scan the logs and create the assets, without the need to open up connectivity between IT and OT.

This is a great step towards bridging the IT and OT worlds without compromising security barriers.

The IT organisation could then utilise its resources and expertise in asset management and security best practices and alert OT of any new devices discovered unexpectedly.
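The following is an added example, written for this page and not code from Tripwire Log Center, showing the passive discovery mechanism described above: every syslog message carries a source IP, so an asset is created or updated per source IP whether the message arrives live over UDP or is read back from an archive file. It assumes (my assumptions, not the article’s) BSD/RFC 3164-style message layout, archive lines written by a collector as “<source-ip> <raw syslog message>”, and a severity threshold for the “level of acceptability” alert; the sample archive lines are constructed for the example.

```python
"""Passive asset discovery from syslog: build an asset inventory from live and
archived syslog messages, flag devices never seen before, and raise an alert
when a message's severity crosses the organisation's threshold.

Added illustration, not Tripwire Log Center code. Assumed here: RFC 3164-style
messages and archive lines in the form '<source-ip> <raw syslog message>'.
"""
import re
import socket
from dataclasses import dataclass, field

# <PRI>TIMESTAMP HOSTNAME MESSAGE  (BSD/RFC 3164 layout; PRI is optional)
_SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# Archive line layout assumed for this example: '<source-ip> <raw syslog message>'
_ARCHIVE_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<raw>.*)$")

# Constructed sample archive: two known OT devices plus one device nobody
# registered, and one corrupt line to show the error path.
ARCHIVE_SAMPLE = """\
10.10.1.20 <134>Mar  1 10:00:01 plc-01 controller: cycle complete
10.10.1.21 <134>Mar  1 10:00:05 hmi-02 ui: operator login
10.10.1.20 <131>Mar  1 10:02:17 plc-01 controller: watchdog reset
corrupt line with no source address
10.10.1.99 <134>Mar  1 10:05:00 unknown-dev sshd: listening on port 22
"""


def parse_syslog(raw: str) -> dict:
    """Split one RFC 3164-style line into facility, severity, timestamp, host, message."""
    m = _SYSLOG_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unparseable syslog line: {raw!r}")
    # Missing PRI defaults to 13 (user.notice), as syslog receivers conventionally do.
    pri = int(m.group("pri")) if m.group("pri") is not None else 13
    return {
        "facility": pri >> 3,
        "severity": pri & 7,  # 0 = emergency ... 7 = debug (lower number = more severe)
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "message": m.group("msg"),
    }


@dataclass
class Asset:
    ip: str
    hostname: str
    first_seen: str
    last_seen: str
    messages: int = 1


@dataclass
class ScanResult:
    new_assets: list = field(default_factory=list)   # IPs first seen during this scan
    alerts: list = field(default_factory=list)       # (ip, raw line) at or above threshold
    skipped: int = 0                                  # lines that could not be parsed


@dataclass
class AssetInventory:
    assets: dict = field(default_factory=dict)  # keyed by source IP
    max_severity: int = 3  # alert on 'error' (3) or worse; assumed threshold

    def ingest(self, source_ip: str, raw: str):
        """Create or update the asset for source_ip. Returns (is_new, severity_alert)."""
        parsed = parse_syslog(raw)
        is_new = source_ip not in self.assets
        if is_new:
            self.assets[source_ip] = Asset(source_ip, parsed["hostname"],
                                           parsed["timestamp"], parsed["timestamp"])
        else:
            a = self.assets[source_ip]
            a.hostname = parsed["hostname"]  # keep the most recently reported name
            a.last_seen = parsed["timestamp"]
            a.messages += 1
        return is_new, parsed["severity"] <= self.max_severity


def scan_archive(inventory: AssetInventory, lines) -> ScanResult:
    """Historical path: replay archived lines (e.g. copied from a regional site)."""
    result = ScanResult()
    for line in lines:
        m = _ARCHIVE_RE.match(line)
        if not m:
            result.skipped += 1
            continue
        try:
            is_new, alert = inventory.ingest(m.group("ip"), m.group("raw"))
        except ValueError:
            result.skipped += 1
            continue
        if is_new:
            result.new_assets.append(m.group("ip"))
        if alert:
            result.alerts.append((m.group("ip"), m.group("raw")))
    return result


def listen_udp(inventory: AssetInventory, bind: str = "0.0.0.0", port: int = 514):
    """Live path: the peer address from recvfrom() is the source IP (port 514 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (ip, _) = sock.recvfrom(8192)
        try:
            is_new, alert = inventory.ingest(ip, data.decode("utf-8", "replace"))
        except ValueError:
            continue
        if is_new:
            print(f"new asset {ip} ({inventory.assets[ip].hostname})")
        if alert:
            print(f"severity alert from {ip}: {data!r}")


if __name__ == "__main__":
    inv = AssetInventory()
    inv.ingest("10.10.1.20", "<134>Mar  1 09:00:00 plc-01 controller: boot")  # seen live earlier
    res = scan_archive(inv, ARCHIVE_SAMPLE.splitlines())
    print("new assets:", res.new_assets)
    print("severity alerts:", res.alerts)
    print("skipped lines:", res.skipped)
```

Running the script replays the constructed archive against an inventory that already knows plc-01 from a live message: hmi-02 and the unregistered 10.10.1.99 come back as new assets for IT to raise with OT, the watchdog reset (PRI 131, severity 3) trips the severity alert, and the corrupt line is counted rather than silently dropped. A scheduled run would simply call scan_archive on the day’s archive files; the live listener is included to show that the same ingest routine serves both paths.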
IT could also monitor for potential patterns of interest that OT should be aware of, and again alert if the severity level goes above the organisation’s level of acceptability.

Without passive asset discovery functionality, this cross-functional team methodology would be really hard to achieve and could ultimately cost the organisation a lot more money and resources by potentially having two teams doing the same job within the organisation.

To learn more about passive asset discovery through Tripwire Log Center for Industrial Control Systems, click here.