• Category: Integrated Vulnerability Management
  • Tags: ServiceNow, Nessus, EDR, Splunk, Active Directory, VMware

Challenge

There's a saying when it comes to management: "You can't manage what you can't measure." When approaching management from an Information Security standpoint a better expression would be "You can't protect what you can't see." Without accurate and reliable data about the hardware and software assets deployed in your environment it's impossible to craft appropriate defense or to know that your current defenses and monitoring are performing to standard.

There's a reason that Hardware Asset Inventory and Software Asset Inventory are the first two CIS controls: they are the foundation upon which all other security controls must stand.

When a new device is deployed there is a high degree of confidence that the installed configuration is compliant with the current software baseline. But over time that configuration will drift, either due to the security standards changing, new management or security tools deployed, or updates to end-user applications (or exceptions created to not upgrade). Considering the average lifespan of a workstation is over 4 years there is a lot of potential for configuration drift as these machines age.

This is even more prevalent in servers, where the lifespan can sometimes span a decade, and it is compounded by the "if it isn't broke, don't touch it" mindset, which, considering that 70% of outages trace human error as the root cause, is a not-unreasonable mentality from the perspective of your Systems Administrators.

The fact is that over time your current state will drift from your desired state and it's important to find where the drift has occurred and correct it. This isn't even basic cyber hygiene; it is a precursor to basic hygiene without which proper security is impossible.

Solution

Figure: Dashboard showing a comparison of deployment coverage of two different security tools.
Figure: Inventory comparison of Nessus and FireEye showing differences.

The first step in finding the black holes in your visibility is taking an inventory of what you do know.

You no doubt have a variety of tools currently at your disposal which manage these devices in varying ways:

  • Active Directory contains an inventory of your servers and workstations which are joined to your domain
  • Virtualization platforms, either on-prem or cloud hosted, contain an inventory of your servers and workstations that are hosted in that platform
  • Vulnerability scanners such as Nessus or Nexpose contain an inventory of assets which have been scanned recently
  • EDR tools such as FireEye or CrowdStrike contain an inventory of assets where the agent is installed
  • Central log management such as Splunk contains an inventory of assets which are configured to send logs

Each of these methods has strengths and weaknesses, and the weaknesses of one can be offset by the strengths of your other tools. By comparing the data in each of these inventories you can discover which of your critical systems are not properly sending logs, which workstations are missing the EDR application, or which subnets are missing vulnerability scans.
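As an added illustration of the comparison described above (example code written for this page, not Clockspring's own workflow), the following Python normalizes hostnames exported from several systems of record and reports, per tool, which assets of the authoritative inventory that tool does not know about. The inventories, the tool names and the `.corp.example.com` suffix are constructed sample data and assumptions; the point it makes is that the same machine is named differently in each tool (short name, FQDN, mixed case), so a naive set difference without normalization would report nearly everything as a gap.

```python
"""Cross-inventory gap analysis over constructed sample exports.

Each tool names hosts differently: Active Directory gives short names, Nessus
gives FQDNs, the EDR console upper-cases names, Splunk reports whatever the
forwarder was configured with. Keys are folded before comparing.
"""
from typing import Dict, Iterable, Set

# Constructed sample data (not real exports).
AD_COMPUTERS = ["WEB01", "WEB02", "DB01", "FS01", "WS-ALICE", "WS-BOB"]
NESSUS_HOSTS = ["web01.corp.example.com", "web02.corp.example.com",
                "db01.corp.example.com", "ws-alice.corp.example.com",
                "printer-lobby.corp.example.com"]
EDR_HOSTS = ["WEB01", "DB01", "FS01", "WS-ALICE", "WS-BOB", "WS-CAROL"]
SPLUNK_HOSTS = ["web01", "web02", "db01", "fs01"]

# Assumed internal DNS suffix(es) to strip when folding FQDNs to short names.
INTERNAL_SUFFIXES = (".corp.example.com",)


def normalize(name: str) -> str:
    """Fold a hostname to a comparison key: lowercase, trimmed, suffix removed."""
    key = name.strip().lower()
    for suffix in INTERNAL_SUFFIXES:
        if key.endswith(suffix):
            key = key[: -len(suffix)]
    return key


def to_key_set(names: Iterable[str]) -> Set[str]:
    return {normalize(n) for n in names}


def find_gaps(inventories: Dict[str, Iterable[str]],
              authoritative: str) -> Dict[str, Set[str]]:
    """Compare every tool against the authoritative inventory.

    Returns a mapping tool -> assets in the authoritative list that the tool
    is missing, plus an "unmanaged" entry: assets some tool sees but the
    authoritative inventory does not (shadow or orphaned devices).
    """
    keyed = {tool: to_key_set(names) for tool, names in inventories.items()}
    baseline = keyed[authoritative]
    gaps: Dict[str, Set[str]] = {}
    for tool, hosts in keyed.items():
        if tool == authoritative:
            continue
        gaps[tool] = baseline - hosts
    seen_anywhere: Set[str] = set().union(*keyed.values())
    gaps["unmanaged"] = seen_anywhere - baseline
    return gaps


def sample_gaps() -> Dict[str, Set[str]]:
    """Run the comparison over the constructed inventories, AD as the baseline."""
    return find_gaps({
        "active_directory": AD_COMPUTERS,
        "nessus": NESSUS_HOSTS,
        "edr": EDR_HOSTS,
        "splunk": SPLUNK_HOSTS,
    }, authoritative="active_directory")


if __name__ == "__main__":
    for tool, missing in sample_gaps().items():
        print(f"{tool:18s} {sorted(missing) or 'no gaps'}")
```

Which inventory is treated as authoritative is a policy choice; using Active Directory here surfaces both kinds of finding the text describes: domain-joined machines a tool has not covered, and devices (the lobby printer, a workstation that never joined the domain) that only a scanner or agent knows about.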

This type of comparison is extremely time consuming and would be rife with error if done manually. Even with traditional application development techniques, connecting these systems to analyze the data within them would take months of development effort and result in a flat report which is cumbersome to use and share.

The Clockspring platform is purposefully built to overcome these challenges. Connecting systems together to share and analyze data can be done in hours instead of weeks via a fast and extremely flexible no-code workflow development canvas.

You can easily take the inventory from each of these tools, compare it to the inventories of the others to identify where your gaps in coverage are, and run this process continually. Gone are the days of assuming that if the high-level numbers match you have 100% coverage in the enterprise. Clockspring will tell you on a system-by-system basis where your coverage gaps are, allowing you to quickly identify and remediate these misconfigurations.

The challenge is not over once your black holes have been identified. Continuous monitoring is needed to identify and adjust for any new drift which is inherent in the hardware and software lifecycle. The discovery process should be executed periodically, at an organization-defined frequency, to re-inspect the configuration in your various systems of record and update the gap reports.

But generating and disseminating reports is still an incomplete solution. A more robust approach includes the automatic generation of tickets which are routed to the correct team based on the gap identified. For example, if a system is identified as missing the installation of the EDR tool the ticket should route to the triage queue for that team. To prevent duplicate tickets the ticketing database should be queried to ensure that there are no existing tickets open for the issue. Only after that verification has been completed should the ticket be created and routed to the appropriate team.
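The routing and de-duplication rule in the paragraph above, as an added example that is not part of the original page or of Clockspring's product: gap findings are mapped to an owning queue, a finding is skipped when an open ticket for the same host and gap type already exists (closed tickets do not block a new one), and approved exceptions are excluded from ticketing. The `ROUTES` table, the `Ticket` record and the sample findings are constructed stand-ins for a real ticketing system such as ServiceNow.

```python
"""Route coverage-gap findings to owning teams, with duplicate suppression.

Stand-in for a ticketing integration: the Ticket dataclass and the in-memory
list of existing tickets play the role of the ticketing database query the
text calls for. All names and data here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed routing table: gap type -> assignment queue for the owning team.
ROUTES = {
    "missing_edr": "Endpoint Security Triage",
    "missing_vuln_scan": "Vulnerability Management",
    "missing_logs": "SOC Logging",
    "unmanaged": "Asset Management",
}


@dataclass
class Ticket:
    host: str
    gap_type: str
    queue: str
    state: str = "open"


Key = Tuple[str, str]


def dedupe_key(host: str, gap_type: str) -> Key:
    """Identity of a finding: case-folded host plus gap type."""
    return (host.strip().lower(), gap_type)


def open_ticket_index(tickets: List[Ticket]) -> Set[Key]:
    """Keys of findings that already have an OPEN ticket; closed ones are ignored."""
    return {dedupe_key(t.host, t.gap_type) for t in tickets if t.state == "open"}


def route_gaps(gaps: Dict[str, List[str]], existing: List[Ticket],
               exceptions: Set[Key]) -> Tuple[List[Ticket], List[str]]:
    """Decide which tickets to create. Returns (tickets_to_create, skip_reasons)."""
    already_open = open_ticket_index(existing)
    new_tickets: List[Ticket] = []
    skipped: List[str] = []
    for gap_type, hosts in gaps.items():
        queue = ROUTES.get(gap_type)
        if queue is None:
            skipped.append(f"{gap_type}: no route defined, needs manual triage")
            continue
        for host in hosts:
            key = dedupe_key(host, gap_type)
            if key in exceptions:
                skipped.append(f"{host}/{gap_type}: approved exception")
                continue
            if key in already_open:
                skipped.append(f"{host}/{gap_type}: ticket already open")
                continue
            new_tickets.append(Ticket(host=key[0], gap_type=gap_type, queue=queue))
            already_open.add(key)  # also suppresses a repeated finding in this run
    return new_tickets, skipped


# Constructed sample: output of a discovery run, current ticket state, exceptions.
SAMPLE_GAPS = {
    "missing_edr": ["web02", "WEB02"],          # same host reported twice
    "missing_logs": ["ws-alice", "ws-bob"],
    "missing_vuln_scan": ["fs01"],
    "missing_backup_agent": ["db01"],          # no route defined for this type
}
EXISTING_TICKETS = [
    Ticket("WEB02", "missing_edr", "Endpoint Security Triage", state="open"),
    Ticket("fs01", "missing_vuln_scan", "Vulnerability Management", state="closed"),
]
EXCEPTIONS = {dedupe_key("ws-bob", "missing_logs")}  # approved: kiosk, no forwarder


def run_sample() -> Tuple[List[Ticket], List[str]]:
    return route_gaps(SAMPLE_GAPS, EXISTING_TICKETS, EXCEPTIONS)


if __name__ == "__main__":
    created, reasons = run_sample()
    for t in created:
        print(f"CREATE  {t.host:10s} {t.gap_type:20s} -> {t.queue}")
    for r in reasons:
        print(f"SKIP    {r}")
```

Matching on a case-folded host plus gap type rather than on ticket title text is what keeps the check stable across tools that spell the same hostname differently; keying on the open state, not on existence, is what lets a previously resolved gap that reappears after drift generate a fresh ticket.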

Impact

This type of advanced conditional routing is extremely difficult to do with traditional automation, and the result is brittle and difficult to modify as the rules or environment changes over time. Clockspring removes the difficulty by abstracting the complexity into workflow routes and rules, making it easy to update as your environment changes and new tools are introduced or old tools decommissioned.

Using this solution, the result will be accurate and consistent inventories across the various management systems, and subsequent automations in play to exclude any exceptions from reporting and to automatically begin the remediation actions for any new gaps discovered.
