“When the asset discovery market launched, every single company that offered a solution used the line, “You can’t protect what you don’t know.” Everyone agreed with that.
Problem is, “what you don’t know” has grown… a lot.”
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our sponsored guest is Huxley Barbee (@huxley_barbee), security evangelist, runZero.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor runZero
[David Spark] When the asset discovery market launched, every single company that offered a solution used the line, “You can’t protect what you don’t know.” Everyone agreed with that. The problem is what you don’t know has grown a lot.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, producer of the CISO Series. And joining me for this very episode is Steve Zalewski. Steve, people know you by which voice sound you use?
[Steve Zalewski] Hello, audience.
[David Spark] That’s the one I know of. Hey, our sponsor for today’s episode is runZero. They are the cyber asset management solution. Ah, we’re talking about asset management, how apropos. Guess what? They brought us our guest, too. I’ll introduce that person in a moment. But first, Steve, the asset management space is hot, hot, hot. I don’t need to tell you that. I’ve gone to so many startup events. It seems like a third of the companies are doing something of discovery, some level of some kind of asset discovery. So, there’s an eagerness of this. And it’s understandable because it’s the first thing you should do according to the CIS controls. Yet with all our efforts to know our assets, are we any better understanding? Because the definition of an asset has expanded and more and more is out there and unmanaged. That’s the key thing. A lot that’s unmanaged, being unknown as well, and not being dealt with. So, there are far more tools out there to deal with this problem than there were five years ago, but I don’t get the sense that everyone is fully happy with their solution. What do you think, Steve?
[Steve Zalewski] I would say if you look five years ago when asset management was a smaller set of assets. Even if you look today, we haven’t got that figured out. And the number of assets we now have is dramatically larger. So, I think why this is such a hot topic is we can’t figure out what to do when it was a simple problem, and we definitely don’t know what to do when it’s a complex problem. But then we have to translate that to the second half of what we were talking about was if you have a breach or if you have an incident, what do you do when it’s an unknown asset. How does that imply your ability to respond? And I think that’s the real so what, now what question that has people spun up.
[David Spark] We will get to that very discussion in today’s show. And to join us for that is our sponsor guest, who I’m thrilled to have on board because I’ve interviewed him before. And he is phenomenal and got a lot of great insight on this. It is Huxley Barbee, who is the security evangelist over at runZero. Huxley, thank you so much for joining us today.
[Huxley Barbee] Happy to be here. Thank you, David.
What are they looking for?
[David Spark] Duane Gran of Converge Technology Solutions said, “I would estimate that about 20% of incidents in my experience go through the ‘who the hell owns this’ gauntlet.” I’m sure that’s been said many times. And Chuck Herrin of Wib said, “While digital transformation projects are accelerating, easily less than half of APIs are managed, and they expose back end systems and data. And that trend is worsening.” And Chris Kirsch of runZero, your colleague, Huxley, said, “Unmanaged assets are the primary reason why security teams are unhappy with their asset inventory.” Speaking closely to what you said, Steve. “This is because unmanaged devices are much harder to investigate and more likely to get owned because they lack security controls and patching.” Which is kind of the theme of this whole issue, isn’t it, Steve?
[Steve Zalewski] Yes. The other kind of unmet expectation when we talk about this is assets now used to be systems. We talk about physical assets. And then we got the IoT. And now when you get to APIs, you’re getting into software as assets. They’re independent things that you use. And so how do I manage a serverless object that I’m calling and getting stiffed back to? I almost hate to say this, but people are now assets because if you look at the business units. Who owns those people and those business units that I know that they exist? How many of us have had a merger and acquisition, and all of a sudden it isn’t systems. It’s where are all the people, and how well do we understand their kind of security risk posture.
[Huxley Barbee] Yeah, absolutely. I think everything that we’re saying here and that we’re citing in these quotes is a reflection of this trend over the last couple of decades of how there’s been a loss of control of devices, assets, and so on and so forth. It used to be you just protect the office, the on-premises IT assets within the office. But there’s been this divergence of environments where now you are having to protect IoT devices, OT devices, devices in the Cloud, devices in your remote employees’ homes, and so on and so forth. Even you need to be aware of assets in the companies that might be your mergers and acquisition targets as well because you’re going to be taking on those risks and responsibilities very soon. And then alongside of this, alongside of this divergence of environments is the fact that end users have gotten more and more capabilities to change the attack surface of the organization without ever telling anybody. And so both because the scope of what you have to protect, the assets just going in this diaspora all over the place, and the fact that IT even doesn’t have control over what assets are existent on your network leads to the situation where we just have this complete loss of control by our security teams. So, what are they looking for? Yeah, it’s unmanaged assets all over the place because those are the ones that lead to the greatest risks for you.
[David Spark] So, where do you…? Is there a space where you find the most unmanaged assets, Huxley?
[Huxley Barbee] So, based on what we know, you’re going to find that more in the OT space as well as the IoT space because there has not been any sort of governance in those areas for… Well, maybe ever. Whereas in the IT space there has been more governance, so definitely more on the IoT side than the OT side. But every organization is different, and you may have a lot of unmanaged assets either because you had a lot of staff turnover, so therefore these assets have lost their ownership and they’re no longer being maintained or being patched. Or you might have these unmanaged IT assets that came from the acquisition. For example, Marriott and Starwood. When Marriott bought Starwood, basically I think they laid off most of the employees from Starwood, and then all of a sudden overnight all these assets that were part of Starwood basically lost ownership. And then of course we know what happened with Marriott and Starwood and those assets with the breach.
What should we be measuring?
[David Spark] Ezra Ortiz of Peraton said, “You can’t defend everything, but you better defend 100% of what is critical.” And Duane Gran again of Converge Technology Solutions said, “The real harm of this really is that it hampers our ability to create automation around containment because we may not have enough context to know if we are responding to a mission critical asset or a lab environment.” And lastly, Malcolm Harkins of Epiphany Systems said, “Understanding the context between all these items is not only the attack surface they create but in the attack depth that is within our organization will be critical to managing, mitigating material impact and corporate exposure to cyber risk.” So, I get a little sense from these quotes here, Steve, that while we do want to know our unmanaged assets, it’s really you can’t protect everything per Ezra’s comment. He says, “We just got to know what’s most critical that’s out there.” So, there could be stuff that’s unmanaged that we don’t have to worry about. Do you feel the same way?
[Steve Zalewski] Absolutely. I love all three of these quotes because I think they get to what we should be measuring is not efficiency but effectiveness. It’s not do we know where all 100,000 assets are. Because even if I know where they are, I probably only have visibility to 90% of them when they’re online or knocked offline, or my management tools… So, the reality is there’s a certain amount of unknown at any point in time, so we have to be much better at thinking about the effectiveness of us being able to manage the problem, not try to think that we can just 100% solve the problem. I think that’s why the measurement is let’s not think about the efficiency, let’s understand the effectiveness of our controls to manage when a bad thing happens. The so what, not what conversation. And I think that if we measure it right will move us beyond the fact that we’re going to have evermore devices to monitor and get better at resiliency to know what’s important and what do we do when a bad thing happens.
[David Spark] Huxley, I want to give you an opportunity to specifically talk about runZero right here because I know one of your charges for the company is to find unmanaged assets. But are you working with your customers to understand sort of the criticality nature of things? So, it’s not just finding the unmanaged assets, of where your exposure is and what is this physically holding that could be an issue.
[Huxley Barbee] Right. So, the concept of what is asset inventory and what is good asset inventory has grown in our opinion.
[David Spark] Right. And that’s what we were saying at the beginning – that what we know what to be or what we don’t know has grown because we’re now broadening the definition of it.
[Huxley Barbee] Right, but it’s not just the different types of assets like software and things of that nature but also what goes into that asset inventory, what are the attributes that you would want to see in an asset inventory. It’s not just, “Hey, here’s a Windows machine, and this is the IP address.” It’s gone far, far, far beyond that. It’s also about what are all the services that are on that particular asset, who is the owner of that asset, what are the vulnerabilities that might exist on that particular asset. All that goes into the asset inventory. And so what you want to do is to reduce the unmanaged assets as much as you can in order to be sure that, hey, you know what the crown jewels are. So that as this Ezra Ortiz said, you better defend 100% of what is critical. You need to at least know what is critical in order to mount a credible cyber security defense.
[David Spark] Yeah, and nobody is searching for assets like, “Could you only find the critical ones?” You got to find everything to then find out what the critical ones are.
[Huxley Barbee] Bingo, you got it. That’s it. 100%.
[Steve Zalewski] So, I’m going to chime in here, which is it’s not that an asset is critical. No asset in and of itself is critical. It’s the business process that it enables that’s either protecting consumer data or making money that we need to focus on. And then you can classify the assets against that business process to know how to mitigate. It’s people that think that the asset itself is the problem. It’s impossible to manage 100,000 problems. We got to move up the stack a little bit to look at the business, which is kind of what Ezra was saying. We got to challenge ourselves to start there and then manage the visibility of the assets that we have to the best that we can. I think that’s key.
[Huxley Barbee] Absolutely. And this goes back to what I was saying, asset inventory is not just operating system and IP addresses. It’s so much more than that. There’s all this other context around ownership, business use case, and so on and so forth.
[David Spark] What Malcolm Harkins was saying.
[Huxley Barbee] There you go, yes.
[Steve Zalewski] Right. But when you get to the use cases… And I guess we’re hammering on this one, and I really like it, which was, hey, IoT devices that we say so blithely… Which was those things are really the hard problem. I’ll use an example. Heck, in the Levi stores, we used to have stereo systems to pump music in. Those were IoT devices that had firmware that hadn’t been managed for years because they were third party provided, and they weren’t even all the same. It depended upon the stores and where the countries were. And those things were network connected. That is not something you would normally think about for stores to be able to sell jeans, yet there’s an asset that was directly connected to the net that was highly vulnerable. That was where I’m coming to the it’s not just IoT, it’s not just your hockey pucks of Alexa. This is the concept where I’m saying look at the assets for what they are, know which ones are critical. And I couldn’t do anything about it. That was an accepted risk because there literally was nothing I could do. And so, again, just because you can see the asset doesn’t actually mean you can actually manage the risk of the asset to an appropriate level. You may just have to accept it and look at compensating controls.
[David Spark] All right, before we go on any further, Huxley, I just want to ask a question that I ask pretty much all of our guests – are you hiring, yes?
[Huxley Barbee] Yes, 100%. We are.
[David Spark] Very much hiring over at runZero. And by the way… And if people want to contact you, I’m assuming just contact you via LinkedIn, yes?
[Huxley Barbee] Yeah, you just can search for me on LinkedIn. I’m the only Huxley Barbee you’re ever going to meet.
[David Spark] We’ll also have a link to your LinkedIn page on the blogpost for this episode as well. But one other thing I want to mention before we talk a little bit… I want to talk a little bit about runZero. Is that you are the lead organizer of BSides NYC. I’m a huge fan of BSides. I’ve done only the San Francisco and the Las Vegas ones. I’ve yet to do New York City. Is there a special flavor the New York City’s BSides has than the others?
[Huxley Barbee] Other than being the best BSides ever? Yeah.
[David Spark] [Laughs]
[Huxley Barbee] But here’s the thing – the BSides NYC was one of the unfortunate things that didn’t make it through the pandemic, so we’ve been on hiatus for a couple of years now. But we are bringing it back in 2023. So, April 22nd, 2023, is the next BSides NYC conference. It’s being hosted generously by John Jay College, D4CS [Phonetic 00:15:08]. And call for papers is open. It closes on February 6th. So, there’s probably a couple of weeks left.
[David Spark] So, you have a little more than two weeks. If you’re hearing this, you’ve got a little more than two weeks to get it in.
[Huxley Barbee] Yes, call for papers still in. Please head on over to bsidesnyc.org/cfp to submit your fantastic ideas to share with the rest of the security practitioner community.
[David Spark] And by the way, I love the presentation over at BSides. So, A, highly recommend you get it in and highly recommend you also go.
Sponsor – runZero
[David Spark] But before we go any further, I do want to mention your company, runZero, the cyber asset management solution. Now, for those of you who don’t know, it is the fastest and easiest way to build a full asset inventory, kind of what we’ve been talking about on the show today, to get proactive about your security program and accelerate your incident response. Well, ultimately that’s what we want to do. So, get the data and context… Oh my God, it’s like they were reading our mind. About devices, services, and configurations needed to effectively manage and secure your environment. Take advantage of their integrations with your existing IT and security stack together with a proprietary scanner to cover all of your assets, local IT, OT, IoT, the ones where we find the most unmanaged assets, Cloud, external, work from home, and even your unmanaged assets. runZero is so easy to use that you can get started in minutes on your own. So, just go to runzero.com for a free trial. No credit card is required. That’s runzero.com. Or to get a firsthand look at runZero in action, search for them on YouTube, and you can check out all their video demonstrations.
Would this work?
[David Spark] Yassir Abousselham, who is the CISO over at UiPath, said, “If you don’t know about it, it is safe to assume that vulnerability management controls are not applied and that incident response will be a major challenge.” So, Yassir said, “I dealt with the issue through the following mechanisms – one, my team partnered with accounting and procurement to issue and enforce a policy rejecting any Cloud/SaaS expenses that are run through personal and corporate credit cards. Two, standard controls are uniformly applied to any instances that are created under the IT managed Cloud subscriptions. And three, access to sensitive data/assets is not permitted from non-IT/engineering managed surfaces.” Now, Edward Contreras did something similar, and he wrote something very long, but I’m highly summarizing here. So, he’s the CISO over at Frost Bank, and he’s dealing with all of these issues now. He adds that he did scanning for assets, assigned an owner to an asset, identified vulnerabilities, updated the configuration management database or the CMDB, all in real time and just keeps doing this. All right, I’m going to throw to you again, Steve. This seems like a very sort of long prescription. In addition, it seems like it’s a ton of work. Is it as tough as it seems?
[Steve Zalewski] Like anything else, it’s a matter of scale and use case. And it can quickly get out of control. But I think what we’re really saying is would this work is anything will work. It’s just how well will it work, and is it good enough for you. And so the thing about asset management, like many issues in cyber security, is what’s good enough for you, knowing that it’s probably not possible to be perfect. And that the conversation here is put some technology in the ground, apply some logic to it. But take the output with a view of not how do I get everything in but given that this is an approximation of what I’m going to normally see, how do I best protect my company with this capability.
[David Spark] Huxley, I’m going to go to you and ask is this the case that you can’t have…? Because I’m going to kind of extrapolate from what you just said, Steve, and say we may not be able to offer best practices here given that everyone is kind of a special snowflake. Is that all right for me to say it like that, Steve?
[Steve Zalewski] Yes.
[David Spark] Okay. What do you think? Is it possible…? You’ve had lots of customers. You’ve done lots of scans of environments. You’ve seen lots of different contexts to different things, so just because this is unmanaged it may or may not be an issue. Is everyone a special snowflake, and does best practices just not work here?
[Huxley Barbee] Well, every organization is unique, that is true. But there are some common techniques that are useful to most organizations that could be leveraged in many ways. This is not me saying this. But for example in the federal space, there is the binding operational directive BOD 23-01. I don’t know if you’re familiar with this or your audience is. But it will take effect on April 3rd, 2023. CISA is requiring all federal civilian agencies to have automated discovery every seven days. They have to perform automated discovery every seven days using a technique that can scan the entire IPv4 space used by that particular agency. So, there are best practices out there that are applicable to many, many organizations that do involve use of certain types of technologies. And of course this is just the federal civilian agencies, but for many other industries in the private sector there can be best practices that would be applicable at large.
[David Spark] But also I think… And this is why industries talk to industries. Steve, we’ve talked about this a lot before is that you get more value talking to your direct competitors than you do just, “Hey, what’s the general best practice on how to handle this?” Right?
[Steve Zalewski] Yes. And I have to say this, which was… So, Huxley’s background has snowflakes in it.
[David Spark] [Laughs]
[Steve Zalewski] Okay? So, for the audience, they don’t see it, but I’m just chuckling because he’s got a background full of snowflakes as we’re having this conversation. Now, best practices are just that – deploy a technology. But we all know deploying the technology, it’s the people and the process on the back side that are the effectiveness. So, I can demonstrate to an auditor that I have the tool, and I run the asset. But if I only have one other person in my team there’s only so much I can do. That was my point about have best practice or have an asset discovery and management capability. But be very careful about explaining what you can and cannot do as an organization and where that protection perimeter is based on the realities of what you have for people and process to augment the technology.
How do we determine what’s most important?
[David Spark] Anthony M. of Air Products said, “As a starting point, I maintain a very broad definition of asset. So, endpoint, network, identity, and even down to the data itself.” We talked about this all throughout this episode. Anthony goes on to say, “Lack of asset understanding to me is the difference between being forced into a zone based defensive model and being able to use more precision asset to asset defensive approaches.” I have to assume or I think we’re all going to be in agreement that if we can do an asset to asset defensive approach that would be ideal. But I’m going to throw some curveballs out here. Huxley, I want your thoughts on this. One is could that get crazy expensive? B, is there a zone defense that would work for all the stuff that you don’t know about? What are your thoughts?
[Huxley Barbee] Well, so along with unmanaged assets, the thing that’s really troubling for many organizations is unknown subnets. We’ve had many customers that would actually ultimately find that they actually have ten times the number of assets than they had known about simply because they were sitting on these subnets that were just completely not under governance at all. And I suppose you could apply zone based defense to that by use of segmentation in order to sort of quarantine these subnets or networks or unmanaged assets. But of course it’s not ideal because these [Inaudible 00:23:42] could in some cases start to affect the function of the business.
[David Spark] Right, good point. Steve, what’s your thoughts? And also, we’re using different terminology here, but a zone based defense could conceivably be brought down to a zero trust model as well?
[Steve Zalewski] I’m going to say no on that. Because if you’re going to go down that path, I believe it feels good, but it’s the wrong idea. I equate zone to… My wife and I have four kids. But when you had one child, it was pretty easy. It was two on one. There were two of us watching it. You have two, now it’s man to man. Once you have three and then four, you got to go to zone defense. So, you’re positioning yourself where you can best manage your children, realizing that bad things will happen. I think what I like about the zone defense and kind of what we were talking about here is so realizing you can’t do perfect. How are you establishing the insurance policy, so to speak, against the key business processes and against the most likely risks that you’ve got your defensive controls in a position that you’re able to protect against those? And that is about as good as it can get and be comfortable with that. I think that’s the way I would describe a good zone defense as a CISO that we should be applying as we look at our asset management.
[Huxley Barbee] So, it sounds like you have to at the very least identify what the crown jewels are, where they are, and then identify that zone versus other zones.
[Steve Zalewski] Correct, and so another way, again… It’s all in the analogy. Which was look, so when you had four kids, the kitchen was a critical area because the kids can get burned. They can get hurt. They can get scalded, so you put a lot of defensive controls around the kitchen. Not so much in the bedrooms. So, that simple analogy for me is take a look at your company and understand where the bedrooms are, where’s the kitchen, where’s the likelihood of risk. And that’s our zone defense.
[Huxley Barbee] So, at the very least you need to know what the zones are and what’s in those zones.
[Steve Zalewski] And you get to define those zones if the business doesn’t give you a business impact analysis.
[David Spark] Very good way to put it.
[David Spark] And that is wrapping up our discussion. But now to close it all out, I want to know everyone’s favorite quote and why. I’ll start with you, Huxley. Which quote was your favorite, and why?
[Huxley Barbee] Okay, I’m going to cheat, and I’m going to combine two quotes.
[Steve Zalewski] Hey, hey, hey, that’s what I do. Knock it off. You’re not a cohost. You don’t get to do that.
[David Spark] [Laughs] He gets to do it. Let him do it.
[Huxley Barbee] I’m getting an exception this time. But I’d like to combine Ezra’s, “You can’t defend everything, but you better defend 100% of what is critical.” Along with the following one from Duane Gran – just the last part of it where he says, “We may not have enough context to know if we’re responding to a mission critical asset or a lab environment.” Those two together to me really come to the heart of this. Is you need to know what your crown jewels are. You need to know if you’re defending something important versus not important. But in order to be sure about that, you need to protect 100% of those. In order to be sure about that, you do need to have a full and timely asset inventory.
[David Spark] Yeah, good point. There is no asset inventory scan that only finds the important stuff by context. It doesn’t exist.
[Huxley Barbee] If that existed then this would be such an easier problem to deal with.
[David Spark] Exactly. Steve, your favorite quote and why.
[Steve Zalewski] I’m going to pick Malcolm Harkins’ from Epiphany Systems.
[David Spark] By the way, these are all the three quotes in the second segment.
[Steve Zalewski] That’s right, which is, “What should we be measuring?” Because I think for both Huxley and I, we kind of got to the it’s not about what you can see. It’s what can you do about what you see. I think that’s the measuring. So, I go with Malcolm. Because what Malcolm basically said in this last part is understanding the context between all these items is not only the attack surface they create but the attack depth that is within our organizations that is critical to managing, mitigating material impact to cyber risk. And so I like the zone defense and the fact that what we’re doing is looking at material impact. Where is it most likely that the kids may get hurt? So, look at material impact. Don’t look at just vulnerability. The kids could pinch their fingers in a door. That’s a vulnerability. But the kids could burn their fingers on the stove. That’s a material impact, and that’s higher likelihood that I want to be able to manage as an example. So, I go with Malcolm because I think it’s a good blend of understanding it’s material impact – what do you really need to focus on as a critical asset.
[David Spark] Excellent. And that wraps up our show. Thank you so much, Mr. Steve Zalewski and Huxley Barbee, who is the security evangelist over at runZero. I also want to remind everybody, not just runZero who is our awesome sponsor today, cyber asset management solution… runzero.com, check it out. But also BSides New York City, call for papers. Check them out. It’s bsidesnyc.org, right?
[Huxley Barbee] Correct.
[David Spark] All right. So, please get your papers in there and at least show up to the event. It should be a ton of fun. And a huge thanks to our audience, as always. We greatly appreciate your contributions. So, contribute comments. And also if you really see a hot discussion online, let me know about it. We’ll turn it into an episode. That’s it. Thanks for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.