Asset management is a crucial aspect of information security. It refers to the processes and procedures involved in identifying, organizing, tracking, and protecting an organization’s assets. The security of these assets is paramount, as you can’t protect what you don’t know about.
To learn more about how to Fix Cyber Asset Management, your host John Verry, sits down with Huxley Barbee, Security Evangelist at runZero, to discuss the importance of Asset Management, how it’s a critical component of any organization’s security strategy and much more.
In this episode, Join us as we discuss the following:
- Definition of an asset—the answer is surprising
- Top reasons why so many orgs are failing Asset Management 101
- Critical innovations of a modern asset management solution
- Asset management in the cloud and what teams really need to focus on
- How asset management failures killed Equifax
To hear this episode and many more like it, we encourage you to subscribe to the Virtual CISO Podcast.
Just search for The Virtual CISO Podcast in your favorite podcast player or watch the Podcast on YouTube here.
To stay updated with the newest podcast releases, follow us on LinkedIn here.
See below for the complete transcription of this episode!Â
Intro Speaker (00:05):
Listening to the virtual CISO podcast, providing the best insight on information security and security it advice to business leaders everywhere.
John Verry (00:19):
Uh, hey there, and welcome to yet another episode of the virtual CISO podcast, uh, with you as always, John Berry, your host, and with me today, Huxley Barbie. Hey, Huxley.
Huxley Barbee (00:28):
Hey, John. How’s it going?
John Verry (00:30):
Uh, it is going well. It’s, uh, late on a Friday afternoon, and, uh, it’s been one of those weeks that I’m glad that I’m hitting the end of the week. How about you?
Huxley Barbee (00:37):
Uh, same here. Same here. It’s been quite the week actually. Yeah.
John Verry (00:40):
Uh, so I always start easy. Uh, tell us a little bit about who you are and what is it that you do every day?
Huxley Barbee (00:47):
So, uh, I am probably first and foremost a husband and a father of two children. Uh, but for our audience, I am also the lead organizer for BSides nyc, a security conference right here in New York. And I’m also the security evangelist at Run Zero.
John Verry (01:08):
Excellent. Excellent. So, uh, I always ask before I get down to business, um, what’s your drink of choice?
Huxley Barbee (01:14):
You know, that kind of depends on the context. If, if we’re having a meal, then, uh, love having wine, particularly red wine. If I’m doing cocktails, I prefer some sort of rum based cocktail. Uh, but, you know, I often, you know, go to a beer route as well. On rare occasions, I will have a gin martini. Rare occasions.
John Verry (01:37):
So, I know you’re from New York, uh, you’re from Queens. So there’s a place in Queens and there’s also one in Brooklyn called Fin Back Brewery. And Fin Back Brewery also has a distillery called halftone. And their, uh, their gin that they make is, uh, award-winning, uh, and really worth, worth the investment. Uh, bought two bottles of it recently, I started drink, you and I could drink together, cuz all of the things you drink are things that I drink as well.
Huxley Barbee (02:02):
Excellent.
John Verry (02:02):
So we’ll have to do that someday now that I know that you’re local. Yeah. All right. So, so, you know, to me, you know, I don’t know, we’re gonna name the podcast, but it’ll probably be something like, uh, if asset management is so damn important, why is it so poorly done? Mm-hmm. Um, you know, cuz it’s amazing to me, right? Asset management is fundamental to information security. Uh, c i s CSC has it listed as the first control right. In a foundational control, yet, I find, and, and we find in our client base that it’s rarely done real well. Um, I think one of the reasons is that asset means different things to different people. So why don’t we start with how would you define an asset?
Huxley Barbee (02:41):
Yeah, yeah. So, uh, I’ll, in fact, I’ll define a cyber asset as opposed to an it asset. To my mind, cyber asset is any sort of compute device along with the related information that security teams care about. So it’s not the device itself, like the hardware, the software, but also the vulnerabilities, the, the risky settings that are associated with it. Also, the, the running software on there, the services, things that are listing on the network on that device as well. And to round it out, I would also include in there what are the security controls on that device, and also who is the owner of that device. I think these are all the details that a security team would care about when they’re looking at assets.
John Verry (03:32):
Gotcha. And let, let me ask a question. So there’s, there’s quite a few potential assets that were perhaps not encompassed by that answer. So as an example, would you consider, uh, an application, a business application? A an asset?
Huxley Barbee (03:47):
No, not in this definition of, of a cyber asset. Okay. The application would be a software which is a related, uh, entity off of a
John Verry (03:56):
Cyber asset. So, so, so you would consider from, from your realm perspective mm-hmm. <affirmative>, you would consider the server that the software is running on as being the asset, but the, the, the, okay. And would that, would you hold the same logic for the, an inf you know, some people refer to as information as an asset, right? An information asset. Would you, would you hold the same distinction there that the information sitting on that server, the server is the asset and the information sits on said server
Huxley Barbee (04:23):
Yes. Information sits on said server. Absolutely. It doesn’t make the the data any less important. Obviously there’s a lot of Right, you know, confidentiality and integrity that we gotta worry about with that data. But in terms of asset inventory in, uh, from a cyber, from a security perspective, uh, I would say no, that is, that is a related or, or derivative type of information.
John Verry (04:44):
Okay. And just last question to that end, just to kind of frame the conversation, what about mobile devices? You know, phones specifically,
Huxley Barbee (04:50):
Those are compute devices. Absolutely. And security teams absolutely care about, you know, when we say cyber, a cyber asset, we don’t just mean the laptop that was issued by it, but it’s also mobile devices. It’s, it’s your cloud resources, it is your smart plug that is now on the network. Mm-hmm. Or your, your Amazon Alexa. It’s also, um, you know, conveyor belts and robotic arms in factories. There’s all sorts of devices these days that we would consider to be a cyber acid. And it’s all important to a cyber security team.
John Verry (05:23):
Gotcha. So, so IOT devices, I mean, it, it, could we break this down? Would you, would you simplify it like from your view of asset management that it’s anything that’s got an IP address or can we even realm into the, uh, OT operational technology world and say it’s, you know, just something that’s got a network, iden identifier,
Huxley Barbee (05:43):
Something on the network. Something on the network. Yeah. Okay.
John Verry (05:47):
All right. Cool. Um, so yeah, I think another thing that makes it a little complicated is asset management is a relatively generic high level term mm-hmm. <affirmative>, and I think it encompasses a lot of different asset management is a bunch of small disciplines, right? There’s asset discovery, there’s asset classification, inventorying, you know, uh, unauthorized asset detection, all of these different, talk a little bit about, um, talk a little bit about, is that what you think makes asset management so difficult? And when you think about asset management, what are the core components of that?
Huxley Barbee (06:19):
Yeah, I I think you definitely hit on a lot of the, the components that I would consider to be core. Obviously, asset discovery, if you can’t find it, then you don’t have an, have an inventory. But related to that, of course, is also, uh, the, you know, fingerprinting or what, what you, uh, I think you meant by classification. I think the, the two hardest things about having that asset inventory that sort of is covered, uh, under ci cis control number number one is, is completeness. Oftentimes we are using legacy asset discovery tools that only cover, uh, managed it, right? The laptops and, and the, maybe the IP phones. But you know, it does not cover all these other environments where, uh, our devices have proliferated out to, right? So that is number one, that whole completeness of the asset inventory is, is the number one challenge.
(07:14):
And the second one is the accuracy, right? Uh, you know, again, we, many of our customers, many of, uh, folks that we work with, they are using older tools that, you know, basically just, you know, discover the, the operating system on a device and goes a little beyond that. And frankly, that does the security team a disservice because oftentimes knowing, uh, other types of details like the software or the services running on there, or knowing the type of hardware it is, has a material difference in how a security team reacts to a zero day or a particular incident.
John Verry (07:58):
Yeah. So, were you, what about things like, so from a discovery perspective and classification perspective, how far up do you think asset management goes in the food chain? Because you, you know, it’s interesting, you know, when you start looking at the configuration of the day, you’re, you’re kind of leaning into configuration management. Um, you’re kind of leaning into vulnerability management, you know, is that part of the problem as well, is that asset management either borders on or is integral to those fields?
Huxley Barbee (08:24):
Asset discovery, asset inventory, a hundred percent borders onto vulnerability management and, you know, I wouldn’t say configuration management, but at least, at least now discovery of risky settings,
John Verry (08:36):
Right? Which is, which is to some extent configuration management. That’s what I’m saying. There’s some blurry lines here. That’s what I’m
Huxley Barbee (08:42):
Trying to true. Yes. Yeah, yeah. It is definitely adjacent. It is definitely adjacent. And, you know, so oftentimes what you’ll find is folks are using vulnerability management tools to double as their asset discovery asset inventory tool. Mm-hmm. <affirmative>, or they’re using a, um, discovery tool for a CMDB also as their, uh, asset inventory, uh, asset discovery tool, which, you know, as I mentioned before, we’re using a lot of older tools that maybe were good back in the day when all of our devices were in the corporate office, there were just laptops and, and desktops that were issued by it. But with this divergence of environments, this proliferation of devices to many, many different, uh, parts of your network, which is not just the office anymore, you know, those tools have, have been coming up short, uh, both in terms of comprehensiveness as well as accuracy of data.
John Verry (09:35):
So let’s actually talk about that. Um, many of our clients, I, I agree with you and, uh, to some extent even pivot point, you know, we have a relatively small footprint, uh, but we’re using tools that are, that are vulnerability configuration management type tools to build our asset inventory. So talk a little bit about the why, uh, you know, so for anyone listening that is using those types of tools, um, what, what is the danger of that? And, you know, I know you at run zero, and in your former role at, I figure it was Rumble Networks or something like that, you, you’ve dealt with, uh, asset discovery. Tell me what would be a better solution for asset discovery than a vulnerability management type tool?
Huxley Barbee (10:16):
Yeah, so, uh, one, one point of clarification, run zero is the new name for Rumble. Uh,
John Verry (10:22):
So Oh, okay.
Huxley Barbee (10:23):
Thank you. Yeah, we renamed back in August of, of last year. Is
John Verry (10:27):
That a zero trust reference?
Huxley Barbee (10:29):
No, no, absolutely not. Yes. And okay, because
John Verry (10:31):
I thought you were trying to paint your product with, you know, zero trust paint like everybody else is trying to
Huxley Barbee (10:35):
No, no, no, no, no. We, we have, we have not. I, I, I, I, I’m so thankful that, uh, the founders of our company have not decided to jump on the zero trust bandwagon. Uh, zero trust is, is, uh, is, is quite the, the trend, and it’s quite the buzzword, and we are steering very, very clear of that. So for everybody listening, we are a hundred percent not zero trust <laugh>. We’re not that type of solution. No. The, the zero is just like, Hey, we’re gonna get you down to zero unknowns on your network in terms of exit inventory. Okay. So that, that, that’s it. That’s, that’s, that’s where the zero comes in. Um, so, but to, to your answer question about vulnerability management, uh, this comes down to the question of the different solution approaches. So looking back over the last 20 or 30 years, there have been a number of different solution approaches that have been attempted for, for asset discovery, right?
(11:31):
So there is use of agents, uh, use of APIs, use of authenticated active scans, passive network monitor, as well as unauthenticated active scans. And there actually are a couple of other solution approaches, but they’re so rare that, uh, I usually don’t talk about those. Now, with vulnerability management, typically what they’re doing is they are doing an authenticated active scan, right? And so what this means is they have a, some sort of network based scanner that goes out in attempts to log into as many devices as possible. So that sort of begs the question, well, how can you log in? Well, you log in with credentials. Well, how did you know the credentials of those devices? Well, this implies that the devices that you’re looking at are ones that you already know about and you probably already manage, right? And so this is sort of that, that drawback of the authenticated active scan methodology or the solution approach is you probably already know about the thing, right?
(12:42):
And so these authenticated active scans for bone scanners, they, they go reach out to the ones, the devices that they already know about, and then they log in and they perform vuln checks. Now, the thing with asset inventory is, as I mentioned before, there’s been a proliferation of devices, uh, what we call, um, divergence of, of environments where all these devices are now all over the place in the cloud, in the factory, uh, in your iot space, uh, in addition to, uh, corporate, IT related to this is, uh, this other technological trend over the last 20 years that, that I call like the, the decentral legislation of control. No longer do you need approval from it half the time to spin things up, right? With the rise of DevOps and the cloud and, and use of SaaS products, pretty much anybody could just go and spin something up and change the attack surface of the organization without ever telling anybody. And so you have this situation where there are many, many unknown devices that are being created on the network. And so when you have a situation where you have this solution approach that is optimized for managed IT devices against the backdrop of this proliferation of things that are unknown on the network, that authenticated active scan approach is falling short. And, and, you know, by extension volume scanners are not going out there and finding the unknowns on your network,
John Verry (14:10):
Right? Well, in a perfect role, right? You have a, the, you know, you can select a scanner that it will run unauthenticated and then fall back to, excuse me, run authenticated, and then fall back to an unauthenticated state when it sees, uh, a device on the network that it can’t log into.
Huxley Barbee (14:24):
Yes, yes. Many of these do have some sort of, um, host only scan type of mm-hmm. <affirmative> facility. But typically what happens then is very little information comes back. Yes. Very
John Verry (14:38):
Little a agree. Agree completely.
Huxley Barbee (14:39):
And then number two, um, because all the capability, uh, has been sort of the capability within the authenticated piece has been optimized, not a lot of attention has been paid to the unauthenticated capability, right? And so you have this situation where these tools can sometimes come back with phantom assets mm-hmm. <affirmative> or duplicate assets, right? Especially if the devices is trying to scan us behind a firewall. And if that firewall is configured in such a way to like respond on every single IP for the subject behind it, you, you now have a situation where we have all these phantom devices and these vulnerability, vulnerability management solutions do charge by the asset. And so you have this situation where you’re potentially paying for things that don’t even exist on your network. And so you really want a different approach that can actually find what’s there and, and not tell you about things that aren’t there.
John Verry (15:34):
Yeah. The other problem that we see is that, um, with DHCP is you can often see the same device, you know, when you know it gets released, uh, on a new IP address, and you’ve got phantom copies of the same device that are sitting out there. And you, you know, and with, without, I agree with you that on a bone scan on a device that the vulnerability scanner doesn’t recognize that asset classification asset fingerprinting is so bad. It’s okay, I know there’s something there, but I don’t know what I should do about it.
Huxley Barbee (16:01):
Correct. Yeah. Yeah. And so, you know, going back to like a cyber asset is a compute device with all the details that a security team cares about. When you’re missing all that context of like the de the details that the security team cares about, it, it sort of be leaves a huge gap for security. We’re like, okay, I know, I know this thing is something and it’s, it’s there, but is it, should I worry about it? Should I prioritize it? No idea.
John Verry (16:29):
Yeah. The o one of the things that I thought you were going to say is that, that I, I would think, uh, perhaps your solution would work better than, uh, a, a scanning solution like a, a ESUs style solution, uh, is dynamicness of the environment and the fact that scans are once per x, like, you know, it’s not atypical company will run a scan quarterly or run a scan monthly. Um, a lot of crap can happen during the course of a month in a dynamic environment. I’m assuming a tool like run zero and, and the, the methodology that you would use would be something that would be closer to realtime awareness of what’s going on in the network?
Huxley Barbee (17:08):
Yeah, yeah. I mean, it is, it is closer to realtime. Although, you know, we don’t, we don’t abandon scanning entirely. The fact of the matter is scanning alone is not going to get everything. So think about all the devices that have migrated out of the office into people’s homes. Hmm. Right. No organization is gonna start scanning into their employee’s houses or that just, there’s, there’s a whole can of worm there, <laugh> that, that nobody wants to deal with. So in the cases of those types of devices, the best approach is actually to use some sort of API integration with an, an EDR solution, for example, to then bring that information, that asset inventory information into, into the larger, um, larger inventory. So there’s a combination of using, uh, API integrations as well as on unauthenticated active scanning that is coupled with a research based approach that we have found to be optimal. That allows us to say that we believe that we are able to find everything on your network, no matter the type of device, whether it’s it, OT, or iot. And no matter the environment, whether that’s cloud or on premise or, or in remote employees homes.
John Verry (18:19):
Gotcha. So let’s talk about that drill down a second cuz that’s really interesting mm-hmm. <affirmative>, so we know work from home is definitely a risk. So what you are saying, if I think I understood, is that you would consider somebody, uh, sitting on a corporate owned asset mm-hmm. <affirmative> on a home network as being a device that should be in your asset inventory and that, you know, is sitting quote unquote, on their network.
Huxley Barbee (18:42):
Yes, absolutely. Because the security team has to protect that device, right? Okay. That is an asset that is under the purview of the security team. So a hundred percent you would definitely want that particular device in your asset inventory.
John Verry (18:54):
Okay. And then, and now let’s go to the instance of the cloud mm-hmm. <affirmative>. So defining, you know, let’s, I guess we’re talking about here, um, infrastructure as a service to start with mm-hmm. <affirmative>. So let’s talk about, you know, Amazon EC two or Azure. Uh, and we’ve got, uh, instances of servers there. Yeah. From, so, you know, there, we, I think we’d both be in agreement. Those are assets that we’d want to have in our asset inventory. And you’re saying specifically about your tool, like much the same way if someone was using a scanner, they would scan that environment you’re saying in your, your tool will actually has a mechanism to go out and, uh, understand that those devices are there.
Huxley Barbee (19:32):
Yeah, so with, with the cloud, one, one thing I would do is, again, using this api mm-hmm. <affirmative> integration plus scanning approach, uh, I think is, is, um, really optimal. So, uh, by using an integration with AWS or Azure or gcp, you get a lot of insight information about the various instances. And it’s not just, you know, EC two instances aws, but it’s also Lambdas rds and so on and so forth that are, you know, also, uh, available, uh, on the public internet if you will. So using that integration could bring in a lot of insider information, uh, about those cloud resources. And you can couple that with a scan from the outside, right? Uh, your, your external attack surface, if you will, and have that both inside as well as outside view of your device. So you can see what does is look like on the inside. And then you can also see what does this device look like from the lens of the attacker. Uh, having that combined consolidated view in a single asset inventory is also something that security teams find very, very useful.
John Verry (20:37):
Um, just outta curiosity, would you consider an S3 bucket an asset,
Huxley Barbee (20:44):
An S3 bucket? Uh, if it were listening on the network? Okay, then yeah, I mean, you can, you can serve webpages off of s3, so yeah, a hundred percent that, right. That is something that security teams would definitely care about.
John Verry (20:56):
Yeah. And, and an S3 bucket often has a, a URL associated with mm-hmm. <affirmative>, you know, which is effectively an ip. So going back to your, is it sitting on the network and S3 bucket sits on the network and it’s an asset?
Huxley Barbee (21:07):
Yeah.
John Verry (21:08):
Okay. And this is, you know, so like, this has been a fun conversation cuz we’re, I think we’re speaking about what makes asset management hard. Uh, anything else that we haven’t covered? I mean, you know, that, you know, whether it’s iot or I certainly think in most organizations, lack of time and, and lack of expertise might come into play. Uh, anything else that we haven’t touched on that you think is one of the reasons asset management is harder than it would seem to be
Huxley Barbee (21:34):
<laugh>? Um, you know, one other thing that we haven’t talked about, and this is more true of OT environments, is that notoriously scanning technologies have been, have not been good friends <laugh>, no. Um, so they, they have a tendency of crashing mm-hmm. <affirmative>, uh, OT devices. And of course the OT environment is typically the last place where you want to see something crash, right? Especially if it’s, um, type of environment that’s providing, um, uh, where, where people’s lives might be at stake. Like, that is definitely the type of environment where, you know, asset discovery is a very, very hard thing. And for decades, these OT environments have sort of been, you know, off the radar, right? Um, but only since I say like 2000, 2005 or so, these OT networks have started to become overlaid on top of i IT networks. And so they become available, uh, over the internet reachable remotely by attackers. And so in the last, oh, now almost 20 years now, you know, this has become a much bigger problem. And while on the IT side, there’s been decades of innovation of various security controls for IT devices, very little has been done on the OT side, and you still find lots of, um, insecure by design and OT networks where authentication’s not even required. There’s no such thing as encryption. All, all, all the horrible things that we saw in it, you know, maybe like 30 years ago. <laugh>.
John Verry (23:12):
Yeah. Listen, ot, OT networks, I mean, they trust that the, for years there’s been the segregation, you know, complete and isolation. Then we went to IP enabled ot mm-hmm. <affirmative>, uh, and I don’t think we’ve kind of caught up. Um, so question for you. You know, the, when we’ve worked in OT networks, you know, the most com like because of the fact that they don’t respond well to active scanning mm-hmm. <affirmative>, uh, you tend to use passive, you know, what’s referred as passive technologies, right? Yes. Uh, effectively you’re sniffing on the network and whatever communication protocols, uh, that you can sniff in. Uh, is that how you do it at run zero is, you know, like how do you, how do you identify OT assets on the network?
Huxley Barbee (23:53):
Yeah. We’re not doing any sort of passive capability at this time. Okay. We are one of the few vendors out there who even attempts active scanning in OT networks. What we found is by using a security research based approach where we leverage in incremental fingerprinting, uh, and avoiding use of security probes, we are actually able to be safe for OT environments. Uh, it would appear that the bad rep that active scanning has gotten in OT has been in part, uh, due to just, uh, a lack of attention and innovation in that area. Uh, not necessarily because it can’t be done technologically.
John Verry (24:40):
Well, scanners were built, scanner, you know, when you look at a typical scanner, right? It’s built for ip mm-hmm. <affirmative>, you know, to, to work on IP networks and it’s built to, to, to work as fast. And because if you’re, if you’re turning through a class B network mm-hmm. <affirmative>, you know, the thing has to be fast and it’s gotta be, so it, it parallels everything. You know, you can set how many hosts it talks to, you can, you know, it’s, it’s opening up ports on a device at the same time trying to get information. So it is kind of like a bull in a China shop. So, you know, it sounds to me like what you’re doing is taking a more strategic surgical approach.
Huxley Barbee (25:13):
Yeah. Yeah. And with, with increment incremental fingerprinting, what we would do is we would say gather a little bit of information, like leaked information from a device and then based on what we learn succeeding packets in the scan as well as additional fingerprinting, uh, would be adjusted based. So basically as we learn more about this device, we adjust how we’re interacting with that device, how we’re querying that device in order to make sure that we’re not doing anything that the device might find offensive, and then ultimately allowing us to do a final and full scan with accurate fingerprinting.
John Verry (25:51):
Okay. So if you, if you, you ask a question and you think you’ve got an older Siemens seven plc mm-hmm. <affirmative> type device or something of that nature, something about that communication gave you a hint that might, might, might be mm-hmm. <affirmative> knowing what will cause that to crash, you’re going to alter what you’re going to send to them. You know, the next incremental thing you send will, will con give, let’s say like be confirmatory and then, okay, now I’m further down the path, now I know what not to say to it and I know what I can say to it.
Huxley Barbee (26:20):
Correct. Yeah. Okay. That’s it.
John Verry (26:21):
You know, and that’s really cool. And you’re doing that actively. I’m, I’m, I’m, I’m not aware of anyone else. I’ve heard, I, I’ve heard some people saying they’re trying to do stuff like that, but Right. Uh, if you guys are doing that and you’re doing it reliably, that’s pretty remarkable because most, most people are scared to death the skin. Yeah. And, you know, active skin
Huxley Barbee (26:37):
For, for good reason. I mean, like the, there is, um, you know, there, there have been incidents in the, the news, you know, in, in years past where, uh, there was this one big outage, um, in, uh, in the northeast. Um, I think it was like early two thousands that that was actually because of, uh, an active scan.
John Verry (27:01):
Yeah. Listen, I mean, you know, we’ve been doing, you know, pen testing and vulnerability scanning for 18 years or something crazy like that. Mm-hmm. <affirmative>. Um, and you know, you still have handle care. You know, you probably have the same issues you see in your environments. You know, there are still, like, I can remember a time that, you know, we took down a, a, you know, a sand and then the backup sand because it immediately switched to it and it was lit. Literally, we did nothing except run a regular vulnerability scan. The client said you could scan the, the sand, uh, but, you know, and it instantly switched over to the, to the backup and we took, and then the scan tried again and it took down both sands and like, you know, it disrupted operations. Yeah. Uh, you know, crap like that happens, right? So
Huxley Barbee (27:40):
Much for redundancy <laugh>.
John Verry (27:42):
Yeah. Yeah. It, well, you know, you know, to be honest with you, like the, the client, the client of course was unhappy at first, but they realized that they authorized the scan. They said there was no handle with care. They wanted that, that block scan. Mm-hmm. <affirmative>, they wanted the device scan. Uh, and it actually, to be honest with you, it actually became, they’ve actually changed the way the failover happens to prevent that from happening. So, you know, it, it did have some value, although it came with a little bit of pain. Wow.
Huxley Barbee (28:07):
Uh, people learning, huh?
John Verry (28:09):
Well, occasionally
Huxley Barbee (28:10):
<laugh>. Occasionally <laugh>.
John Verry (28:12):
So, um, so, you know, I know your expertise right, is in, you know, where I’m gonna call infrastructure and devices and identifying these, um, what is the key to accurate discovery and classification for infrastructure and devices, right? Might be like what makes your product better than other people would be a good, a good question to ask. Cuz that’s probably gonna be what makes, uh, uh, what, what the keys are, right?
Huxley Barbee (28:36):
Yeah. So, you know, keeping ’em with fingerprints is, is a constant battle devices are changing all the time. New devices are being introduced all the time. Uh, so it’s very hard for an individual to do that on their own. You, you really need to have the backing of some sort of organization that is keeping those up to date on your behalf. And, you know, it’s, it’s a difficult thing to do. I know there are other approaches out there that leverage machine learning, but as you know, with machine learning, you need a lot of training data in order to make that right. Right. You need 80% training data to, to make predictions on the, the next 20%. Uh, so it’s, um, it’s a tall task and you really need to have that, those fingerprints coupled with a security research based approach, right? Uh, the idea of approaching the network, approaching acid discovery as if you were a pen tester who is trying to not trip any alarms, who has almost no information and trying to discover as much as they can, uh, on this, this foreign network, if you will, right. Doing that is, is um, you know, it’s requires a lot of innovation and it’s just a really, really hard problem to, to deal with.
John Verry (30:06):
So we talked a lot about asset management, like we mentioned, both mentioned c i s csc, let’s say that as control one, right? That speaks to its import, right? If somebody doesn’t have a strong asset management program, I think a lot of things can go wrong. Why don’t you talk about like what are the biggest risks or dangers to, you know, where are people gonna get in trouble if their asset management program, uh, does, doesn’t work well?
Huxley Barbee (30:28):
Yeah. You know, for me, I, I go back to Equifax. Equifax to my mind is the prime example of when, when you don’t have good asset, uh, asset inventory or asset management. And the thing is, I feel like this happens all the time, but we just typically don’t hear about it. Cuz when you, when you hear about breaches, typically you hear about the action on, on objectives, right? Whether that be exfiltration or, or, uh, some sort of, of denial service. Sometimes you hear about the infiltration, like how do they get in? And you almost never hear about, um, some sort of, you know, network propagation like letter movement or privileged escalation. And the, the, the other thing that you never hear about is the underlying conditions that allowed for those, those, uh, those happenings. And one of the main underlying conditions, I feel like is poor asset inventory.
(31:25):
Uh, with, with Equifax, for example. Um, and we, we only learned some of these details very recently. I realized Equifax was 2017, but even 2020, we were learning new information with the, the Department of Justice indictment, uh, for the individuals that were responsible. So, you know, one thing that we learned from these government documents is Equifax did not maintain an accurate inventory of their public facing technologies that had Apache struts, right? That version, Apache struts that had the vulnerability. So yeah, they had a vault scanner that they’re using for asset discovery, but they didn’t know where to scan. Right? So this goes back to this idea of if your asset inventory doesn’t cover the unknown devices as well. Like it’s, it’s, it’s not really helpful. It’s pretty useless, right? Uh, they were scanning stuff, but they weren’t scanning the right things. Okay? The other part of it is, um, when they knew, when security at Equifax found out about the Patrick stress of vulnerability, one thing they did was they emailed to a mailer of quote unquote owners of devices.
(32:35):
The one person who, who would have known that that particular device, the one that was compromised, had Apache stru on it. That that one person who could have been the one that remediated that that problem or that vulnerability was not on that mailer. So they didn’t have good asset ownership tracking and whatever asset inventory system they had, which, you know, could have been spreadsheets for all I know. Um, which is often still the case. Um mm-hmm <affirmative>. But, you know, one, one thing that I stressed earlier that what is one thing that’s part of a cyber asset is asset ownership. And it’s for this reason, security teams don’t have time to go around tracking down who is the right person to go fix things, right? Because security teams usually don’t own the devices. Either IT, or some business function owns the device and having to go track down who’s the right person to go fix that or who’s responsible for that, could mean a huge difference, right? In terms of dealing with the O day now or, uh, dealing with an incident now or letting that fester over a long period of time. And so, you know, whatever asset inventory system Equifax have, it did not have up to date asset ownership. And that was part of the reason why, you know, why things <laugh> things went the, went the way they did at, at Equifax. They never emailed the right person about the part that particular device that was compromised.
John Verry (34:08):
So, you know, you, so you mentioned that they didn’t know about an asset that was in the inventory with a vulnerability management tool. Yeah, I, I, we’ve been in situations where I remember, uh, we did a pen test of a government entity, highly, highly secured network. Um, they scanned it daily with a vulnerability management tool. Uh, they had to have an annual pen test. It was mandated by a governmental entity. Um, they were very confident of course that they, you know, we weren’t gonna be able to get very far in their environment. Um, we went in, we started our pen test and in very short order, uh, literally minutes, you know, we had, we had, uh, root on, on the Linux systems in their environment. And they were just like, how is that possible <laugh>? Um, so, you know, they asked us, you know, they asked us to kind of look at what, how did, how did this happen?
(34:57):
It turned out we looked at the way that they were running their, they were running a quali scanner, which is a very good scanner mm-hmm. <affirmative>. Um, they had configured the scanner improperly, uh, in two ways. One, there was assets that weren’t being scanned. The second is they were not scanning all of the ephemeral ports and the environment. Right. They headed down to the, what they called fast scan. So it just scanned the critical ports and they ran all of the critical services on ephemeral ports to hide them. Yeah. So <laugh> yeah. So, so you have that. Now I’m gonna ask you an interesting question, right? So, so if somebody here is listening, you know, like one of the things that they’re all, everyone is worried about is business email compromise ransomware. Mm-hmm. <affirmative>. So I’ll ask the question, uh, does a strong asset management program help prevent a business email compromise and or, uh, ransomware
Huxley Barbee (35:42):
Help prevent? Ooh, uh, certainly I would say that, um, you don’t want to be in a situation where the data is being ransom from a device that you don’t even know about,
John Verry (35:57):
Right? So that’s definitely one way,
Huxley Barbee (35:59):
Right? So I I I would say that
John Verry (36:02):
I think there’s another way though.
Huxley Barbee (36:03):
Tell me.
John Verry (36:04):
Oh, because cuz I, I think I, you know, I think if you are, if you were fingerprinting things well and, and maybe maybe the asset management trips down into configuration manage and vision vulnerability management, but mm-hmm. <affirmative>, you know, if, let’s say it’s an example that you’ve got, um, malware is going to be relying on some vulnerability, if you’ve optimally configured a device in such a way mm-hmm. <affirmative>, you know, that that malware can’t take root, then it doesn’t matter. Right? So if, if, if your asset management, if I know about the device and if I, if I fingerprint it well, and I know exactly what that, those configurations are, and I make sure those configurations are hardened in such a way that that malware has a little potential of taking root, let’s say it’s a, uh, something that’s trying to take advantage of, uh, outdated adobe, uh, software in the system. That’s right. Or, uh, you know, or misconfiguration of, uh, uh, office files and take advantage of, uh, you know, the macro capabilities within them. You know, if, if like your, if, if from an asset management perspective, I know that that’s there and I know that those guys configurations are where they need to be and I know that there’s no vulnerabilities on the device, then I should be golden. Right? So even if, even if somebody makes the mistake and clicks on that link, really doesn’t matter if that software can’t take root on the box, right?
Huxley Barbee (37:16):
Yeah. So this goes back to what I was saying earlier, another part of a cyber asset is the security controls that are on there. Yep. Right? And, um, and, and going back to the solution approach of like scanner plus API integration. So let’s say, um, we’re in an organization that uses CrowdStrike or Sentinel One mm-hmm. By having that full comprehensive asset inventory coupled with data from CrowdStrike or Sentinel One, you can say, Hey, there’s a bunch of assets here, a bunch of devices here that are missing my endpoint protection missing. Exactly. So, uh, that there’s a, there’s another huge use case for a cyber asset inventory in the way that a security team would use it,
John Verry (37:58):
Right? Or, or just, or knowing that the, you know, there’s local admin access on this box or firewall’s not enabled. I mean, you know, there’s all kinds of things that if you know about a device and you, and you’ve fingerprinted it, classified it, uh, understood the configuration well, you’re gonna be in a shit load better spot than you would be otherwise.
Huxley Barbee (38:15):
Yeah, absolutely. In fact, uh, I’ll give you another example about, uh, Equifax. So they, they had some sort of, um, packet inspection technology, right, that would have caught the attacker’s exfiltrating data. But because the device, um, this in this packet inspection technology was configured to not work, was not configured properly to be able to deal with certificates that have expired. So if the encrypted traffic was using, uh, uh, an expired certificate, it just, it just wouldn’t inspect the traffic at at all. I’m just gonna pass through, right? So another part of good asset inventory is being able to identify risky settings, right? And this could be, you know, an server allowing, allowing for password, uh, but it, it also means like identifying what are all the devices that, that have expired certificates or soon to expired certificates. And in fact, I think one of the triggers for Equifax discovering this problem or the, the, the exfiltration was somebody finally months later, uh, replaced the certificate and then boom, the packet inspection technology started working and really, and then yeah. And then they realized uhoh like, we’re screwed.
John Verry (39:36):
Yeah. Um, uh, it’s been fun. Um, <laugh>, I think we beat it up pretty good. Um, anything we missed?
Huxley Barbee (39:47):
So I, I think I, I, one thing that we didn’t really talk about is how good asset inventory can allow you to be proactive, right? We, we oftentimes are working off of the back foot because, you know, we find out that there’s an incident or something that might be compromising, we say, what the hell is that thing? Right? So you’re not working with a full deck when you’re dealing with an incident or if there’s a new zero day that that comes around and you, you don’t even know what, what you have. So you can’t even go and find the vulnerability wherever that might be on your network. By having a good asset inventory, it allows you the, the chance of fighting, chance of becoming more proactive with your security program. I’m not saying that good asset inventory is sufficient for a proactive security program, but I think I, I, I am saying that is necessary. That is definitely that, that sort of bedrock component that you absolutely need. If you’re gonna even attempt to have a proactive security program,
John Verry (40:51):
Uh, give me a fictional character, a real world person you think would make an amazing or horrible cso and why
Huxley Barbee (40:58):
Can I do both?
John Verry (41:00):
Sure. You get, you get extra points for that.
Huxley Barbee (41:02):
Okay, sure. Um, so amazing CSO I would say is older Spock, older Spock, the Spock that was the ambassador. Um, and, and, and, and here’s why. So one, he’s, he’s always able to approach problems in, in a measured way, right? Not like running around like a, a headless chicken, you know, trying to put out one fire and another fire and so on and so forth, right? It’s always, always measured whenever there’s a problem, no matter what kind of disaster there might be on the enterprise. Uh, the other part of it is he’s really good at probabilistic thinking or probabilistic decision making, right? When we look at risk management, risk is, is, you know, very often defined as likelihood, time, severity, right? Likelihood is probability. Mm-hmm. <affirmative>. And most human beings, of course, I’m talking about a Vulcan, but, you know, most human beings,
John Verry (41:58):
I was gonna point that out. Yeah. The failure in your logic there, but go ahead, keep going.
Huxley Barbee (42:03):
It’s illogical, in fact, <laugh>. Um, but yeah, no, like he, he’s, he’s able to think probabilistically, you know, very well, and this is, this is a skill that most people don’t have. It’s something that we don’t really teach in schools very much. I mean, your statistics class, like if you ever had one, is usually towards the end of your time at school. And, and they only teach the basic stuff. So, but he’s really good at probabilistic thinking, which I think is really good, uh, for, for risk management. And then finally, and this is why I say it’s the older Spock, you know, as an ambassador, he must have been really good at, um, collaborating with others, being able to talk to stakeholders and aligning people around certain goals. And I think that’s super, super important for CISO as well, right? It’s, it’s not just, uh, managing risk, but also being able to communicate that and aligning various organizations, uh, for, um, for the end goal there. So for that reason, I’d say older Spock. Yeah. Um, horrible ciso. Do you, do you remember Ice Age, the movie? It’s like the, the kids
John Verry (43:05):
Movie? Oh, AB absolutely all. Do you remember, do you remember the Little srr with the Little Squirrel and the Big Ray? Ray Romano, I think plays the, uh, the big, the
Huxley Barbee (43:14):
The Mammoth?
John Verry (43:15):
Yeah. Mammoth. The Willie Mammoth. Yeah.
Huxley Barbee (43:16):
Yeah, yeah, yeah. All right. Focus on The Sloth. I think his name was Sid.
John Verry (43:20):
Yeah, Sid the Sloth, right? Yeah. I’m trying to remember who, whose voice that was. Dennis Leary. Maybe.
Huxley Barbee (43:24):
Either that or John Le Za. I
John Verry (43:25):
Don’t, I don’t know. Yeah. John Le Zamo might have been involved. Yeah, yeah,
Huxley Barbee (43:28):
Yeah. So like that sloth to my mind, like Liz, a great life, super carefree [inaudible] Um, but also probably the worst person to be your ciso. I mean, he’s so accident grown. He does nothing to manage risk, zero <laugh>, zero situational awareness whatsoever. And, you know, basically like always amplifying a problem when, whenever, whenever, whenever, wherever it might be. So, uh, that’s in my mind, is probably like the worst person you want to have, um, <laugh> managing security for your organization.
John Verry (44:09):
So that tells me your kids are still relatively young, <laugh> and you’ve watched Ice Age recently, one
Huxley Barbee (44:14):
In three.
John Verry (44:15):
One in three, yeah. There you go. All right. I knew that. It’s cuz it’s been a while. My kids are older and it’s been a while since I’ve watched Ice Age. Although, you know, I I for my money, some of those, you know, the shreks the Toy Stories, uh, monsters Inc. Uh, you know, uh, the, the movie you just referenced are all ice age great movies, you know? Uh, I, I would enjoy going back and watching ’em all, I guess. Uh, well this has been fun, man. Um, thank you. Uh, if somebody wanted to get in contact with, uh, run Zero or yourself, what would be the best way to do that?
Huxley Barbee (44:46):
Yeah, so, uh, for Run Zero, just go to www.runzero.com. Run zero.com. And we actually have a free trial that requires no credit card, so,
John Verry (45:00):
Oh, it’s not a dev, it’s not a device. I kind of assumed it was a device. What do you throw it on the VM in your network?
Huxley Barbee (45:05):
Uh, no. It’s, it’s a sas single binary
John Verry (45:09):
Really
Huxley Barbee (45:09):
That you can use.
John Verry (45:10):
Yeah, absolutely. Oh, that’s pretty cool. Yeah. And, and single binary. And you, and you just executed off of any, any workstation in the environment?
Huxley Barbee (45:17):
Yes, in fact, we, we not only support Windows, Linux and Mac, we also support bsd. So if you want to scan from BSD machine,
John Verry (45:24):
That’s pretty cool
Huxley Barbee (45:25):
If you have one. No, seriously, like usually people get started in maybe like 10 minutes and for something like your house, you can usually inventory that within like 20 minutes or something like that.
John Verry (45:38):
Oh, I might, I might actually try, try it at my, I have more crap in my house that I probably don’t know about.
Huxley Barbee (45:43):
Sure, yeah. Yeah, absolutely. I, first time I tried it out, I found out my, my washing machine was on the network. Um,
John Verry (45:49):
That was, yeah. You know, you think about it, you got that kind of stuff. I mean, and like, you know, a lot of the, you know, like your TiVo, your, your, your Xboxes your, you know, I wonder if my, my Quest, you know, if a Quest two is that Yeah, I guess that’s a device sitting on the network as well. Yeah. Yep,
Huxley Barbee (46:04):
Yep, yep. Um, but to reach me, I am on LinkedIn, uh, just search for Hucksley Barbie. I’m the only Huxley Barbie <laugh> that you’re ever gonna meet. I’m also on Twitter, it’s at Huxley underscore Barbie. I’m also on Mastodon. It’s at huxley infosec.exchange. And one more very important detail besides NYC is on, uh, the conference is on April 22nd, 2023. Tickets are going to go on sale on March 31st, 2023. It’s gonna be a fantastic conference. We had 127 submissions for only 21 speaking slots. Wow. So we had six times the number of submissions that we needed to fill all the slots, so we were able to select a lot of high quality talks. So go check that out. B besides nyc.org.
John Verry (46:56):
Awesome man. Well thank you. Uh, have a great weekend.
Huxley Barbee (46:59):
You as well.