"Can you please pass along a list of all assets and network maps?"
When asked for this information during an incident, security professionals sometimes realize they don’t know where these resources are or if they even exist. This realization often prompts a rush to compile this information in the middle of a crisis. Lack of preparation can result in overlooked systems or an incomplete picture of the environment.
To protect, defend, and respond to network-related cybersecurity incidents, it is imperative that organizations have a thorough and up-to-date inventory of all assets, including applications, databases, endpoints, servers, and service accounts. The network inventory should include the following elements:
- Hostnames and IP addresses
- Business purpose
- Serial numbers
- Vendor information
- End-of-life dates
- Ports used
- Central processing unit (CPU), graphics processing unit (GPU), and random-access memory (RAM) details
- Antivirus version
- Next-generation security products, such as endpoint detection and response (EDR) solutions
- Software and operating system (OS) information (including version)
- Physical and logical location (including rack location)
- Logical network address
- Owners (ideally a technical owner and business owner, along with contact information and backup owner information)
- Storage information
- Encryption information (at rest and in motion)
- Warranty information
After identifying and mapping systems, the next step is assigning attributes to the assets, including the data classification, criticality level, and relevant audit or regulatory requirements. A company might base the criticality of a given endpoint on various factors, such as whether the endpoint is internet facing, represents a single point of failure, supports a critical business process for the organization, or stores or processes sensitive data. This evaluation allows network defenders to ensure proper protections are in place for mission-critical systems.
The availability of asset inventories, criticality, and data classifications can facilitate logical and timely triage, containment, and isolation when an organization experiences an incident or problem. Formally assigning criticality to a given system is foundational to cybersecurity. Without understanding how systems rank in importance, security teams can’t effectively determine which systems to prioritize during patch management, incident response, and disaster recovery efforts.
In addition to inventories, organizations should develop and maintain network and dataflow diagrams. Incident responders who have access to dataflow diagrams and inventory records for critical assets start with a significant advantage. A proper dataflow diagram shows how data (and most importantly, confidential data) flows through a network or system. It includes data inputs and outputs, data stores, and the various subprocesses the data moves through. Diagrams should also include details such as ports, encryption processes, and dependencies on other systems or processes.
Ideally, organizations should autogenerate these asset inventories using a tool that alerts when a change to a known-good baseline occurs, such as a new system coming online. Relevant teams (e.g., network, security, database) should periodically review and reconcile the inventory to ensure it is complete, accurate, and devoid of discrepancies. This review is also a good time to validate all network information listed in the inventory record and to ensure network and dataflow diagrams are accurate. Many modern inventory tools have diagram and schematic generation capabilities that can establish a starting point for a more detailed diagram.
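As an added example (not Secureworks' code or tooling), the following Python sketch models an inventory record, derives a criticality tier from the four factors named above (internet facing, single point of failure, critical business process, sensitive data), and reconciles a discovery result against a known-good baseline so that an uninventoried host or a changed port surfaces for review. Hostnames, addresses and owners are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Asset:
    """One inventory record (a subset of the fields the inventory list above calls for)."""
    hostname: str
    ip: str
    purpose: str
    owner: str
    ports: List[int]
    internet_facing: bool = False          # reachable from the internet
    single_point_of_failure: bool = False  # no redundancy behind it
    critical_process: bool = False         # supports a critical business process
    sensitive_data: bool = False           # stores or processes sensitive data

TIERS = ["low", "medium", "high", "critical"]

def criticality(a: Asset) -> str:
    """Derive the tier from the four factors named in the text; each one raises it a step."""
    hits = sum([a.internet_facing, a.single_point_of_failure, a.critical_process, a.sensitive_data])
    return TIERS[min(hits, 3)]

def reconcile(baseline: Dict[str, Asset], observed: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Diff a fresh discovery result against the known-good baseline and report what changed."""
    report = {"new": [], "missing": [], "port_change": []}
    report["new"] = sorted(observed.keys() - baseline.keys())      # unknown host came online
    report["missing"] = sorted(baseline.keys() - observed.keys())  # inventoried host not seen
    for host in sorted(baseline.keys() & observed.keys()):
        if sorted(baseline[host].ports) != sorted(observed[host].ports):
            report["port_change"].append(host)                    # exposed service set changed
    return report

def triage_order(inventory: Dict[str, Asset]) -> List[str]:
    """Hostnames most-critical first: the order to patch, contain or recover them."""
    ranked = sorted(inventory.values(), key=lambda a: (-TIERS.index(criticality(a)), a.hostname))
    return [a.hostname for a in ranked]

# Constructed sample records; hostnames, addresses and owners are hypothetical.
BASELINE = {
    "web01": Asset("web01", "10.0.1.10", "customer portal", "web-team@example.test", [443], internet_facing=True, critical_process=True),
    "db01": Asset("db01", "10.0.2.20", "orders database", "dba@example.test", [5432], single_point_of_failure=True, critical_process=True, sensitive_data=True),
    "print01": Asset("print01", "10.0.3.30", "print server", "it-ops@example.test", [445, 9100]),
}
# Constructed discovery result: a host nobody inventoried appeared, and db01 now also listens on 22.
OBSERVED = dict(BASELINE)
OBSERVED["db01"] = Asset("db01", "10.0.2.20", "orders database", "dba@example.test", [5432, 22], single_point_of_failure=True, critical_process=True, sensitive_data=True)
OBSERVED["unknown-7f"] = Asset("unknown-7f", "10.0.1.77", "unknown", "unowned", [8080])
if __name__ == "__main__":
    print(reconcile(BASELINE, OBSERVED)); print(triage_order(BASELINE))
```

The "new" and "port_change" entries are exactly what a periodic reconciliation review should chase down: who owns the host, what it does, and whether the new listener was approved.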
During emergencies such as outages or cybersecurity incidents, good network diagrams, inventory records, and dataflow diagrams are extremely valuable to incident responders. Additionally, assigned criticality levels enable team members to effectively prioritize actions and objectives.
In addition to reactive incident response and recovery services, Secureworks offers proactive services to help organizations develop and test incident response processes and conduct incident response workshops and exercises. By preparing plans, resources, and processes in advance, organizations can mitigate the impact of cybersecurity incidents and other network emergencies.