The nuts and bolts of asset detection and asset mapping
Tech evangelist Huxley Barbee from runZero talks about asset detection, and yes, just asset detection. Learn about the day-to-day work of asset detection and asset mapping. Go beyond the theory and speculation about whether the U.S. federal government will implement it on time, and join Barbee as he walks you through how it’s all done and what you need in order to do it well.
0:00 - Asset detection and asset mapping
2:56 - Getting into cybersecurity
4:12 - Shifting roles in cybersecurity to evangelist
6:02 - What does a security evangelist do?
8:30 - What is BSides NYC?
14:41 - Planning in cybersecurity assets
22:50 - Tools and techniques of asset inventory
32:13 - The importance of asset discovery
34:25 - Skills needed to work in asset detection
37:32 - Cybersecurity starts and ends with assets
42:22 - What does runZero do?
44:44 - Outro
Chris Sienko: Is Cinderella a social engineer? That terrifying monster trying to break into the office, or did he just forget his badge again? Find out with Work Bytes, a new security awareness training series from Infosec. This series features a colorful array of fantastical characters, including vampires, pirates, aliens, and zombies, as they interact in the workplace and encounter today's most common cybersecurity threats. Infosec created Work Bytes to help organizations empower employees by delivering short, entertaining, and impactful training to teach them how to recognize cyber threats and keep the company secure.
Compelling stories and likeable characters mean that the lessons will stick. So go to infosecinstitute.com/free to learn more about the series and explore a number of other free cybersecurity training resources we assembled for Cyber Work listeners just like you. Again, go to infosecinstitute.com/free and grab all of your free cybersecurity training and resources today.
Today on Cyber Work, tech evangelist Huxley Barbee joins me from runZero. The topic is asset detection, and yes, we just talked about asset detection a few weeks ago, but now we're talking about the day-to-day work of asset detection and asset mapping. Go beyond the theory and the speculation about whether the US Federal Government will implement it on time, and join Huxley as he walks you through how it's all done, and what you need in order to do it well. That's all coming up next, on Cyber Work.
[0:01:33] CS: Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry.
Huxley Barbee is a security evangelist at runZero, formerly Rumble Network Discovery, a company founded by Metasploit creator H.D. Moore that helps companies discover unmanaged devices for asset inventory. Huxley previously worked for Cisco, SparkPost, and most recently Datadog, where he formulated the Datadog cloud security platform. During his time there, he established a new security market presence and enabled the global sales force to grow sales by 482%. Whoa.
Huxley spent over 20 years as a software engineer and security consultant. He attended his first DEF CON in 1999, and holds both CISSP and CSM certifications. And on top of that, he's also an organizer of BSidesNYC. So we're going to be talking about asset detection this week. In a previous episode with Yossi Appleboum, we talked about the practicality of the White House directive on asset detection within all the nonmilitary aspects of the federal government. Today, we're going to actually just get down to the nuts and bolts of how this sort of thing is achieved on a day-to-day basis. Huxley, thanks for joining me today and welcome to Cyber Work.
[0:02:53] Huxley Barbee: Thank you very much for having me, Chris.
[0:02:55] CS: My pleasure. Huxley, to start with, I'd like to know more about your initial interest in tech and cybersecurity. How far back does your interest or obsession go? Were you a very techie kid? Did it come in college, other times?
[0:03:10] HB: Well, it was in high school. This was the mid-90s. You may remember back in the day that for us to get on the internet, we had to use modems, and we had to dial up back in the day when you –
[0:03:25] CS: Possibly take the phone out of commission so no one could make a call while you were on the computer.
[0:03:30] HB: Right. Exactly. You warn everybody else in the family, "Do not pick up the phone at any time while I'm on here because you're going to screw things up."
[0:03:38] CS: I lose my IRC. Yes.
[0:03:40] HB: Yes, that's right. An early interest came from wanting that internet access with an ISP, a local ISP at the time, but not having the money to pay for it.
[0:03:54] CS: Yes. That sort of put you down the path, you sort of learned workarounds for that and so forth?
[0:04:01] HB: Yes, we'll call those workarounds. Sure, that's good.
[0:04:04] CS: Okay. All right. Leave it at that. All right. Moving swiftly along while imagining certain scenarios. One of the most reliable ways to get a sense of a person's career arc is to look through their experiences and education on LinkedIn. As we said in the intro, a number of your past work experiences revolve around software engineering, security automation, orchestration. You're basically like, creation of new systems or apps from the ground up.
A few years ago, though, you shifted toward roles like security product marketing, and most recently, you've become the security evangelist for runZero. Huxley, can you tell me about this shift in your career work? The lines of your work seem to have moved from this active hands-on software engineering over to explaining these products to clients, organizations, and podcasts. Talk a little bit about your work as security evangelist and how this varies from your days as a software engineer.
[0:04:55] HB: Yes, working as a security evangelist, I think another title that you often see that does the same work is called field CTO.
[0:05:04] CS: Okay. Sure.
[0:05:06] HB: Yes. I'm really loving this transition in my career. You get to go out there and you get to talk to everybody about things that are going on in cybersecurity. You get to talk about a product or products that you love, and why you think it's beneficial for the rest of the world. You get to interact with customers a lot to be learning about their ongoing challenges in whichever space in security that you're in. And you get to do a lot of speaking with folks, like you and I are doing right now, or at various conferences. But always staying at the forefront of the industry, and always looking for ways to help improve things for the world at large in terms of cybersecurity.
[0:06:02] CS: Now, during your days as a software engineer, obviously, all aspects of cybersecurity require ongoing learning. But at that point, your ongoing learning is probably more based around new sorts of tools, or new ways of doing something more efficiently, or what have you. With security evangelist, it sounds like, I'm imagining that there's a fair amount of a research component to your work in the sense of, you need to sort of know what's going on with all different types of tech in the world right now, and how your own products sort of integrate that. Is that the case? Is the security evangelist role intrinsically, sort of like, you need to be on the bleeding edge of what every single type of tech is doing?
[0:06:45] HB: A hundred percent, a hundred percent. As you know, new acronyms, new terms, new challenges come up all the time. You're constantly bombarded by all these new things that you have to intake, ingest, and then sort of synthesize into your own personal body of knowledge, and then be able to communicate that back out. Sometimes it's not even something that's new, it's just a different part of cybersecurity that you didn't have a whole lot of interaction with, at one point. Because there are so many subfields within security, there's the type of domain that you're applying to, whether that be an IT environment or an OT environment. It could be the type of work that you're doing; incident response versus role management versus some sort of GRC. Or it could be something more low level, like there are some folks that specialize in cryptography.
For me to talk about cryptography, I'd have to do a lot of learning, beyond the high level like, what is PKI, and what are the various cryptographic algorithms, and what they do, which would make more efficient. But if you want to get down to the nitty gritty of these bits are being transferred to encode into those bits, that will require a lot of learning on my part.
[0:08:12] CS: You have to be kind of an aggressive generalist then. You have to really –
[0:08:15] HB: Aggressive generalist, yes. That is one way to put it. Lifelong learner, ever learning, various catchphrases we have for that kind of thing. Definitely a growth mindset, I would say.
[0:08:26] CS: Yes. Okay. To that end, I know, you're also involved with an organization called BSidesNYC. Can you talk about that information security conference, and how it differs from other conferences in the security space?
[0:08:40] HB: Right. There's an entire framework of BSides conferences throughout the world. It arose from the lack of speaking slots for many, many great speakers at the larger security conferences like RSA, or Black Hat, or DEF CON. Jack Daniels, Chris Nickerson, and some other folks got together and said, "We're going to create this framework for regional security conferences throughout the country," at first. Now, it's gone international, obviously. BSides New York City is the New York City version of BSides. I would say the three primary aspects, or three primary principles or pillars, of BSides New York City are: one, that it is community-based. Two, that it is accessible, and three, that it is technical.
There are other conferences in New York that are not community-based, so there's some sort of commercial interest in bringing buyers and sellers together. They have all these booths where folks are pitching, or demoing their products, and things like that. At a community conference, it's not like that. In fact, we are not a lead-generating event. We're purely a brand awareness event. We don't collect PII from our attendees, and so we have no PII to share with the vendors or the sponsors.
[0:10:10] CS: Right. Okay.
[0:10:12] HB: In that sense, it's community. There are other community events in New York City, of course, but they're not necessarily technical. They might have more of a GRC focus, or like a privacy focus, and things like that. Then finally, there are other community security conferences in New York City that are also technical, but not as accessible. There are some that are held in certain venues where you have to be 21 or over to go. Or as you can imagine, in New York, pretty much every venue is small, so they tend to hold maybe like 100, 200 people. And they also charge, they also charge a certain dollar amount.
BSides New York City is held at a university, and so we're able to have a large number of attendees. In fact, we had about 800 attendees show up at the last conference a couple of weeks ago. Ticket prices are $15.
[0:11:10] CS: Wow.
[0:11:12] HB: Which is fairly accessible. Then on top of that, if you registered with your .edu address, you automatically get a refund, which is fabulous. It's already happened. Then, if anybody has any financial hardship, they can just email us. We go through a process to try and get them a free ticket. So making it as accessible as possible, and for that reason, we end up seeing a lot of students, or early-in-career cybersecurity engineers, that attend our conference. There's a lot of this knowledge, technical knowledge sharing with attendees that range the gamut from super knowledgeable expert cybersecurity old hack, all the way to college student that is looking for her latest internship.
[0:12:02] CS: Fabulous. Now, have you gotten positive or negative feedback regarding this option? Because yes, as soon as you said, you don't capture any PII, and then you're not sharing the list with your vendors or whatever else. I mean, that's a pretty big jump from a lot of the big-name conferences. Do you have vendors who are okay with that and still come? Or is this really just like sort of a gathering of learning?
[0:12:32] HB: Well, it's definitely a gathering of learning. We had sponsors, right up until the last day for prospective sponsors. There were some vendors, of course, when I told them, "Hey, this is brand awareness only," where they would just step away and say, "Okay, that's not our cup of tea." But there are still many vendors who –
[0:12:57] CS: Who are okay with that, yeah.
[0:12:58] HB: Yes. They welcome the brand awareness opportunity. They realize there's – think about it this way, you are trying to sell to a group of individuals that do not accept cookies, and block ads. Lead attribution is always going to be hard anyway. You need to bite the bullet and have a brand awareness play if you're trying to make money in cybersecurity. Go big on brand awareness. That ultimately is going to result in the payout in the long run.
[0:13:34] CS: Yes. You're also targeting a group of people who don't have the expenses or the wherewithal to spend $800 on an admission for a conference like that as well. So, yes, what you really are doing is you're kind of seeding them for the days when they have high-paying jobs and then they say, "Okay. Which vendor did I have great relationships with?"
[0:13:58] HB: To be fair, we had plenty of CISOs, and security managers, and directors attending the conference. They're among them there. They're not the type of people that like to be sold to. If you're there, and just engaging with them in an intimate way, you're more likely to show up on their radar for the time when they are out there looking for the next tool to purchase. There's definitely return on value. It's hard to attribute, and I understand, but there's no reason why any cybersecurity company should not have a brand awareness play with community conferences.
[0:14:38] CS: Love it. That's exactly what we're looking for. Thank you, Huxley. I want to get into our topic for today. As we said at the top of the show, our meetup stemmed from a desire to continue a discussion I had a few episodes back with Yossi Appleboum, specifically around the federal government's directive to create a complete map of its assets in a very short timeframe, which I interpret to be the first step in a larger-scale security strategy. Once you know where all your assets are, the next step is to devise optimal strategies for prioritizing and securing the most crucial ones. In that episode, we just considered the whys of the directive as well as the challenge of achieving the task on a large scale.
For today's episode, Huxley, I want to focus on the nuts-and-bolts work of what is involved in achieving a goal on a day-by-day basis. Can we start with the planning stage? On first blush, it might seem like you're just – you would just get started making asset maps and then tying them all together. But I'm guessing there's a lot more planning and logistical pre-planning work to make sure that there's not duplicate work happening or gaps that are being missed? Can you tell me, once the directive came down, all of the project management work, maybe, that went into coordinating an effort like this, or in a similar asset management directive?
[0:15:50] HB: Yes. There's definitely an organizational aspect to it, and then there's a technological aspect to it. Organizationally, if you're the type of federal agency that has a federated model. Well, I don't know if I want to name specific agencies, but there are some where there's a regional aspect to it, or what have you, or it might be an umbrella organization that has multiple sub-agencies underneath. The organizational aspect is to understand, hey, what is everybody doing? Is anybody already trying something in the space? How do we make sure that we are not duplicating work? But also, how do we make sure that the methodologies that we're using for asset detection, or asset discovery, are not somehow spilling over into somewhere else? I can see you're wondering about that.
[0:16:53] CS: Yes.
[0:16:54] HB: Think about it this way. If I were to let a scan, a network scan, run amok, what are the chances it might exit my part of the network, and start doing something somewhere else? Let's say my network scan were not properly tuned, but instead, it's aggressively sending packets out on the network. Let's say this other sub-agency, some adjacent agency, or the adjacent part of the network is not prepared for that type of thing. I could potentially be negatively impacting their network performance while I'm trying something out in my little part of the agency here. That is this organizational aspect to it, of making sure that any of the parts under you, under your organization, are aligned on what everybody's currently trying to do, and what the plan should be going forward. That's the organizational aspect of it.
Technologically, there's definitely some homework you want to do before you execute. One of the things you want to do is understand what are the existing data sources that you have that might have asset inventory data, or data that could be useful for a cyber asset inventory? If you want, we can talk a little bit more about what is a cyber asset and cyber asset inventory.
[0:18:24] CS: Please.
[0:18:25] HB: We could follow up on that afterwards.
[0:18:27] CS: We'll switch around, yes.
[0:18:29] HB: Yes. What are the data sources that have all this information already that I can leverage, and can I leverage it? Is there any issue with pulling that data out, and having it go somewhere else? There's a custody-of-data issue that you need to think through. Another important question to ask is, how flat or how segmented is my network? Because the flatness of the network gives you some indication of how well a scanning technology might be used in that particular environment. As part of that, you will understand, okay, the ramifications of how many scanners you need to deploy, or how many switches or firewalls need to be reconfigured to allow a scanner to go through.
A third thing to consider is, what are the types of devices that I have? By that, I mean, do I have IT devices? A hundred percent of the time, it could be yes. Do I have IoT devices? More and more so, that's going to be the case. Do I have OT devices? Let's say I am a type of civilian agency that has something to do with transportation. The signs on the freeway, that's an OT device. There are many other types of environments that have operational technologies that are under the purview of these agencies. So you need to understand those types of things as well. Because those types of devices, which ones you have, materially affect which solution approach you can take when you're trying to do asset discovery. Those would be the top three that you really want to think about there.
[0:20:16] CS: Okay. Well, you said we were going to circle back a little bit on asset data inventory, and so forth. Can you talk about some of – because we've talked about the main three. Can you sort of break down some of the different types of assets that your company may or may not have? I'm sure maybe there are hundreds of them. But if you can sort of bucket them into some of the main features, because I think, I didn't think of highway signs in terms of OT and so forth. That's a really good example. But what are some other things that you need to be understanding about?
[0:20:51] HB: Well, here's the thing. I saw some statistics somewhere that 90% of chips are not manufactured for traditional IT devices; servers, laptops, and so on and so forth. Ninety percent are manufactured for embedded devices. We're talking about IoT and OT. On the IoT side, we're talking about printers, IP cameras, smart speakers, UPSs. These are all on the network these days. On the OT side, there's even more variety. Because on the IoT side, typically, it's some like device, but it will probably run Linux, some version of Linux.
On the OT side, we're talking about specially designed devices for very specific purposes. The OT device you're going to find in an electrical plant is going to be different than what you find in a pharmaceutical factory, versus what you find in a water treatment plant, and so on and so forth. They're all called field devices or PLCs, and things like this. Different terms in the OT world.
The use of these acronyms belies the variety that you find in OT. It's just like – it is just all over the place. OT devices were not necessarily built with planned obsolescence. Your phone, your laptop, you probably replace in three to five years. These OT devices, some of them have been around for 30 years plus.
[0:22:30] CS: Thirty, forty years. Oh, yes.
[0:22:32] HB: That introduces another level to that heterogeneous nature of OT environments, as well. We could be here all day, Chris, enumerating all the different OT devices that exist.
[0:22:47] CS: Okay. Well, let's turn from that, then, to the sort of the actual work of it. Since a lot of our listeners are listening in to get a preview of the type of work that they'll be searching for after school or in their first jobs, I want to talk about the day-to-day of this. What are some of the tools and techniques that go into a thorough asset inventory? Also, are there junior and senior members of the team? Are there people who can run very basic programs and sort of cut their teeth that way, while others are doing things on a larger, more organizational level?
[0:23:19] HB: Sure. I'll address this question by first talking about what are the things that people typically try when they first attempt to do asset inventory? Oftentimes, they will try an EDR, right? Because you typically are maximizing your coverage of either, I heard this one customer say, EDR saturation. Trying to get EDR everywhere. The thing is, though, those tend to be really good only for the IT devices that you already know about.
[0:24:02] CS: And the ones that are up to date, and are all sort of speaking the same language, I imagine.
[0:24:06] HB: Right. Like IoT, OT, that's not covered at all. The IT devices that have been orphaned over time, let's say, Jill set up a server, and then she ended up getting another role or moving to another company. Then all of a sudden, that server sort of has been forgotten. It's not been getting updates and not been getting its patches. Now, you have a situation where that device is no longer covered. And maybe you had an EDR at one point, but it's sort of disconnected from the mothership of the EDR portal here. EDR is great for endpoint protection. It is not really a tool that can get you to a full asset inventory.
Another tool that people often try to use is vuln scanner, right?
[0:24:53] CS: Right. Okay.
[0:24:55] HB: Right. The thing with the vuln scanners is, a lot of organizations do not scan their entire network with vuln scanners. Either because there's a cost issue, or because there are some rules or strictures on when they can scan and where they can scan. Every vuln scanning deployment I know of has a large list of IPs in the exclusion list. For one reason or another, they were told, "Don't scan this place anymore. Don't scan the subnet anymore." Or the devices that it scanned at one point crashed.
[0:25:40] CS: Yes. I was going to say, is that because of the aforementioned traffic disruptions and so forth?
[0:25:46] HB: Yes. There are a couple of issues here. One is on the network level. When a vuln scanner is not tuned well, it can overload the network, causing network congestion. Another part of it is, there are a lot of devices out there that are prone to disruption, and a vuln scanner is going to send a security probe. That's its job. Its job is to send security probes to determine whether or not that vulnerability exists and is exploitable, right? There are devices out there that have a network stack, or applications, that are coded for very specific inputs, right? This is especially true with IoT and OT, where the code was written to respond to a button being pressed, or a switch being flipped. The code is not expecting arbitrary input over the network. That's an edge case. If it's not handled well, then the device can reboot, freeze up, or crash.
[0:26:59] CS: Just simple, just like that. On a previous episode, in regard to water treatment plants, and how they're timed on such a split-second interval that any additional sort of material that goes through there is going to mess up these mechanical aspects of it. Is that similar?
[0:27:15] HB: Yes, that's definitely part of it. Vuln scanners have those effects, which aren't great. One, you might not be covering everything, and then two, you're potentially disrupting parts of the network by doing so. Then finally, for vuln scanners where the discovery portion and the vulnerability assessment activities, those two are coupled, you end up having a really, really long scan time.
[0:27:49] CS: Yes, sure.
[0:27:51] HB: Another tool that people might consider is their network access control. Very similar to these other tools, it's really good for those managed IT devices that you already know about. But in terms of the things you don't know about, they really just don't do the job at all. Other folks might try their CMDB. CMDBs are notoriously inaccurate, in terms of their coverage of the devices, as well as their ability to fingerprint those devices. The one remaining tool that seems to be popular, aside from spreadsheets, of course, which have their own problems, is Nmap. Nmap, in its way of doing fingerprinting, may send non-standard packets to do item identification. Nmap has gotten a bad rep in terms of devices that are prone to disruption as well. A lot of attempts have been made with different types of tooling to go out there and do asset discovery, whether it's for BOD 23-01 or not. They fall short. They all fall short.
Recently, there are some solutions that try to basically just pull data from a bunch of other data sources. To combine them, correlate them, aggregate them, and then hope that, hey, this gives us a good sense of asset inventory. But the thing is, if the data sources that you pull from are your EDR, and your vuln scanner, and your CMDB, then you're limited to their ability to cover your asset landscape, and identification of those assets.
They're only going to tell you more about what you already know, not about what you don't know. What we found to be useful is a combined approach of using API integrations, pulling in from data sources, but also using an unauthenticated active scanner that can actually go out on the network, to actively find things that you already know about, as well as the things you don't know about. But it has to be done in such a way that it's not going to disrupt those fragile devices.
There's a lot of engineering that goes into that. Part of it is use of incremental fingerprinting, where you don't just query for all the details you want from a particular device, but instead, you send, at first, a super benign query to that device. Just to get some sense of what that might be. If there's an indication that it's one of those devices that are prone to disruption, then you tailor the succeeding queries to the device to make sure you're not crashing it. Also, having the ability to tune your packets per second to whatever is necessary, but also distributing the scan traffic across networks, is another really helpful tactic.
Not sending security probes like a vuln scanner would, and always sending standard packets. So I'll give you an example. An unexpected request. So let's say I send you a SYN, and then you send me a SYN/ACK, and then you're waiting for me to finish that three-way TCP handshake. But a legacy network scanner, what it will do is just walk away.
[0:31:30] CS: They'll just drift off, yes.
HB: Then meanwhile, you're waiting for it to come back. I didn't send you a FIN, I didn't send you a reset, and you're just hanging there. That type of thing is something you have to avoid if you're going to be a scanner worth its salt. Now, of course, as I mentioned before, you need to now understand the flatness, or how segmented your network is. Because that determines, like, your ability to scan. There's definitely this sense that, hey, you need to combine the scan traffic with all these other data sources by APIs in order to get that full breadth of asset inventory.
[0:32:12] CS: Okay, that's great. Now, that sparked one little side question with regards to this. Because it seems like a lot of what's happening here, especially with these very sort of mixed-device organizations, is that there's a lot of work being put into the planning of how to do this big project with no disruption, ideally, especially in the case of infrastructure where you don't want to have the disruption of your water treatment plant going down or whatever. But it sounds like that's kind of a big part of the project. Do you have – can you talk a little bit about the way that organizations have to sort of negotiate from place to place, to make sure that – a lot of times, IT people will say, "Leave your computer on because we're installing patches overnight." A lot of these places never sleep. What is the solution for places that never sleep to sort of do this in a non-disruptive way?
[0:33:13] HB: Yes. Tooling is very, very important. But also, having a well-thought-out plan for a staggered approach for rolling out asset discovery, right? Don't ever just scan the world, and pray that it works, right?
[0:33:31] CS: Hit the button and wait 12 weeks.
[0:33:35] HB: What you want to do is try and identify and categorize your various sites, and try and group them in such a way that you have as much coverage as you think you need. Then, pick a representative site from that group of sites that you identified, and then try each one of those. Then, based on what you've learned from those test sites, if you will, then sort of grow your asset discovery scope out to the rest of the sites that are in that group that you've categorized. Something along those lines, right? This comes down to project management. It is partially tooling, but it's also partially project management.
[0:34:25] CS: That's perfect. That figures perfectly into my next question here, because I was going to ask about what types of skills, or qualifications, or experiences students, or new professionals, or people changing careers should be, focusing on if they want to do this type of work. So project management sounds like it's a big one, and it also sounds like there's just a lot of kind of logistics of like, almost like business management stuff. Can you talk about what makes a good – someone who organizes asset discovery really well? What are the skill sets that they have?
[0:35:00] HB: Well, as we said, if you're good at project management, that's definitely going to help. I see there potentially being multiple roles in any sort of asset inventory type of project or asset inventory initiative. Project manager is one. You definitely want to have somebody who can also showcase the value of that asset inventory to the business.
[0:35:23] CS: Yes, because you're spending a lot of money in time and possibly disrupting things, and they might not necessarily understand what they're getting out of it.
[0:35:30] HB: Right. That person needs to be able to go out there and talk to the various stakeholders to make sure that they're aligned with this type of thing. Give forewarning about the type of activity that's happening. I mean, when the tool is really good, you could probably surreptitiously just go out there and do discovery. But it's always better to just make sure that everybody's aware and over-communicate that this is what you're trying to do. Make sure that everybody's aligned to the goal, and so there are no surprises. Because, let's say one very important stakeholder is surprised, then that could scuttle the entire project.
In terms of operationalizing some sort of asset inventory tooling, you probably want somebody who's familiar with things along the lines of how our software packages work together, like how do APIs work, how do you connect these various data sources, and things along those lines. In terms of creating reports, and interpreting the results, and scoping any sort of asset discovery, you definitely want somebody that has a strong networking background. You need to know what a subnet is, you need to know how subnets work, or netmasks, and so on and so forth. That's super important. Also, in terms of interpreting results, you need to understand operating systems, what are all the ports on the operating system, or the common ports, and what are the types of things that you would expect to see on those ports.
Because asset discovery and asset inventory is so fundamental, the type of skills or knowledge that you can leverage in interpreting that data is really quite deep.
[0:37:29] CS: Yes, right. That's great. One more question in that regard. You were recently on the Down the Security Rabbithole Podcast. The title of the episode was Cybersecurity Starts and Ends with Assets. I think a good place to tie up the concepts we've discussed so far is to talk about that, cybersecurity starts and ends with assets. How does this concept that cybersecurity starts and ends with assets help us to reframe the challenges facing cybersecurity in the coming years? We've talked a lot about explaining to the stakeholders why you're doing this. Let's sort of explain to ourselves why you're doing this. How does this change the way that we think of securing networks, securing organizations, securing sort of large-scale businesses or federal agencies?
[0:38:16] HB: Yes. Traditionally, we have attempted to solve security problems at the edge. Because we can't go out to every single device, we don't know what is on every single device, and we can't necessarily touch every single device. The owner might not let us do that. So what do we do? We draw a little perimeter around our network, and we hope that everything goes through a single choke point or a few choke points. Then, we install security controls, like an IPS or firewall, at those choke points. Hopefully, that's good. But that is an old paradigm that doesn't work anymore, as devices have become mobile, or as networks that used to be physically isolated became connected to the internet. I'm thinking OT environments specifically. Before 2005, they were never connected to the internet. They were all air gapped, and that's quickly not becoming the case.
[0:39:21] CS: Yes, previous guests mentioned that it was like defending a castle with a moat around it. Now, we're trying to defend a bunch of tents that are all over the forest here. They have to all be equally strong, but you don't have that perimeter wall thing going on anymore.
[0:39:38] HB: When you think about asset – security ends with assets, what does the adversary want to do? The adversary wants to exfiltrate data from a device. The adversary wants to ransom data on a device. The adversary wants to create an outage on a device or devices. At the end of the day, it's good to defend the network. But the end goal for the adversary is typically the device, the asset. That's where it ends. Now, at the beginning of it, and this is where on the defensive side we often fall short, is when you have a full asset inventory, you can actually become proactive.
I'm not saying you will be proactive, but you have a chance of becoming proactive with your security program. If you're thinking about it, next time an [inaudible 0:40:36] comes out, and you have no idea which devices are potentially vulnerable. If you had a full asset inventory, or a cyber asset inventory, very specific term, cyber asset inventory, you will be able to go out there and identify which are the devices that are potentially vulnerable, and you have a punch list of what to go after. Or if you have an incident, how many times are you dealing with an incident and you find out, oh, there's this device that's compromised. Then the next statement is, "What is that? Who owns that?" Or also very common, "I thought that was decommissioned."
[0:41:19] CS: Yes. What's that still doing here?
[0:41:21] HB: Right, exactly. For this reason, we see that security starts with asset inventory as well. I mean, we could talk about CIS controls in this. It just so happens, asset inventory is also listed as the first and second controls in these frameworks. But concretely, if you have a full asset inventory, and that's also timely and up to date, you actually have a fighting chance of becoming proactive, rather than always being on the back foot, and always being met with this unhappy surprise of, "What? What is it? What is that?"
[0:42:01] CS: Running from room to room with a box full of Band-Aids, you just keep sticking things and patching holes. Yes, right.
[0:42:07] HB: Or like, "Oh, who owns that thing? Wait, no. She left the company a year ago. So who owns it now?"
[0:42:14] CS: Yes, that's a stomach drop feeling. Oh, no, on my watch no less. Before we go, this has been great and very illuminating. Thank you, Huxley. But before we go, we discussed your work as security evangelist at runZero. Tell our listeners about the type of work, products, whatever that runZero provides. Also, if you have any sort of big plans, projects or assets for the second half of 2023 you're excited to get working on. Tell us all about it.
[0:42:48] HB: runZero is a cyber asset management solution. That is the fastest and easiest way to get to a full and timely asset inventory. runZero finds all of your devices, IT, IoT, and OT, and it doesn't matter where those devices are. They could be in the cloud, or on-premise, or even in your remote employees' homes. runZero is really easy to use, really easy to get started. Most people get started within minutes. You can just go to the website, runzero.com and click on the button that says free trial. You just need to provide an email address. You don't need to provide a credit card or anything like that. Typically, people get started in minutes. So runzero.com.
As for myself, if you want to reach out to me, I am the only Huxley Barbee you're ever going to meet. Just go on Google, Huxley Barbee. I am active on LinkedIn, on Twitter, and Mastodon. Go to infosec.exchange. In terms of major projects, really just focus on being the best security advocate and evangelist that I can be. I do have a number of speaking sessions coming up. Looks like I'm going to [inaudible 0:44:14] coming up in August. Oh. BSides Las Vegas, I'm also speaking there as well. But there may be more on the calendar coming up.
[0:44:24] CS: I imagine if people want to know more about that, they can hit you up on LinkedIn, and you'll be announcing stuff like that and so forth.
[0:44:31] HB: Yes, absolutely. Please connect with me. I'd love to hear from folks.
[0:44:34] CS: We've heard from past guests that our listeners like to connect and ask questions and stuff. Check your inbox. All right. Huxley, thank you for joining me today, and building on my knowledge of asset detection and visibility. This was really illuminating, appreciate it.
[0:44:49] HB: Thank you.
[0:44:51] CS: Thank you to all of you who have been listening to and watching the Cyber Work podcast on an ever-ballooning scale. I think we're up to 70,000 subscribers now on YouTube. Amazing. We just hit our million visits, I think. We're glad to have you all along for the ride. Thank you. Thank you. Thank you. Before we go, just want to invite you to visit infosecinstitute.com/free to get a whole bunch of free stuff for Cyber Work listeners. We have the security awareness training series Work Bytes, live action features starring a host of fantastical employees including a zombie, a vampire, a princess, a pirate making security mistakes and hopefully learning from them.
You can also download our free cybersecurity talent development eBook. It's got in-depth training plans for the 12 most common roles including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder, and more. Lots to see, lots to do. Just go to infosecinstitute.com/free and get started today. Thank you once again to Huxley Barbee, and runZero, and thank you all so much for watching and listening. We'll speak to you next week. Take care.