By April 3, 2023, agencies will be expected to perform automated asset discovery every seven days and to identify and report suspected vulnerabilities every 14 days. It's a strong move in the right direction as the whole of the federal government moves to meet Zero Trust requirements. But without proper validation, weekly automated asset discovery runs the danger of becoming an exercise in compliance rather than security. Adversaries, as well as admins, are adept at timing their activity to avoid being caught by a scheduled scan. If you're not doing both passive network monitoring and active network scanning to identify and categorize assets, managed and unmanaged alike, you're simply not getting the complete picture. The outliers stand out when the passively and actively collected asset inventories are compared against each other: an asset that passive monitoring saw talking on the network but that no active scan ever returned, or the reverse, is exactly the item a weekly scan on its own would never surface.
This is certainly the approach we have been advocating that Corelight's federal clients incorporate into their zero trust strategy. A "set it and forget it" approach to automated discovery and vulnerability detection introduces opportunities for exploitation in overlooked or dormant assets that may appear online intermittently or seemingly at random.
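The reconciliation the two paragraphs above describe, as an added example that is not code from the original post or from Corelight: a passively observed inventory (first/last seen per host plus the services observed) is compared against the results of two weekly active scans. It reports hosts only passive monitoring knows about, hosts only the scanner knows about (which may mean a monitoring blind spot), and, for each scan, hosts that were demonstrably active in the seven days before the scan yet did not appear in its results. All hosts, timestamps, and scan results are constructed sample data.

```python
"""Reconcile a passive asset inventory with weekly active scan results.

All data below is constructed for illustration; nothing here is real
network data or Corelight log output.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PassiveSighting:
    """One asset as seen by passive network monitoring."""
    ip: str
    first_seen: datetime
    last_seen: datetime
    services: frozenset  # service names observed, e.g. {"ssh"}


# Constructed passive inventory (hypothetical hosts).
PASSIVE = [
    PassiveSighting("10.0.0.5", datetime(2023, 3, 1, 8), datetime(2023, 3, 14, 17), frozenset({"https"})),
    # Active for two days between the two weekly scans, never scanned.
    PassiveSighting("10.0.0.23", datetime(2023, 3, 7, 10), datetime(2023, 3, 9, 18), frozenset({"ssh"})),
    # Answered the first scan, silent for the second, still talking on the wire.
    PassiveSighting("10.0.0.40", datetime(2023, 3, 2, 9), datetime(2023, 3, 14, 12), frozenset({"smb"})),
]

# Constructed active scan results: scan start time -> set of IPs that answered.
ACTIVE_SCANS = {
    datetime(2023, 3, 6, 2): {"10.0.0.5", "10.0.0.40", "10.0.0.77"},
    datetime(2023, 3, 13, 2): {"10.0.0.5", "10.0.0.77"},
}


def active_in_window(sighting, scan_time, window):
    """True if passive monitoring saw the host at any point in (scan_time - window, scan_time]."""
    return sighting.first_seen <= scan_time and sighting.last_seen > scan_time - window


def reconcile(passive, active_scans, window=timedelta(days=7)):
    """Compare the passive inventory against every active scan.

    Returns a dict with:
      passive_only    - hosts passive monitoring saw that no scan ever returned
      active_only     - hosts a scan returned that passive monitoring never saw
      missed_by_scan  - per scan (ISO timestamp), hosts active in the preceding
                        window that the scan did not return
      services        - observed services for every passively seen host
    """
    scanned_any = set().union(*active_scans.values())
    passive_by_ip = {s.ip: s for s in passive}

    missed = {}
    for scan_time, found in sorted(active_scans.items()):
        active = {s.ip for s in passive if active_in_window(s, scan_time, window)}
        missed[scan_time.isoformat()] = sorted(active - found)

    return {
        "passive_only": sorted(set(passive_by_ip) - scanned_any),
        "active_only": sorted(scanned_any - set(passive_by_ip)),
        "missed_by_scan": missed,
        "services": {ip: sorted(s.services) for ip, s in passive_by_ip.items()},
    }


if __name__ == "__main__":
    report = reconcile(PASSIVE, ACTIVE_SCANS)
    for key in ("passive_only", "active_only"):
        print(f"{key}: {report[key]}")
    for scan_time, ips in report["missed_by_scan"].items():
        print(f"missed by scan at {scan_time}: {ips}")
```

Hosts in `passive_only` and `missed_by_scan` are the ones to investigate first: the network proves they were up, the scanner did not. Hosts in `active_only` are worth a second look as well, since a host that answers scans but generates no observed traffic usually points to a gap in sensor placement rather than a quiet machine.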
Corelight has continued to enhance our sensors not only to show the breadth of a network, but also to provide powerful insights into how the assets interact with one another: for instance, which services a particular asset provides or consumes, such as which hosts have used SSH in the last 24 hours. Our most recent sensor release (v26) introduced the Corelight Entity Collection, eight new entity-specific data logs for context and fast searching, giving customers a pre-aggregated, contextual view of a given entity from a single search.
This enhanced visibility around hosts, services, and apps provides the necessary context to better validate unknown or unexpected activities or assets found on the network.
As our federal customers pivot to meet the deadlines outlined in both BOD 23-01 and the federal zero trust architecture (ZTA) strategy, validating what your asset management and vulnerability detection practices are producing is vital to move beyond compliance. If you’d like to learn more about how Corelight is supporting Zero Trust or the new Entity Collection, send us a note at firstname.lastname@example.org.