{"id":60826,"date":"2022-12-23T15:47:07","date_gmt":"2022-12-23T07:47:07","guid":{"rendered":"https:\/\/version-2.com\/?p=60826"},"modified":"2024-09-13T16:31:51","modified_gmt":"2024-09-13T08:31:51","slug":"cisa-bod-23-01-why-vulnerability-scanners-miss-the-mark-on-asset-inventory","status":"publish","type":"post","link":"https:\/\/version-2.com\/en\/2022\/12\/cisa-bod-23-01-why-vulnerability-scanners-miss-the-mark-on-asset-inventory\/","title":{"rendered":"CISA BOD 23-01: Why vulnerability scanners miss the mark on asset inventory"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks<\/a>. The directive requires that federal civilian executive branch (FCEB) departments and agencies perform automated discovery<\/a> every 7 days and identify and report potential vulnerabilities every 14 days. Additionally, it requires the ability to initiate on-demand asset discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.<\/p>

To meet these requirements, agencies will need to start with an accurate asset inventory. Most agencies will attempt to leverage existing solutions, like their vulnerability scanners, to build their asset inventories. It seems reasonable to do so, since most vulnerability scanners have built-in discovery capabilities and can build asset inventories. However, they will quickly learn that vulnerability scanners are not up for the task and cannot help them sufficiently and effectively meet the requirements laid out by CISA.<\/p>

Let\u2019s take a look at why agencies need a solution solely focused on asset inventory, in addition to their vulnerability scanner, if they want to tackle CISA BOD 23-01.<\/p>

Asset inventory is a foundational building block <\/i><\/h2>

Every effective security and IT program starts with a solid asset inventory. CISA BOD 23-01 reinforces that imperative. Specifically, it states, \u201cAsset discovery is a building block of operational visibility, and it is defined as an activity through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts). Asset discovery is non-intrusive and usually does not require special logical access privileges.\u201d<\/p>

What does this mean? FCEB agencies looking to meet the requirements outlined by CISA BOD 23-01 must be able to discover managed and unmanaged devices connected to their networks. Internal and external internet-facing assets must be cataloged with full details and context. All within the timeframe outlined by CISA.<\/p>

So now, the question is why vulnerability scanners can\u2019t be used to meet the requirements laid out in the directive.<\/p>

The challenges of asset inventory with vulnerability scanners <\/i><\/h2>

As the number of devices connecting to networks continues to grow exponentially, agencies need to stay on top of these devices; otherwise, they could provide potential footholds for attackers to exploit. However, common issues like shadow IT<\/a>, rogue access<\/a>, and oversight continue to make it difficult to keep up with unmanaged devices<\/a>. BOD 23-01 highlights the importance of identifying unmanaged assets on the network. That\u2019s why the need for a fully comprehensive asset inventory<\/a> is the key to adequately addressing the directive.<\/p>

So, why can\u2019t vulnerability scanners deliver on asset inventory? Most vulnerability scanners combine discovery and assessment together, resulting in slower discovery times, delayed response to vulnerabilities, and limited asset details. As a result, most agencies are left wondering how they can do a better job building their asset inventories.<\/p>

Combining discovery and assessment slows everything down <\/i><\/h2>

Vulnerability scanners typically combine asset discovery and assessment into one step. While on the surface, this appears to be efficient, it is actually quite the opposite. In regards to asset discovery, CISA BOD 23-01 specifically requires that FCEB agencies perform automated discovery every 7 days and identify and initiate on-demand discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.<\/p>

Because vulnerability scanners leverage a lot of time-consuming checks, they\u2019re not able to scan networks quickly enough. Add in the complexity of highly-segmented networks and maintenance windows, and it is nearly impossible to effectively utilize vulnerability scanners for discovery and meet the timing requirements outlined by CISA.<\/p>

Under the new directive, assessing the potential impact of vulnerabilities becomes even more urgent. Agencies will need to perform on-demand discovery of assets that could be potentially impacted within 72 hours, if requested by CISA. When security news breaks, agencies need to respond as quickly as possible, but vulnerability scanners slow down the process. In a scenario like this, it would be more efficient to have a current asset inventory that agencies can search\u2013without rescanning the network<\/strong>. This is particularly useful if agencies know there are specific assets they need to track down, they can query their existing asset inventory to identify them immediately.<\/p>

For example, let\u2019s say a new vulnerability is disclosed. Vendors will need some time to develop the vuln checks, and agencies will need to wait for the vuln checks to become available. Once they\u2019ve been published, agencies can finally start rescanning their networks. Imagine waiting for the vuln check to be released, and then delaying the rescan due to scan windows. Without immediate insight into the potential impact of a vulnerability, agencies are playing the waiting game, instead of proactively being able to assess the risk.<\/p>

How agencies can speed up discovery <\/i><\/h2>

So, what can agencies do? Let vulnerability scanners do what they do best: identify and report on vulnerabilities. Complement them with a dedicated solution that can automate and perform the discovery of assets within the timeframe set by the directive. In order to accomplish this, the asset inventory solution must be able to quickly and safely scan networks without a ton of overhead, be easy to deploy, and help security teams get ahead of new vulnerabilities.<\/p>

Agencies need to have access to their full asset inventory, on-demand, so they can quickly zero in on any asset based on specific attributes. This information is invaluable for tracking down assets and investigating them, particularly when new zero-day vulnerabilities are uncovered. When the new zero-day is announced, agencies can find affected systems by searching across an existing asset inventory\u2013without rescanning the network<\/strong>.<\/p>

Meet CISA BOD 23-01 requirements with a dedicated asset inventory solution <\/i><\/h2>

It is increasingly evident that decoupling discovery and assessment is the most effective way to ensure that agencies have the data needed to accelerate vulnerability response and meet the requirements outlined in the directive. Because let\u2019s face it: vulnerability scanners are really good at vulnerability enumeration\u2013that\u2019s what they\u2019re designed to do. However, they really miss the mark when it comes to discovering assets and building comprehensive asset inventories. Because vulnerability scanners combine discovery and assessment, they aren\u2019t able to scan entire networks quickly, and at times, they don\u2019t fingerprint devices accurately.<\/p>

As a result, many agencies are wondering how to meet the requirements outlined in CISA BOD 23-01 if they can\u2019t depend on their vulnerability scanner for discovery. Agencies will need to start looking for a standalone asset inventory solution that is capable of performing unauthenticated, active discovery, while also enriching data from existing vulnerability management solutions.<\/p>

How runZero can help agencies focus on asset discovery <\/i><\/h2>

runZero separates the discovery process from the vulnerability assessment stage, allowing agencies to perform discovery on-demand. Because runZero only performs discovery, it can deliver the data about assets and networks much faster than a vulnerability scanner. Customers have found that runZero performs scans about 10x faster than their vulnerability scanner, allowing them to:<\/p>