Listen to learn about the first steps any organization should take to implement asset management.
It is axiomatic in our industry that you can’t protect what you don’t know about, but assembling a comprehensive asset inventory can be much more difficult than it seems.
Chris Kirsch, CEO of runZero, a cyber asset management company he co-founded with Metasploit creator HD Moore, sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss:
Resources:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Today, we're gonna talk about asset inventory, and it's actually a lot more important and interesting than you might immediately think.
So let me tell you a little bit about the guest that we have to tell us about it. His name is Chris Kirsch, and he is the CEO of runZero, a cyber asset management company he co-founded with Metasploit creator HD Moore. Chris started his career at an infosec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and social engineering.
In 2017, he earned the black badge for winning the social engineering capture the flag competition at DEF CON, the world's largest hacker conference. That's a really big deal. So much respect. Chris, welcome to the show.
Thank you for having me. Really appreciate it.
Did I miss anything so far?
No. You're all good. You're all good.
You have quite the background in security. And so some people might think, well, why asset inventory?
And I think we're gonna get into it. Let's start with what is asset inventory.
Sure. Asset inventory. I mean, there there are many different types of asset inventory. You can also do, like, financial asset inventory and those kind of things.
What we're talking about here is IT asset inventory, or just figuring out what's connected to the network. So it starts with your laptop and your server and your router and all of those things, but then it goes to your, you know, things like your IP-based surveillance camera or your HVAC system that might, you know, and the thermostat that's controlling it and so on. It might be stuff that you have on the cloud. It could be people working remotely with their assets that they're using, their phone, their laptops, and so on.
And people just, you know, need to know that, to manage their IT, but also to manage their security program.
Right. And so I think that that gets into a little bit of why it's important. I often will go into a new customer and say, alright. Let's start with your scoping exercise. We need to know what we're looking at before we can even dive into either a security program or a compliance program or anything like that. And it often really relies on inventory, because you can't even know your data flows if you don't know what the systems are that are flowing through it. So tell me, why do you think asset inventory is so important, and why do we start with it?
You know, it's so foundational. There are so many security startups out there that solve a problem for what I call the one percent or even, you know, like, tenth of a percent. Typically, the founders come from, like, a, you know, three letter agency background or military intelligence, something like that. And they're assuming way too much about what companies are able to do today.
Mhmm. When right? Yeah. And so when I talk to pen testers and also, you know, my co-founder, HD Moore, who created Metasploit, a lot of times when customers get owned by the pen testers and fail the audit, it's because there was something on the network that they didn't know about.
Yeah.
And, that's a way for attackers to get in. So asset inventory, knowing what you have, is very foundational to security.
And so if you look at the CIS benchmarks, which is a framework for how to do security, or the NIST cybersecurity framework, they both name asset inventory as requirement or control number one.
Mhmm.
Because it is so foundational. If you don't know what you have, you can't even begin to start because you don't know what you're protecting.
Right.
And right. And even if you're trying to figure out, you know, do I have my, endpoint, detection and response software installed on every endpoint. Well, do you know what every endpoint is? Right? Yeah. Right?
And it's surprising how many times the answer is no. We don't know.
And I like to ask the question, okay. You've shown me your dashboard with all of your endpoints and how recently they've been either patched or, you know, run some scan on them.
How do you know for sure everything's on there? And the stares that I get are like, well, we don't know. We put them on there when we set them up. Okay. Well, when you originally set this up, how did you know for sure you got everything? And so it seems like an easy problem to solve to know what systems, because somebody had to have spent money on them for starters. It seems like anything that you're putting onto your network, you would know exists.
But it's so much harder than that. Why is it so hard?
So I think it's for a number of reasons.
The first one is that most networks weren't created in the past year. You know, there are generations of sysadmins that manage the network over time, and a lot of knowledge gets lost over the years.
We have one customer, we have customers across all industries. This one is a large national museum.
And they scanned their network with our software, and they figured out that they had a BACnet device, an industrial controls device, on the same network as their POS systems Oh, wow. Where they're swiping credit cards.
And they didn't even know they had it. And the device had been there since the museum was built, like, twenty years ago or something like that. Twenty, twenty five years ago. Right?
Yeah.
So sometimes you're coming in and you don't know all of the legacy stuff that's there.
But then, also, people plug in things to the network. Yeah. Networks grow organically. You've got a lot of M&A.
Right? Mhmm. Or sometimes you have environments that are very decentralized. So think of, let's say, a university.
Universities. Yes. That's what I was just going to say.
Universities are probably the hardest networks to figure out what's going on.
Right.
Because, every student brings something. Every research group hooks up some custom or odd device to the network to try out some experiment and so on.
People come and go all the time, and and you really lose control over what you have.
And if you're trying to you know, there's a funny meme going around the Internet on asset inventory where it says, like, you know, CSO says, like, hey. How many devices do we have on the network? And the vulnerability management folks give one number, and the endpoint detection folks give another number, and the CMDB folks give a third number, and so on. And nobody actually knows.
Nobody knows.
Nobody knows. Right? And so the challenge is that all of these approaches are basically taking an IT admin's mindset Mhmm. To try and figure it out. So they either wanna install a piece of software on something, so your endpoint protection, for example.
Mhmm.
Or they want to log on to something and interrogate it that way over the network without installing something.
Neither of which What that means is you have to know that they exist before you can do either of those things.
Exactly. You have to know that they exist. You have to have credentials to actually install something on the machine. Right?
Username and password is what I mean by credentials. Yep. And, so that's not always a given. And thinking back to the university, you're never gonna get username and password for every device on the network.
It's just, you know, even if they would be willing to give it to you, logistically, it's just a really hard problem.
Yeah. Yeah.
We were doing a project with a large global retailer, like, a high-end fashion retailer.
Okay.
And they were trying to figure out what they had on the network, and they had a CMDB project. So CMDB stands for configuration management database. It basically means, like, a database that should list everything that you have on the network.
And they had set up the database, but they were having trouble populating it because they'd acquired these fifteen different companies roundabout.
Mhmm.
And they didn't know what was what and where was, you know, where even their subnets were and so on. And so we did a bake off, and we found, I think it was two and a half times as many devices as the alternative solution that tried to log on to everything.
And for people who don't know, a bake off is, like, where you're comparing one solution against another solution to see how they do, which I love because, I mean, who doesn't love cake?
But so you did this bake off and found a lot more devices. Yeah. Than the other one, and probably a lot more devices than they were expecting to see.
Yes. Yes.
For sure. We've got another customer who started out saying, you know, they licensed for ten thousand devices because they thought that's roundabout what they had. I think they're now at a hundred thousand, which is a huge jump. Right?
That is massive.
So alright. It's good for us, because we're proving the value and so on, but it's also good for them because they have visibility into what they have, and they can better manage it and be more proactive about the security program.
Right. So a lot of organizations don't know. Even smaller ones don't know that they have, say, an older Windows device that's past end of life and is no longer supported. Mhmm. And it's been in some closet for so long that they don't even see it anymore because it's just kind of part of the background.
Or, you know, back to universities, what you were talking about, one of the PCI requirements is that even if you don't allow Wi-Fi to be used for payment data flows, you have to check and make sure that nobody has put Wi-Fi in on one of those subnets.
And so I'll often ask, well, what are you doing to check for Wi-Fi?
And they'll say, oh, we just go look.
Yeah. But that is the worst way. There's no you know, people like you said, people can come in and plug in a device and you not be aware of it because it just happens so fast, first of all. But also, you know, there's a lot of places that things can get plugged in. If you don't have your network a hundred percent locked down, it's very, very even if you do, people can get around it. And there's ways that they can put devices on your network that you were completely unaware existed.
Yeah. Yeah. And it's also how they're configured. So I remember very vividly, one customer came to us.
That's how they became a customer. They came to us and said, hey.
We just had a pharmaceutical production line ransomwared.
And so law enforcement came in and, you know, helped them with the incident.
And it was a device that was bridging the network between the IT and the OT network.
Oh, no.
That's how the intruders got in. Right? Yeah. So if you have those kind of devices that are not authorized to be on both networks Yeah.
That's a huge risk. Right? It could be a machine that's hard plugged into the secure network, but then it's also, you know, like, they needed to download something or whatever and couldn't get to it and jump on the Wi-Fi, and now you have a network bridge. Yeah.
Right? So it matters not only what's on the network, but also how things are connected.
Yep. This episode is brought to you by SecurityMetrics Shopping Cart Monitor Inspect. It's a revolutionary new product that can help you detect any problems with your shopping cart security, allowing you to effectively improve your ecommerce security. Here's what I know about it. A lot of times people say, well, hey, I am PCI compliant because I passed my SAQ A.
Great. You're missing most of the things that people are actually stealing information from right now. Shopping Cart Monitor was created to actually close those gaps and help you against things like Magecart and other known ecommerce issues. To learn more about this shopping cart monitor, head to our website www.securitymetrics.com/shopping-cart-monitor.
So, I don't often talk about vendor specific solutions. You know, we try and keep it away from the salesy part. But because you do things so much differently and your results are so much better, I wanted to let people know a little bit about it. First of all, asset inventory is super important and that's kind of the underlying theme here.
But then also how you perform it, whether you get all of your assets, is also very important. So, I wanted to hear about how you're doing it so people can maybe look into the different ways and be aware that Yeah. Maybe not all asset inventory discovery solutions are the same and help them do a little more research on their own about that. So tell me, with that kind of the setup, how do most places do their asset inventory and how does your solution differ from that?
Maybe give people an overview in that way.
Yeah. Sure.
Yeah. I think it helps to talk about the different approaches out there, just to educate your listeners and to get an understanding of the different pros and cons of the different approaches. Yeah.
So, oftentimes, people just try to use other tools that aren't really made for asset inventory to get the data. So most commonly, they're vulnerability scanners and they're EDR agents.
Mhmm.
And so for the reasons that we talked about, those are not great sources because they require you to have a piece of software on something or have the credentials for something. And, otherwise, you don't get a lot of information. Mhmm.
Also, at least the vulnerability scanners actually aren't very good at identifying what something is. Yeah. So I saw, with one telco customer that we serve, they were seeing in the vulnerability scanner, they were seeing forgot which Linux flavor it was, like CentOS or something, Linux on the network.
And we told them it was a BIG-IP load balancer of a certain model and so on. And they said, well, which one is it? You know, like, because we need to know what's connected there. Yeah.
And so the underlying operating system of that load balancer was that particular flavor of Linux. It Mhmm. was derived from that, but that wasn't really the helpful information. The helpful information is to really know what that box is.
Right.
Right? Because, otherwise, you can't manage it properly.
And like you said, you know, sometimes these and I think that a lot of our listeners have experienced this where they run vulnerability scans and get back some kind of a result that says they have a vulnerability in a system they don't even have on their network. And because like you said, a lot of times, these vulnerability scanners are terrible at figuring out exactly what these systems are that are running. They kind of get close.
And so, like you said, if they're throwing false positives about vulnerabilities based on OSes, they're not gonna be very good at figuring out what the asset in between is.
Yeah. To start I mean, they're probably the best you have for, you know, sweeping for vulnerabilities broadly, but they just weren't built for asset inventory. They don't tell you what the hardware is, what the software is exactly, and don't give you a full breakdown of what's installed and what's connected where. Right?
So yeah. So those two are often what people are trying to use. There are other approaches, especially in OT networks, so that's operational technology. So anything, you know, from factory floors to utilities, those kind of things.
Mhmm.
Those usually use a passive monitoring solution.
So that means you capture the network traffic Mhmm.
And then analyze it to try and figure out what's on the network. That is very compute intensive. So you usually need big boxes of hardware. It's not super scalable. It's kind of hard to set up your SPAN or TAP ports so that you capture all of that information and then process it.
Mhmm.
And it only works for very contained environments.
If you have got an OT environment that only has, you know, one path out to the Internet and you're monitoring that Right.
Kind of thing, that that may work.
But if you also want to do cloud and remote and IT and small offices, branch offices, those kind of things, passive is just really hard to do. And even when we roll it out in an environment, you are limited to the information that you get just by listening. Mhmm. And so the way I think about this is like a cocktail party. You know, you can stand in the middle of a cocktail party and you can listen into people's conversations.
And you can get some information about who's who and where they're from and all their stats.
But if you actually go up to every person and have an individual conversation, you can get out much, much more. Right? And so this is where I think passive solutions are. They're typically expensive because of the compute requirements.
They don't deliver as good results because of the passive nature, because you have to take what you get.
Right.
And then also, as more and more protocols are starting to get encrypted, now it becomes really hard to figure out what things are because you no longer understand what it is people you know, the devices are saying. So it's a little bit like standing at the cocktail party, and now everybody's talking different languages that you don't understand. Right? Yeah. Right?
So, but it's often used in those environments because there is a misconception, and rightly so from the tools that have been out there so far, that you cannot do active scanning in these kind of environments because active scans can destabilize some of the flakier devices.
Mhmm.
And but that's I think that's old thinking, and I'd like to break that open.
Yeah.
Because that's actually a pushback that I've heard from Mhmm.
Like, sys admins in the past is, yeah, don't talk to this device. Don't bring that in here because this is so delicate. It's going to fall over. So maybe speak to that a little bit.
Yeah. So, typically, and this is both true for kind of the general purpose network scanners and especially for vulnerability scanners.
They do a number of things. So, first of all, they send some network traffic that's not standard conforming.
So they might send some malformed IP packets Mhmm.
Because it's a way to tease out of certain Linux flavors what they are Mhmm. In terms of how they handle it and how they will respond. But if you have a TCP IP stack in an embedded system, you know, maybe it's something custom or something outdated, some of those choke on these kind of malformed IP packets. So that's one reason.
One of the examples that I think I come across for what you're describing is some of the medical devices that are Mhmm. Full stacks that everything is contained, and they really struggle with anything they're not supposed to be able to communicate with.
Yeah. Yeah. And so yeah. Medical devices, a lot of PLCs, Ethernet-to-serial converters are notorious for being pretty bad.
Yeah. Then some devices just can't handle a ton of scan traffic at the same time.
Mhmm.
So if you send too many packets to them, they get overloaded and they freeze up or they behave erratically.
And then there's sometimes devices that are just not very resilient to scanning. So you talk to them on a certain port and they expect an answer. And if you don't follow up, then they just freeze up and they don't continue talking to the network. Right?
Okay.
And then the final reason is, vulnerability scanners often also use security probes. So it might be like a SQL injection or something like that. Right? That they're trying on web interfaces, and that can also destabilize some of these devices. Right?
Right.
So if you're scanning with vulnerability scanners or even the general purpose network scanners, those are the kinds of problems that people have seen.
Mhmm.
And that's why I think people are reluctant to do active scanning in these kind of networks.
The secret to scanning OT networks is just don't do that stuff.
Right?
Don't send security probes. Don't send malformed IP traffic.
So start by knowing what the subnet supports and what kind of traffic would be useful without breaking people's stuff.
You can even without knowing it, you can actually, if you just stick to standard compliant traffic, you eliminate a lot of the problems. Terrific. Then if you throttle the network traffic per host, not necessarily how much you, you know, send from the scanner, but how much you're sending to each host, you can eliminate a lot of the overload problems. So, if we think of the cocktail party, you know, if you go to one person and you ask them sixty questions at a time, it's probably a bit much.
Yeah. They'll probably get tripped up. But if you go to them and you ask the first person one question and then the second person the same question, and then you go back around and you ask the second question to everybody and so on. Right?
You go round robin.
Sure.
And you limit the number of questions in a certain time interval. Now people have time to process it. And then that's the same for these kind of devices. So if you limit the, you know, technically, if you talk about it, the number of packets per second that you send to each device, you can eliminate a lot of those issues where the device gets overloaded.
Or sometimes in OT environments, they just you know, the devices need to be able to respond in a certain time Mhmm. For things to work. And so for that reason, you don't wanna overload the devices. Right.
And then the last thing is those kind of, like, flaky snowflake devices.
You just need to have provisions in your scanner so that they get detected early on in the scan cycle, and then you branch off and you treat them differently. Right? Okay. So that's super important.
And when you follow all of these things, like, we're, with this approach, scanning car manufacturing plants and hospitals and utilities and weird stuff like cattle farms and fish farms and sawmills and, like, all sorts of stuff. Right? Yeah. So there and, you know, everybody says, like, oh, our OT environment is very different and it's very unique. And, actually, across industries, you see a lot of the same things.
Oh, okay.
Even, you know, for example, like, we've seen first time we saw it was a little bit odd, but, like, a drone spotter. You know, a drone detector.
Mhmm.
It's like, what the hell is this thing? Right?
But we've seen that across a few different industries. Like, I think one was, like, a utility and then a railway company and, like, different ones. Right? Uh-huh. So even though there are different businesses and they think, oh, like, this is unique to us, you actually see a lot of repetition.
Okay.
Yeah. So we were talking about the approaches.
We talked about vulnerability scanning, EDR. We talked about passive.
Let's talk about APIs, because there are some vendors out there that claim, hey. You already have all of the information.
You just need to collect it and deduplicate it and sort it. Right?
Okay.
So they say, hey. You know, give us the APIs for your vuln scanner, for your EDR, for your cloud environments, all of those things. And we'll pull them in and we'll do some magic and then give you your asset inventory.
Well, if you missed the devices earlier with EDR or if they weren't properly identified, like, with a vuln scanner, you're not gonna be happy with the results because the data just isn't there. Right? I do think that absolutely there is room for APIs, and we use APIs as well. Okay. It's really critical, right, to get to cloud environments Mhmm. To get to remote workers.
It's really important when you're trying to do security controls coverage. So for example, do I have CrowdStrike or SentinelOne on all of my, let's say, Windows devices? Right?
For those kind of things, it's really important to pull that stuff in through APIs, but you can't rely on that alone.
Okay.
So what we do is we combine that with an active scan Mhmm. That is unauthenticated.
Okay.
And it's just very good at teasing out the details from the individual devices.
Right.
So my co-founder is the creator of Metasploit, which is a network penetration testing tool that I think you said you're familiar with.
I mean, I think most people should be familiar with Metasploit, but I appreciate the explanation. I'm never quite sure how much our listeners know because I know we have a lot of kind of business side people. So, yeah, I appreciate you explaining things as you go. It's been really helpful.
Okay. Great. Yeah. So Metasploit is so a penetration tester is basically an ethical hacker that a company would hire to break into their networks.
Right.
Right? And so, to start with, the pen tester doesn't know anything about the network, either coming from the outside, looking in from the Internet, that's an external pen test, or behind the firewall, on the inside, that's called an internal pen test. And in an internal pen test, you're basically simulating either a rogue employee or, you know, a consultant or janitor or something who's, you know, on the inside of the network and attacking from there, or somebody who got phished. And you assume that one of the computers is controlled by an external attacker, and then they can go from there.
Unfortunately, very, very common, that last one. Right. Yeah. Where we're seeing a lot of breaches.
And I think people need to so a lot of times, just as a side comment, I'll have people say, oh, I trust all my people. They're all good people. Nobody's going to do these things from the inside. Well, but phishing happens.
Right? And so Yeah.
You know, those credentials get given away, and suddenly, you don't know who's inside your network. And so those internal pentests, I think, are super important.
Yeah. And, you know, I completely agree with you because a lot of people think that, oh, the internal side of the network is not important to protect. It's actually extremely important for that reason. And even the people who teach social engineering and phishing trainings Yeah.
Have told me that they have fallen for phishing emails. Yeah. Right? Yeah. They might not fall for as many, but don't blame the victim.
It's just really hard to keep that out. So you need to have defense in depth Yes. Where you look at all the different layers. Right?
And you try to reduce the probability of somebody getting through each layer.
Absolutely.
Right?
So we were talking about Metasploit. Right? And so as a pen tester, you don't know what's on your network, what's on the network that you've just been dropped into. Mhmm.
You have to kind of feel around in the dark and see, like, oh, there's something here. There's something there. Right? So that's what we call enumeration.
Yes.
Counting the things on the network.
Then the second thing is fingerprinting.
So that is, you know, filling that thing up and saying, like, okay. Like, what what is that? You know? Like, is that a router?
Is it, like, a computer? Okay. It's a computer. What operating system is it? Does it have any services running?
All those things. Right? And you extract more and more information.
And then the other steps are exploitation, which means taking you know, breaking into one of the devices on the network, and then you've got post exploitation, which could be extracting information, so exfiltration, or, you know, placing data there or changing something or going from that machine to another machine. Mhmm. So pivoting and lateral movement.
And when you think about these, the first two steps, enumeration, so counting things on the network, and fingerprinting Mhmm.
If you leave out all the rest, those are actually very similar to what we need for asset inventory.
Yeah.
Right? Yeah. So what my co-founder did is and Metasploit, by the way, is one of the things that I wouldn't run on an OT network. Right? Because it does some of these things that can knock over fragile devices if you're not careful.
Mhmm.
But my co-founder has so much experience in this field, and he knows exactly, like, where the bodies are buried, that he wrote this entire new scanner from scratch that avoids all of these issues but leverages a lot of that previous knowledge.
Oh, interesting.
And so right? And so all of the tiny little, I call them penetration testing parlor tricks, you know, of how you can get, like, this piece of information and this tiny piece of information and that one.
Yeah.
If you put them all together and put them in a piece of software that's super easy to use and that's scalable Mhmm.
Now you can get a lot of information about the network. And most people are shocked at how much we're able to glean without having any, you know, no username and password, nothing, no software on the host, and we're still able to find out a lot.
Oh, that's really I mean, it's so helpful because then you're finally, once you know all of those things, finally, as an organization, in a position to protect these things. Because Mhmm. Different pieces of inventory have to be protected in different ways. And like you said, defense in depth, and to prevent kind of the pivot that you talked about.
There are all sorts of different places in the communication paths and the devices themselves where different types of security can be applied. But it all starts with what is it? What do you have? What's out there?
And so, knowing that there's kind of a new way to look at this and be able to find these things out is a very I think this is a super exciting step forward for asset inventory. Well, so is your solution targeted towards a specific size of organization? Can it be used by anyone? What do you recommend?
So yeah. So we've got, you know, customers all the way from, like, mom and pop shops all the way up to Fortune fifty. I think the biggest one is Fortune five. And so it scales up and down pretty well, but people use it differently depending on where they are. So a mom and pop shop would use this as their system of record where they do everything and so on. Whereas in the larger organizations, people still log into our interface and do things, but they also feed the data into their CMDB, so ServiceNow, for example, or their SIEM, you know, like Splunk and so on, because they want to see the information there.
The CMDB is clear because, you know, you you can only open a ticket for a, you know, a help desk ticket for a device if it's in the system.
Exactly.
Right, for for Splunk, it it helps the incident responders. So we had an an interesting case. This is a fun one, that maybe illustrates the the point a little bit for for incident response. So we were, doing a a proof of concept, at a, like, a big theme park. Okay.
And, they were trying out our software.
And while they were trying it out, they had an alert in their SIEM that one of their internal IP addresses was communicating out to another IP address in China that was a known bad IP address.
Okay.
Right? Mhmm. And so they were getting a little worried, and they were thinking like, okay. What is this thing? And they couldn't figure it out from the existing tooling.
And, so what they did is they they plugged in the IP address into runZero and and and saw that it was a Chinese-made, video surveillance camera, right, that they have in the theme parks.
Okay.
And so they said, like, oh, okay. So, you know, we told them, like, what model it was and serial number or or MAC address, right, and where it was connected in order to switch and so on. So that was pretty easy for them to unplug it, take it off the wall, and they had that problem solved.
Yes.
But then the next question was, how many more of these things do we have?
How much do they have to send to?
Just be the one.
Right?
And so, so they ran a quick query, and they, saw that they had forty of those Oh my goodness.
So now now they could take action. Right?
Mhmm.
But they could only take action and be proactive about the security because they had the visibility on everything.
Right.
And so if you think back on on the previous examples, you can't install, like, an EDR agent on a security camera. Mhmm. Your Windows, vulnerability scanning password probably doesn't work for your service account probably doesn't work on the on the security camera.
Probably not.
Yeah. So so that's why they didn't have that data. Right?
Yeah.
But you were asking me about size of company and so on. So so different modes of how people use it.
Mhmm.
Then in addition to the scanner, typically, people, hook into APIs for EDR, vulnerability scanners, MDMs, so, mobile device management, then virtualization technology like vCenter and so on, Active Directory, because you need to figure out who the owner is of something. Right? Mhmm. If you if you don't know who the owner is, this is how this is something that only came out years after the breach at Equifax in a in a congressional hearing.
Equifax had figured out that they had a vulnerability on that server, and they'd also notified the person they thought was the owner of the server. They just got the owner wrong.
Oh, no.
So so the person who received it didn't feel responsible, but the person who was responsible didn't get the message.
Oh. Right?
Yeah.
So ownership is super important Mhmm.
Because, otherwise, you can't respond to these kind of, you know, big, celebrity vulnerabilities.
Yeah.
And so yeah. So we we take this combination of active, unauthenticated scanning, and APIs, and that helps you figure out, you know, like, where you're missing, endpoint protection, also subnets that you, didn't know you had and that are not covered with your vulnerability scanner. If you kind of, you know, run that query and you can see exactly where you're not covered with your vulnerability scanner.
Where did these super help come from? And some sysadmin is alright. I had the network guy do this because I needed a thing. Right. So a lot of times, there there are sensible reasons why things happen, but they don't always get communicated forward Mhmm.
In in ways that let you then protect them. So Yeah. I think that's a very good point.
Yeah. And then on the very low end, we have a free version that's free for, you know, either if you're a tech enthusiast, you just wanna try this at home. And I encourage you because it's a lot of fun. You'll I I promise you, you will find a device that you didn't know you had.
Nice.
Or you didn't know you had anymore on the network. And, and but this, version is also free, to use for, smaller companies that have, fewer than two hundred and fifty six devices.
Okay.
So they can use it for free.
Nice.
You know, unlimited because we believe that, you know, that they shouldn't be, like, a you must be this tall to be secure kind of Yeah.
I I love this because I I run into a lot of single practitioner or small practitioner, dentistry places, health care places, where they really are very small and trying to do all on their own. So knowing that there's a tool out there that's free that can maybe give them some lift, that's a a really great, idea.
Yeah.
And so if you wanna roll this out, if you're a little bit technically minded, for a small network like that, a, you know, home network or one with a flat network structure and just a few devices, you'll probably have this up and running and see your inventory in fifteen, twenty minutes, something like that.
Terrific.
So it's pretty quick and easy. Yeah.
Well, great. Well, before we wrap up, are there any other, anything we missed or any advice you wanna offer people?
No. I think we we covered it pretty well. I I think, you know, go back to the basics. I I think there is people are always worried about the latest zero day and the the everything, but cover the basics. You know, asset inventory is one thing, but it's also two factor authentication, using a password manager, not reusing passwords, all of those things, not clicking on stuff and emails from people that you don't know.
So, I think if you cover the basics, you have a lot of it handled. And, if you follow some of the, or if you have to follow some of the compliance frameworks, like, I I know you do a lot of HIPAA work, you do a lot of PCI work, and so on. Those are actually some of the things that are they cover a lot of these basics, right, including including asset inventory. Yeah.
And, so as much as people hate the compliance aspect because there's a lot of, paperwork Mhmm.
They do actually have, I think, ultimately, a positive outcome because people get educated and people, you know, have to do certain things that otherwise would be hard to make a business case for.
Yep. I agree. And I appreciate you saying that. It's, sometimes it it feels a little bit, you know, more than people understand going into it.
But having a framework to follow, any framework to follow Yeah. When you're first getting started, I think it provides a lot of lift for a lot of organizations. So, Chris, it's been just absolutely delightful talking to you. Thank you so much for coming on and talking to me.
Thank you. It was a pleasure.
Bye bye. Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.