Why runZero is the best way to fulfill CISA BOD 23-01 requirements for asset visibility - Part 1


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently published the Binding Operational Directive 23-01 for Improving Asset Visibility and Vulnerability Detection on Federal Networks. CISA’s asset visibility requirements are doing a big part in moving the industry forward and evolving our approach to asset inventory while also highlighting the importance of asset inventory in relation to national or organizational security.

The directive covers both vulnerability management and asset inventory. This blog post only focuses on the relevant parts for asset inventory. However, there are some important areas where the two disciplines interact and asset inventory is better suited to fulfill the requirements.

CISA recommends unauthenticated scanning for asset discovery #

Many organizations are using data sourced from authenticated vulnerability scans and installed EDR agents to derive asset inventory. CISA’s directive demonstrates that while this is a viable way to augment the data set, it is no longer sufficient:

“Asset discovery is non-intrusive and usually does not require special logical access privileges.”

“No special logical access privileges” translates to either unauthenticated active discovery or passive collection, which is confirmed in the following statement:

“Discovery of assets and vulnerabilities can be achieved through a variety of means, including active scanning, passive flow monitoring, querying logs, or in the case of software defined infrastructure, API query.”

API queries are only recommended for software defined infrastructure, such as cloud-hosting other virtualized environments, but not for your physical network.

Log files can be a helpful way to augment breadth of asset inventory but they do not yield depth. DHCP and DNS logs don’t yield much more information than IP addresses, hostname, and MAC addresses. This misses the essence of what a device is: you know it’s there but you don’t know what hardware and operating system it’s running or what ports and services are active.

CISA directive solves for unmanaged devices #

When talking to security teams about challenges with their asset inventory, they frequently cite unmanaged devices as the biggest headache. The CISA directive seems to optimize for unmanaged devices since these are the hardest to cover.

Many asset inventory vendors, particularly those in the CAASM (Cyber Asset Attack Surface Management) space, claim that you can magically solve for unmanaged devices via integrations with existing tooling. That is a great pitch, but it ignores the fact that security teams have tried to use the data from vulnerability scanners and EDR agents for asset inventory for a long time and failed. They do not provide the right data–we’ll get to why in part two of this series.

CISA is well aware of this fact and recently published a binding directive that requires more than just integrations for solving asset inventory.

We’ll take a deeper look into why that is throughout this blog series. Stay tuned for more details and subscribe to our blog so you don’t miss out.

Follow the story #

Check out Part 2 of this story.

Written by Chris Kirsch

Chris Kirsch is a co-founder of runZero. Chris started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and Social Engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world’s largest hacker conference.

More about Chris Kirsch
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Product Release
Introducing the customizable dashboard, Wiz integration, and more!
Introducing the customizable dashboard, Wiz Integration, and other Q2 2024 enhancements to the runZero Platform.
Product Release
How to integrate your SIEM platform with runZero to create an actionable asset inventory
Learn how to combine runZero's real-time asset inventory with SIEM exports for comprehensive asset tracking and historical data analysis..
runZero Insights
Celebrating Women’s History Month with trailblazers & innovators
It’s Women’s History Month! runZero is celebrating all month long by highlighting innovative women who have been technological trailblazers.
Upcoming NYDFS regulatory requirements on asset inventory and vulnerability enumeration
Is your business prepared for the approaching deadlines for complying with the latest version of the NYDFS Cybersecurity Regulation (23 NYCRR 500)?...

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved