Passive flow monitoring is expensive and lacks depth for asset inventory - Part 3

by Chris Kirsch

CISA BOD 23-01 blog series

This is part 3 of our 5-part CISA BOD 23-01 series. Check out part 1 to start at the beginning of the series.

Passive flow monitoring is expensive and lacks depth

The CISA directive does include a provision that you can use passive flow monitoring to find devices. While this is an option, it has a few drawbacks.

Passive network monitoring is difficult and costly to deploy at scale

Passive flow monitoring is tricky to set up. You need to tap into a SPAN port on the networking equipment to get a copy of all network traffic. This is usually a large amount of data that needs to be stored and analyzed.

While this may be feasible for a data center or headquarters office, it’s tough to do for an organization with many network segments, branch offices, cloud infrastructure, and people working from home. The cost of deployment and hardware puts this approach out of reach for many budget holders.

Analyzing network traffic isn’t optimal for fingerprinting assets

Passively collecting network data is also not the best approach for asset inventory requirements or fingerprinting. Let’s take a look at the following example: if you are standing in a room at a cocktail party, simply listening into conversations, you can get a decent amount of information about who people are.

If you have a conversation with every person on the floor and can ask questions directly, your understanding of who is who will increase dramatically. That’s why active scanning has a much better chance of accurate fingerprinting. An active scanner can talk to all devices on all relevant ports and protocols to interrogate them, whereas analyzing passive network data relies on devices communicating on all open ports and sharing information that is useful for fingerprinting.

Encrypted traffic kills passive collection

Passive collection also increasingly struggles with encrypted protocols. Revisiting the cocktail party, if most guests spoke in languages you didn’t understand (or more accurately, if they spoke in code), you wouldn’t be able to glean much from their conversations.

As more network operators try to encrypt more and more traffic, passive methods of fingerprinting assets will become increasingly difficult, if not impossible.

Passive collection is no longer the only game in town for OT

Some people use passive collection because they have experienced challenges with scanning fragile devices. As previously discussed, this is true for some of the legacy network and vulnerability scanners. runZero has demonstrated that active scanning is not only possible in theory, but safe to do in production for many OT networks.

Passive flow monitoring is best used for threat detection

Analyzing network traffic still has its use cases. For example, an active scan cannot detect malicious traffic on the network, and it cannot detect rogue devices that intentionally don’t communicate when pinged.

However, passive network monitoring cannot succeed in asset inventory projects that try to get full visibility from IT to OT, from on-premises to cloud, or across a remote workforce.

Follow the story

Check out part 4

Part 4 of this story was published on Wednesday, February 8, so be sure to follow along. Make sure to subscribe to stay up-to-date with our latest blogs!
