Passive flow monitoring is expensive and lacks depth for asset inventory - Part 3

Passive flow monitoring is expensive and lacks depth

The CISA directive does include a provision that you can use passive flow monitoring to find devices. While this is an option, it has a few drawbacks.

Passive network monitoring is difficult and costly to deploy at scale

Passive flow monitoring is tricky to set up. You need to tap into a SPAN port on the networking equipment to get a copy of all network traffic. This is usually a large amount of data that needs to be stored and analyzed.

While this may be feasible for a data center or headquarter office, it’s tough to do for an organization with many network segments, branch offices, cloud infrastructure, and people working from home. The cost of deployment and hardware puts this approach out of reach for many budget holders.

Analyzing network traffic isn’t optimal for fingerprinting assets

Passively collecting network data is also not the best approach for asset inventory requirements or fingerprinting. Let’s take a look at the following example: if you are standing in a room at a cocktail party, simply listening into conversations, you can get a decent amount of information about who people are.

If you have a conversation with every person on the floor and can ask questions directly, your understanding of who is who will increase dramatically. That’s why active scanning has a much better chance of accurate fingerprinting. An active scanner can talk to all devices on all relevant ports and protocols to interrogate it, whereas analyzing passive network data relies on devices communicating on all open ports and sharing information that is useful for fingerprinting.

Encrypted traffic kills passive collection

Passive collection also increasingly struggles with encrypted protocols. Revisiting the cocktail party, if most guests spoke in languages you didn’t understand (or more accurately, if they spoke in code), you wouldn’t be able to glean much from their conversations.

As more network operators try to encrypt more and more traffic, passive methods of fingerprinting assets will become increasingly difficult, if not impossible.

Passive collection is no longer the only game in town for OT

Some people use passive collection because they have experienced challenges with scanning fragile devices. As previously discussed, this is true for some of the legacy network and vulnerability scanners. runZero has demonstrated that active scanning is not only possible in theory, but safe to do in production for many OT networks.

Passive flow monitoring is best used for threat detection

Analyzing network traffic still has its use cases. For example, an active scan cannot detect malicious traffic on the network, and it cannot detect rogue devices that intentionally don’t communicate when pinged.

Passive network monitoring also cannot be successful in asset inventory projects that try to get full visibility from IT to OT, on-premise to cloud, or with a remote workforce.

Follow the story

Try runZero for free

See how you can comply with CISA BOD 23-01 using runZero.

Get started