Ambient Asset Management revisited

A while back I introduced the concept of ambient asset management. On further research I discovered some glaring gaps in that approach which I explore today.

A fundamental aspect of ambient asset management is leveraging existing tagging systems in the environment to act as asset management without introducing another system or technology. It turns out that is really not sufficient, but the overall idea is getting to the right place.

In having conversations with colleagues in the security profession who have experienced a variety of different company cultures and structures some common themes of requirements emerged. An asset management system is most useful to a security analyst as a hub for event correlation. A common use case is finding the asset involved in an event by IP. This sounds like an almost trivial problem, but it regrettably is not. With DHCP in place and an arbitrary pool of IPs for endpoints on VPN the identity of an asset associated with an IP is a temporal mapping.

This requires expanding the notion of ambient asset management and recognizing some of its inherent limitations. Just using single point in time tagging is clearly not sufficient. Its deficiency is made obvious in part by the presence of DHCP and dynamic VPN pools, but also - perhaps surprisingly - by the life cycle of virtual infrastructure. IPs are reused even in virtual infrastructures such as EC2 VPCs. With autoscaling groups and rapidly scaling up and scaling down in response to load it is more than conceivable to wind up reusing IPs. I've seen it in practice and it can seriously confuse efforts to associate events with assets.

With these things considered it's evident that we need some form of time-series tracking. Fundamentally the assets exist, but facilitating the search by IP and date/time requires thinking about the storage in terms of querying. For AWS-based assets the raw source for this information isn't the EC2 metadata, but the CloudTrail. Polling the EC2 metadata has the potentially to miss short lived instances leaving gaps in event correlation. On the manual infrastructure side human processes need to be formalized to include some form of data entry to keep the asset inventory up to date. The ideal scenario to support both is some form of event driven asset tracking.

One way of achieving event-driven asset tracking is to hook into the infrastructure events that occur on the entry and exit of an asset from an environment. In an office environment with 802.1x these could be fed in from the network authentication logs. It is important to configure these logs with sufficient detail to link the assigned IP to a specific asset and not just a specific person. Why? Because many people (most these days) have more than one assigned asset: laptop, phone, virtual desktop, etc.

VPN sessions pose a unique challenge as they can introduce recursive associations of the same asset into the environment, particularly if the VPN is split tunnel. As a result it is important that the asset management system support the notion of multiple IP associations for a given asset within the same time period.

In a similar vein, thinking about split tunnels, having a tracking of unmanaged IPs a corporate asset is using is also helpful if challenging. This is trickier as it likely requires the asset to have an agent on board.

Overall to obtain a comprehensive temporal list of assets by IP requires all environments where assets reside to be integrated with an infrastructure event system. This infrastructure event system captures the entry and exit of the asset and the IP it obtains or releases and the times of those events. The asset management system turns these events into a time series query-able by IP or other attributes.

With these pieces together you get an asset management system that is well equipped to support an effective SIEM and eyes on glass SOC in a way that minimizes the amount of time security analysts must spent correlating events. As a result it enables quicker response and recovery time when a security incident occurs.

I hope after reading this I've imparted a sense of how valuable infrastructure events integration is for effective asset management. I hope also that I've shared what I learned: that asset management isn't a point in time exercise and rather that it is the full chronicling of each asset's travels through environments and configurations.