The first SANS Top 20 Security Control is Inventory of Authorized and Unauthorized Devices. When you first consider this control, you may be tempted to dismiss the value of having near real time awareness of what is on your network. I encourage you to think of creative ways to lean on your existing tools to help solve the problem of knowing what is on your network at all times. The following is an attempt to give you several ways to know what is on your network using existing or no-cost means.
Ways to implement this control:
1 – Use the SourceFire RNA product to provide constant automation. This is accomplished with alerts that fire on New Host and New MAC found events. It is also valuable to have an alert on an IP address change for a given MAC address.
2 – Daily network discovery scans using a tool such as nmap can also accomplish this objective. Consider a diff approach: run one scan to identify all hosts as a baseline, then in subsequent scans report only the hosts that were not seen before. Depending on the complexity of the network, multiple scanners may need to be deployed for complete coverage.
3 – Use a standard naming convention for your host names. Should a host that does not match the naming convention appear on the network, it will be noticed more readily.
4 – Seek out the person responsible for purchasing new computers. Review an invoice to see if a MAC address is listed on the documents. Ask them to notify you about new purchases going forward.
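As an added example (not from the original post), here is a small Python script that implements the diff scan from item 2, the "IP change for a given MAC" alert from item 1, and a hostname check against a naming convention as in item 3. It parses nmap's XML output (-oX). The two embedded scan results and the naming pattern ^(ws|srv|net)-[a-z0-9]+-\d{2}$ are constructed for illustration and are not real scan output or a real site convention.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed site naming convention (hypothetical): role-label-NN, e.g. ws-alice-01, srv-print-02.
HOSTNAME_PATTERN = re.compile(r"^(ws|srv|net)-[a-z0-9]+-\d{2}$")


@dataclass(frozen=True)
class Host:
    ip: str
    mac: Optional[str]
    hostname: Optional[str]

    @property
    def key(self) -> str:
        # Prefer the MAC as identity (it survives DHCP lease changes); fall back to the IP
        # for hosts off the scanner's layer-2 segment, where nmap cannot learn a MAC.
        return self.mac or self.ip


def parse_nmap_xml(xml_text: str) -> List[Host]:
    """Extract the hosts that were up from nmap -oX output (ping sweep or port scan)."""
    hosts = []
    for node in ET.fromstring(xml_text).iter("host"):
        status = node.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in node.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").upper()
        name_node = node.find("hostnames/hostname")
        hostname = name_node.get("name") if name_node is not None else None
        if ip:
            hosts.append(Host(ip, mac, hostname))
    return hosts


def diff_inventory(baseline: List[Host], current: List[Host]) -> Dict[str, list]:
    """Compare today's scan against the baseline and return what an analyst should look at."""
    base = {h.key: h for h in baseline}
    cur = {h.key: h for h in current}
    return {
        # Never seen before: the "New Host / New MAC" case.
        "new": [h for k, h in cur.items() if k not in base],
        # Seen before but not answering now (useful for keeping the baseline honest).
        "missing": [h for k, h in base.items() if k not in cur],
        # Same MAC at a different IP: the "IP change for a given MAC" alert.
        "moved": [(base[k], h) for k, h in cur.items() if k in base and base[k].ip != h.ip],
        # Hosts whose name is absent or does not follow the convention.
        "naming_violations": [
            h for h in current if not (h.hostname and HOSTNAME_PATTERN.match(h.hostname))
        ],
    }


def _nmap_xml(hosts) -> str:
    # Constructed sample in the shape nmap -sn -oX writes; not real scan output.
    body = ""
    for ip, mac, name in hosts:
        body += (
            '<host><status state="up" reason="arp-response"/>'
            f'<address addr="{ip}" addrtype="ipv4"/>'
            f'<address addr="{mac}" addrtype="mac"/>'
            f'<hostnames><hostname name="{name}" type="PTR"/></hostnames></host>'
        )
    return f'<nmaprun scanner="nmap" version="7.94">{body}</nmaprun>'


# Yesterday's baseline (constructed).
BASELINE_XML = _nmap_xml([
    ("192.168.1.10", "AA:BB:CC:DD:EE:01", "ws-alice-01"),
    ("192.168.1.11", "AA:BB:CC:DD:EE:02", "srv-print-01"),
    ("192.168.1.12", "AA:BB:CC:DD:EE:03", "ws-bob-02"),
])

# Today's scan (constructed): the printer took a new lease, ws-bob-02 is off,
# and an unknown device with a non-conforming name has appeared.
CURRENT_XML = _nmap_xml([
    ("192.168.1.10", "AA:BB:CC:DD:EE:01", "ws-alice-01"),
    ("192.168.1.50", "AA:BB:CC:DD:EE:02", "srv-print-01"),
    ("192.168.1.77", "AA:BB:CC:DD:EE:99", "android-4f2e"),
])


def run_example() -> Dict[str, list]:
    report = diff_inventory(parse_nmap_xml(BASELINE_XML), parse_nmap_xml(CURRENT_XML))
    for kind, items in report.items():
        print(f"{kind}: {items}")
    return report


if __name__ == "__main__":
    run_example()
```

In practice, run something like nmap -sn -oX today.xml 192.168.1.0/24 from a scanner on each segment, keep yesterday's file as the baseline, and pass both files through parse_nmap_xml. nmap only learns MAC addresses for hosts on the scanner's own layer-2 segment, which is one reason item 2 notes that multiple scanners may be needed; hosts seen only by IP fall back to IP as their identity in the diff.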
It is hard to argue against the point that knowing what is on your network is critical to the success of your information security program. It is just as important to do this with automation. With an automated means of knowing what is on your network, it is much easier to determine whether each device is authorized or not. Take steps this week towards implementing this control and enhance your continuous monitoring capabilities.