In a preceding blog article we discussed the logical flaw in network anomaly detection marketing collateral: Vendors emphatically advocate “passive scanning” with the argument that “active scanning” would be too dangerous, yet their products focus on completely different risks (sophisticated cyber attacks). In this sequel we focus on a different aspect of the “passive scanning” vs. “selective probing” comparison that we introduced in the preceding blog post: Cost/benefit. As you will learn, being reluctant to expose your systems to something as trivial and benign as ARP or SNMP packets does come with a juicy price tag (hardware cost), and at the same time limits the extent of configuration data you can discover reliably.
Why you want to discover what’s NOT installed
Let’s focus on one use case: Discovering software, drivers etc. that are not installed. With passive scanning, you have a chance of discovering systems and software that produce network traffic, but you can’t be positive about a configuration item being not installed.
Why would you want to know about such items? The simple answer is: because of policy. Think about security patches. As a part of your vulnerability management, you want to identify systems where specific security patches are not installed. In the same context, you may also want to be able to prove compliance with baselines by demonstrating that specific applications, libraries, or services which are prohibited by policy are not installed. Think about vulnerability-laden Adobe Flash as an example. All this can be done easily and reliably by simply sending a WMI (Windows Management Instrumentation) query to the systems in question, for example your operator stations.
That WMI query will not disrupt your physical process, since WMI is a legitimate feature of your MS Windows operating system — which is most likely already used by other (administrative) applications in your network. Using it for asset discovery is not some hacker stunt, it’s an appropriate use of legitimate tools at your disposal. Arguing that such use is dangerous is nonsense.
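The following script is an added example (not code from the original post or from OT-BASE) of the kind of read-only WMI query just described. For each host it reports which required hotfixes are missing (from Win32_QuickFixEngineering) and which prohibited products are present (by enumerating the registry Uninstall keys through the StdRegProv WMI class, which avoids the side effects of querying Win32_Product). The host names, KB numbers and product names are constructed placeholders, and the script assumes the hosts accept CIM sessions over WinRM from an account with local administrator rights.

```powershell
# Added example, not code from the original post or from OT-BASE: a read-only
# WMI/CIM compliance check that reports which required hotfixes are MISSING
# and which prohibited applications are PRESENT on each host. Host names,
# hotfix IDs and product names below are constructed placeholders.

param(
    [string[]]$ComputerName       = @('localhost'),              # hosts reachable via WinRM (assumption)
    [string[]]$RequiredHotfixes   = @('KB0000001', 'KB0000002'), # placeholder KB numbers
    [string[]]$ProhibitedProducts = @('Adobe Flash Player')      # DisplayName substrings to flag
)

# HKEY_LOCAL_MACHINE as the uint32 hive handle that StdRegProv expects.
$HKLM = [uint32]2147483650

# Uninstall keys for 64-bit and 32-bit (WOW6432Node) installers.
$UninstallKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledProductNames {
    param([Microsoft.Management.Infrastructure.CimSession]$Session)
    $names = @()
    foreach ($key in $UninstallKeys) {
        # EnumKey lists one subkey per installed product. Win32_Product is
        # deliberately not used: querying it triggers MSI consistency checks.
        $enum = Invoke-CimMethod -CimSession $Session -Namespace 'root/default' `
            -ClassName 'StdRegProv' -MethodName 'EnumKey' `
            -Arguments @{ hDefKey = $HKLM; sSubKeyName = $key }
        if ($enum.ReturnValue -ne 0 -or -not $enum.sNames) { continue }
        foreach ($sub in $enum.sNames) {
            $val = Invoke-CimMethod -CimSession $Session -Namespace 'root/default' `
                -ClassName 'StdRegProv' -MethodName 'GetStringValue' `
                -Arguments @{ hDefKey = $HKLM; sSubKeyName = "$key\$sub"; sValueName = 'DisplayName' }
            if ($val.ReturnValue -eq 0 -and $val.sValue) { $names += $val.sValue }
        }
    }
    return $names | Sort-Object -Unique
}

foreach ($computer in $ComputerName) {
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop
    } catch {
        Write-Warning "$computer : cannot open CIM session ($($_.Exception.Message))"
        continue
    }

    # Win32_QuickFixEngineering lists installed updates by HotFixID (e.g. KB123456).
    $installedKBs = (Get-CimInstance -CimSession $session -ClassName Win32_QuickFixEngineering).HotFixID
    $missingKBs   = $RequiredHotfixes | Where-Object { $_ -notin $installedKBs }

    # Match each installed DisplayName against the prohibited-product substrings.
    $products = Get-InstalledProductNames -Session $session
    $flagged  = $products | Where-Object {
        $name = $_
        $ProhibitedProducts | Where-Object { $name -like "*$_*" }
    }

    # One result row per host; Compliant is true only if nothing is missing or flagged.
    [pscustomobject]@{
        ComputerName      = $computer
        MissingHotfixes   = ($missingKBs -join ', ')
        ProhibitedPresent = ($flagged -join ', ')
        Compliant         = (-not $missingKBs) -and (-not $flagged)
    }

    Remove-CimSession $session
}
```

Run it as `.\Check-Baseline.ps1 -ComputerName ops01,ops02 -RequiredHotfixes KB0000001` (script name and host names are placeholders); the output can be piped to `Export-Csv` for a compliance record. Everything the script does is a read operation through interfaces Windows administrators already use, which is the point of the paragraph above: the evidence that a patch is absent or a prohibited product is present comes from the host's own configuration store, not from inference over network traffic.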
There are more examples that could be cited to show the benefits of using legitimate interfaces for asset discovery, but you get the point. So much for the benefits; now let’s look at cost.
What if you didn’t need to put hundreds or thousands of black boxes into your networks?
Passive scanning expects you to install black boxes, a.k.a. appliances, in every network that you want to scan. And we’re not talking about Raspberry Pis here, but about equipment with a four-digit acquisition cost per box. CPU horsepower and memory are needed because passive scanning happens in real time. And let’s not forget the “artificial intelligence” part that runs on top of it! If you’re running a Ma-and-Pa operation with three networks, that may not matter, but then again you might not be worrying about detecting anomalies in network traffic in the first place. If you’re running a global operation with hundreds or thousands of networks, hardware cost alone adds up to a juicy six- or seven-digit figure. And that’s without maintenance cost, software, and services.
The beauty of selective probing is that it is resource-friendly. No real-time processing is needed, and the data traffic generated by the probing is minimal. Performance is not critical, as it is irrelevant whether a full network probe takes minutes or even hours (in OT-BASE Asset Discovery, you can throttle network traffic if desired). That means you can install it on existing hardware, such as operator stations, historians, or engineering servers. Or on a laptop, which enables your engineers to quickly do asset discovery on disconnected networks. Think about standalone, “air gapped” systems, or a Factory Acceptance Test.
The bottom line is: Due to its small footprint, selective probing can be implemented as a software-only solution on existing hardware, saving you substantial investments in passive scanning appliances that provide no production value. At the same time, discovery results usually are superior since you get access to configuration data that simply cannot be extracted from wire traffic.
Does this cost/benefit comparison motivate you to take a closer look at selective probing? Then simply request a free copy of OT-BASE Asset Discovery and check it out in your own environment.