Get to full asset inventory by combining active scanning with API integrations - Part 4
This is the final part of our 4-part CISA BOD 23-01 series. Check out part 1 to start at the beginning of the series.
A combination of integrations and active scanning works best #
No single approach can get to full asset inventory across IT and OT, on-premise and cloud, and your remote workforce. However, a combination of active scanning plus integrations usually covers all areas.
You need breadth and depth for asset inventory. Breadth means enumerating all of the devices. Depth means knowing as much as possible about each device.
| Active scanning | API integrations | |||
|---|---|---|---|---|
| Breadth (enumeration) | Depth (detail) | Breadth (enumeration) | Depth (detail) | |
| Managed IT | ||||
| Unmanaged IT | ||||
| IoT/OT | ||||
| Cloud | ||||
| Remote workforce | ||||
Breadth: Enumerating all assets #
Active scanning is the fastest way to get breadth. Start with the networks you know about, then look around the edges to see what’s hiding in the shadows. To discover all devices and subnets, do a full RFC 1918 scan, then find unmapped assets that were seen through SNMP but not reached directly to see where you are missing subnets.
Active scanning can be used for cloud environments and remote work, but getting to breadth is usually better achieved through integrations with cloud hosting providers, EDR, MDM, and productivity suites (e.g., Google Workspace).
Depth: Getting detailed information on all assets #
Next, let’s focus on depth. For managed devices, you can typically get a lot of depth with integrations with EDR, MDM, and productivity suites. However, you’ll get nothing at all for unmanaged IT. A scanner that does not require authentication and is purpose-built for asset inventory, such as the runZero Explorer, will give you the best depth you can get for unmanaged devices, IoT, and OT.
Asset inventory for cloud environments #
For cloud integrations, you’ll typically start out with an API integration, which gives you both breadth and depth. However, active scanning can give you more depth in certain areas, such as open ports, service protocols, and operating systems.
Consider AWS EC2 for example, where each approach delivers only part of the details:
| Asset detail | Active scanning | API integrations |
|---|---|---|
| Hostname | ||
| IPv4 address | ||
| IPv6 address | ||
| MAC address | ||
| Open ports (from VPC & internet) | ||
| Service protocols | ||
| Operating system | ||
| Installed software | ||
| Account ID | ||
| Architecture | ||
| Availability zone | ||
| ID | ||
| Image ID | ||
| Instance type | ||
| Region | ||
| Root device name | ||
| Subnet ID |
Asset inventory for your remote workforce #
For your remote workforce, both breadth and depth will come from integrations. Typically, the following sources are the most helpful, although one source is typically sufficient:
- EDR agents, such as CrowdStrike and SentinelOne
- MDM solutions, such as Microsoft Intune and Miradore
- Productivity suites, such as Google Workspace
- Directories, such as Microsoft Active Directory and Azure AD
Correlate all data sources to identify security coverage gaps #
Having the breadth of all assets, especially through active scanning, and information on security controls via integrations, enables you to find security coverage gaps, such as:
- All machines missing EDR agents
- Subnets missing vulnerability management coverage
- Devices not covered by MDM
Options if you already have an integration-based CAASM solution for asset inventory #
If you have already rolled out an integrations-based asset inventory solution without active scanning, you have options:
- Add active scanning to your existing CAASM solution: Use runZero Professional Edition to scan your network, then use the export API to feed the data into other CAASM solutions. runZero has existing integrations with Axonius and JupiterOne.
- Replace existing CAASM solution: Use runZero Enterprise Edition to have a single solution that includes active scanning and integrations with key sources. This approach may be favorable if you are trying to consolidate solutions and reduce cost.
CISA BOD 23-01 requires full asset inventory
If you’d like to test out runZero’s approach to cyber asset management that combines both active scanning and integrations, get the 21-day trial of runZero Enterprise Edition - no credit card or sales conversation required.
Get started
Chris Kirsch is the CEO and co-founder of runZero. Chris started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and Social Engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world’s largest hacker conference.
Similar Content
February 8, 2023
Why an integrations-only approach isn't enough for full asset inventory - Part 3
Your CAASM may not be enough to help you meet the requirements outlined by CISA BOD 23-01. Learn why you need more than just API integrations for compliance.
January 30, 2023
Speed up pentesting with runZero
runZero may not be the first tool you think of when you talk about penetration testing but we have several ways of helping with reconnaissance. Learn more about the ways runZero can help with your next engagement.
January 18, 2023
Why vulnerability scanners cannot provide comprehensive asset inventory - Part 2
Vulnerability scanning may not be enough to meet the requirements outlined by CISA BOD 23-01. Learn why you need more than just authenticated scanners or installed agents for compliance.