Why EDR solutions can’t provide full coverage for asset inventory - Part 3

By Chris Kirsch

This post is part 3 of a series on why runZero fulfills the CISA BOD 23-01 requirements better than other CAASM vendors. If you entered here, consider starting with part 1.

EDR solutions miss unmanaged devices

Let’s dive into another data source security teams typically like to use for asset inventory: endpoint detection and response (EDR) agents.

Theoretically, EDR agents are great because they work as a rootkit on every machine that is important to you. They have access to pretty much any information you may want for your asset inventory.

Spoiler alert: it’s not a good idea to rely on EDR agents alone for asset inventory. EDR agents are built for detecting threats, not fingerprinting the asset.

EDR agents can also only truly detect assets they are installed on. This is a challenge not only for devices that you’ve missed, but also for unmanaged devices that you don’t have credentials for. It’s also impossible to inventory devices you cannot install an agent on, such as phones, cameras, and switches.

EDR solutions aren’t set up for success with active scanning

Some EDR vendors have started to add an asset inventory scanner to their agents. However, what we have seen in the market so far is basic ARP scanning, which only returns the IP address, MAC address, and vendor derived from the MAC address. This is not enough information for even the most basic asset inventory programs.

If vendors were to put a full scanner on each EDR agent, the agents would overload the network with scan requests and return non-corporate assets, such as devices in remote employees’ home environments.
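The coverage gap and the ARP limitation described above can be seen by reconciling a basic ARP sweep against an EDR agent export. This is an added example, not code from the original post or from runZero; the data, field names and OUI table are all constructed.

```python
import re

# Constructed sample: EDR agent export (only hosts that have an agent).
EDR_AGENTS = [
    {"hostname": "ws-014", "macs": ["00-1A-2B-3C-4D-5E"]},
    {"hostname": "srv-db1", "macs": ["001a.2b3c.4d60", "00:1a:2b:3c:4d:61"]},
]
# Constructed sample: everything a basic ARP sweep learns per responder.
ARP_RESULTS = [
    {"ip": "10.0.5.20", "mac": "00:1a:2b:3c:4d:5e"},
    {"ip": "10.0.5.31", "mac": "00:1A:2B:3C:4D:61"},
    {"ip": "10.0.5.40", "mac": "a4:5e:60:11:22:33"},
    {"ip": "10.0.5.41", "mac": "da:a1:19:aa:bb:cc"},
    {"ip": "10.0.5.42", "mac": "not-a-mac"},
]
# Constructed OUI table; a real one comes from the IEEE registry.
OUI_VENDORS = {"001a2b": "ExampleCorp PCs", "a45e60": "Example Cameras Inc"}


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC."""
    compact = re.sub(r"[:.\-]", "", raw.strip()).lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None


def vendor_for(mac, oui_vendors):
    # Locally administered bit set: the MAC is randomized or assigned
    # by software, so an OUI lookup says nothing about the hardware.
    if int(mac[:2], 16) & 0x02:
        return "locally administered"
    return oui_vendors.get(mac[:6], "unknown")


def find_unmanaged(arp_results, edr_agents, oui_vendors):
    """Split ARP responders into (no EDR agent, unparseable rows)."""
    managed = {normalize_mac(m) for a in edr_agents for m in a["macs"]}
    managed.discard(None)
    unmanaged, rejected = [], []
    for row in arp_results:
        mac = normalize_mac(row["mac"])
        if mac is None:
            rejected.append(row)
        elif mac not in managed:
            unmanaged.append({"ip": row["ip"], "mac": mac,
                              "vendor": vendor_for(mac, oui_vendors)})
    return unmanaged, rejected

if __name__ == "__main__":
    for device in find_unmanaged(ARP_RESULTS, EDR_AGENTS, OUI_VENDORS)[0]:
        print(device)
```

Each unmanaged row carries only an IP address, a MAC address and a MAC-derived vendor guess, with no operating system, hostname or service information to classify the device.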

Follow the story

Part four of this story will be published on Wednesday, February 1, so be sure to follow the story. Also, don’t forget to subscribe for regular blog notifications.
