Four solutions for building a cyber asset inventory

(updated ), by Thao Doan

In today’s hyper-connected world, organizations face a daunting task when it comes to managing and securing their cyber assets. The sheer number of devices connecting to networks makes it difficult to identify and classify every asset accurately. To meet this challenge head-on, organizations need a cyber asset management solution that can provide accurate and up-to-date information about all their assets. An advanced and dedicated approach to asset discovery is required.

So what are the solutions for getting to full asset inventory?

Vulnerability scanning solutions

Vulnerability scanners are really good at vulnerability enumeration; that's what they're designed to do. However, they miss the mark when it comes to quickly discovering assets and building comprehensive asset inventories.

Challenge 1: Vulnerability scanners combine discovery and assessment

Why can’t organizations just use vuln scanners for discovery? Vulnerability scanners typically combine asset discovery and assessment into one step. While on the surface this appears to be efficient, it is actually quite the opposite. Vulnerability scanners perform a lot of time-consuming checks, so they’re unable to scan networks quickly. Add in the challenges of strict maintenance windows, and it is nearly impossible to effectively utilize vulnerability scanners for rapid discovery.

Challenge 2: Vulnerability scanners slow down day 1 response

When security news breaks, organizations need to act quickly, and vulnerability scanners slow down the process. In a scenario like this, it is far more efficient to have a current asset inventory that organizations can search, without rescanning the whole network.

Solution: Complement vulnerability scanners with unauthenticated active discovery to speed up response

Ideally, organizations would have an up-to-date asset inventory they can leverage to gather as much information as possible about assets while waiting for their vulnerability scan results. By complementing vulnerability scanners with an unauthenticated active scanner, organizations can unlock full visibility into their managed and unmanaged devices. This allows for a much more effective response to vulnerabilities on day one.

Endpoint detection and response solutions

Another seemingly viable option for organizations would be their endpoint detection and response (EDR) solution. In theory, EDR agents are a solid option because they run with deep, privileged access on all critical machines, much like a rootkit. These agents have access to the high-fidelity information needed for a comprehensive asset inventory. However, like vuln scanners, EDR solutions are not purpose-built for asset inventory. They're designed for detecting threats, not fingerprinting assets.

Challenge 1: EDR solutions only know about managed assets

EDR agents can only detect assets they are installed on. But what about assets that organizations can’t install agents on, like phones, cameras, and switches? By using an EDR solution for asset inventory, organizations will lack visibility into unmanaged assets, as well as any assets they don’t have credentials for.

Challenge 2: EDR solutions have limited fingerprinting capabilities

Some EDR vendors have recently started adding asset inventory scanners to their agents. However, these scanners perform pretty basic ARP scanning, which only provides the IP address, MAC address, and vendor. These details barely scratch the surface for the type of information needed for a comprehensive asset inventory program, like hardware details and network context.

Solution: Find coverage gaps and enrich asset data with unauthenticated active discovery

Unmanaged devices present some of the biggest security challenges for most organizations. To stay on top of them, organizations will need the ability to accurately evaluate their endpoint protection coverage. The ability to answer, “Which devices are missing an agent?” is critical when it comes to comprehensive endpoint protection.

Unfortunately, because EDRs can't discover unmanaged devices, evaluating true coverage is difficult. To work around this, organizations should consider enriching the data collected by agents with asset information provided by unauthenticated active discovery. As a starting point, organizations can compare the active scanner's fingerprinted asset list against the EDR's list and pull out the assets the scanner saw but the EDR never reported. This is the most effective approach to get a solid handle on managed and unmanaged assets.
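The comparison described above is a reconciliation between two inventories. The script below is an added example, not code from the original post or from runZero; it joins a constructed EDR agent export with a constructed active-scan result on a normalized MAC address (falling back to IP where no MAC was observed) and sorts every scanned asset into managed, stale-agent, missing-agent, or not-agent-capable, plus the hosts only the EDR knows about. The field names, the `AGENT_ELIGIBLE` device types and all sample data are assumptions made for the example.

```python
"""Coverage-gap report: which scanned devices have no EDR agent?

Added example. The two inventories below are constructed samples that mimic
an EDR console export and an unauthenticated active-scan result; they are not
real exports from any product.
"""


def norm_mac(mac: str) -> str:
    """Normalise 'AA-BB-..', 'aabb.ccdd.eeff' and 'aa:bb:..' to lowercase colon form.

    Different tools emit different MAC formats, so a join on the raw string
    silently misses matches; normalising first is the whole trick.
    """
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed sample: what an EDR console might export (managed hosts only).
EDR_HOSTS = [
    {"hostname": "ws-001", "mac": "00-1A-2B-3C-4D-5E", "ip": "10.0.1.10", "agent": "healthy"},
    {"hostname": "srv-db1", "mac": "001a.2b3c.4d99", "ip": "10.0.2.20", "agent": "healthy"},
    {"hostname": "ws-old", "mac": "00:1a:2b:3c:4d:77", "ip": "10.0.1.77", "agent": "stale"},
    # Remote laptop with an agent but outside the scanned network.
    {"hostname": "lt-remote", "mac": "00:1a:2b:3c:4d:ab", "ip": "192.168.50.4", "agent": "healthy"},
]

# Constructed sample: what an active scanner fingerprints without credentials.
SCAN_ASSETS = [
    {"ip": "10.0.1.10", "mac": "00:1a:2b:3c:4d:5e", "os": "Windows 11", "type": "Desktop"},
    {"ip": "10.0.2.20", "mac": "00:1a:2b:3c:4d:99", "os": "Ubuntu 22.04", "type": "Server"},
    {"ip": "10.0.1.77", "mac": "00:1a:2b:3c:4d:77", "os": "Windows 10", "type": "Desktop"},
    {"ip": "10.0.3.5", "mac": "00:40:8c:11:22:33", "os": "Linux", "type": "IP Camera"},
    {"ip": "10.0.3.6", "mac": "00:50:56:aa:bb:cc", "os": "Windows Server 2019", "type": "Server"},
    # Seen through a router: no layer-2 MAC observed, so only the IP can be used.
    {"ip": "10.0.4.1", "mac": None, "os": "Cisco IOS", "type": "Switch"},
]

# Device types an agent can realistically be installed on (assumed policy).
AGENT_ELIGIBLE = {"Desktop", "Laptop", "Server"}


def reconcile(edr_hosts, scan_assets, agent_eligible=AGENT_ELIGIBLE):
    """Return a dict of buckets keyed by scanned IP (or EDR hostname for edr_only)."""
    by_mac = {norm_mac(h["mac"]): h for h in edr_hosts if h.get("mac")}
    by_ip = {h["ip"]: h for h in edr_hosts}
    report = {"managed": [], "stale_agent": [], "missing_agent": [],
              "unmanageable": [], "edr_only": []}
    seen_hosts = set()

    for asset in scan_assets:
        host = by_mac.get(norm_mac(asset["mac"])) if asset.get("mac") else None
        if host is None:
            # IP fallback is weaker (DHCP reuse), so only use it when no MAC matched.
            host = by_ip.get(asset["ip"])
        if host is not None:
            seen_hosts.add(host["hostname"])
            bucket = "managed" if host["agent"] == "healthy" else "stale_agent"
        elif asset["type"] in agent_eligible:
            bucket = "missing_agent"      # the coverage gap the text asks about
        else:
            bucket = "unmanageable"       # cameras, switches: needs other controls
        report[bucket].append(asset["ip"])

    # Hosts the EDR reports but the scanner never saw: off-network or out of scan scope.
    report["edr_only"] = [h["hostname"] for h in edr_hosts if h["hostname"] not in seen_hosts]
    return report


def coverage_ratio(report) -> float:
    """Healthy agents as a fraction of agent-eligible devices the scanner found."""
    eligible = len(report["managed"]) + len(report["stale_agent"]) + len(report["missing_agent"])
    return len(report["managed"]) / eligible if eligible else 1.0


if __name__ == "__main__":
    result = reconcile(EDR_HOSTS, SCAN_ASSETS)
    for bucket, members in result.items():
        print(f"{bucket:>14}: {', '.join(members) or '-'}")
    print(f"agent coverage: {coverage_ratio(result):.0%}")
```

The useful output is the `missing_agent` bucket (an agent-capable server the EDR has never heard of) kept separate from `unmanageable` (the camera and switch, which need network-level controls rather than an agent), and `edr_only`, which flags hosts the scanner's scope did not reach. Matching on MAC first and IP second matters: the EDR export and the scanner write MACs in three different formats, and the switch has no observed MAC at all.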

Passive network monitoring solutions

For a long time, passive network monitoring solutions were considered the de facto standard for operational technology (OT) environments. Many believe that passive scanning is the safest and most viable approach for fragile devices. However, over the past decade, organizations have seen their networks evolve from being completely on-prem to being hybrid, and many networks are no longer completely air-gapped. As environments have changed, so too must the technology used to assess and manage them. While passive network monitoring still has its use cases, it isn’t sufficient for comprehensive asset visibility.

Challenge 1: Analyzing network traffic isn’t optimal for fingerprinting assets

Here's a good analogy for passive analysis: imagine sitting in a room, listening to people talk, but not being able to engage in any of the conversations. What type of information could be gleaned about each person in the room? It would depend entirely on the information they shared, if they shared anything at all. This is true for passive network monitoring solutions. They rely on the communication between devices for information. If devices don't communicate, the monitoring tool has very limited information about them.

Now imagine adding the complexity of encrypted protocols. Revisiting the conversation analogy, consider how difficult it would be to gather and interpret information if everyone spoke in coded language. Very limited information could be gathered from them. As network operators try to encrypt more and more traffic, passive methods of fingerprinting assets will become increasingly difficult, if not impossible.

Challenge 2: Passive network monitoring solutions are difficult and costly to deploy at scale

Passive flow monitoring is difficult to set up. It requires tapping into a SPAN port on the networking equipment to get a copy of all network traffic, which is usually a large amount of data that needs to be stored and analyzed. While this may be feasible for data centers or headquarters, it’s challenging for an organization that has a lot of network segments, branch offices, or remote sites.

Solution: Deploy unauthenticated active discovery for full visibility into every environment (even OT)

Choosing between active scanning and passive monitoring can be challenging for organizations as both methods have their pros and cons. The challenges with passive network monitoring prevent it from being able to deliver full visibility into assets across IT, OT, on-prem, cloud, and remote environments. Active scanning has a much better chance of accurate fingerprinting across all environments. An active scanner can talk to all devices on all relevant ports and protocols to interrogate them, whereas analyzing passive network data relies on devices communicating on all open ports and sharing information that may be useful for fingerprinting.

Cyber Asset Attack Surface Management (CAASM) solutions

Comprehensive asset inventory is critical for cybersecurity posture. It helps identify all assets that are connected to the network and assess their vulnerabilities. Cyber Asset Attack Surface Management (CAASM) solutions can help organizations build a comprehensive asset inventory, but they may not be enough on their own.

Challenge 1: Integration-only approaches miss unmanaged assets

Many CAASM vendors claim that unmanaged devices can be solved by leveraging integrations with existing tooling, like vulnerability scanning and EDR solutions. However, since these approaches typically require credentials to gather information from assets, they may not work for rogue, IoT, and OT devices. While an integration-based approach is a good way to discover managed assets, it’s not the most effective for unmanaged ones. As a result, unmanaged devices will continue to fly under the radar.

Challenge 2: Data accuracy relies on the data source

Most CAASMs rely on the rest of the security and IT stack for asset inventory, so the data is only as good as the source itself. Integrations can generally provide a lot of depth about managed devices, but the quality may be inconsistent or inaccurate. Many solutions, like vulnerability scanners and EDRs, are not purpose-built for asset inventory, so their fingerprinting falls below expectations. Instead, they may only include some basic information about the device which isn’t significantly helpful for asset context.

Solution: Complement CAASMs with active discovery

To achieve full asset inventory coverage, organizations should complement CAASMs with active discovery techniques. Active scanning can accurately fingerprint both managed and unmanaged assets without requiring credentials or relying on integrations with other tools. By combining active scanning with an integrations-based approach, organizations get complete visibility into all assets connected to their network.

While CAASM solutions are useful in building comprehensive asset inventories, they must be complemented with active discovery techniques to achieve full asset inventory coverage.

Choose the best combination: an integrations-based approach with active scanning for full asset inventory

While vulnerability scanners, EDRs, passive monitors, and integration-based approaches may provide some asset inventory capabilities, there are data quality, speed, and completeness issues to consider. Organizations need to build their security and IT programs with a solid foundation first. That requires a comprehensive, complete, and up-to-date asset inventory that is available on demand. Without asset visibility, effective response and remediation will continue to be a challenge for security teams.

Ready to start building your cyber asset inventory? Get started with runZero. No deployment of endpoint agents or credentials needed. Build your inventory in minutes.

Ready to take the next step?

Developed by the creator of Metasploit, runZero is a cyber asset management solution that delivers full cyber asset inventory quickly, easily, and safely. The solution enriches existing IT and security infrastructure data (from vuln scanners, EDRs, and cloud service providers) with detailed asset and network data from a purpose-built unauthenticated active scanner to discover all types of devices across any type of environment.

