Your guide to IT asset discovery tools

(updated ), by Chris Kirsch

You need to know what’s connected to your network to manage or secure it. Surprisingly, many system administrators still manually update spreadsheets to keep track of IP addresses, asset inventory, and lifecycle management.

A much easier way to get an accurate picture of your data center, laptop, and IoT infrastructure is to use IT asset discovery tools, which help with network discovery of your IT infrastructure in real time.

IT asset discovery tools typically offer the following functionality:

  • Discover assets on the network
  • Save asset inventory in a database
  • Queries to assist with IT management or cybersecurity
  • Reports on key metrics on dashboards
  • Rules and alerts to notify you as things change

You can either work directly inside an IT asset discovery tool or feed the data into other systems, such as:

  • IT service management solutions (ITSM) for helpdesk ticketing
  • Configuration Management Database (CMDB)
  • IT Asset Management software (ITAM)
  • Security Incident and Event Management (SIEM) systems
  • Keep reading to learn about the factors you should consider when choosing an asset discovery tool for your IT environment.

Keep reading to learn about the factors you should consider when choosing an asset discovery tool for your IT environment.

Seven questions to ask yourself before choosing IT asset discovery software #

Before you decide on an IT asset discovery tool, you may want to ask yourself a few important questions.

1. Do you need to cover routers, IoT, and mobile devices? #

Some IT asset discovery tools are optimized to find managed devices, such as Microsoft Windows desktops connected to your Active Directory. These solutions miss about 10-40% of your network, such as IoT devices, routers, switches, as well as rogue and orphaned machines.

If your asset inventory provider does not include all devices, your service desk won’t be able to reliably troubleshoot networking issues or find assets that pose an IT security issue.

2. Do you need SaaS or on-premises deployment? #

SaaS is typically faster and easier to deploy, but your organization may require you to have sovereignty over your data.

3. Do you need a scalable solution? #

Scanning one /24 subnet is different from scanning larger, distributed networks. Make sure that you are picking a solution that can scale for scanning speed, centralized console, and Terabytes of data processing.

4. Which asset discovery approach will gather the data you need? #

The type of data you need to collect will determine the technical approaches you will need for your situation:

  • Unauthenticated scans can gather a broader set of devices on the network because they do not require credentials to log in to the device. They work well for finding IoT and unmanaged devices, as well as providing a list of open ports on machines. Some of these solutions can find a surprising amount of detail, including operating systems, MAC addresses, software and firmware versions, and hardware models. Definitely try unauthenticated scans to see what they can find.

  • Authenticated scans can get details only available to a logged-in user, such as CPU, RAM, and storage usage as well as software licenses. However, they will drastically underperform for any type of device where the password doesn’t work. If you have IoT, networking, and unmanaged devices, this approach may not provide the visibility you need.

  • Endpoint agents may be able to get some system internals, such as CPU, RAM and storage usage from devices. However, they need to be installed on every device you want to include in the inventory. Endpoint agents cannot be installed on unmanaged devices and they may not work on many IoT and embedded systems, limiting your visibility. If you are planning to use an EDR or MDM agent for your asset inventory, verify your solution actually collects the type of information you need.

  • API integrations can provide some insights into asset inventory. Integrate your asset inventory with your endpoint detection and response (EDR) or mobile device management (MDM) to leverage existing endpoint data.

  • Passive network monitoring can give you insights into the devices on the network by listening to the traffic. This approach doesn’t create additional traffic on the network, but that also means that devices that don’t generate traffic can’t be discovered.

  • Passive asset inventory is much harder to deploy because you have to plug it into the SPAN ports of each network device to collect data. Because data is collected passively, the data quality tends to be lower. Consider this analogy: if you were at a party and listening to other people’s conversations, you’d probably be able to gather some information. However, direct conversations would allow you to ask questions and get answers instead of relying on passive listening. The use of encrypted protocols is also making this approach less and less viable.

5. Do you need to cover information technology (IT) and also operational technology (OT)? #

Operational technology comes in many forms. In its simplest case, it includes badge readers and HVAC systems in regular office buildings. More advanced OT environments include medical devices, telco equipment, and production lines for manufacturing.

The need to cover OT equipment will eliminate several approaches, including authenticated scans, endpoint agents and API integrations. Passive network monitoring is popular in these environments but tends to have low-fidelity results and miss devices that are not communicating. It’s also really hard to deploy in complex or distributed environments because it relies on tapping SPAN ports on your networking gear.

Modern unauthenticated scanning solutions that have been designed with OT equipment in mind can be a great option. Definitely test out the unauthenticated scan on a handful of test devices to ensure that it’s not disrupting operations on fragile devices. Modern scanners tend to be better than legacy implementations.

6. Do you have machines that have multiple IP addresses or change IP addresses? #

Keeping track of devices as they change IP addresses can be difficult for IT asset discovery tools, often producing duplicate entries in the asset inventory. The same is true for devices with multiple network interfaces that are being scanned from multiple vantage points.

To reduce issues with duplicate devices, choose a solution that can deduplicate devices that change IP addresses or have multiple network interfaces.

7. Do you have passwords for all of your assets? #

Authenticated scanning or endpoint agents will require that you have admin credentials for all machines you want to inventory. Most organizations don’t have usernames and passwords for legacy and IoT devices, ruling out this option for many.

Using authenticated scans also increases your security risk because the scanner provides central admin passwords to all IP addresses in the scanning range. If there is even a single compromised asset on the network, the attackers will have the keys to the kingdom to access or ransomware all of your connected devices.

Try unauthenticated active discovery with runZero #

Written by HD Moore, the creator of Metasploit, runZero is an agentless solution that consistently provides surprising and rich levels of detail for an unauthenticated network scanner. Available as both free and commercial editions, runZero provides the fastest and easiest way to see everything connected to the network. Users of the commercial editions can augment scanning data with API integrations, such as cloud hosting, endpoint security, and MDM solutions.

runZero runs on Windows, Mac OS, Linux and BSD without dependencies. Asset tracking of devices that have changed IP addresses or have several network interfaces is possible with runZero. In fact, runZero even shows secondary IP addresses in ranges that were not scanned to help identify network bridges.

  • Free and commercial editions
  • Easy to deploy and use through a central console
  • Safely scans managed and unmanaged IT and OT equipment
  • Supports SaaS and on-premise deployments

Want to take runZero for a spin?

Sign up for a free trial and build your asset inventory in minutes.

Get started
Learn more about runZero
Chris Kirsch
Written by Chris Kirsch

Chris Kirsch is the CEO and co-founder of runZero. Chris started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and Social Engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world’s largest hacker conference.

Similar Content

April 13, 2023

Asset inventory is foundational to security programs

Asset inventory is the foundation of a strong cybersecurity posture. It is often considered the first step in identifying vulnerabilities and potential risks to your organization’s security.

March 13, 2023

The role of asset ownership in the Equifax breach

Equifax lacked adequate cyber asset management practices, including a comprehensive IT asset inventory. As a result, when CVE-2017-5638 was announced, Equifax lacked the ability to effectively take action against the vulnerability.

February 15, 2023

Get to full asset inventory by combining active scanning with API integrations - Part 4

A dual approach is the best way to make sure you meet the requirements outlined by CISA BOD 23-01. Learn why you need more than just API integrations, agent installs, or passive monitoring for compliance.