As organizations grow and change, it becomes increasingly difficult for IT teams to keep track of what assets exist on their network. The spreadsheet that was accurate yesterday might not be tomorrow. The only way to keep up with the changes is through effective IT asset discovery, which seems really straightforward until you try to do it. Asset discovery plays an important role in networks of every size, ensuring an accurate asset inventory to support effective risk reduction and lifecycle management efforts.
A thorough asset discovery scan can reveal a lot of assets that had dropped off the radar for one reason or another. Maybe some old servers got replaced functionally, but were never fully decommissioned, or a former employee had deployed new assets before departing. Many lost or orphaned assets are a result of mergers, acquisitions, or company reorganization. How many employees are connecting mobile devices to the network so they don't have to use cellular data throughout the day? Those are just incidental examples and don't even begin to address the question of shadow IT.
Unknown risk is unmitigated risk #
To paraphrase an adage that has circulated security teams for years: you can't protect what you don't know about. A 2021 report noted that 69% of organizations "admit that they have experienced at least one cyber-attack that started through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset." An effective asset discovery program addresses the first two, while good IT asset management takes care of the last one.
While the global median dwell time, or the time between compromise and detection, has continued to decrease according to the 2022 M-Trends report from Mandiant, the numbers still show that attackers are often spending weeks in your networks before you know they're there. That dwell time only goes up when an attacker achieves initial access through an unknown or unmanaged asset. While threat mitigation is certainly a major motivation for improving asset security through effective management, early detection and response is just as valuable. As far as asset security goes, management is the key to prevention as well as early detection.
More than just security #
With cybersecurity breaches top of mind lately, it's common to only think about IT practices through that lens. However, effective asset discovery isn't just about being able to secure the assets connected to your network, it also supports IT administration and operations such as IT asset management (ITAM). Patching or updating operating systems and software helps improve security, but it also ensures you have the latest features and fixes. IT teams are also tasked with tracking asset lifecycles, making sure that hardware and software gets updated or replaced as versions become outdated or warranties expire.
Comparing asset discovery approaches #
The question of how to effectively and efficiently discover assets on the network has haunted IT and security teams since the dawn of the ARPANET. The "why" may have changed, but the challenge itself has only grown. There are several methods and IT asset discovery tools that can be used to varying levels of effectiveness. First, let's go over some terminology.
Active versus passive scanning #
The terms "active" and "passive" refer to the scanner's behavior, specifically whether or not it is querying for answers or just observing the activity taking place on the network. Active scanning tools transmit network packets or query local host data and then analyze the responses they receive. On the other hand, passive scanners simply observe the traffic that crosses the network adapter they're configured to listen on.
Authenticated versus unauthenticated scanning #
Scanners can also perform authenticated or unauthenticated scans to gather details about assets. Authenticated scans use provided credentials to attempt to log into the assets and services they come across. Unauthenticated scanning does not spray credentials around the network, instead using fingerprinting algorithms and discoverable data to recognize asset attributes.
Endpoint agents versus network-based scanners #
Whether a scanner is agent- or network-based is an indication of how many instances of the software will need to be deployed. Performing scans with endpoint agents requires software agents to be installed on every asset that will be monitored or scanned. Network-based scanners can scan assets across the network with as little as one installation.
Combining traits #
These three pairs are not mutually exclusive, just about any combination from the three can be found. Each has a purpose, but some solutions tend to be more effective than others. Authenticated scanners and endpoint agents can gather system details, but authenticated scanning sends credentials all over the network and not all assets support endpoint agents. Passive scanning can be helpful for monitoring sensitive assets, but encrypted traffic can't be analyzed and only basic information is gleaned. A combination of solutions can be implemented to address all needs, but as a starting point unauthenticated active network scanning is a great fit for most organizations.
Unauthenticated active network scanning, when performed by a tool with effective network traversal and attribute identification, can gather information about managed and unmanaged assets from across your environment. This solution performs IT asset discovery with a high degree of accuracy and thoroughness, ensuring that your asset inventory is complete. Armed with an up-to-date asset inventory, decisions about asset management and risk mitigation can be made with confidence.
The most effective approach #
runZero uses unauthenticated active network scanning to perform asset discovery across environments of all sizes and compositions. With one or more strategically placed Explorers, runZero can scan your entire network and gather the most accurate asset information available.
runZero consistently provides surprising and rich levels of detail for an agentless unauthenticated network scanner. Available as both free and commercial editions, runZero provides the fastest and easiest way to see everything connected to the network. Users of the commercial editions can supplement scan data with API integrations, including cloud hosting, endpoint security, and vulnerability management solutions.
In addition to our highly accurate fingerprinting capabilities, runZero is able to scan across network segments in order to discover assets you didn't know existed. Leveraging runZero for your IT asset inventory ensures you're armed with the most accurate and complete information about the assets on your network.
