Closing the gap Power your CMDB with CAASM for better ROI


A proactive security program begins with knowing what is on your network through a comprehensive asset inventory. Instead of searching for a fit-for-purpose solution, many organizations use their existing configuration management database or CMDB for asset inventory. On the surface, it makes sense. CMDBs are designed to track data relating to managed IT assets, such as routers, switches, or servers. CMDBs should contain all the configuration items (CIs) needed for IT service management (ITSM), IT asset management (ITAM), or IT operations management (ITOM).

The reality does not live up to the promise, though. According to Gartner, only 25% of organizations achieve meaningful value with their CMDBs. Let’s dig into why and how a cyber asset attack surface management solution can improve the accuracy and fullness of your CMDB data.

CMDBs store data, cyber asset attack surface management discovers assets #

CMDBs track CIs but do not discover anything themselves. CMDBs learn of these CIs through a companion discovery tool which is likely not getting the information you need. Examples of these discovery tools include ServiceNow Discovery, BMC Discovery, and Atlassian Insight Discovery.

On the other hand, a cyber asset attack surface management solution discovers and maintains an accurate inventory of all assets on the network, not just IT but also IoT and OT devices. The rich data it stores on all types of assets goes beyond details relating to IT operational efficiency but also security controls, insecure configurations, vulnerabilities, and more. It’s not to be confused with ITAM, which manages the end-to-end lifecycle of assets, or ITSM, which strives to deliver IT services to end users efficiently.

Default CMDBs discovery tools cover only managed IT assets #

The majority of default CMDB discovery capabilities perform authenticated active scans against managed assets. These scans cover a limited range of devices across the IT infrastructure–including virtual machines, servers, and laptops, all managed IT. By taking the approach of relying on the CMDB’s discovery tools, you miss other critical asset types, including:

  1. Unmanaged devices:
    These devices have slipped through the cracks due to scenarios ranging from staffing changes to updates to business strategy to mergers & acquisitions. Unmanaged devices can take many forms, including shadow IT, rogue devices, and orphaned devices. If you’re only monitoring managed devices, you’re completely overlooking unmanaged devices, so you can’t keep an eye on them. Additionally, they carry with them unknown exposure or risk.
  2. Corporate IoT devices:
    In recent years, the use of IoT devices has skyrocketed in the workplace. With this surge, organizations have even more devices to manage and secure from potential threats than ever before. From internet-connected camera systems and locks to the smart fridge in the break room and temperature and humidity management systems, these can all pose additional opportunities for hackers to fly under the radar to recon the rest of your network. With only a partial view into what’s on the network, you’re missing valuable insight for full protection.
  3. OT devices:
    Businesses in industries ranging from manufacturing and energy to government and healthcare all leverage operational technology (OT) devices. They can include field devices, programmable logic controllers (PLC), and human-machine interfaces (HMIs), vital to these businesses. These devices use real-time operating systems (e.g., Wind River VxWorks), often incompatible with the authenticated scans that log in via WMI or SSH, which you find on time-sharing operating systems like Windows and Linux. Additionally, IT and security teams often intentionally exclude OT devices from active scans because they are prone to disruption. By capturing only a portion of the assets on your network, you’re left with an incomplete asset inventory.

CMDBs aren’t trusted sources for all assets if the data is inaccurate #

Beyond incompleteness, data inaccuracy is also a major concern. If you are relying on your CMDB to be a source of truth, you need to be able to trust the information in it. The data in a CMDB will only be as good as its sources.

According to Gartner, nearly one-third of CMDB challenges stem from data completeness or quality concerns due to how data is entered into the system. There are a few input methods, but the most commonly used are manual entry and authenticated active scanning. While authenticated active scans are relatively accurate for managed IT devices, they often misidentify the hardware. Manual entry, on the other hand, does not scale and is prone to error. In fact, 60% of data manually input by employees is inaccurate.

How good data goes bad

CMDBs’ challenges around completeness and accuracy compound as asset counts continue to rise. If teams struggle to keep their CMDBs up-to-date, accurate, and therefore beneficial, then it’s not a big surprise that, according to Gartner, 80% of CMDB projects have been shown to add no value to the business.

Discover the true cost of CMDBs in the infographic below.

The true cost of CMBDs

CMDBs powered by runZero #

If your investment in a CMDB will come up short in value and ROI, how do we avoid some of these pitfalls and improve the outlook? Use a cyber asset attack surface management solution to inform and guide your CMDB. You can make the most of your investment with both solutions working together.

runZero was purpose-built to combat the challenges and requirements of cyber asset attack surface management, which is not what default CMDB discovery tools were designed to do and why they fall short. Below are the key areas where runZero can improve your CMDB accuracy:

Full Coverage #

While the default CMDB discovery tools are effective at only capturing managed IT devices, runZero performs unauthenticated active scans to safely and quickly provide a complete and accurate asset inventory of all IT, IoT, and OT devices, whether they are managed or unmanaged.

Accurate Data #

Default CMDB discovery tools rely on authenticated scanning or manual entry as their data source, which can misidentify and miss devices not on your corporate network. They are also not purpose-built for asset inventory, so their fingerprinting falls below expectations. runZero’s source of data comes from a combination of API integrations and unauthenticated active scanning, which allows for highly accurate fingerprinting and offers real-time updates and accurate data synchronization automatically for data you can trust.

Quick Time To Value #

Discovery for CMDBs typically requires large, specialized teams following a complex process consisting of many steps for successful implementation. Alternatively, getting started with runZero involves the deployment of Explorers, after which you can run initial scans. You can get started in minutes without the hassle and time of coordinating a large team effort.

An authoritative source of asset data, including IT, IoT, OT #

runZero is a cyber asset attack surface management solution that can help you build complete, comprehensive asset inventories of your managed and unmanaged assets on any network–corporate, cloud, or home–and in any infrastructure, IT, IoT, or OT. Since runZero combines APIs with active scanning, doesn’t require credentials, and has extensive fingerprinting capabilities, it can discover and identify a wider breadth of assets with far more depth. You can integrate runZero seamlessly with CMDBs, like ServiceNow, to enrich their data, or you can leverage runZero as a standalone asset inventory solution.

runZero scales up to millions of devices, but it’s easy to try. The free 21-day trial even downgrades to a free version for personal use or organizations with less than 256 devices. Find out what’s connected to your network in less than 20 minutes.

Written by Carolynn Mallozzi

Carolynn Mallozzi is a former Senior Customer Advocacy Marketing Specialist at runZero. She brought 10+ years of experience, 4 of which were focused on customer advocacy and highlighting the voice of the customer through content creation, 3rd party review sites, and customer advocacy programs. Carolynn worked with customers in various industries from law to education to security.

More about Carolynn Mallozzi
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

runZero Insights
Using runZero to verify network segmentation
There are many benefits of network segmentation, and fact checking proper implementation can be a difficult, arduous task. runZero is here to help...
Life at runZero
Employee Spotlight: James McNulty
James is our website manager and dynamic SEO strategist! Read on to learn about James' journey on the Marketing team at runZero!
Product Release
Introducing the customizable dashboard, Wiz integration, and more!
Introducing the customizable dashboard, Wiz Integration, and other Q2 2024 enhancements to the runZero Platform.
Product Release
How to integrate your SIEM platform with runZero to create an actionable asset inventory
Learn how to combine runZero's real-time asset inventory with SIEM exports for comprehensive asset tracking and historical data analysis..

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved