Why EDR agents are inadequate for cyber asset management
Asset inventory is foundational to security: As a security professional, you need to know what you are being asked to protect. You may currently be relying on data from your endpoint detection and response (EDR) tools to provide their asset inventory. You may even aggregate EDR data with sources via API integrations with other security systems and then enrich the data with unmanaged devices from an unauthenticated scan, an approach typically known as cyber asset attack surface management (CAASM) or cyber asset management.
Theoretically, EDR agents are great because they integrate deeply into the operating system on every important machine. They should have access to any information you may want for your asset inventory.
However, if you’ve found assets that are compromised but can’t find them in the asset inventory, you may have realized that you went down the wrong path. EDR works well for endpoint protection but not asset inventory. Let’s examine why.
Incomplete asset inventory: why EDR agents fall short #
The point of cyber asset management is to establish a comprehensive inventory of all network-connected components, encompassing IT to OT, cloud to remote devices. To ensure a thorough and precise asset inventory, it is imperative to deploy EDR agents, such as SentinelOne or Microsoft Defender for Endpoint, on every device. A striking example highlighting the significance of this practice is a recent finding by runZero, revealing that 38% of assets at a university were lacking EDR coverage.
EDR agents can only know about the assets they are installed on. This means EDR agents miss the following types of devices:
- Unmanaged machines: Some servers, laptops, and desktops that are likely not covered by EDR, either because someone forgot to install it or because nobody knew the machine existed. If your goal is to have EDR on 95% of all machines, you can't also use EDR to measure how many machines you have - it's circular logic.
- Corporate IoT: Offices contain many IoT devices that can't install an EDR agent because the platform is not supported or the EDR agent doesn't support the platform. Think of your printer, IP phone, video conferencing device, thermostat, surveillance camera, and door controller that let you in when you swipe your access badge. All of these are connected to your network.
- Networking gear: Switches, routers, and firewalls typically do not allow for the installation of an EDR agent. Even if you manage them through another system, think about someone bringing their own wireless router because the WiFi is weak in their part of the building. That’s another device missing an EDR agent and one you don’t manage at all.
- OT equipment: Usually, industry-specific operational technology (OT) includes warehouse technology, production lines, biomedical equipment, and energy transmission. A programmable logic controller (PLC) that controls the production-line robot does not support installing an agent.
Challenges in discovering unmanaged devices with EDR scanners #
EDR vendors have known for a long time that they can’t provide a full asset inventory, and they’ve been looking for ways to plug that gap. What most vendors have resorted to is neighbor detection (which goes by many other names).
Neighbor detection typically uses one of the following approaches:
- ARP scan: This is a quick and easy way to find devices on a network. The problem is that it doesn't yield good results. It provides only the IP and MAC addresses of the devices without a lot of additional information on a device. Some vendors derive the device manufacturer from the MAC address, but this is where it stops. Working on layer 2 of the OSI model, it also can't detect devices beyond the nearest switch.
- nmap under the hood: nmap is a well-known and versatile network scanner that was created in 1997. While many know it as a powerful but complex command-line scanner, it is OEM-licensed to many security vendors who need to discover devices on the network. While nmap is a step up, it was built to scan networks for open ports and not to identify the type of asset. In other words, your surveillance camera may be identified as a "Linux device," which is not very helpful when investigating a security incident. nmap has also disrupted some embedded devices, such as printers, PLCs, and Ethernet adapters.
- SNMP scan: SNMP is a protocol that helps read and write configurations to network devices. It can get good information from network devices, providing that you have entered the SNMP credentials for the organization. However, it can't provide any insights into devices other than networking devices, such as phones, printers, and surveillance cameras.
- Ping scan: This method simply pings every IP address in the subnet where the agent resides. It can tell you if a device exists as long as it's responding on ICMP, which may be disabled.
Even with a better scanner, scanning from a random EDR agent is problematic. For example, consider a remote user working from home. With neighbor detection, the corporate asset inventory would soon be populated with their Playstation 5 and their kid’s tablet. Some EDR vendors try to mitigate and only do neighbor detection when there are at least five other EDR agents from the same organization on the same subnet. This has two issues: You miss unmanaged devices in small offices that only have four people, and you add all of the devices from the hotel network where 5 of your colleagues are having a meeting.
Here’s an example of a device detected by neighbor detection of a leading EDR:
|Last Seen||May 17, 2023 23:00:00|
|IP address history||192.168.40.248|
|First seen by||8f284cc1df2e4ab59dc255cfd9ef2d05|
|Seen by platform||Windows|
|First seen||Nov 24, 2022 19:00:00|
|Seen by type||Workstation|
|Seen by count||1|
|Last seen by||8f284cc1df2e4ab59dc255cfd9ef2d05|
And the same device scanned by runZero:
Asset detail comparison: Leading EDR vs runZero #
Let’s compare and contrast what each solution found:
|Seen by sensor/scanner||⏺||⏺|
|Upstream switches & ports||○||⏺|
EDR can provide more depth for managed devices but still misses information.
EDR agents are watching out for unauthorized takeover of machines. It should be able to collect a ton of information on the devices that it’s installed on. However, EDR agents are not made for asset inventory and simply don’t collect much of the information.
For example, EDR agents don’t typically track open ports. They are unable to detect the external attack surface of an asset. This can be valuable information, for example, when RDP is active on a public IP.
Risks and slowdowns due to missing devices #
If you are missing assets in your inventory, you can’t actively manage your security posture. You can only successfully find EOL devices, insecure configurations, and vulnerabilities if you know about all of the devices on your network.
What’s even worse is that gaps in your asset inventory slow you down when you need to move fast: When your incident detection tells you you have a potentially compromised device on a specific IP address. Still, you can’t figure out what that device is. You lose valuable hours while the bad guys get deeper into your network.
This is why an accurate, complete cyber asset inventory is crucial.
CAASM solutions can improve EDR coverage. #
You now understand why EDR alone cannot answer the question of asset inventory by itself. However, it can be part of the solution.
Cyber asset attack surface management (CAASM) solutions combine EDR data with other sources:
Corporate security solutions via APIs: Many CAASM solutions integrate with EDR, MDM, vulnerability management solutions, and even productivity tools such as Google Worksuite to cover all managed devices.
Modern network scanners: Some of the best CAASM solutions also use specialized network scanners optimized for asset inventory to find unmanaged IT and OT devices.
EDR is a necessary component of any cybersecurity defense. Many organizations strive for 95% EDR coverage as a best practice or for cyber insurance compliance. The best way to measure progress towards that goal is to correlate your EDR with a full asset inventory through a CAASM.
A cyber asset management solution that covers assets from IT to OT, cloud to remote devices. #
runZero is a cyber asset management solution that includes CAASM functionality. It combines integrations with EDR and other sources with a proprietary network scanner that is fast and safe even on fragile IoT and OT networks.
runZero scales up to millions of devices, but it’s easy to try. The free 21-day trial even downgrades to a free version for personal use or organizations with less than 256 devices.
July 26, 2023
Going beyond: The cybersecurity tools hindering effective cyber asset management
Each article in this roundup explains the downsides of common tools as they pertain to effective cyber asset management, and how runZero, a complete cyber asset management solution, provides a complete and detailed asset inventory beyond the scope of any tools discussed.
July 18, 2023
The best free network scanners for security teams in 2023
In this article, we compare and contrast several free tools and provide our take on why we believe runZero is best suited for corporate security teams.
July 10, 2023
Why NACs are inadequate for cyber asset management
NACs aren’t the best at asset discovery. Allowing or denying access to the network on Layer 2 is their primary function, but finding everything on your network is a different problem. Let’s examine why.