The first step in securing any organization is to understand what you have. Unless you have a strong understanding of the systems and services on your network, you have no hope of keeping it both secure and usable. You could implement extremely strong controls to lock down everything, but then business operations come to a halt as services are unavailable. But if you don’t put enough controls in place, attackers may run rampant.
The Center for Internet Security’s outlines this in their 20 CIS Controls. The first two controls are defined as:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
Every other control that follows begins with those two. From vulnerability management, to secure configuration standards, to monitoring logs; unless you know what is on the network, you can’t properly apply security controls.
Unfortunately, IT systems are complicated, and change daily. Modern networks and IT environments are often spread over multiple offices, data centers, the cloud, virtualization, IOT, printers, mobile devices, and more. It can be a formidable task keeping track of all the endpoints that touch an organization’s network infrastructure. This becomes even more challenging with Bring Your Own Device (BYOD) policies, and unknown devices that connect to the network on a regular basis. These uncontrolled and unidentified devices increase security, compliance and legal risks to an organization.
Asset Discovery is the process of scanning your networks to discover exactly what systems and services are running. A discovery scan confirms what is actually on the network rather than what you think is on the network, or what was on the network yesterday. Ideally, asset discovery scans should be run as often as possible, to always have the most current information. These scans should allow you to detect:
- Unauthorized (rogue) devices
- New services on existing hosts
- Unsupported operating systems
Commercial vulnerability scanners conduct asset discovery scans as part of the process of scanning the network, but often this is only performed on a quarterly or monthly basis. Other commercial configuration management tools also include asset discovery and management at varying price levels. Open source tools such as nmap can be used to run these scans with the right knowledge and experience.
Secure Ideas has recently introduced Asset Scout as a daily asset discovery service. The service is bundled for free into Network Scout, our vulnerability scanning service, but can also be purchased separately for organizations who only need the daily asset discovery portion. Asset Scout provides a daily export that includes a list of hosts, operating systems, and open ports. This data can be used to compare for day-to-day changes as well as imported into existing inventory management tools.