How to Create a Strong Cybersecurity Asset Management Process
November 9, 2021
By IANS Faculty
There is no one correct way to build and maintain an asset inventory. Each organization has its own unique set of requirements and constraints that should drive toward a solution, and there are many options for validating and augmenting whatever solution is selected. This piece explains how to use the tools you have in place already, supplemented where necessary, to create a strong cybersecurity asset management process that fits the business and can be maintained over time.
Challenges of Asset Management
Building and maintaining an inventory of systems is difficult. Across all market verticals, organizations of all sizes struggle with this deceptively challenging task. Those with the greatest success rates are organizations that take a multi-pronged approach. Single point solutions – even commercial offerings – often fail because they do not have a broad enough set of discovery options.
Most organizations approach systems inventory by leveraging as many sources as possible. While not an exhaustive list, the items listed below are commonly available and worth considering:
- Management systems. Consider using a dedicated inventory/management system like Windows Autopilot. While most organizations use such tools for system deployment, it can also help manage those systems after they have been given to users. For its part, Windows Autopilot is a newer feature within the Microsoft solution set that many organizations have already paid for, but are not using.
- Endpoint agents. Due to compliance requirements, most organizations have several agents deployed to both end-user systems and servers. Organizations can use those agents – which often are placed in the “gold image” of a system – to passively monitor the deployment of new systems when they report into the central management console available in those tools. Agents for AV, endpoint/extended detection and response (EDR/XDR), backup, vulnerability scanning and more can be used in this manner.
- AD. Most organizations use AD to manage their IT fleet. AD has multiple options for finding systems. Typically, teams use group objects to track information about computing assets. When any system is deployed, it typically will be bound to AD. When this happens, the assets will be placed into a default group that can be monitored. Additionally, Windows event logs on choke-point systems such as domain controllers, file shares and other commonly used internal resources will contain telemetry (username, IP address, hostname, etc.), which can and should be actively mined for inventory control purposes.
- Network monitoring. In many environments, actively scanning for systems could be disastrous. Embedded systems can react poorly (sometimes crashing) if the probe request they receive is unexpected. This is common across all market verticals. Instead, passive network observation is strongly suggested. Privacy fears will often prevent organizations from using network-based telemetry. However, for this level of analysis, only the IP header is needed. This is safe from a regulatory perspective because the header contains no sensitive information (such content would only be in the datagram payload). NetFlow and similar flow-export tools allow this type of analysis. Other data sources worth mentioning in this context are web proxy, firewall and DNS logs. By necessity, they will contain the IP addresses of the systems generating network traffic.
- Application logs. Centralized (and network-based) applications are how most organizations handle data. The logs – especially the login entries – for such applications are a frequently overlooked source of vital information. In addition to the IP address, they will often contain the client software version (for example, the user agent string). Other sources worth investigating in this manner are mail server logs, DHCP logs and vulnerability scanning logs.
Managing Asset Inventory Data
Gathering inventory data from such varied and disparate systems is challenging, however. Organizations should consider:
- Developing a process to deduplicate systems and create a validated “system of record.” An increasing number of organizations are leveraging their SIEM solution for this, which makes sense because a SIEM should have visibility on most of the data elements listed above. Resist the temptation to have multiple systems of record. It will result in confusion.
- Tracking assets by hostname. Because IP addresses change in a DHCP environment, organizations should track assets by the hostname. Dated advice to track via MAC address is still available online, but it was always poor advice and is no longer viable due to MAC address randomization.
- Maintaining and expanding the inventory. Once the effort of building an inventory is complete, organizations must keep it current. This can be accomplished by periodically reviewing the data sets used to build the inventory. But don’t stop there. Because the review is an ongoing effort anyway, a small amount of additional analysis of these same data sets lets you expand the inventory with information such as the software installed, the data a device contains, the users who frequently log into a system and the systems the host typically interacts with. This will pay strong dividends.
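As an added example (not IANS code, and not any vendor's tool), the Python below pulls together the source list above and the steps in this section: it parses constructed log lines in made-up DHCP, AD logon, web-proxy and EDR-agent formats, keys every observation on a normalised hostname rather than on IP or MAC, joins IP-only proxy records to the hostname most recently seen at that address, and then reports assets seen by only one source or not seen within 30 days. The line formats, hostnames, addresses and the `AS_OF` report date are all constructed; the regular expressions are placeholders for the ones that match your own exports.

```python
"""Build a hostname-keyed asset inventory from several telemetry sources.

Added example (not IANS code). The log line formats below are constructed
for illustration and do not reproduce any vendor's exact format; swap the
regular expressions for the ones that match your own DHCP, proxy and
domain-controller exports. Hostnames are the deduplication key, so the
MAC address is kept only as an attribute, never as an identifier.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line formats (one example of each shown in the comment).
PATTERNS = {
    # "2021-11-08 09:00:01 DHCPACK on 10.0.1.20 to 00:11:22:33:44:55 (LAPTOP-A) via eth0"
    "dhcp": re.compile(
        r"^(?P<ts>\S+ \S+) DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) \((?P<host>[^)]+)\)"),
    # "2021-11-08 09:05:10 EventID=4624 Account=alice Workstation=laptop-a.corp.example SourceIP=10.0.1.20"
    "ad_logon": re.compile(
        r"^(?P<ts>\S+ \S+) EventID=4624 Account=(?P<user>\S+) "
        r"Workstation=(?P<host>\S+) SourceIP=(?P<ip>\S+)"),
    # '2021-11-08 09:06:00 10.0.1.20 alice 200 https://intranet.example/ "Mozilla/5.0 (Windows NT 10.0)"'
    "proxy": re.compile(
        r'^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<user>\S+) \d{3} \S+ "(?P<ua>[^"]*)"'),
    # "2021-11-08 09:10:00 agent=edr checkin host=SRV-DB01 ip=10.0.2.5 version=7.2"
    "edr_agent": re.compile(
        r"^(?P<ts>\S+ \S+) agent=edr checkin host=(?P<host>\S+) ip=(?P<ip>\S+) version=(?P<ver>\S+)"),
}

def normalise_hostname(name):
    """Lower-case and strip the DNS suffix so LAPTOP-A and laptop-a.corp.example collide."""
    return name.strip().lower().split(".")[0]

def parse_line(line):
    """Return (source, fields) for a recognised line, or None for noise."""
    for source, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S")
            return source, fields
    return None

def build_inventory(lines):
    """Merge observations into one hostname-keyed system of record.

    Sources that carry only an IP (the proxy log) are joined to a hostname
    through the most recent DHCP/AD/agent observation of that IP, so a DHCP
    address change does not create a phantom second asset.
    """
    ip_to_host = {}   # latest hostname seen at each IP
    inventory = defaultdict(lambda: {"sources": set(), "ips": set(), "users": set(),
                                     "mac": None, "agent_version": None,
                                     "user_agents": set(), "last_seen": None})
    observations = [p for p in (parse_line(line) for line in lines) if p]
    observations.sort(key=lambda o: o[1]["ts"])   # replay in time order for the IP joins
    for source, f in observations:
        host = normalise_hostname(f["host"]) if "host" in f else ip_to_host.get(f["ip"])
        if host is None:
            continue   # an IP we cannot attribute yet; a later hostname source may resolve it
        if "host" in f:
            ip_to_host[f["ip"]] = host
        rec = inventory[host]
        rec["sources"].add(source)
        rec["ips"].add(f["ip"])
        if "user" in f:
            rec["users"].add(f["user"])
        if "mac" in f:
            rec["mac"] = f["mac"]          # attribute only; randomised MACs change over time
        if "ver" in f:
            rec["agent_version"] = f["ver"]
        if "ua" in f:
            rec["user_agents"].add(f["ua"])
        if rec["last_seen"] is None or f["ts"] > rec["last_seen"]:
            rec["last_seen"] = f["ts"]
    return dict(inventory)

def coverage_gaps(inventory, now, stale_after=timedelta(days=30)):
    """Assets seen by only one source, or not seen recently, deserve a look."""
    single = sorted(h for h, r in inventory.items() if len(r["sources"]) == 1)
    stale = sorted(h for h, r in inventory.items() if now - r["last_seen"] > stale_after)
    return single, stale

# Constructed sample telemetry; the last line is deliberate noise.
SAMPLE = """\
2021-11-08 09:00:01 DHCPACK on 10.0.1.20 to 00:11:22:33:44:55 (LAPTOP-A) via eth0
2021-11-08 09:05:10 EventID=4624 Account=alice Workstation=laptop-a.corp.example SourceIP=10.0.1.20
2021-11-08 09:06:00 10.0.1.20 alice 200 https://intranet.example/ "Mozilla/5.0 (Windows NT 10.0)"
2021-11-08 09:10:00 agent=edr checkin host=SRV-DB01 ip=10.0.2.5 version=7.2
2021-10-01 12:00:00 DHCPACK on 10.0.1.77 to 02:aa:bb:cc:dd:ee (PRINTER-3F) via eth0
2021-11-09 08:00:00 DHCPACK on 10.0.1.20 to 0a:99:88:77:66:55 (LAPTOP-A) via eth0
2021-11-09 08:01:00 10.0.1.20 alice 200 https://mail.example/ "Mozilla/5.0 (Windows NT 10.0)"
some unrelated syslog noise that matches nothing
"""
AS_OF = datetime(2021, 11, 9, 12, 0, 0)   # constructed report date for staleness checks

if __name__ == "__main__":
    inv = build_inventory(SAMPLE.splitlines())
    for host, rec in sorted(inv.items()):
        print(host, sorted(rec["sources"]), sorted(rec["ips"]), rec["last_seen"])
    single, stale = coverage_gaps(inv, AS_OF)
    print("single-source:", single)
    print("stale:", stale)
```

Two design points carry over to a real deployment: replay observations in time order so that an IP-only record is attributed to whichever host held the address at that moment, and treat the single-source and stale lists as the review queue for the periodic check described above, since each entry is either a discovery gap in one of your sources or a decommissioned asset that was never removed.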
Asset Management Tips
When it comes to asset management, one size doesn’t fit all, and force-fitting your needs into a single out-of-the-box platform will likely not get you where you want to be. To help ensure you can track and manage all assets successfully over time, consider:
- Leveraging your existing tools: Every organization has tooling that can help with inventory efforts. Inventory these tools/options first.
- Deploying a tool that fills in your gaps: There is a reason there are so many inventory tools; each organization needs a different solution. Select a product only after you have reviewed your existing data sources and pick a tool that provides coverage where you need it most.
- Being cautious of out-of-the-box solutions: While helpful, these tools are not “turnkey” ready. You will always have to do some customization.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.