What I expect from IT Asset Inventory

The main problem of vulnerability management, in my opinion, is that it is not always clear whether we know about ALL the network hosts existing in our infrastructure or not. So the problem is not the actual process of scanning and detecting vulnerabilities, but not knowing what we should scan.

Knowing the total number of active hosts must be such a simple and basic thing. But for a large organization, this is not so trivial. To tell the truth, I do not know how to do IT Asset Inventory right. I’m not even sure who should be responsible for this. There are so many different technological and organizational nuances. I will mention some of them below.

Who is responsible for inventorying IT assets?

But I can say with confidence that my basic requirement for an IT Asset Inventory system is completeness of scope, not the number of collected parameters. The very minimum is just to see that some network host existed and seemed active at some point in time.

If the system only indicates the existence of the host, but does this for ALL the hosts, we can live with this. We can get metrics for these hosts and understand what we control and what we don’t.

Of course, Asset Inventory, in theory, requires control of the asset type, the version of the Operating System or firmware, the installed software, and so on. But these can be collected by active authenticated scanning, as long as we know which hosts we need to analyse. It’s not a big deal.

upd. Now I think that a solution with such minimum requirements is probably more correct to call Asset Discovery, rather than Asset Inventory. Sorry for mixing these terms. But anyway.

On the other hand, an Asset Inventory which collects the most complete set of system parameters, but does this only for some PART of the hosts in the organisation, does not give us a picture of the infrastructure and is practically useless.

What do I mean by ALL hosts:

  1. Not only hosts in the domain. I want to see Mac and Linux hosts as well, and they are most probably not in the domain.
  2. Not only servers. I want to see all the workstations there as well.
  3. Not only hosts on which we can install agents. I want to see network devices, including printers and everything that has an IP address.
  4. Not only hosts in the places where we can currently sniff the traffic. By the way, do we control ALL traffic in every office?
  5. Not only hosts located on-premises. I want to see information about hosts located at external hosting providers as well, including different clouds.
  6. Not only hosts in the networks that we scan actively. Do we know about ALL networks and scan them regularly? Do we have the necessary network permissions to scan them?
  7. Not only hosts that are active right now. I want to know when we last saw each host active.
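The two points above (seeing every host from every source, with a last-seen time, and then getting metrics for what we control and what we don't) can be turned into a small merge-and-report script. The following is an added example, not code from the original post: it takes constructed sightings from hypothetical discovery sources (an AD export, an endpoint agent, an active scan, a cloud inventory, DHCP logs), unifies records that refer to the same host by hostname or IP, and reports the coverage gaps the list describes (hosts outside the domain, without an agent, never scanned, seen only once, or stale). All host names, IPs and source names are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample sightings (hypothetical hosts, not real data).
# Each tuple is (source, hostname or None, ip, seen_at in ISO 8601).
SIGHTINGS = [
    ("scan",  None,         "10.0.1.10",   "2019-05-19T02:00:00"),
    ("scan",  None,         "10.0.5.22",   "2019-05-19T02:00:00"),
    ("scan",  None,         "10.0.5.40",   "2019-05-19T02:00:00"),
    ("scan",  None,         "10.0.9.7",    "2019-05-19T02:00:00"),  # printer: no agent, no domain
    ("ad",    "SRV-DC01",   "10.0.1.10",   "2019-05-20T08:00:00"),
    ("ad",    "WS-ALICE",   "10.0.5.21",   "2019-05-20T09:15:00"),
    ("agent", "srv-dc01",   "10.0.1.10",   "2019-05-21T07:00:00"),
    ("agent", "ws-alice",   "10.0.5.22",   "2019-05-21T07:05:00"),  # DHCP gave it a new IP; the scan saw it anonymously
    ("agent", "mac-bob",    "10.0.5.40",   "2019-05-21T07:10:00"),  # Mac: has an agent, not in the domain
    ("cloud", "web-prod-1", "203.0.113.5", "2019-05-21T06:00:00"),  # cloud instance: never scanned
    ("dhcp",  "lab-old",    "10.0.7.3",    "2019-02-01T10:00:00"),  # last seen months ago
]


class Asset:
    """One physical or virtual host, as seen by any number of sources."""

    def __init__(self):
        self.names = set()
        self.ips = set()
        self.sources = {}  # source name -> latest datetime that source saw the host

    @property
    def last_seen(self):
        return max(self.sources.values())

    @property
    def label(self):
        # Prefer a hostname; fall back to an IP for hosts nobody could name.
        return min(self.names) if self.names else min(self.ips)


def build_inventory(sightings):
    """Merge sightings into assets, joining records that share a hostname or an IP."""
    assets = []
    by_ip, by_name = {}, {}
    for source, name, ip, ts in sightings:
        seen = datetime.fromisoformat(ts)
        name = name.lower() if name else None
        asset = by_name.get(name) or by_ip.get(ip)
        other = by_ip.get(ip)
        if asset is None:
            asset = Asset()
            assets.append(asset)
        elif other is not None and other is not asset:
            # The hostname and the IP currently point at two different assets:
            # fold the IP-only asset into the named one and re-point its indexes.
            asset.names |= other.names
            asset.ips |= other.ips
            for src, when in other.sources.items():
                asset.sources[src] = max(asset.sources.get(src, when), when)
            assets.remove(other)
            for n in other.names:
                by_name[n] = asset
            for i in other.ips:
                by_ip[i] = asset
        if name:
            asset.names.add(name)
            by_name[name] = asset
        asset.ips.add(ip)
        by_ip[ip] = asset
        asset.sources[source] = max(asset.sources.get(source, seen), seen)
    return assets


def coverage_report(assets, now, stale_after=timedelta(days=30)):
    """Coverage metrics: which hosts each control mechanism does NOT reach."""
    cutoff = now - stale_after
    pick = lambda cond: sorted(a.label for a in assets if cond(a))
    return {
        "total": len(assets),
        "not_in_domain": pick(lambda a: "ad" not in a.sources),
        "no_agent": pick(lambda a: "agent" not in a.sources),
        "never_scanned": pick(lambda a: "scan" not in a.sources),
        "single_source": pick(lambda a: len(a.sources) == 1),
        "stale": pick(lambda a: a.last_seen < cutoff),
    }


if __name__ == "__main__":
    inventory = build_inventory(SIGHTINGS)
    for key, value in coverage_report(inventory, datetime(2019, 5, 22)).items():
        print(f"{key}: {value}")
```

The merge step is the part that matters in practice: a scanner reports a bare IP, AD reports a name, the agent reports both, and unless those records are joined the same host is counted three times and the "single source" metric becomes meaningless. The report is deliberately about gaps rather than collected parameters, which is exactly the minimum the post asks for.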

So, talking about responsibility. Who should make (or implement) such an amazing system? It can be called Monitoring, CMDB, SIEM, GRC, NGFW, whatever. Of course, as a security guy, I think IT should do this. 😉

But I understand that IT is mostly interested in stable operation and fast implementation of new features. And such stable operation is possible even without a centralized system for Asset Inventory. No, really. Sometimes decentralization is better and more flexible. And of course no one will create such a system if its main customer is the Information Security department, and not the business.

Naturally, IT does not have to make the life of Information Security easier. It is even more understandable that giving Information Security full visibility over IT Assets will make the life of IT more difficult and will require large resources for patching and configuring. Because where there is no control, the ugliest security flaws are usually found.

upd. But on the other hand, IT can also benefit from Asset Inventory. If we do not remove unused servers from the IT infrastructure, the maintenance costs will grow uncontrollably. And without Asset Inventory it will be impossible to remove a server, simply because it is unclear how critical it is. Maybe, in fact, it is used in some critical process, and if we turn it off, something will be badly broken.

In any case, IT and Information Security teams should be friends, otherwise it will be bad for everyone. 😉