If the term “asset inventory” elicits involuntary yawns of boredom, you’re not looking at the problem from the right angle. You could make an entire career out of a true, living asset inventory. And it can be fun!
Getting on the same page: what exactly is an asset inventory?
First off, let’s level set what we mean by an asset inventory. It’s not just a list of physical assets and their associated IP addresses. In fact, the IP address of a system isn’t enough to identify it definitively. An inventory needs to capture many operational and administrative properties of assets. Those include, but are not necessarily limited to:
- IP address, MAC address, hostname;
- Whether a physical/host system or virtual/guest;
- Services and applications served (not just open ports);
- Owners of the system and services/applications;
- Purpose of the services/applications and authorized roles and users;
- Data stored on the asset, classification of the data, and storage location by data type;
- Behavioral characteristics, such as systems normally communicated with.
Why bother?
An asset connects to a network and generates, processes, receives, and/or transmits data, in one combination or another. It authenticates users and enforces access control policies. It has a business purpose and is managed by a person or group role. All of these facets play into a larger infrastructure, and the properties are interdependent.
To that end, the purpose of an asset inventory is manifold, the fundamental reason being situational awareness.
- Knowing the business purpose informs your identity and access control practice. The purpose of the system, services, and applications should interlock with the roles you setup in your IAM system, and the owners should be in the access approval chain.
- You can better segment your systems in functional enclaves once you understand the storage and flow of data, and the purpose and access needs of systems.
- You can better perform incident response if you have a lay of the land. Root cause analysis is faster and you can more quickly isolate compromised or infected systems—even automatically using orchestration and software defined networking.
- You can write SIEM rules and perform analytics more effectively knowing what is normal for the system, service, application, data, roles, and users
- Compliance with many regulations and contracts requires a knowledge of systems and data. Even without compliance mandates, voluntary practices, such as the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense (a.k.a., SANS top 20), list an asset inventory as the top control activity.
Sounds important, so why doesn’t everybody inventory their assets.
When I ask clients or a room full of security practitioners during a presentation whether they’ve conducted an asset inventory, few medium- to large enterprises can attest to having completed one. This failure is due largely to analysis paralysis: How do I track all the mobile devices? What about the IoT? And shadow IT?
The answer is, just begin. Your asset inventory doesn’t have to be perfect from the start. It’s a journey and there’s much to learn. Your long term goals, such as optimizing your identity and access management program, may not be achievable in your first six months or even year; however, you’re guaranteed to learn a ton about your infrastructure, institutional practices, and user behavior. And you’ll improve your capability to discover and track assets, as well as build an effective tool set.
I’m sold! How do I start?
As it turns out, you already have many of the tools required to perform an asset inventory. Vulnerability scanners are the obvious one, but don’t forget about netflows generated natively by your switching and routing infrastructure, and data from your endpoint protection software. There are also non-technical sources: don’t underestimate the value of relationships with procurement and finance to uncover purchases of equipment, applications, and cloud services.
At some point you’re going to have to tie all these mechanisms together, and that will almost certainly require some open source help and scripting or development resources. Many off-the-shelf asset inventory packages focus on hard assets, provide too much configuration complexity, or are prohibitively expensive for the relatively limited task we’re talking about. Pick your database technology, the programming language to act as the glue, and start sucking in the data, merging, de-duplicating, enriching, and whatever else you aspire to.
Okay, I have a big list of stuff. Now what?
Don’t forget that it’s not just about creating a big ‘ol repository of data—the output product is as important as the input. Who are your customers and what data and format do they want? Do they have tools that require an XML extract? Can they perform queries or do they need you to push the data? Will it just be a management report with pretty charts?
I hope I’ve made the case that an asset inventory is fundamental to a high functioning security program and can be a labor of love; it’s more than a project, and can be a career in itself. I’ve only scratched the surface in this post, so attend my session, Victory in 100 Battles:
How to Perform a Successful Asset Inventory, at InfoSec World 2017, for what I promise will be a fascinating, entertaining, and interactive session. And if you’re not attending InfoSec World 2017, this session is the reason you should (although there are many other great ones, but this one is the best).
About the author: Chris Poulin is an engineer and entrepreneur who built and ran a nationally respected information security consulting firm which provided services from Fortune 500 companies to small-and-medium business. With 25 years in information technology and security, Poulin has successfully managed hundreds of projects in practically all industries, bringing a balance of technical skills and management experience, as well as unique experience from his time in the Department of Defense intelligence community.
