Cybersecurity Asset Management

Time’s role in asset inventory

A critical element when it comes to your asset inventory? Time. 

Take virtual machines and containers, for example. These are spun up and deprecated all the time, and depending on when you check, the counts will differ.  

The same goes for ephemeral devices — or devices that hop on and off the network. Depending on which data sources you use to track these devices, you’ll end up with different answers.   

Even the very characteristics of laptops and servers are constantly changing. This means getting accurate inventory characteristics for these devices requires collecting information from them continuously.  

Simply put, the rate of change of your asset inventory is very fast. This includes the: 

  • Device count 
  • Device characteristics 
  • Conditions you care to track 

How Time Impacts Asset Inventory 

From how and what is collected, to the questions you ask and the answers you receive, the impact of time can be found all across your inventory.   

Take a simple question like, ‘When was a particular device last seen?’. The answer depends on the data source you ask. A device may have: 

  • Been scanned for vulnerabilities two weeks ago 
  • Been authenticated to the domain controller five days ago 
  • Had the EDR agent check into its management console yesterday 
  • Been seen chatting through the firewall two hours ago 

The only way to do the comparative analysis that finds conditions like active devices with broken security agents is to track the last seen values across an aggregate of data sources.

Why Your Asset Inventory’s Trustworthiness is Time-dependent  

Deconflicting a common field of data across multiple data sources for a single device is often dependent on time.  

Take the last used user of the device, for instance. The true value depends on when each agent on the device last checked in and reported an answer to its data source. The agent that provided the most recent answer is likely to be the most trusted source.
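As an added illustration (not Axonius code), the Python sketch below covers both points above: it tracks last seen per data source to find active devices whose security agent has gone quiet, and it resolves the last used user by taking the most recent answer. The source names, device names, record layout, and thresholds are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: (device, source, last_seen, last_used_user).
# Source names and layout are assumptions, not any product's schema.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)

def ago(**kw):
    return NOW - timedelta(**kw)

RECORDS = [
    ("lt-0142", "vuln_scanner", ago(weeks=2), None),
    ("lt-0142", "domain_controller", ago(days=5), "jsmith"),
    ("lt-0142", "edr", ago(days=1), "jsmith"),
    ("lt-0142", "firewall", ago(hours=2), None),
    ("srv-db07", "edr", ago(days=21), "svc_backup"),
    ("srv-db07", "domain_controller", ago(hours=6), "dba_admin"),
    ("srv-db07", "firewall", ago(minutes=30), None),
    ("vm-tmp93", "vuln_scanner", ago(days=40), None),
]

NETWORK_SOURCES = {"firewall", "domain_controller"}  # evidence the device is live
AGENT_SOURCES = {"edr"}                              # evidence the agent still reports

def correlate(records):
    """Fold per-source records into one view per device."""
    devices = {}
    for device, source, seen, user in records:
        d = devices.setdefault(device, {"last_seen": {}, "user": (None, None, None)})
        prev = d["last_seen"].get(source)
        if prev is None or seen > prev:
            d["last_seen"][source] = seen  # newest timestamp per source
        # Deconflict the shared field: the most recent answer wins.
        if user is not None and (d["user"][1] is None or seen > d["user"][1]):
            d["user"] = (user, seen, source)
    return devices

def active_with_stale_agent(devices, now, active_within, agent_max_age):
    """Devices seen on the network recently whose agent is missing or stale."""
    flagged = []
    for name, d in sorted(devices.items()):
        net = [t for s, t in d["last_seen"].items() if s in NETWORK_SOURCES]
        agent = [t for s, t in d["last_seen"].items() if s in AGENT_SOURCES]
        is_active = bool(net) and now - max(net) <= active_within
        agent_ok = bool(agent) and now - max(agent) <= agent_max_age
        if is_active and not agent_ok:
            flagged.append(name)
    return flagged
```

With a one-day activity window and a seven-day agent threshold, only `srv-db07` is flagged: the firewall saw it 30 minutes ago, but its EDR agent last checked in 21 days ago. A single "last seen" value taken from any one source would hide that gap.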

What about device characteristics like installed software and vulnerabilities? Installed software and the vulnerabilities on a machine are highly dependent on: 

  • The data sources  
  • When those data sources were last updated  

The vulnerability scan data for a device from four weeks ago will obviously be different from one today. Similarly, endpoint management agents on the device are likely to provide more frequent updates about the device conditions. 

The first seen, first fetch, last seen, and last fetch times for each data source are all impactful factors for how many assets you have in the inventory right now.

Time also plays a big part in how an inventory might be used. Take the SOC team triaging thousands of alerts daily, for instance. They need inventory that’s complete, near real-time, up-to-date, and contains the utmost context. 

Incident responders often need to query the inventory for device characteristics and conditions that existed in the past. A time-based inventory is also crucial for tracking and trending the progress of your patch and vulnerability management efforts. The same goes for migrations of EDR, EPP, MDM, DLP, and UEM software from one vendor to the next.   


By Patrick Kelley 

Axonius is the cybersecurity asset management platform that correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving security and IT teams the confidence to control complexity.
