If the term “asset inventory” elicits involuntary yawns of boredom, you’re not looking at the problem from the right angle. You could make an entire career out of a true, living asset inventory. And it can be fun!
First off, let’s level set what we mean by an asset inventory. It’s not just a list of physical assets and their associated IP addresses. In fact, the IP address of a system isn’t enough to identify it definitively. An inventory needs to capture many operational and administrative properties of assets. Those include, but are not necessarily limited to:
An asset connects to a network and generates, processes, receives, and/or transmits data, in one combination or another. It authenticates users and enforces access control policies. It has a business purpose and is managed by a person or group role. All of these facets play into a larger infrastructure, and the properties are interdependent.
To that end, the purpose of an asset inventory is manifold, the fundamental reason being situational awareness.
When I ask clients or a room full of security practitioners during a presentation whether they’ve conducted an asset inventory, few medium- to large enterprises can attest to having completed one. This failure is due largely to analysis paralysis: How do I track all the mobile devices? What about the IoT? And shadow IT?
The answer is, just begin. Your asset inventory doesn’t have to be perfect from the start. It’s a journey and there’s much to learn. Your long-term goals, such as optimizing your identity and access management program, may not be achievable in your first six months or even year; however, you’re guaranteed to learn a ton about your infrastructure, institutional practices, and user behavior. And you’ll improve your capability to discover and track assets, as well as build an effective tool set.
As it turns out, you already have many of the tools required to perform an asset inventory. Vulnerability scanners are the obvious one, but don’t forget about netflows generated natively by your switching and routing infrastructure, and data from your endpoint protection software. There are also non-technical sources: don’t underestimate the value of relationships with procurement and finance to uncover purchases of equipment, applications, and cloud services.
At some point you’re going to have to tie all these mechanisms together, and that will almost certainly require some open source help and scripting or development resources. Many off-the-shelf asset inventory packages focus on hard assets, provide too much configuration complexity, or are prohibitively expensive for the relatively limited task we’re talking about. Pick your database technology, the programming language to act as the glue, and start sucking in the data, merging, de-duplicating, enriching, and whatever else you aspire to.
Don’t forget that it’s not just about creating a big ol’ repository of data—the output product is as important as the input. Who are your customers and what data and format do they want? Do they have tools that require an XML extract? Can they perform queries or do they need you to push the data? Will it just be a management report with pretty charts?
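To make the “glue” step and the output step concrete, here is an added example (not code from the post or its author) of the merge, de-duplicate, and enrich loop, followed by an XML extract for a downstream consumer. All source names, field layouts, and sample records are constructed for illustration; they are not any scanner’s, agent’s, or flow collector’s real export format. The point it shows is the one made earlier in the post: an IP address alone does not identify a system, so records are keyed on a MAC where one exists, then on hostname, and only as a last resort on IP, and an IP-only observation is linked to an existing asset only when exactly one asset claims that address.

```python
"""Merge asset observations from several sources into one de-duplicated inventory.

Added example; source names, field layouts and sample values are constructed
for illustration and are not any product's real export format.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample data: two sources carry a MAC (strong identifier), one knows
# only hostnames (procurement), and one knows only IPs (netflow).
SCANNER = [
    {"hostname": "web01", "ip": "10.0.1.10", "mac": "00:11:22:33:44:01", "os": "Ubuntu 20.04"},
    {"hostname": "lap-jdoe", "ip": "10.0.2.50", "mac": "00:11:22:33:44:02", "os": "Windows 10"},
]
ENDPOINT_AGENT = [  # the laptop got a new DHCP lease; its old IP now belongs to another laptop
    {"hostname": "LAP-JDOE", "ip": "10.0.2.77", "mac": "00:11:22:33:44:02", "user": "jdoe"},
    {"hostname": "lap-asmith", "ip": "10.0.2.50", "mac": "00:11:22:33:44:03", "user": "asmith"},
]
PROCUREMENT = [
    {"hostname": "web01", "owner": "web-platform-team", "purpose": "public website"},
    {"hostname": "lap-jdoe", "owner": "jdoe", "purpose": "employee laptop"},
]
NETFLOW = [
    {"ip": "10.0.1.10"},   # claimed by exactly one known asset: safe to link
    {"ip": "10.0.2.50"},   # claimed by two assets: ambiguous, must not be merged
    {"ip": "10.0.3.200"},  # never reported by any managed source: unknown device
]


@dataclass
class Asset:
    key: str                          # stable identity: MAC, else hostname, else IP
    hostnames: set[str] = field(default_factory=set)
    ips: set[str] = field(default_factory=set)
    sources: set[str] = field(default_factory=set)
    attrs: dict[str, str] = field(default_factory=dict)


def identity_key(rec: dict) -> str:
    """Prefer identifiers that survive DHCP churn; use the IP only as a last resort."""
    if rec.get("mac"):
        return "mac:" + rec["mac"].lower()
    if rec.get("hostname"):
        return "host:" + rec["hostname"].lower()
    return "ip:" + rec["ip"]


def resolve_key(rec: dict, inventory: dict[str, Asset]) -> tuple[str, str]:
    """Return (asset key, note); the note is non-empty when the record could not be linked."""
    key = identity_key(rec)
    if key.startswith("mac:"):
        return key, ""
    if key.startswith("host:"):
        name = rec["hostname"].lower()
        matches = [a.key for a in inventory.values() if name in a.hostnames]
    else:
        matches = [a.key for a in inventory.values() if rec["ip"] in a.ips]
    if len(matches) == 1:
        return matches[0], ""
    return key, "ambiguous identifier" if matches else "not matched to any known asset"


def merge(sources: list[tuple[str, list[dict]]]) -> dict[str, Asset]:
    """Fold records into the inventory; list strongly identified sources first."""
    inventory: dict[str, Asset] = {}
    for source, records in sources:
        for rec in records:
            key, note = resolve_key(rec, inventory)
            asset = inventory.setdefault(key, Asset(key))
            asset.sources.add(source)
            if note:
                asset.attrs["note"] = note
            if rec.get("hostname"):
                asset.hostnames.add(rec["hostname"].lower())
            if rec.get("ip"):
                asset.ips.add(rec["ip"])
            for attr in ("os", "user", "owner", "purpose"):  # enrichment fields
                if attr in rec:
                    asset.attrs[attr] = rec[attr]
    return inventory


def unlinked(inventory: dict[str, Asset]) -> dict[str, str]:
    """Assets that could not be tied to a managed record: the shadow-IT follow-up list."""
    return {a.key: a.attrs["note"] for a in inventory.values() if "note" in a.attrs}


def to_xml(inventory: dict[str, Asset]) -> str:
    """Output product for a consumer that wants an XML extract."""
    root = ET.Element("assets")
    for asset in sorted(inventory.values(), key=lambda a: a.key):
        node = ET.SubElement(root, "asset", key=asset.key, sources=",".join(sorted(asset.sources)))
        for ip in sorted(asset.ips):
            ET.SubElement(node, "ip").text = ip
        for name in sorted(asset.hostnames):
            ET.SubElement(node, "hostname").text = name
        for k, v in sorted(asset.attrs.items()):
            ET.SubElement(node, k).text = v
    return ET.tostring(root, encoding="unicode")


def build_inventory() -> dict[str, Asset]:
    return merge([("scanner", SCANNER), ("endpoint", ENDPOINT_AGENT),
                  ("procurement", PROCUREMENT), ("netflow", NETFLOW)])


if __name__ == "__main__":
    inv = build_inventory()
    for a in inv.values():
        print(a.key, sorted(a.ips), sorted(a.sources), a.attrs)
    print("unlinked:", unlinked(inv))
    print(to_xml(inv))
```

Run it and the two laptop records that share 10.0.2.50 stay separate assets, the renamed LAP-JDOE agent record folds into the scanner’s lap-jdoe record by MAC, the procurement owner lands on the right asset by hostname, and the flow from 10.0.3.200 becomes its own unlinked entry for someone to chase. The order of the source list matters: feed the sources with strong identifiers first so that weaker records have something to match against.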
I hope I’ve made the case that an asset inventory is fundamental to a high-functioning security program and can be a labor of love; it’s more than a project, and can be a career in itself. I’ve only scratched the surface in this post, so attend my session, Victory in 100 Battles: How to Perform a Successful Asset Inventory, at InfoSec World 2017, for what I promise will be a fascinating, entertaining, and interactive session. And if you’re not attending InfoSec World 2017, this session is the reason you should (there are many other great ones, but this one is the best).
About the author: Chris Poulin is an engineer and entrepreneur who built and ran a nationally respected information security consulting firm that provided services to organizations ranging from Fortune 500 companies to small and medium businesses. With 25 years in information technology and security, Poulin has successfully managed hundreds of projects in practically all industries, bringing a balance of technical skills and management experience, as well as unique experience from his time in the Department of Defense intelligence community.