What is IT Asset Inventory?

Asset inventory management means very different things depending on if you are on an IT or cybersecurity team. Understanding the differences will help you realize why cybersecurity teams need their own kind of inventory management – and why it’s critical to ensure asset management is performed in real-time.

What is IT asset inventory?

An IT team maintains an asset inventory to ensure they provide an organization with the IT resources they need in an efficient, cost-effective manner. The asset data stored in this inventory includes location, users, maintenance and support, documentation, performance, licenses, compliance, cost, lifecycle stage and more. IT assets can include:

• Hardware – servers, laptops, smartphones, printers, etc.
• Software inventory – software, software as a service (SaaS), clouds, etc.

While there will be overlap between this type of inventory and that held by security teams, the focus of an audit for security purposes should prioritize an asset inventory of everything internet-facing connected to their organization that could have exposures and risks for attack. This includes hardware, software, devices, data, cloud environments, IoT devices and Industrial Internet of Things (IIoT). That means anything, anywhere in the world, whether on-premises, in the cloud, or co-located.

Why is IT asset inventory important?

There’s a simple way to explain why this is important: SecOps teams need to find and correct vulnerabilities before adversaries find them. Finding these vulnerabilities fully and quickly is challenging in itself. Threats are multiplying and evolving, and modern attack surfaces are sprawling, complex, and growing. Many assets are outdated or configured improperly, and employees accidentally create shadow IT. Additionally, assets belonging to a third-party vendor could connect back and pose a threat to your organization. The issues are endless.

Even just the assumption that an organization knows all of the assets it has is dangerous. On average Cortex® Xpanse™ customers discover 35% more assets than they were tracking. Research from ESG showed just 28% of organizations thought their asset management processes had an inventory more than 75% complete.

Why does asset management need to change?

Asset management has traditionally been based on a manual inventory and created as a point-in-time audit performed monthly or quarterly. However, this comes with some major drawbacks: It is time-consuming and effort-intensive, but to make things worse, all of that effort creates an inventory that is inherently error-filled and quickly out-of-date.

This is especially dangerous because the inventory used by security teams will inform how accurate other processes are. Vulnerability scanners or antivirus/antimalware scanners only scan assets in inventory, so unknown assets mean unfound risks and exposures. Additionally, red teams will have scoping issues because any penetration test or other red team activity requires a single source of truth for all assets.

Modern attack surfaces constantly change and grow more complex by the day, so it is inherently risky to be working from an out-of-date or incomplete asset inventory. This brings up a crucial dilemma. How can you protect something that you don’t even know exists?

How should asset management be performed?

Taking into account the challenges of a modern attack surface, it becomes clear that the keys to asset tracking and maintaining a comprehensive inventory is ensuring continuous discovery and monitoring of all internet-connected assets, whether they are hardware or software, on premise or in the cloud. This asset management approach will provide a single source of truth of assets, regardless of where they are located or if they belong to a partner or vendor.

Security teams should also consider that not all attack surface management (ASM) or asset management software is created the same. A quality ASM solution should help ensure your organization is in compliance. It should also reduce costs by helping to prevent attacks, and should make SecOps more efficient by reducing human effort in finding and mitigating attack surface risks.

An ASM solution should be able to discover exposures, provide the necessary context data to inform who owns the asset and who is responsible for remediating any issues. Even better, those alerts and data should be easily transferred to a security orchestration automation and response (SOAR) tool to automate remediation efforts.

In order to be sure an inventory is complete, asset scans should be performed from the outside in. This perspective is important both because it finds all assets and doesn't rely on other asset management tools or software to provide data, but also because this is the perspective an adversary has of your attack surface.

Threat actors can automate scans of the internet to find vulnerable assets in under an hour. Security teams should manage inventory in a way that matches or exceeds that speed. Modern attack surface management can be that efficient and effective, allowing SecOps to discover, evaluate and mitigate attack surface risks – including those in the cloud and environments belonging to suppliers and merged/acquired companies. ASM also offers risk prioritization, allowing teams to focus on the most critical risks.

Why defenders need asset inventory

A complete and up-to-date asset inventory is crucial for another reason. Adversaries are constantly hunting for a way in – they even have it automated. And they do it fast. They scan the entire internet for vulnerable systems in less than an hour.

Attackers also take advantage of announcements of Common Vulnerabilities and Exposures (CVEs). Once a CVE is announced, they’ll normally search for that vulnerability within 15 to 60 minutes – sometimes even sooner. On March 2, 2021, Microsoft announced vulnerabilities in Microsoft Exchange Server and Outlook Web Access (OWA). Threat actors started scanning for these vulnerabilities within five minutes.

How to manage asset inventory with Cortex Xpanse

Xpanse continuously scans the entire internet to provide a comprehensive asset inventory, helping SecOps to discover unknown assets and monitor and evaluate all attack surface risks.

Exposures found with Cortex Xpanse include:

• Remote Access Services (e.g., RDP).
• Insecure file sharing/exchanging services (e.g., SMB, NetBIOS).
• Unpatched systems vulnerable to public exploit and end-of-life (EOL) systems.
• IT admin system portals.
• Sensitive business operation applications (e.g., Jenkins, Grafana, Tableau).
• Unencrypted logins and text protocols (e.g., Telnet SMTP, FTP).
• Directly exposed Internet of Things (IoT) devices.
• Weak and insecure/deprecated cryptography.
• Exposed development infrastructure.
• Insecure or abandoned marketing portals.
• Assets running software versions with critical CVE disclosures.

Xpanse has other additional features that other ASMs lack. It can be configured according to company policies to reduce noise in alerts. It adds operationalization via integrations and two-way APIs, and it collects both internal and external data to better understand assets. It also rapidly builds new fingerprints/policies according to today’s events in the news.

Plus, Xpanse integrates with tools like Cortex XSOAR to automate handling of alerts. This ensures organizations are building processes that increase resiliency and make future handling of risks and exposures easier.

We suggest further research into asset inventory and ASM. Here are some resources to get you started.

• Cyberattacks Target Unknown Threats
• Secure Your Known and Unknown Cloud Assets
• Additional Xpanse and ASM Content