Maintaining an accurate, up-to-date inventory of devices inside a corporate network has been a longstanding challenge for security and IT teams. The rapid adoption of work-from-home policies, VPN, and IoT are making it even harder.
This post will explore why device inventory is more critical than ever for security, why the current status quo is insufficient, and will offer a new approach to meeting requirements (like the CIS Top 20 Control Number One!) for a complete inventory of devices in your environment.
Why Is Device Inventory So Important?
If a new device successfully connects to an enterprise's corporate network without the appropriate security measures in place, such as endpoint agents, antivirus software, and logging configuration, it creates a hole in the enterprise's security.
The first thing an adversary tries to do when attacking a network is gain control of a device or credentials within the target environment. From there, they can conduct further reconnaissance and move laterally to find valuable data to export or hold for ransom. Unmanaged devices are ripe for exploitation by even relatively unsophisticated attackers.
Having an up-to-date inventory of devices also means that when new vulnerabilities are disclosed, security teams can more easily find out which devices in their environment need to be patched. Without that, old devices that were formerly considered secure may become attractive targets for attackers exploiting newly released information about application or operating system vulnerabilities.
There are many high-profile examples of data breaches that involve the exploitation of an unmanaged, undiscovered device that was introduced to the environment by employees with no malicious intent. One of the world's top space agencies had crucial mission data exfiltrated thanks to a Raspberry Pi that had been introduced to the environment without proper security precautions.
Current Device Inventory Approaches Aren't Timely or Thorough Enough
Timeliness, thoroughness, and management burden are the three biggest challenges to current device inventory approaches. The SANS SOC Survey in 2019 indicated that even the most mature security organizations only have an 80 percent accurate inventory at any given time. Less mature organizations fare much worse. It isn't like they aren't trying, but the effort required to achieve 100% coverage using the current status quo is prohibitive.
The Downfall of Agent-Based and Point-in-Time Agentless Scanning Approaches
Current approaches to device inventory use a handful of mechanisms to create and maintain a list of what hardware exists in the environment, but they fall into two big categories: agent-based and agentless.
Agent-based device inventory requires each device being inventoried to have agent software installed. The agent software then periodically reports information about the device back to a central repository. Agentless approaches typically run periodic scans of the environment, polling the TCP/IP network to find devices that are connected.
In some cases, agentless network scanning approaches are used to discover devices that then have the agent installed. Data gathered this way may also be forwarded to a configuration management database (CMDB) product.
The unfortunate truth about these status-quo approaches is that they still leave blind spots. In the case of agent-based inventory, the security team has to know that a new device is going to connect. That's not realistic in the age of bring-your-own-device and work-from-home policies.
The amount of friction introduced if every single employee-owned device had to have agent software installed before connecting would exact a huge penalty on employee productivity. On top of that, both agent-based and agentless device inventory approaches can cause undue latency since they use compute resources on each device, and consume network bandwidth while transferring that data to the central repository.
In the case of agentless scans, the inventory is only relevant for a brief period of time. Modern enterprise networks are large and dynamic. New devices come online and go offline and are dynamically reassigned IP addresses all the time, and that's to say nothing of the cloud!
Even if you're running scans every three days (the default cadence for one popular scanning tool), that leaves a massive time window for attackers to get in, move laterally, and get back out without being caught up in the next scan.
How To Eliminate Blind Spots & Achieve 100% Device Inventory Coverage
Passively monitoring network traffic and extracting details about connected devices is the best approach to maintaining a continuously updated, accurate device inventory without causing performance issues, and without an unsustainable management burden.
Network detection and response (NDR) products are relatively new, and are focused on detecting threats by covertly observing and deeply analyzing network traffic in real time, and using machine learning to precisely detect even stealthy threat behavior and hidden risks.
This passive analysis is also great at discovering and identifying devices! Every device that communicates across the network can be identified by observing its behavior. Furthermore, a ton of detail can be extracted, including operating system, applications in use, users who have accessed the device, and which other devices have communicated with the target device, both inside the environment and across the perimeter to the public internet.
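To make the passive approach concrete, here is an added illustration (not ExtraHop or Reveal(x) code) of how an inventory can be assembled purely from observed traffic metadata: each constructed record stands for what a sensor might extract from one packet or flow (MAC, IP, DHCP vendor class, authenticated user, destination). The internal address range and the "managed" MAC list are assumptions standing in for an enterprise's own address plan and CMDB export.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed observations, as a passive sensor might emit per packet or flow.
OBSERVATIONS = [
    {"ts": 100, "mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.5", "dhcp_vendor": "MSFT 5.0"},
    {"ts": 110, "mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.5", "dst": "10.0.0.9", "user": "alice"},
    {"ts": 120, "mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.7", "dhcp_vendor": "dhcpcd:Linux"},
    {"ts": 130, "mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.7", "dst": "203.0.113.10"},
    {"ts": 500, "mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.42", "dst": "10.0.0.7"},  # new DHCP lease
]
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed enterprise address space
MANAGED_MACS = {"aa:bb:cc:00:00:01"}           # assumed CMDB export: devices with an agent


@dataclass
class Device:
    mac: str
    first_seen: int
    last_seen: int = 0
    ips: set = field(default_factory=set)        # every IP seen, so reassignment is tracked
    os_hint: str = "unknown"                     # from DHCP vendor class, a passive OS clue
    users: set = field(default_factory=set)      # users observed authenticating from it
    internal_peers: set = field(default_factory=set)
    external_peers: set = field(default_factory=set)  # talked across the perimeter


def build_inventory(observations):
    """Fold passive observations into a MAC-keyed inventory, updated per record."""
    inventory = {}
    for o in observations:
        dev = inventory.setdefault(o["mac"], Device(mac=o["mac"], first_seen=o["ts"]))
        dev.last_seen = max(dev.last_seen, o["ts"])
        dev.ips.add(o["ip"])
        if "dhcp_vendor" in o:
            dev.os_hint = o["dhcp_vendor"]
        if "user" in o:
            dev.users.add(o["user"])
        if "dst" in o:
            dst = ip_address(o["dst"])
            if any(dst in net for net in INTERNAL_NETS):
                dev.internal_peers.add(o["dst"])
            else:
                dev.external_peers.add(o["dst"])
    return inventory


def unmanaged(inventory, managed=MANAGED_MACS):
    """Devices seen on the wire that have no agent according to the CMDB export."""
    return sorted(mac for mac in inventory if mac not in managed)
```

Because every record updates the inventory as it is seen, the IP change at ts 500 is recorded immediately rather than waiting for the next scheduled scan, and the Linux host that talks to an external address shows up as unmanaged without anyone having announced it.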
ExtraHop Reveal(x) NDR is capable of providing a continuous inventory of every device connected to the environment without needing agents installed and without causing latency on the network.
Here's a short two-minute video showing the detailed level of IT asset inventory that can be extracted from passive network observation alone.