On October 3, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01: Improving Asset Visibility and Vulnerability Detection on Federal Networks. The directive requires that federal civilian executive branch (FCEB) departments and agencies perform automated discovery every 7 days and identify and report potential vulnerabilities every 14 days. Additionally, it requires the ability to initiate on-demand asset discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.

To meet these requirements, agencies will need to start with an accurate asset inventory. Most agencies will attempt to leverage existing solutions, like their vulnerability scanners, to build their asset inventories. It seems reasonable to do so, since most vulnerability scanners have built-in discovery capabilities and can build asset inventories. However, they will quickly learn that vulnerability scanners are not up for the task and cannot help them sufficiently and effectively meet the requirements laid out by CISA.

Let’s take a look at why agencies need a solution solely focused on asset inventory, in addition to their vulnerability scanner, if they want to tackle CISA BOD 23-01.

Asset inventory is a foundational building block

Every effective security and IT program starts with a solid asset inventory. CISA BOD 23-01 reinforces that imperative. Specifically, it states, “Asset discovery is a building block of operational visibility, and it is defined as an activity through which an organization identifies what network addressable IP-assets reside on their networks and identifies the associated IP addresses (hosts). Asset discovery is non-intrusive and usually does not require special logical access privileges.”

What does this mean? FCEB agencies looking to meet the requirements outlined by CISA BOD 23-01 must be able to discover managed and unmanaged devices connected to their networks. Internal and external internet-facing assets must be cataloged with full details and context. All within the timeframe outlined by CISA.

So now, the question is why vulnerability scanners can’t be used to meet the requirements laid out in the directive.

The challenges of asset inventory with vulnerability scanners

As the number of devices connecting to networks continues to grow exponentially, agencies need to stay on top of these devices; otherwise, they could provide potential footholds for attackers to exploit. However, common issues like shadow IT, rogue access, and oversight continue to make it difficult to keep up with unmanaged devices. BOD 23-01 highlights the importance of identifying unmanaged assets on the network. That’s why the need for a fully comprehensive asset inventory is the key to adequately addressing the directive.

So, why can’t vulnerability scanners deliver on asset inventory? Most vulnerability scanners combine discovery and assessment together, resulting in slower discovery times, delayed response to vulnerabilities, and limited asset details. As a result, most agencies are left wondering how they can do a better job building their asset inventories.

Combining discovery and assessment slows everything down

Vulnerability scanners typically combine asset discovery and assessment into one step. While on the surface, this appears to be efficient, it is actually quite the opposite. In regards to asset discovery, CISA BOD 23-01 specifically requires that FCEB agencies perform automated discovery every 7 days and identify and initiate on-demand discovery to identify specific assets or subsets of vulnerabilities within 72 hours of receiving a request from CISA.

Because vulnerability scanners leverage a lot of time-consuming checks, they’re not able to scan networks quickly enough. Add in the complexity of highly-segmented networks and maintenance windows, and it is nearly impossible to effectively utilize vulnerability scanners for discovery and meet the timing requirements outlined by CISA.

Under the new directive, assessing the potential impact of vulnerabilities becomes even more urgent. Agencies will need to perform on-demand discovery of assets that could be potentially impacted within 72 hours, if requested by CISA. When security news breaks, agencies need to respond as quickly as possible, but vulnerability scanners slow down the process. In a scenario like this, it would be more efficient to have a current asset inventory that agencies can search–without rescanning the network. This is particularly useful if agencies know there are specific assets they need to track down, they can query their existing asset inventory to identify them immediately.

For example, let’s say a new vulnerability is disclosed. Vendors will need some time to develop the vuln checks, and agencies will need to wait for the vuln checks to become available. Once they’ve been published, agencies can finally start rescanning their networks. Imagine waiting for the vuln check to be released, and then delaying the rescan due to scan windows. Without immediate insight into the potential impact of a vulnerability, agencies are playing the waiting game, instead of proactively being able to assess the risk.

How agencies can speed up discovery

So, what can agencies do? Let vulnerability scanners do what they do best: identify and report on vulnerabilities. Complement them with a dedicated solution that can automate and perform the discovery of assets within the timeframe set by the directive. In order to accomplish this, the asset inventory solution must be able to quickly and safely scan networks without a ton of overhead, be easy to deploy, and help security teams get ahead of new vulnerabilities.

Agencies need to have access to their full asset inventory, on-demand, so they can quickly zero in on any asset based on specific attributes. This information is invaluable for tracking down assets and investigating them, particularly when new zero-day vulnerabilities are uncovered. When the new zero-day is announced, agencies can find affected systems by searching across an existing asset inventory–without rescanning the network.

Meet CISA BOD 23-01 requirements with a dedicated asset inventory solution

It is increasingly evident that decoupling discovery and assessment is the most effective way to ensure that agencies have the data needed to accelerate vulnerability response and meet the requirements outlined in the directive. Because let’s face it: vulnerability scanners are really good at vulnerability enumeration–that’s what they’re designed to do. However, they really miss the mark when it comes to discovering assets and building comprehensive asset inventories. Because vulnerability scanners combine discovery and assessment, they aren’t able to scan entire networks quickly, and at times, they don’t fingerprint devices accurately.

As a result, many agencies are wondering how to meet the requirements outlined in CISA BOD 23-01 if they can’t depend on their vulnerability scanner for discovery. Agencies will need to start looking for a standalone asset inventory solution that is capable of performing unauthenticated, active discovery, while also enriching data from existing vulnerability management solutions.

How runZero can help a
gencies focus on asset discovery

runZero separates the discovery process from the vulnerability assessment stage, allowing agencies to perform discovery on-demand. Because runZero only performs discovery, it can deliver the data about assets and networks much faster than a vulnerability scanner. Customers have found that runZero performs scans about 10x faster than their vulnerability scanner, allowing them to:

• Get a more immediate day one response to new vulnerabilities.
• Gather as much information as possible about assets while waiting for vulnerability scan results.

That means, while waiting for vulnerability assessments to complete, agencies can already start digging into their asset inventory and identifying assets that may be impacted by a vulnerability. runZero regularly adds canned queries for assets impacted by newly disclosed vulnerabilities and highlights them via Rapid Response. Users can take advantage of these canned queries to instantly identify existing assets in the inventory that match specific identifiable attributes. For example, querying by hardware and device type can narrow down assets to a specific subset that may be affected by a vulnerability. All of the canned queries can be found in the Queries Library.

All in all, runZero is the only asset inventory solution that can truly help FCEB agencies stay on top of their ever-changing networks. By decoupling asset discovery from vulnerability assessment, agencies will gain visibility and efficiencies, while meeting the requirements set by CISA BOD 23-01.

What’s new with runZero 3.3?

• Extended visibility into Google Workspace
• Queries for Google Workspace users and groups
• Fingerprinting for Google assets
• Identification of OpenSSL services
• Improvements to the runZero Console

Extended visibility into Google Workspace

runZero 3.3 furthers the visibility into your Google ecosystem through a new integration with Google Workspace. runZero Professional+ users will be able to sync Google Workspace asset details from mobile devices, endpoints, and managed Chrome systems, while runZero Enterprise users will also be able to sync Users and Groups. Once the integrations are configured, users can view, search, analyze, export, and alert on attributes from both Google Workspace and Google Cloud Platform.

One of the key reasons to leverage the runZero integrations is to get better insight into the scope of your environment and completeness of coverage since MDM and IAM platforms can’t provide any insights into devices that haven’t been onboarded. To identify assets on your network that aren’t onboarded to Google Workspace, use the query source:runZero AND NOT source:googleworkspace. Conversely, use this query to find assets from Google Cloud Platform or Google Workspace that have not been scanned by runZero yet: (source:gcp OR source:googleworkspace) AND NOT source:runzero. These queries can help you keep pace with unmanaged and disconnected assets.

The integration also pulls in many Google Workspace attributes to give you comprehensive asset visibility. This could include attributes like when a device was last synced, whether a device has a password enabled or is encrypted, or whether it supports the use of a work profile. The Recent Users list in the asset details can also provide insight into device ownership and usage. You can filter for a specific user by using the @googleworkspace.mobile.email attribute for mobile devices or the @googleworkspace.chromeos.recentUsers attribute for ChromeOS devices. To find mobile devices that aren’t locked with a password try the query @googleworkspace.mobile.devicePasswordStatus:="Off", or use @googleworkspace.mobile.encryptionStatus:="Not Encrypted" to find ones without encryption enabled. The wildcard operator also lets you find results with a range of OS versions, such as using @googleworkspace.endpoint.osVersion:="MacOS 12.% to find Google Workspace assets running macOS Monterey.

runZero offers unmatched active network scanning, while also integrating with an ever-growing list of data sources so that you have a complete asset inventory at your fingertips. To get started, set up a connection to Google Workspace or Google Cloud Platform.

Queries for Google Workspace users and groups

runZero Enterprise users can leverage the new queries tailored for the Google Workspace integration to quickly find and alert on accounts that match particular parameters, in addition to being able to run searches in the Users and Groups inventories. Identify administrator accounts, suspended accounts, and accounts without MFA to improve IAM efforts and better protect your environment. These queries are included in the Query Library and can also be used to create alerts.

Run queries about Google Workspace users or create an alert rule to find assets of interest.

Fingerprinting for Google assets

runZero includes fingerprints for the metadata returned by the Google integrations, including Google Cloud Platform and Google Workspace. This will help provide the most accurate operating system and hardware data about the assets in your inventory.

In addition to Google fingerprints, runZero has also improved fingerprinting coverage of Microsoft 365 Defender assets and SNMP devices. Additional support was added or improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.

Identification of OpenSSL services

In preparation for the OpenSSL vulnerability announcement, runZero released remote, unauthenticated fingerprinting for OpenSSL 3 services, allowing our users to get ahead of the mitigation process prior to the vulnerability details becoming public. This capability has since expanded to detect even more TLS implementations and track the TLS stacks in use on each asset. runZero users can find OpenSSL endpoints using the query product:openssl, in the assets, services, and software inventories.

The server-side exposure only applies to services that process client certificates. runZero already performs checks for this, even though it is not a common configuration. To identify services running OpenSSL 3.0.x variants that may be vulnerable to exploitation, use the following query in the service inventory search: _service.product:"OpenSSL:OpenSSL:3" AND tls.requiresClientCertificate:"true".

Improvements to the runZero Console

The 3.3 release includes several changes to the user interface to improve the performance of the runZero console. The tables on the Explorers, Sites, Organizations, and Your team pages now perform and load faster. This will let users query and sort the results in tables more efficiently, getting to the answers they need faster.

The release also extends the availability of the All Organizations view. All users now have a view that will show them the results from all of the organizations that they have access to. The available permissions in that view reflect their per-organization permissions so that they can manage resources just like they would when viewing a single organization.

Release notes

The runZero 3.3 release includes a rollup of all the 3.2.x updates, which includes all of the following features, improvements, and updates.

New features

• runZero Professional and Enterprise customers can now sync assets from Google Workspace.
• runZero Enterprise customers can now sync users and groups from Google Workspace.
• The “All Organizations” view is now available to restricted users with a filtered scope.
• User interface tables were revamped for Organizations, Sites, Explorers, and Teams.
• Live validation is no longer required for Qualys VMDR and InsightVM credentials.
• Fingerprint updates.

Product improvements

• The subnet utilization report now supports filtering by site.
• CSV export of assets now includes the same hostname information as the inventory view.
• Up-to-date ARM64 builds of the standalone scanner are now available.
• The account API endpoint for creating organizations now accepts the argument types documented.
• Merging two assets now correctly updates the date of the newest MAC address for the resulting asset.
• Disabling all scan probes now disables the SNMP probe.
• Service Provider information is now displayed with a default domain before SSO settings are configured.
• Explorers are now ordered alphabetically on the scan configuration and connector configuration pages.
• runZero users logging in via SSO are now presented with the terms and conditions acceptance dialogue.
• A new tls.stack attribute that tracks the TLS software provider and version has been added for assets and services.
• A new canned query for OpenSSL 3.0.x with client certificate authentication has been added.
• The scanner now reports OpenSSL versions via TLS fingerprinting.
• The scanner now reports Tanium agent instances on the network.
• The scanner now reports additional detail for SSLv3 services.
• The search keywords has_os_eol and has_os_eol_extended are now supported on the Assets and Vulnerabilities inventory pages.
• The “last seen” link to the most recent scan details has been restored on the asset details page.

Performance improvements

• Improved performance when scanning from macOS hosts that have certain EDR solutions installed.
• Improved performance of Intune integration when importing a large number of users and devices.
• Scan task processing speed has been improved for SaaS and self-hosted customers.
• The baseline memory usage of Explorers has been reduced.
• Error handling of misconfigured fingerprints has been improved to reduce Explorer and scanner crashes.

Fingerprinting changes

• Improved fingerprinting coverage of Microsoft 365 Defender for Endpoints assets.
• Improved fingerprinting coverage of SNMP devices.
• Tanium agent detection now sets the edr.name attribute.
• Added fingerprinting of OpenSSL, GnuTLS, and Windows TLS stacks, including version when possible.
• Apple ecosystem OS fingerprint updates.
• Additional support added-or-improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.

Integration improvements

• The AWS integration now includes an option to delete AWS-only assets that were not seen in the most recent import.
• The Qualys integration now includes an option to import unscanned assets and is disabled by default.
• Processing speed for large Qualys imports has been improved.
• GCP credentials can now be configured to import assets from multiple projects.
• The error message indicating that an AWS integration credential has insufficient permissions has been improved.

Bug fixes

• A bug that could prevent the use of third-party credentials when using TLS thumbprints or the insecure connection option with a public URL has been resolved.
• A bug which sometimes prevented GCP imports from completing has been fixed.
• A bug in how Service Inventory searches were launched from the Asset details page had been resolved.
• A bug that could prevent TLS probes from completing has been resolved.
• A bug that could prevent updating site metrics has been resolved.
• A bug that could prevent the Intune integration from completing long-running tasks has been resolved.
• A bug that could prevent the GCP integration from returning all assets has been resolved.
• A bug that could result in a recurring integration running again before the previous task finished has been resolved.
• A bug that could prevent importing assets from Microsoft Intune has been resolved.
• A bug that could prevent importing assets from Microsoft 365 Defender has been resolved.
• A bug that could prevent importing assets from Microsoft 365 Defender has been resolved.
• A bug that could cause broken asset links has been resolved.
• A bug that could cause missing service data for services with conflicting virtual hosts has been resolved.
• A bug that could cause inaccurate user counts for imported directory groups has been resolved.
• A bug that affected tooltip display has been resolved.
• A bug that prevented “open in new tab” navigation using middle/right click has been resolved.
• A bug that could prevent Azure AD imports has been resolved.

What’s new with runZero 3.3?

• Extended visibility into Google Workspace
• Queries for Google Workspace users and groups
• Fingerprinting for Google assets
• Identification of OpenSSL services
• Improvements to the runZero Console

Extended visibility into Google Workspace
runZero 3.3 furthers the visibility into your Google ecosystem through a new integration with Google Workspace. runZero Professional+ users will be able to sync Google Workspace asset details from mobile devices, endpoints, and managed Chrome systems, while runZero Enterprise users will also be able to sync Users and Groups. Once the integrations are configured, users can view, search, analyze, export, and alert on attributes from both Google Workspace and Google Cloud Platform.

One of the key reasons to leverage the runZero integrations is to get better insight into the scope of your environment and completeness of coverage since MDM and IAM platforms can’t provide any insights into devices that haven’t been onboarded. To identify assets on your network that aren’t onboarded to Google Workspace, use the query source:runZero AND NOT source:googleworkspace. Conversely, use this query to find assets from Google Cloud Platform or Google Workspace that have not been scanned by runZero yet: (source:gcp OR source:googleworkspace) AND NOT source:runzero. These queries can help you keep pace with unmanaged and disconnected assets.

The integration also pulls in many Google Workspace attributes to give you comprehensive asset visibility. This could include attributes like when a device was last synced, whether a device has a password enabled or is encrypted, or whether it supports the use of a work profile. The Recent Users list in the asset details can also provide insight into device ownership and usage. You can filter for a specific user by using the @googleworkspace.mobile.email attribute for mobile devices or the @googleworkspace.chromeos.recentUsers attribute for ChromeOS devices. To find mobile devices that aren’t locked with a password try the query @googleworkspace.mobile.devicePasswordStatus:=”Off”, or use @googleworkspace.mobile.encryptionStatus:=”Not Encrypted” to find ones without encryption enabled. The wildcard operator also lets you find results with a range of OS versions, such as using @googleworkspace.endpoint.osVersion:=”MacOS 12.% to find Google Workspace assets running macOS Monterey.

runZero offers unmatched active network scanning, while also integrating with an ever-growing list of data sources so that you have a complete asset inventory at your fingertips. To get started, set up a connection to Google Workspace or Google Cloud Platform.

Queries for Google Workspace users and groups
runZero Enterprise users can leverage the new queries tailored for the Google Workspace integration to quickly find and alert on accounts that match particular parameters, in addition to being able to run searches in the Users and Groups inventories. Identify administrator accounts, suspended accounts, and accounts without MFA to improve IAM efforts and better protect your environment. These queries are included in the Query Library and can also be used to create alerts.

Run queries about Google Workspace users or create an alert rule to find assets of interest.

Fingerprinting for Google assets
runZero includes fingerprints for the metadata returned by the Google integrations, including Google Cloud Platform and Google Workspace. This will help provide the most accurate operating system and hardware data about the assets in your inventory.

In addition to Google fingerprints, runZero has also improved fingerprinting coverage of Microsoft 365 Defender assets and SNMP devices. Additional support was added or improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.

Identification of OpenSSL services
In preparation for the OpenSSL vulnerability announcement, runZero released remote, unauthenticated fingerprinting for OpenSSL 3 services, allowing our users to get ahead of the mitigation process prior to the vulnerability details becoming public. This capability has since expanded to detect even more TLS implementations and track the TLS stacks in use on each asset. runZero users can find OpenSSL endpoints using the query product:openssl, in the assets, services, and software inventories.

The server-side exposure only applies to services that process client certificates. runZero already performs checks for this, even though it is not a common configuration. To identify services running OpenSSL 3.0.x variants that may be vulnerable to exploitation, use the following query in the service inventory search: _service.product:”OpenSSL:OpenSSL:3″ AND tls.requiresClientCertificate:”true”.

Improvements to the runZero Console
The 3.3 release includes several changes to the user interface to improve the performance of the runZero console. The tables on the Explorers, Sites, Organizations, and Your team pages now perform and load faster. This will let users query and sort the results in tables more efficiently, getting to the answers they need faster.

The release also extends the availability of the All Organizations view. All users now have a view that will show them the results from all of the organizations that they have access to. The available permissions in that view reflect their per-organization permissions so that they can manage resources just like they would when viewing a single organization.

Release notes
The runZero 3.3 release includes a rollup of all the 3.2.x updates, which includes all of the following features, improvements, and updates.

New features

• runZero Professional and Enterprise customers can now sync assets from Google Workspace.
• runZero Enterprise customers can now sync users and groups from Google Workspace.
• The “All Organizations” view is now available to restricted users with a filtered scope.
• User interface tables were revamped for Organizations,
• Sites, Explorers, and Teams.
• Live validation is no longer required for Qualys VMDR and InsightVM credentials.
  Fingerprint updates.

Product improvements

• The subnet utilization report now supports filtering by site.
• CSV export of assets now includes the same hostname information as the inventory view.
• Up-to-date ARM64 builds of the standalone scanner are now available.
• The account API endpoint for creating organizations now accepts the argument types documented.
• Merging two assets now correctly updates the date of the newest MAC address for the resulting asset.
• Disabling all scan probes now disables the SNMP probe.
  Service Provider information is now displayed with a default domain before SSO settings are configured.
• Explorers are now ordered alphabetically on the scan configuration and connector configuration pages.
• runZero users logging in via SSO are now presented with the terms and conditions acceptance dialogue.
• A new tls.stack attribute that tracks the TLS software provider and version has been added for assets and services.
• A new canned query for OpenSSL 3.0.x with client certificate authentication has been added.
• The scanner now reports OpenSSL versions via TLS fingerprinting.
  The scanner now reports Tanium agent instances on the network.
• The scanner now reports additional detail for SSLv3 services.
• The search keywords has_os_eol and has_os_eol_extended are now supported on the Assets and Vulnerabilities inventory pages.
• The “last seen
  ” link to the most recent scan details has been restored on the asset details page.

Performance improvements

• Improved performance when scanning from macOS hosts that have certain EDR solutions installed.
• Improved performance of Intune integration when importing a large number of users and devices.
• Scan task processing speed has been improved for SaaS and self-hosted customers.
• The baseline memory usage of Explorers has been reduced.
• Error handling of misconfigured fingerprints has been improved to reduce Explorer and scanner crashes.

Fingerprinting changes

• Improved fingerprinting coverage of Microsoft 365 Defender for Endpoints assets.
• Improved fingerprinting coverage of SNMP devices.
• Tanium agent detection now sets the edr.name attribute.
• Added fingerprinting of OpenSSL, GnuTLS, and Windows TLS stacks, including version when possible.
• Apple ecosystem OS fingerprint updates.
• Additional support added-or-improved for products by Apache, Aruba, Avaya, Axon, Cisco, CyberPower, Debian, Eaton, Epson, Fortinet, Fujifilm, Geist, Hikvision, Lexmark, Oracle, Sato, Sony, Vivi, and VMware.

Integration improvements

• The AWS integration now includes an option to delete AWS-only assets that were not seen in the most recent import.
• The Qualys integration now includes an option to import unscanned assets and is disabled by default.
• Processing speed for large Qualys imports has been improved.
• GCP credentials can now be configured to import assets from multiple projects.
• The error message indicating that an AWS integration credential has insufficient permissions has been improved.

Bug fixes

• A bug that could prevent the use of third-party credentials when using TLS thumbprints or the insecure connection option with a public URL has been resolved.
• A bug which sometimes prevented GCP imports from completing has been fixed.
• A bug in how Service Inventory searches were launched from the
• Asset details page had been resolved.
• A bug that could prevent TLS probes from completing has been resolved.
• A bug that could prevent updating site metrics has been resolved.
• A bug that could prevent the Intune integration from completing long-running tasks has been resolved.
• A bug that could prevent the GCP integration from returning all assets has been resolved.
• A bug that could result in a recurring integration running again before the previous task finished has been resolved.
• A bug that could prevent importing assets from Microsoft Intune has been resolved.
• A bug that could prevent importing assets from Microsoft 365 Defender has been resolved.
• A bug that could prevent importing assets from Microsoft 365 Defender has been resolved.
• A bug that could cause broken asset links has been resolved.
• A bug that could cause missing service data for services with conflicting virtual hosts has been resolved.
• A bug that could cause inaccurate user counts for imported directory groups has been resolved.
• A bug that affected tooltip display has been resolved.
• A bug that prevented “open in new tab” navigation using middle/right click has been resolved.
• A bug that could prevent Azure AD imports has been resolved.

Unmanaged devices are the Achilles heel of any asset inventory. Shadow IT, rogue, or orphaned devices are easy targets for the adversary to gain potential footholds onto the network.

The obvious question is: which discovery approaches are the most effective at finding unmanaged devices?

Why are unmanaged assets harder to find?

First, we need to examine why unmanaged devices are so difficult to find. Let’s break it down:

• Shadow IT devices: DevOps teams spin up machines but without central governance. Many discovery approaches need inputs to know where to look. So knowledge of these devices does not propagate to the rest of the organization.
• Rogue devices: As the name suggests, someone intended for these devices to remain under the radar and evade standard discovery techniques. Otherwise, they would only have remained rogue for a short time.
• Orphaned devices: Many discovery approaches require tuning or fresh inputs to keep the inventory current. Without caretakers to ensure the necessary calibration, orphaned devices become unmanaged assets that fall out of the asset inventory if they were ever there in the first place.

What has been tried and failed

So what are the traditional approaches to finding assets, and why do they fall short?

Endpoint agent (or just “agent”)

This approach requires installing software on every device which gathers excellent detail. This method only works with managed IT assets. After all, the device is known and probably managed if you can install software on it. So this approach does not address the bane of asset inventory–unmanaged assets.

Authenticated scans

This active scanning methodology uses one or more scanners to log into every device that responds within an IP range. Once logged in (typically via SSH or WMI), the scanner gathers excellent detail about the device. Similar to the previous method, the device is known and probably managed if you already know the credentials to get on it. So, once again, this approach only really works with managed IT assets.

Passive network monitor

This technique deploys one or more appliances on a network to eavesdrop on network traffic, including chatter from unmanaged assets. The setup requires sending network traffic to the appliance(s) by either reconfiguring one or more switches to span or inserting one or more taps into the network. Where in the network you make these changes matters. Eavesdropping at a network “choke point” is ideal since it ensures visibility into all traffic. For all the work involved, you, unfortunately, get little detail. Suppose an asset rarely talks on the network or is terse. In that case, there’s little data to work with, leading to imprecise or inaccurate fingerprinting. As more devices encrypt traffic, the fingerprinting accuracy gets worse.

API import

Solutions that generate asset inventories from API imports do not discover assets independently. They rely on the rest of the security and IT stack to cobble together an inventory. Completeness and accuracy depend on data quality from those sources. API import solutions will miss unmanaged assets and produce vague fingerprinting.

Unauthenticated scans

This final approach uses one or more scanners to actively scan for information from every device within an IP range. Unlike authenticated scans, these scanners do not attempt to log in to machines. Unauthenticated scans can discover unmanaged assets, even without prior knowledge. Since it’s an active scan rather than a passive monitor, it can interrogate the devices to gather much more information for accurate fingerprinting. The one shortcoming of this approach lies with sensitive devices. These assets tend to be older or low-powered, often found in operational technology (OT) environments, and may be disrupted by aggressive scanning.

New reasons for an old problem

So which approach works best for unmanaged assets? First, it’s worthwhile to understand how this state of asset inventory came to be. There was a time when security just needed to protect the corporate office. Over the past 20 years, the following trends started or magnified, leading to a divergence of environments. In some cases, these environments teem with unmanaged assets. Others permit the deployment of unmanaged assets. Still, others allow assets to become unmanaged more easily.

• More IoT devices: Network-enabled cameras and smart speakers are recent phenomena.
• Convergence of IT and OT: OT networks have been overlaid onto IP networks to improve manageability and, in many cases, come under the purview of IT.
• Move to the cloud: Many organizations see the cloud as a transformational journey to lower cost and increase speed & agility.
• Rise of DevOps: Software development and operations teams have adopted a methodology of shared ownership, automation-at-scale, and rapid feedback resulting in dynamic attack surfaces, particularly in the cloud. Unfortunately, there isn’t always governance in this area.
• More M&As: Each year in the 2010s, there were more than 2x the large M&As than each year in the 2000s.¹ When you take on a new company, you take on all its unknowns and risks too.
• Work from home: Pressures around talent shortage gave rise to a growing WFH trend that compounded due to the pandemic.

Against this backdrop of divergence of environments, there has been a convergence of responsibilities onto security teams. During this same time, organizations have improved their security posture around managed IT assets in on-prem environments. Assets outside this scope have become more attractive targets.

What works

Given these challenges, let’s look at the approaches that will work the most effectively.

Start with unauthenticated scans

Unauthenticated scanning is the only possible starting point–inherent limitations in the other four disqualify them as options. If only we could use an unauthenticated active scanning approach that avoids disrupting sensitive devices.

Mix in a security research-based approach

The missing ingredient is to couple a well-designed scanner with a security research-based approach. Such a recipe conducts discovery from the perspective of the adversary, someone who actively avoids disrupting devices and leaving digital footprints during recon. The scanner must use properly-formatted packets, which ensures the best chance of “good” behavior from a device and allows tuning of scan parameters, including overall and per-host scan rate. Just as important, the scanner must fingerprint as it scans, adapting the scan behavior as it learns asset details.

Zero unmanaged assets

This unauthenticated scan and security research-based approach has proven practicable in thousands upon thousands of real-world networks distributed over various environments: IT, IoT, OT, cloud, and remote. St
art a runZero trial to see for yourself.