The Inner Circle

Any suggestions on tools or techniques for building a device inventory?

The need for inventories is one of the trends in regulations, standards, and frameworks. How to build that inventory for devices is less mature than more traditional types of assets. It would be great to get everyone's opinion.

Thank you in advance.

------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------

Hi Alex,

tee you're right about this. Complicating this attempt to get awareness of inventory of digital devices is BYOD. As for tools, UEM or MDM or application containerization tools.

i think it's not just a tool thing, but also understanding what is valuable and important/critical to the company/organization. This knowledge of hardware/software assets,  where data resides, who's got access then you're able to target resource allocation to what reduces risk. I

I think these inventories is not just a list of assets but the deeper insight is what's your risk surface. I would guess these frameworks, standards, regulations is more than just a list.

i hope this helps you out.

Romeo  

------------------------------
Romeo Ayalin II
------------------------------

Original Message:
Sent: Nov 10, 2023 05:22:11 AM
From: Alex Sharpe
Subject: Asset Inventory for Devices

Any suggestions on tools or techniques for building a device inventory?

The need for inventories is one of the trends in regulations, standards, and frameworks. How to build that inventory for devices is less mature than more traditional types of assets. It would be great to get everyone's opinion.

Thank you in advance.

------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------

Getting simply a list of devices on the network, it is not a "huge" challenge, a lot of tools will be able to either scan the network, probe devices and based on the signature provide the list of devices connected. Other method less intrusive it will be by sniffing the traffic on core switches through port mirroring and based on traffic packet, MAC addresses, etc., creating list of devices on network. Neither one is 100% accurate but certainly it is possible to achieve a relatively high degree of accuracy assuming  that the profiles exist from tools end. Assumption is that the device is a network enabled and it is active during scanning. Where I personally find challenging is mapping of the location of such devices, it is good having an inventory at hand, but how to know where device abc is physically connected is another challenge. I am sure that few folks will point me to network tools such as CISCO DNAC which can map to a degree based on TelecomRoom, Switch-stack, switch port or AP, etc., but the assumption is that there is accurate such information and unfortunately, most often than not, it is not the case. 

P.s full disclosure, I am talking for a complex environment that has thousands of IPs and hundreds of different device types, IoT, etc.  

------------------------------
Skerdi Cerga
Chief Technology Officer
Trillium Health Partners
------------------------------

Original Message:
Sent: Nov 10, 2023 05:22:11 AM
From: Alex Sharpe
Subject: Asset Inventory for Devices

Any suggestions on tools or techniques for building a device inventory?

The need for inventories is one of the trends in regulations, standards, and frameworks. How to build that inventory for devices is less mature than more traditional types of assets. It would be great to get everyone's opinion.

Thank you in advance.

------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------

Good question. Some of our ZT workgroup vendor informational presentations (e.g. Gigamon, BYOS that were recorded and shared in the main ZT Circle group) featured network scanning capabilities to help assemble asset inventories.  Lately there's also been some buzz around AI-enabled tools being able to help with such tasks.

------------------------------
Erik Johnson CCSK, CCSP, CISSP, PMP
Senior Research Analyst
Cloud Security Alliance
[email protected]
------------------------------

Original Message:
Sent: Nov 10, 2023 05:22:11 AM
From: Alex Sharpe
Subject: Asset Inventory for Devices

Any suggestions on tools or techniques for building a device inventory?

The need for inventories is one of the trends in regulations, standards, and frameworks. How to build that inventory for devices is less mature than more traditional types of assets. It would be great to get everyone's opinion.

Thank you in advance.

------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------

The approach that I use both at my current and previous company stems from IT Asset Management tooling you might have in place for Software Asset Management (SAM). Might be worth seeing if you have some people internally who already have the data. 

------------------------------
Alastair Pooley
CIO
Snow Software
------------------------------

Original Message:
Sent: Nov 10, 2023 05:22:11 AM
From: Alex Sharpe
Subject: Asset Inventory for Devices

Any suggestions on tools or techniques for building a device inventory?

The need for inventories is one of the trends in regulations, standards, and frameworks. How to build that inventory for devices is less mature than more traditional types of assets. It would be great to get everyone's opinion.

Thank you in advance.

------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------

Alex - Would you mind expanding on that thought? 

> The need for inventories is one of the trends in regulations, standards, and frameworks

Why do you say this? 

> How to build that inventory for devices is less mature than more traditional types of assets

Can you differentiate or provide some examples of what you'd consider "traditional types of assets" versus "devices"? 

------------------------------
Vasu Nagendra
------------------------------

Original Message:
Sent: Nov 10, 2023 05:22:11 AM
From: Alex Sharpe
Subject: Asset Inventory for Devices

Any suggestions on tools or techniques for building a device inventory?

The need for inventories is one of the trends in regulations, standards, and frameworks. How to build that inventory for devices is less mature than more traditional types of assets. It would be great to get everyone's opinion.

Thank you in advance.

------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------