Developing a mature endpoint-focused IT asset management program

Asset tagging

Once your organization has committed to a standard naming convention, you’ll need to consider how your users and IT will physically identify each system. While this may be less important for assets bolted into a network rack in a datacenter, you’ll want to make it easy to identify laptops and desktops, especially when you are buying hundreds or even thousands of identical systems. Here are some suggestions:

1. Use a label or sticker on each device assigned out to users.
2. Make the hostname easy to identify. This will be incredibly helpful to your IT help desk when users are calling in and need to identify the computer that needs technical support.
3. Consider using a barcode, QR code, or RFID that ties back to your central management solution.
4. Consider using a tool, such as BgInfo (see screenshot below), that overlays the hostname on the user’s desktop after logging in. This will help make it apparent to users as well as administrators using remote management tools, if applicable.

Asset tracking

You need a technical solution that keeps track of all of your assets. While some organizations capture more data points than others, there are some standard things that should be documented in every organization:

• Device make
• Device model
• Device OEM serial number
• Hostname and/or asset tag
• Assigned user
• Assigned user’s team & department
• Physical location of asset
• Status
• Purchase date
• Warranty expiration date for physical devices/subscription expiration date for cloud-hosted virtual devices

Optional details to enrich your asset tracking:

• MAC address(es)
• IP address(es) for endpoints with static or reserved IPs
• Internal ticket numbers associated with the endpoint
• Manufacturer service records associated with the endpoint
• Contact details for the assigned end user
• Decommission/recycling records
• Non-endpoint devices, such as firewalls, switches, WAPs, printers, docking stations, and other peripherals

Asset lifecycle management

Consider the lifecycle of a computer in an enterprise environment:

1. Procure the computer
2. Unbox and physically set up the machine
3. Image/onboard the computer with all appropriate software
4. Provide the computer to the end user
5. Normal end-user operations
6. Maintenance
7. Endpoint reimaged
8. Endpoint becomes a spare, without being assigned to a user
9. Reassignment to a new user
10. Asset is with IT ops and ready for decommissioning
11. Endpoint is recycled

If an organization keeps a laptop for five years, then that endpoint could easily be handed off to a dozen or so people. It’s important for an organization to keep records of every time an asset changes hands. For some organizations, this isn’t just best practice, but a regulatory requirement. ISO27001, FedRAMP, ITIL, and NIST SP 800-53 are a few examples of regulatory standards that require well documented change controls.

Policy and process

I’ve seen organizations successfully manage their IT asset inventory with inexpensive solutions and I’ve seen companies fail while paying for highly sophisticated SaaS products. To me, success is found in humans following a standard process. The tracking process and people behind a solution are more important than the platform used to carry it out. This mantra can be applied to a wide variety of technical processes in need of data consistency and accuracy. Here are some considerations when building a policy:

• Who is responsible for updating and maintaining the asset tracking system? Is it a person or a team?
• Are you applying the principle of least privilege when giving access to this system? The person(s) who can view it may get knowledge of sensitive information, such as terminations, issuance of new equipment, and reductions in force.
• How do employees inform the person or team in charge of this process that equipment has changed hands?
• Is there a need to periodically revalidate some or all of the asset database for accuracy and currency?
• Are there any regulatory requirements to report the status of asset tracking or any deficiencies that were identified?
• Where is the written procedural documentation located? Is it saved in a central location where it can be easily accessed by the employees who need to refer to it?
• How are physical endpoints recycled? What sort of coordination or collaboration is needed with your E-waste vendor? If your organization requires serialized certificates of destruction (COD) and proof of service (POS) for your hard drives, is this something that should be captured in your tracking system too?

The tracking process and people behind a solution are more important than the platform used to carry it out.

Collaboration between IT ops and security

How do security teams know when endpoints have been deployed or decommissioned? In many orgs, IT and security are segregated, with different sets of access and permissions. Security may only have access to EDR inventories, while IT has visibility into Active Directory and other network appliances. Here are some considerations:

• While IT ops may be responsible for managing the asset tracker, giving the security team permissions to view the IT asset inventory will allow security to run audits internally without as much IT involvement.
• Consider posture-checking solutions before devices are allowed access to corporate networks. You can enforce endpoints to have the company managed EDR agent installed before being granted access to a privileged network. This will reduce the number of unsecured assets that sit outside of the security team’s purview.
• The zero-trust security model suggests that users should authenticate to applications, not only networks. Posture checking can also be applied to applications and identities. Consider using solutions like Okta’s Device Assurance to ensure that devices are fully enrolled in all IT and security platforms before granting them access to sensitive systems. This will minimize the risk of unmonitored endpoint access to privileged data.
• Automate communications from the security team to IT ops when an endpoint is involved with an incident. If an endpoint is placed in quarantine and connections to the network are severed, it’s important to let IT know. The user may need a new computer issued immediately while the security team investigates threats on the user’s old system.

Asset management use cases within Red Canary

Although Red Canary is not an IT asset management solution, we have many features that help security professionals make sense of their inventory and automate common security tasks:

Auto-decommission endpoints that haven’t checked-in within a set amount of time

Customers who want to keep their Red Canary endpoint inventory clean may consider using an automation that will decommission endpoints that haven’t checked-in in a while. Administrators may want to consider setting different conditions for servers vs. workstations vs. endpoints that regularly come on/offline.

Use reporting tags on your critical assets

Many organizations want to make it easy for their security teams to identify and respond to critical assets. Red Canary customers can take advantage of the Reporting tags feature. Consider using these on tier 0 systems like domain controllers, Exchange servers, and key production servers. Reporting tags can be used as trigger conditions for Automate (Red Canary’s SOAR platform), filter criteria for inventory sorting, and display an identifier on threat timelines.

Alert when specific endpoints come online

If an endpoint involved with a threat or a larger security incident has gone offline, defenders will want to know when the endpoint comes back online so response actions can be taken. Consider how your organization would want to handle a stolen laptop; an automation trigger and playbook could be incredibly helpful to both IT ops and security teams.

Alert if critical asset has not checked-in

If the EDR sensor on a critical server has stopped checking in, organizations should be alerted right away so that they can troubleshoot. Defenders do not want to lose visibility on servers that are crucial to production. Use the following automation to get alerted when endpoints with a specific reporting tag haven’t checked-in in 24 hours.

Auto-inform IT teams when an endpoint they manage is involved with a security incident

When an endpoint is involved in a security incident, IT should be notified for several reasons. After security defenders isolate the endpoint and the system can no longer access the network, how does IT know to not waste their time troubleshooting it? How does IT ops (or whoever owns the IT asset inventory) get notified that the end user’s system requires replacement or re-imaging? Notifying IT system owners that their endpoints are impacted by security incidents is a must that can be automated via the Red Canary platform:

Conclusion

In conclusion, organizations should understand the critical role of a mature endpoint-focused IT asset management program. I want to emphasize the importance of comprehensive asset discovery, standardized naming conventions, effective tagging and tracking, and well-documented change controls. While organizations should acknowledge the value of technical solutions, it’s arguably more important to focus on the success that hinges on humans following standard processes. This standard process should define how IT ops and security teams collaborate. And don’t forget, Red Canary can be used to augment and aid security professionals in inventory management and security task automation.