The first step towards creating a more secure environment is knowing what needs to be protected. To develop an effective asset inventory security program, there are several principles to follow. Firstly, you need to determine the sources of your asset information. Once this is done, you can gather and combine the data into a single table using a unique ID. This table will serve as your asset list, which is a powerful tool for security. You don’t necessarily need expensive software to create an asset list; a few reports and a repeatable method to compile them will suffice. By following these principles, you can develop an asset inventory security program that will help protect your organization’s valuable assets.

Asset inventory security

• Why care about your assets?
  • You cannot protect what you cannot see.
  • If you do not know an asset exists, you cannot know it is secure.
• Why does it matter?
  • Rogue devices often have vulnerabilities and may not be part of the patch management process.
  • They are typically unmanaged, making it difficult to determine what access they have on your network.
  • If there was an incident involving these rogue devices, you may not be able to determine what happened.
  • You are likely not collecting any logs from these devices for your SEIM.
  • These are your soft underbelly; they are what attackers go after.
• How does it help in decreasing risk?
  • By identifying all assets and ensuring they are properly managed, you can decrease risk and increase security.
• Why do I care about these rogue devices?
  • If these bullet points sound familiar to you, you probably have high risk via unmanaged devices!

Step 1 – Active Directory Asset Inventory

Active Directory (AD) is a directory service developed by Microsoft that provides a centralized location for managing and authenticating users, computers, and other network resources within an organization. AD can also be used as an asset management data source, providing a wealth of information on the devices and users on the network. By integrating AD with an asset management system, an organization can gain visibility into the hardware and software assets on the network, as well as the users associated with those assets.

AD can be used to collect information such as computer names, operating systems, installed software, and user accounts, which can then be used to build a comprehensive asset inventory. AD can also be used to track the status of devices, including when they were last logged onto the network and whether they are currently online or offline. This information can be invaluable in identifying unauthorized devices or devices that are no longer in use.

Overall, using AD as an asset management data source can provide an organization with valuable insights into their network and assets, helping to improve security and streamline asset management processes.

1. Using powershell to get data from active directory
   • https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer?view=windowsserver2022-ps
   • This article has your get-adcomputer syntax, the properties you may want, or how you can use “*” to get all properties
   • You can have it search for specific naming conventions, OU locations etc.
   • You can use “*” to get all computer objects or all properties
2. After you get the properties you want. You need to pipe to a select-object
   • https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/select-object?view=powershell-7.2
   • This is important to understand, there is a link below that puts it all together, do not worry.
3. Now that your powershell gets the list you want, you need to export it. CSV is my example. If you plan on using Splunk or Excel later to merge, use CSV
   • all you have to do is add a pipe and an export command to any PowerShell to send the results to a csv
     •  | Export-CSV C:\ADcomputersAssetList.csv
   • This link goes to a vendor site that wants you to buy something. But it is almost exactly what you’d want to use. Just add properties you want or any additional switches.
     • https://www.netwrix.com/how_to_export_computer_list_from_ad.html
   • If you want to export other non csv things, this should help
     • https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/out-file?view=powershell-7.2
4. Now you have a csv or a file with the list of computer objects from your active directory. This free and you can totally just start with this list as your asset inventory. Below we will discuss how to combine with other data sources, but if your starting from 0, this list will often times have your critical assets you want to start with.

Step 2 – Azure AD Asset Inventory Security

Azure Active Directory (Azure AD) can be used to obtain an asset inventory list by providing a centralized location to manage user identities and devices. Azure AD can automatically discover and register devices that are joined to the organization’s network, including both Windows and non-Windows devices. It can also integrate with other Microsoft services, such as Intune, to provide additional device management capabilities. By leveraging Azure AD, organizations can gain visibility into all devices and software on their network, helping to ensure that their environment is secure and up-to-date.

How to make an asset inventory from Azure AD

1. Log into Azure AD and follow the guide below to get to your list of computers. There is a link at the top to download the csv
   • https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
2. You can add/remove columns, but if you want more flexibility, use PowerShell
   • https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureaddevice?view=azureadps-2.0
3. Like above, adjust your flags and export to CSV or file of your choice
4. Now you have a list of assets from Azure AD.

If you have also made a csv report of Active Directory objects AND you have this Azure AD report, many computers are the same. But are the attributes all the same? It might be valuable to combine the two with a unique ID and merge the data together. That way all data is in one place. If you only do that at this point, you’d have a really good start to your asset list!

Step 3 – How to make an asset list

EDR/AV Endpoint Security asset list

Endpoint security software is a powerful tool that can be used to generate data for an asset inventory list. By monitoring the devices on the network and collecting information such as device names, operating systems, installed software, and user accounts, endpoint security software can provide a comprehensive view of the hardware and software assets on the network.

To use endpoint security software for asset inventory purposes, it is important to first configure the software to collect the necessary data. This may involve configuring policies and settings to ensure that the software is collecting the right information and reporting it back to a centralized management console.

Once the software is properly configured, it can be used to generate an asset inventory list that provides a detailed view of the devices and software on the network. This list can be used to identify unauthorized devices, track device usage and status, and ensure that all devices are properly configured and meet security standards.

In addition to providing asset data, endpoint security software can also be used to enforce security policies and access controls. By leveraging the software’s capabilities to detect and prevent threats, organizations can ensure that their devices are protected from cyber attacks and that sensitive data is kept secure.

Overall, endpoint security software is a powerful tool that can be used to generate data for an asset inventory list, providing organizations with valuable insights into their network and assets. By leveraging this data, organizations can improve their security posture and better protect their critical assets.

Asset Inventory – Mobile devices

Gathering asset inventory information for mobile devices can be a complex and challenging process that requires a high degree of expertise and attention to detail. Mobile devices such as smartphones and tablets are becoming increasingly prevalent in the workplace, and it is essential for organizations to maintain a comprehensive asset inventory to ensure that all devices are properly secured and managed.

To gather asset inventory information for mobile devices, organizations must first identify the data sources that are available. This may include device management software, mobile device management (MDM) platforms, and other tools and technologies that are designed to manage and monitor mobile devices.

Once the data sources have been identified, organizations must determine how to collect and integrate the data into a centralized asset inventory system. This may involve configuring the data sources to report information such as device models, operating systems, and installed software, and then using this data to build a comprehensive inventory of mobile devices.

However, mobile devices can be particularly challenging to manage, as they often connect to a variety of networks and may be used by employees for both personal and work-related purposes. This can make it difficult to track and monitor devices, and to ensure that they are properly secured and managed.

Asset Inventory – Anything Else?

When it comes to generating an asset inventory list, open source scanning tools can be a powerful and cost-effective option. There are several tools available that can help organizations to scan their networks and identify all devices and software that are in use. Some of the most popular open source scanning tools include:

• Nmap: A powerful network mapping tool that can be used to identify all devices on a network, including their IP addresses, operating systems, and open ports. Nmap is a good choice for organizations that need to quickly identify all devices on their network.
• OpenVAS: A vulnerability scanning tool that can be used to identify security vulnerabilities in devices and software. OpenVAS is a good choice for organizations that need to identify and prioritize vulnerabilities in their assets.
• Snort: An intrusion detection system that can be used to identify and respond to network threats. Snort is a good choice for organizations that need to monitor their network traffic and identify potential security incidents.
• Wireshark: A network protocol analyzer that can be used to capture and analyze network traffic. Wireshark is a good choice for organizations that need to identify network performance issues and troubleshoot network problems.
• Nessus Home – Nessus Home is a free version of the popular Nessus vulnerability scanner that can be used to scan up to 16 IP addresses for vulnerabilities and generate an inventory list.
• Zenmap – Zenmap is a free, cross-platform network scanning tool that includes a graphical user interface and can be used to scan for open ports, running services, and potential vulnerabilities.

Each of these tools has its own strengths and weaknesses, and organizations should choose the tool that best meets their needs based on their specific requirements. However, by leveraging these open source scanning tools, organizations can improve their asset inventory process and better protect their critical assets.

Step 4 – Combine the asset data

#1 Using Microsoft Excel to create an asset list

If you’re looking to use Microsoft Office 365 (O365) for free, creating a Microsoft account is the first step in the process. To get started, simply follow these general instructions:

• Go to the Microsoft account sign-up page
• Enter your personal information, including your name, email address, and password
• Verify your email address by clicking on the link in the verification email that you receive
• Once your email is verified, you can access O365 for free by logging into your Microsoft account and navigating to the O365 portal

Now you will want to get your data into the sheets in Excel. Copy paste usually works fine. After your data is in Excel and in the different sheets you need to figure out what primary key you are going to use. Options for asset ID primary key below

• Hostname
• IPv4 Address
• IPv6 Address
• MAC Address
• Serial Number
  • NOTE: Depending on your data. You might have to nest the merging of the datasets. For example, merge a report of seral numbers together with a report with a MAC address so the two can be associated before merging with a larger report

Use this technique to combine the data into one sheet.

https://www.got-it.ai/solutions/excel-chat/excel-tutorial/lookup/join-tables-with-index-and-match

After the index match magic you are left with one sheet, one list of assets and all the attributes gathered from multiple sources.

#2 Using Splunk to make an asset list

Splunk has a free option you can use! So you could index up to 500mb a day of asset reports if you wanted to. But there is something even easier. Splunk csv lookups. There are endless methods with Splunk, but using splunk lookups for an asset list is a super easy way to get started.

• Splunk Free information
  • https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/MoreaboutSplunkFree
• Splunk Lookups
  • https://docs.splunk.com/Documentation/Splunk/9.0.1/Knowledge/Aboutlookupsandfieldactions
• Splunk Install – search for the latest install/download of Splunk enterprise. Install instructions below
  • https://www.splunk.com/en_us/resources/videos/installing-splunk-enterprise-on-windows.html

With Splunk installed, follow these steps to get your Splunk asset inventory started

1. On your Splunk computer, open the Splunk folder /etc/apps/search/lookups
2. Copy and paste all your different csv asset inventory reports you gathered from all of the systems into the lookups folder
3. Open Splunk search, type | inputlookup AssetReport-1-Filename.csv
4. Insert the filename of YOUR asset report, whatever you called it for the italicized
5. Then run the search, this should pull in all of the contents of the CSV file into your Splunk results

Follow these steps to combine multiple csv files in Splunk using a primary key value

1. To pull in all the data from from all the csv’s into your Splunk search first inputlookup your first file
   • | inputlookup AssetReport-1-Filename.csv
2. Then append the second csv, append=t means append=true
   • | inputlookup AssetReport-1-Filename.csv | inputlookup append=t AssetReport-2-Filename.csv
3. You can keep this going and add all of your csv’s
   • | inputlookup AssetReport-1-Filename.csv | inputlookup append=t AssetReport-2-Filename.csv |inputlookup append=t AssetReport-3-Filename.csv | inputlookup append=t AssetReport-4-Filename.csv
4. Use these techniques to rename and merge fields to make sure you have a primary key in each data set. This is important, this is the field we will be merging all of the data on
   • Renaming Splunk fields-
     • https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rename
   • Merging Splunk fields
     • https://splunkonbigdata.com/usage-of-splunk-eval-function-coalesce/
5. Now that we have a primary key in each data set in our search results. We will call ours IPaddress Time for stats… I mean magic
   • | inputlookup AssetReport-1-Filename.csv | inputlookup append=t AssetReport-2-Filename.csv |inputlookup append=t AssetReport-3-Filename.csv | inputlookup append=t AssetReport-4-Filename.csv | stats values(*) as * by IPaddress
   • This takes all the data from all the csv files and combines all the fields together into one row against the primary key used in the stats command. IP address info from multiple systems can now be merged and reviewed together in one row.
   • You might have to do some further filtering to clean up the data and define your table values. But it should be a merged list!

Step 5 – Asset Inventory Security Complete

In conclusion, creating an accurate and up-to-date asset inventory list is essential for maintaining a secure environment. By leveraging tools like active directory, endpoint security software, network/vulnerability scanning tools, and MDM solutions, organizations can effectively identify all devices and software on their network and monitor them for potential security incidents. These tools can help organizations to proactively manage their assets, identify vulnerabilities, and respond quickly to potential threats. While the process of creating and maintaining an asset inventory list may seem daunting, the benefits of doing so are well worth the effort. By staying on top of your asset inventory, you can improve your overall security posture and better protect your organization from cyber threats.

In addition to the aforementioned tools, organizations can also utilize Splunk lookups and Excel index match functions to combine data from different sources and create a comprehensive asset inventory list. Splunk lookups allow organizations to extract data from various sources, such as Active Directory or endpoint security software, and map it to a common identifier. This enables organizations to consolidate data from multiple sources into a single list. Similarly, Excel index match functions can be used to combine data from different Excel spreadsheets or CSV files. By using these techniques to combine data, organizations can create a more complete and accurate asset inventory list, making it easier to manage and monitor their devices and software.