CSA CCM UEM-04
Endpoint Inventory

Maintaining an accurate and up-to-date inventory of all endpoints that store and access company data is a crucial security control. This includes not just traditional computers like desktops and laptops, but also mobile devices like smartphones and tablets. Having visibility into your complete endpoint fleet helps ensure appropriate security controls are consistently applied.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here. The CSA CCM provides a comprehensive set of cloud security controls mapped to industry standards. It's a great resource for any organization using cloud services. For more on managing endpoints, check out the AWS documentation on Systems Manager.

Who should care?

This is relevant for:

  • IT asset managers responsible for tracking hardware and software inventory
  • Security teams who need to ensure consistent controls across all devices
  • Compliance officers validating adherence to data protection standards

What is the risk?

Without a complete endpoint inventory, you face several risks:

  • Unmanaged devices connecting to company data without proper security controls
  • Inability to identify vulnerable devices in the event of a new threat or required patch
  • Lack of visibility if a device is lost or stolen with sensitive data
  • Challenges demonstrating compliance with regulations that require device tracking

While an inventory alone doesn't prevent issues, it's a foundational capability that enables effective endpoint security management.

What's the care factor?

For most organizations, this should be a high priority control to implement. Especially if you have a mobile workforce, BYOD policy, or deal with regulated data. The effort to create and maintain an endpoint inventory is relatively low compared to the security benefits it enables. Don't wait until after an incident to try to figure out what devices you have in the wild.

When is it relevant?

An endpoint inventory makes sense for nearly any organization, with a few exceptions:

  • Very small companies with just a handful of devices that rarely change
  • Fully virtualized environments where traditional endpoints don't apply
  • Extremely locked down "zero trust" approaches where device itself is irrelevant

But for the vast majority of typical enterprise environments, endpoint inventory should be standard practice. It becomes even more critical with remote workers, BYOD, and cloud adoption.

What are the trade offs?

The main cost is the time and effort to initially create the inventory and keep it updated. You'll need processes to track new devices, changes, and ones that get decommissioned. Some organizations see this as a burden, but it's really just a basic IT management best practice.

There can also be some end user friction in terms of installing agents, tagging devices, getting added to inventory systems, etc. But again, this is pretty minimal and can be worked into standard onboarding flows.

How to make it happen?

Here's a high-level process to implement endpoint inventory:

  1. Define scope - Determine which types of devices need to be inventoried. Include traditional endpoints (desktops, laptops, servers) but also mobile (smartphones, tablets), and IoT/OT where applicable.
  2. Select tools - You'll need an inventory management system. This could be part of enterprise tools like SCCM or JAMF. Many EDR security products also include inventory capabilities. Or you can use a dedicated product like Asset Panda or Snipe-IT.
  3. Deploy agents - For company-owned devices, install the inventory agent during initial provisioning. Use your standard software deployment tools and include it in images. For BYOD, require installation at enrollment and recheck periodically.
  4. Configure scanning - Setup a recurring scan schedule to detect new devices on the network. This could be a periodic Active Directory / LDAP sync, network scanner, Authenticated Scan, etc. Basically some way to catch rogue devices that don't have an agent.
  5. Tune & refine - The first full scan will likely surface some gaps, especially legacy and non-standard devices. Track those down, tag them, and get them under management. Look for opportunities to optimize and automate the inventory keeping process.
  6. Monitor & maintain - Review the inventory regularly to ensure accuracy. Validate as part of employee on/offboarding. Audit periodically. Make reviewing the endpoint inventory a standard part of your security team processes.

Specific implementation will vary based on your environment and tooling, but those are the key steps. The goal is a reliable, up-to-date inventory of all your endpoints.

What are some gotchas?

A few things to watch out for:

  • Agent compatibility - Make sure your inventory agent or scanner supports all the device types, OSes, and versions in your environment. Test thoroughly.
  • BYOD enrollment - Have a plan for how to handle employee-owned devices, both for initial enrollment and off-boarding. Balance security with privacy concerns.
  • Network segments - If you have segmented or air-gapped networks, you may need multiple inventory tools and processes to get full coverage. Don't forget cloud and virtualized infrastructure.
  • Ephemeral devices - Beware short-lived assets like containers that spin up and down frequently. You may need to track them differently than persistent VMs.
  • Permission issues - The agents or scanners will need sufficient permissions to collect device info. This usually means local admin rights on Windows and sudo on Linux. Work with IT to ensure least privilege.

What are the alternatives?

While an agent-based inventory is usually the most reliable, there are some other approaches that can supplement it:

  • Network scanning - Tools like nmap can help discover devices on the network, but can't provide as much detail as an agent
  • Passive traffic monitoring - Solutions like Cisco Stealthwatch can profile devices based on network telemetry, helpful for unmanaged assets
  • Cloud APIs - Most IaaS/PaaS providers have APIs you can use to pull the latest list of provisioned cloud assets
  • EDR integration - If you already have an endpoint detection and response platform, see if you can leverage it for basic inventory

The key is having some authoritative source of truth for your full endpoint fleet. How you assemble it is less important than ensuring it's complete and current.

Explore further

  • CIS Control 1: Inventory and Control of Enterprise Assets
  • CIS Control 2: Inventory and Control of Software Assets
  • CIS Control 16: Account Monitoring and Control
  • CSA CCM AIS-01 Application & Interface Security - Application Security
  • CSA CCM IVS-11 Infrastructure & Virtualization Security - Segmentation & Segregation
  • CSA CCM IVS-21 Infrastructure & Virtualization Security - Equipment Identification
  • CSA CCM IVS-22 Infrastructure & Virtualization Security - Equipment Maintenance
  • CSA CCM IVS-23 Infrastructure & Virtualization Security - Asset Inventory and Management
  • CSA CCM STA-01 Supply Chain Management, Transparency and Accountability - Data Quality and Integrity
  • CSA CCM TVM-08 Threat & Vulnerability Management - Vulnerability Prioritization
  • CSA CCM TVM-09 Threat & Vulnerability Management - Vulnerability Remediation

For a deeper dive, check out the CIS Benchmarks which provide extensive technical hardening guidance for various OSes and software. NIST 800-53 also has some great info on endpoint inventory as part of a larger security program.

Blog

Learn cloud security with our research blog