
All right, hello everyone. I'm Justin Scarpasi, and welcome to Everything I Know About Asset Inventory I Learned From Taylor Swift (Justin's Version). First off, if you're familiar with Taylor Swift, she has recorded, I think, three albums now to get back the original rights to her music, so in those versions all the songs have "Taylor's Version" after them. I figured I'd get ahead of that problem: if anyone tries to steal this talk, I've already done Justin's Version and don't have to worry about it later.

Real quick about me. I am not local to Pittsburgh. From the audience's perspective, at least if the guy from Scranton is the furthest away, I've got him beat: I live in Columbia, South Carolina, although I'm originally from about an hour away, in Youngstown, Ohio. Anyone familiar with Youngstown? Yeah, there we go. As it says there, I'm a husband and father; you can see my better half, or better two-thirds, of my family there, my wife and my three-year-old son Chase.

A little about how I started in this whole thing. Taylor and I have been at our respective crafts about the same amount of time. She's probably had a little more financial success than me, but I definitely have more challenge coins and cotton t-shirts than she has, I would assume. I started off in the Marine Corps; if anyone's familiar with the Marine Corps, I was a 2651, signals intelligence. After that I went to work as a contractor for the U.S. Air Force, specifically U.S. Air Forces Central Command, and protected our networks in the Middle East and Southwest Asia from good old Sumter, South Carolina, where Shaw is, which is where AFCENT is located. Since then, in about 2015, I was part of the early team at Carbon Black, joining in the early hyper-growth stage. Folks familiar with Carbon Black in here? Okay. I was there for seven years, and then last year I joined up with a lot of my former Carbon Black folks, including our co-founder and CEO J.J. Guy, at a company called Sevco Security. Anyone familiar with Sevco Security? I'm sure it'll be fewer hands. Okay, we've got a few. Sevco Security is an asset intelligence platform, so we look at the asset inventory problem every day. The good thing about that is, as a cloud platform, we have a lot of data around what we can observe in our customers, and I'll be sprinkling some of that in today along with Taylor Swift lyrics, so it's not going to be all data; there will be some fun. But yes, that's what I currently do: I work as a technical strategist at Sevco Security.

We Hack Health there: if anyone's not familiar with it, this is a community started by Ben Canning and Dave Kennedy. It's around health and fitness, targeted specifically at infosec professionals. There are different sides of it: there's a Discord server, there's the #WeHackHealth hashtag on Twitter, but what we do is motivate each other to get better from a health and fitness perspective. So if that's something that interests you, if you're interested in starting your fitness or health journey, check it out.
I'm probably not the biggest Swiftie in this room, and maybe not even a Swiftie at all. What I am is someone who has enjoyed Taylor's music since the very early days. I admire her as an artist and respect her; her success is inarguable and she's an amazing talent. I am not a singer or a dancer. I actually wrote in the abstract that there would be no singing, so you don't have to worry about that. If any of you want to sing along or come up, it's up to you. I'm also not SwiftOnSecurity. The one shown here is probably one of the oldest and largest infosec accounts out there, and I think they used to call themselves "infosec Taylor Swift." I don't know who this person is, but they're really good, and I respect them as a practitioner and an artist: it's a very entertaining account with a lot of really good information on it.

So how did I get here? Youngstown to Pittsburgh is I-77 to I-79, so that's not even a slide. But how did I get to this topic? It's definitely a little unusual. Well, there are stories everywhere, right? You can see a few things on this slide. For one, the tour is larger than 50 countries' GDP; the Federal Reserve did some economic analysis around it, and the tour has generated five billion dollars in revenue in local economies. It was a big news story last week. One of my co-workers actually lived in Nashville when Taylor Swift came to town, and he posted on one of our Slack channels: hey, there are Swifties everywhere, I can't even leave my apartment, because he lived near the venue. A colleague of mine, Jeremiah, and I replied to that with just Taylor Swift song titles, like "You Need to Calm Down" and so on. I knew I was coming to BSides Pittsburgh to meet up with some of the We Hack Health community, and with those two things coming together, I had a dream. My dream was that I was here giving this talk, just like I am right now. When I woke up, the first thing I did was Slack the dream to myself so I wouldn't forget it, and I submitted the talk a few days later. One thing I'll call out: the Eras Tour picture there is actually Heinz Field. I think Acrisure is accurate now, but I still call it Heinz Field. I guess the largest crowd they've ever had in that stadium was when Taylor Swift was in town: over 73,000 people, and she sold out multiple nights. So again, it's everywhere.

That's how I got to Taylor Swift. How I got to asset inventory is probably a more relevant topic for this audience, but also a lot less interesting. It all started back in 2016, finishing up grad school at Penn State. You'll notice this slide has a slightly different color scheme than the rest of the deck; that's because I couldn't just put red on a Penn State slide. Penn State and red didn't feel right at all, so I know this audience would appreciate that. When I worked for the Air Force, one of my jobs there was as a cyber intelligence analyst on a hunt team, so I was very interested in cyber threat intelligence. At that period of time, when I was in grad school, I was transitioning out of that and going to work at Carbon Black. For my capstone project I focused on cyber threat intelligence, and what I wanted to get out of it going in was just understanding why more folks weren't using it, and especially why they weren't using it more effectively. Maybe they pay for a threat intel feed, but are they really getting something out of it? That's where I started. The process ended up being (and this will put everyone to sleep if I go through the full form of it) a series of qualitative interviews. I sat down and asked open-ended questions to folks from large organizations and small organizations, folks that work at MSPs and MSSPs, folks in different roles in an organization: CISOs, practitioners, and so on. What I did, which you can see on the upper right there, is I then transcribed these interviews and coded the responses to pick out emerging themes and concepts from the research. So this is qualitative research that I then turned into quantitative by coding it. It's called a grounded theory approach: you don't go in with what you want out of it, you use the responses from the folks to come up with an emerging theme or model.

Ultimately what I ended up developing was the thing on the lower right, the Cyber Threat Intelligence Implementation Model. It's a little hard to see, which is partly on purpose because that's a whole other talk, so we won't be going through the model today. If you're interested in it, I'll put the paper out on my GitHub; I'm willing to share it with anybody, but it's not what we're going through today. What we are going to talk about a little is the first step of it. In talking to these folks, the first thing you needed if you were going to use threat intelligence in your environment was to know yourself. I broke that down into two sub-steps. One is knowing your business: what's important to your business. What's great is there are ISACs and things out there that are specific to certain verticals, where you can even get threat intelligence that is specific to your industry. But it's beyond just your industry; it's knowing your business, knowing what's important to it, how it functions, what your architecture is like, what normal is, essentially. That's one half of it. The second part is knowing your security tools and security controls in your infrastructure. One of the things I did as a cyber threat intelligence analyst, when I got different types of threat intel reports, was to model them in our environment. Not that I was going in and doing an emulation exercise; I was just looking at what we would have that would maybe block this, what the path would be that they would have to go through in our network, and what might get in somebody's way if this attacker came after us.

Those two things, like I said, are getting to know yourself, a whole other talk, but that's what got me interested in an inward focus in security. And I'm not the only one. I was actually really excited at RSA 2023 when Kevin Mandia (he definitely didn't copy me; he's one of the titans of this industry, if you're not familiar with him) said something that I was just like, yes. He said: the threats will change all the time. Don't ever forget the advantage that you do have. You should know more about your business, your systems, your topology, your infrastructure than any attacker does. This is an incredible advantage. Anyone disagree with that? Or how many people feel like they do know their environment better than any attacker would? Great, a couple of you. You should, right? The problem is, because we've been so focused on the external, the latest threats that are out there and all that stuff, we don't take a lot of time to look at ourselves. My thinking on that is the threats change constantly and unpredictably. You might be able to know what's happening today or yesterday, but you can't know what's happening tomorrow, and really, when it happens, a lot of that should be your vendor's problem. Endpoint security like CrowdStrike should be the ones really looking at that and pushing detections or prevention rules into the product, and pick any vendor out there. What I think is that a lot of your time might be better spent looking at yourself, because you now have so many companies out there that are competent at looking at external threats. I'm not saying that CrowdStrike or any vendor out there will stop every attack; nobody's saying that. I'm just saying that, from an investment of time, you may want to look in a different direction a little bit.

So it says here: you should know what your organization looks like and what change looks like. When I think about this, I think about a poster SANS used to put out, and maybe still does, called Know Normal, Find Evil. A lot of what was on it was: this process should have this parent process and this child process, so you could get an idea of how Windows is supposed to work, and from that you could find evil. The same thing can apply to pretty much anything, but the problem is a lot of folks jump straight to "find evil" and don't take the time to know normal. It's a lot easier to find evil, and this was the whole inspiration for SANS putting that out, if you know what normal is. That's applicable in a lot of different ways. My opinion is that asset inventory is a great place to start: knowing what you have, and then it goes beyond that, as you'll see pretty soon, is the first step in being able to know normal.

So, asset inventory. I'm going to talk about really two different
things today. One of those is the characteristics of what an asset inventory looks like. I'm not telling you what an asset inventory product should look like, or a specific methodology for doing an asset inventory. There are a lot of different ways to do it, most of them are valid, and a lot of them can be homegrown. It's really: what are the characteristics, if you were to build this or if you were looking at a tool to do it for you, what should it do and what should it look like? The graphic you see there is actually from Sevco Security's website. You can see that one's a little more complex, because again that's what we do every day; it's a little beyond what we're going to talk about today, but it's publicly available if you're interested. On the right is the importance of it: I talk about compliance, insurance, and the overall security program. The picture on the right, which may be hard for you to see, is from PropertyCasualty360, a property and casualty insurance trade website, and they're the ones writing about the importance of asset inventory and cybersecurity. It seems a little weird, but from both a compliance and an insurance perspective, asset inventory has been step one in most compliance frameworks for a long time. They've known the importance of it; I don't know that it's actually been done right in a compliance framework, but now insurers are starting to look at it a little more: if you want to get cyber insurance or renew it, this is one of the things you need to have. They're getting into that with a lot of different controls right now, but that's what we're starting to see: compliance is shifting from just regulatory frameworks to a little bit of insurance too. And it's important to your overall security program; I'll explain that plenty of times, talking about the number of aspects that would be important for you, but it's going to be a little different for everybody.

At this point you're probably thinking, where is Taylor Swift? I thought this was going to be a Taylor Swift talk; you had one slide a while ago and then you've been talking about grad school and everything else. So now we will actually get to some Taylor Swift. We'll start off with her telling us about the importance of your asset inventory being comprehensive. She says: I've got a long list of ex-lovers, they'll tell you I'm insane, but I've got a blank space, baby, and I'll write your name. This blank space is all the assets you maybe don't know about. A lot of times when folks have approached this problem, maybe because they have a compliance need, they are pulling an inventory from Active Directory or something like that. But you have more than just one inventory in your environment, and none of them probably knows about everything, unless it's a very small environment. When I say there are existing controls that are inventories of assets, some of them are even unconventional. Don't just think about directory services like Active Directory; things like endpoint security, patch management, even Slack can be an inventory of assets, since there are users using Slack. If it consumes a service, passes through, or is managed by something, that's a potential source of inventory for you. If you go down the path of building an asset inventory, you might have to think outside the box a little to be fully comprehensive. The problem with any one source, like I said, is that they don't know what they don't know. Sometimes folks will think of an asset discovery tool, something that scans your network, but what about remote users? What about the DMZ? What about some subnet where somebody changed a firewall rule and all of a sudden that scanning tool can't reach it? Any source, and that's not picking on asset discovery, which is a very good source of inventory, is just that: it's an inventory. It's not an inventory of inventories; it's not comprehensive. My view is that the more sources you have, the more comprehensive you can be. The way we show this a lot of times is a Venn diagram showing the overlap in
what each source tells you. In order to do this (this is the bad news slide, the hard part), when you start working with multiple sources of inventory, they're not going to be in the same format. You can see the first example there: if you've ever done this as a spreadsheet exercise, you've probably encountered this with something like MAC addresses. You may have one that isn't delimited at all, one that's colon-delimited, and one that is dash-delimited. The three things on the second bullet are all the same MAC address, displayed three different ways. It's not just MAC addresses; timestamps and all sorts of other things are in different formats, and converting between those is one of the problems. What you have to do is pick one and normalize all the sources to it. The other thing is differences in values. Even between, say, Active Directory and Azure AD, they will report the same version of Windows 10 in two different ways: one is the actual 10.0.19042.1889 Microsoft-speak, which is what it says in Azure AD; in Active Directory it may just be "Windows 10 Enterprise", and other sources might be something else. Figuring out how you're going to match those things up is a lot of times the hard part. Looking at this, this is where I'd say "wreck my plans": you go in thinking, I'm going to do an asset inventory, this is going to be fast and easy, and this is what might wreck your plans and take your weekend. But don't be scared off by it; it's definitely something you can do, and once you do it once, anything you do once you can do again.

An asset inventory should be repeatable. I've been using the term "an asset inventory," and by that I don't mean an exercise you do one time; it's a thing that you have. It's not "we did this in a spreadsheet 12 months ago and that's probably still the same today." Environments are dynamic; they change all the time. Your environment probably looks different at 7am than it does at 4pm, because different people are online and using different things at different times. The more frequently you can do this, the more confidence you have, one, in the state of those assets, and two, in the comprehensiveness of the inventory. It might be that you have folks in one office who aren't online at 7am, one because they're normal people who won't start at 7am, and two because maybe they're located in San Francisco and that's 4am there. Those types of things, when you're thinking about this: the more frequent, the more confidence you can have. Going back to Taylor's wisdom, in a lot of cases these assets are playing hide and seek with you a little. I mentioned some of the problems in doing a scan, but in general there's this time frame, and maybe something's popping on and off, even workloads or ephemeral things. Again, you'll learn a lot if you do this repeatedly.

So those were only a few characteristics, but they're very important characteristics of an asset inventory. I could probably do a lot more on that, but those are the top three I would say you should focus on if you were to build an asset inventory function or something to that effect. Now I'm going to move into the importance of asset inventory, or some of the things you can do with an
asset inventory; this should give you a better idea of the value. The first one is the straightforward one: It's me, hi, I'm the problem, it's me; at tea time everybody agrees. When folks think about asset inventory, it's usually "I want to identify all the assets that I have." That's the basic use case, but it's really just where it starts. When I say assets, you'll notice I'm not saying devices; I'm saying assets a lot, because assets can be devices, users, software, a number of different things. Devices are probably where we spend most of the time, but there are a lot of different things. Even in the asset identification phase, it's not just "what do I have, how many are there, give me a number." It's about what the characteristics of these things are: where they're located, what other tools are deployed to them, what state they're in, what version of the operating system, when they were last patched. Those are some of the things I'll get to in a second, but it's still part of asset identification: the presence and state of that asset. This is where most asset inventories stop: hey, I did my spreadsheet exercise, I gave my auditor her number, and now I'm good. But it shouldn't.

Typically the next traditional use case folks think about is rogue devices: what if somebody comes into my environment and plugs in a Pineapple or whatever kind of rogue device you can think of? How do I know about that? An asset inventory can help you with that, but the bad news is you probably have a lot of rogue devices, as it says there. In our State of the Cybersecurity Attack Surface report that we put out in March, across almost a million endpoints we found 70 percent of all assets existing in a corporate network didn't have any enterprise source. Enterprise sources are things that indicate that something is managed, like endpoint security, patch management, or a directory service. In the inventories we saw from pooling sources like active scanning tools or DHCP, whatever can do discovery, about 17 of those weren't that. Now, that doesn't mean that you have 17 actual rogue devices that you have to go and cut out of your network tomorrow. A lot of these things are supposed to be there; most of them aren't really rogue at all. They're the Xbox in the break room, the projector that runs Android 7 for some reason. It's all these things you don't know about, and to get to finding the true rogue devices, it's worthwhile to spend a little time knowing the things that are supposed to be there, because a lot of those don't change frequently, and when they do change, you should know about it. Again, one of the benefits is that Know Normal, Find Evil: see what's on the network and then see how it changes over time. It's definitely valid to pursue; it's probably not where I'd start, and it's definitely not a fast, easy win in most cases. The Taylor Swift quote speaks for itself there; I'm not going to read that one, but you can see how it's related.

Compliance I'd already mentioned a little. This is one of the main things that brings people to asset inventory: "I'm subject to X compliance framework." I listed enough that would fit into that space; I could probably have covered the whole slide with frameworks that list asset inventory either directly as a requirement or tangentially as something that would align to a compensating control, like endpoint security for PCI DSS. So asset inventory is important to compliance, but it shouldn't be the only reason you pursue it. A lot of times when I talk to folks who are new to this, what they say is, "Yeah, I've done an asset inventory before, one time, because I had to; we put it in a spreadsheet and then the auditor went away and it was okay." But I will tell you that you don't want to be on the list of names with your name in red and underlined when you're working with an auditor, so it's good to be a little ahead of that and think ahead of them. Fortunately we've been off the hook in the past, because asset inventory was a difficult thing to audit. As I mentioned, insurers are trying a little now, because they're tired of paying out for things that weren't accounted for or configured properly. They want to make
sure that whoever they're insuring is actually operating at a decent level. Folks that have done this the old way have a lot of times been fortunate, or unfortunate depending on your perspective, not to be held to account for the inventory not being comprehensive or functional.

This jumps into gaps. I mentioned compensating controls, and I mentioned PCI DSS: does it have AV installed, and is AV set to auto-update, and so on. This is something you can pull out when you build your asset inventory from those controls. If endpoint security is a source you're building this asset inventory from, you can get an idea of whether things are missing endpoint protection. Now, you can't do that if endpoint security is your only source, because it doesn't know what it doesn't know. But if you see that a device isn't in your endpoint security inventory but it is in your patch management, or in directory services, or in DHCP, that's where you find these gaps. We look at this data probably quarterly at Sevco and put out a report, the State of the Cybersecurity Attack Surface report, which I'll link to at the end if you're curious where these numbers came from. In that report we see about 19% of all IT assets are missing endpoint protection, and 27% are missing or uncovered by patch management solutions. We had one scenario where we worked with a customer that had bought a new patch management solution, deployed it everywhere, and turned off what they were doing before, SCCM or something like that. Looking at their environment, we said, hey, these devices over here aren't in patch management. It turned out that when they rolled out the new tool, they missed their entire DMZ. That was very much a "we're going to get off the call right now and go fix this," because we don't know the last time the DMZ was patched. It's easy to miss things in different enclaves in your environment, and that's essentially what happened there. Again, that goes back to individual tools not knowing what they don't know; they can learn from each other, and that's really what an asset inventory is about.

The other thing I'll say is, if you are taking on a new project, let's say you're buying a new backup solution, or a patch management solution, or a new endpoint security product (people love to buy tools; they do it all the time), what I say to that is: back up what? Protect what? If you don't know what you have, one, how do you know how many licenses to buy? You're probably going to buy too many to make sure you have enough, which vendors like, by the way, but your budget doesn't. Two, how do you know when you're done rolling out your backup solution? How do you know the denominator in that percentage? You say you're at 100%, but how do you know what the actual denominator is? You're saying you're at 50 devices, but what if you have 100? Now you're at fifty percent done, not a hundred percent. So again, that gets into the importance, and Taylor nails it: when you're doing this from an approach of understanding the different controls, the controls understand whether you belong with them or not. Very good advice there.

Stale assets. I actually use a few different terms for this, but I'll just use "stale asset" here to keep it simple. The quote on this is actually perfect, because the time frame we use for determining something is a stale device is that it appears in one inventory but not in any others, and the device hasn't reported in for more than 30 days. So: we hadn't seen each other in a month when you said you needed space. What? Why hasn't this device checked in in 30 days? It's an important thing to know, because one, maybe it was thrown in a lake. Two, maybe it was decommissioned. Was it decommissioned all the way? Did you actually roll it out of all the different things that had licenses applied to it? You might still be paying for licenses for this device that no longer exists.
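An added worked example, not from the talk and not Sevco's code, that pulls together three things discussed above: normalizing identifiers that each source formats its own way (MAC address delimiters, the two spellings of a Windows 10 version), finding the coverage gaps a single source cannot see on its own (a device that directory services or DHCP knows about but endpoint security or patch management does not, like the missed DMZ), and applying the 30-day stale rule just described. The source names, hostnames, MAC addresses and timestamps are all constructed for the example, and splitting sources into "enterprise" (implies the device is managed) versus "discovery" (only observed it on the wire) is an assumption made here.

```python
"""Added example (not from the talk): merge several asset inventories,
normalize identifiers, and report coverage gaps and stale assets.
Every inventory export below is constructed for illustration."""
from datetime import datetime, timedelta
import re

STALE_AFTER = timedelta(days=30)     # the 30-day rule from the talk
NOW = datetime(2023, 7, 15)          # fixed "now" so results are reproducible

# Assumption: sources that imply a device is managed (directory, EDR, patch
# management) versus sources that only observe traffic (DHCP, scanners).
ENTERPRISE_SOURCES = {"active_directory", "edr", "patch_mgmt"}
DISCOVERY_SOURCES = {"dhcp"}

# Constructed exports. Each source writes the same MAC, OS and timestamp its
# own way, which is exactly the normalization problem described in the talk.
SOURCES = {
    "active_directory": [
        {"host": "WS-101", "mac": "00:1A:2B:3C:4D:5E", "os": "Windows 10 Enterprise", "last_seen": "2023-07-14T09:00:00"},
        {"host": "WS-102", "mac": "00:1a:2b:3c:4d:5f", "os": "Windows 10 Enterprise", "last_seen": "2023-07-14"},
        {"host": "DMZ-WEB1", "mac": "00-1A-2B-3C-4D-60", "os": "Windows Server 2019", "last_seen": "2023-07-13"},
        {"host": "OLD-LAPTOP", "mac": "001A2B3C4D61", "os": "Windows 10 Enterprise", "last_seen": "2023-05-01"},
    ],
    "edr": [
        {"host": "ws-101", "mac": "001A2B3C4D5E", "os": "10.0.19042.1889", "last_seen": "2023-07-14 10:15:00"},
        {"host": "ws-102", "mac": "001A2B3C4D5F", "os": "10.0.19042.1889", "last_seen": "2023-07-14 10:15:00"},
    ],
    "patch_mgmt": [
        {"host": "WS-101", "mac": "00-1a-2b-3c-4d-5e", "os": "Windows 10", "last_seen": "2023-07-14"},
        {"host": "WS-102", "mac": "00-1a-2b-3c-4d-5f", "os": "Windows 10", "last_seen": "2023-07-14"},
    ],
    "dhcp": [
        {"host": "WS-101", "mac": "00:1a:2b:3c:4d:5e", "os": "", "last_seen": "2023-07-14T11:00:00"},
        {"host": "DMZ-WEB1", "mac": "00:1a:2b:3c:4d:60", "os": "", "last_seen": "2023-07-14T11:00:00"},
        {"host": "breakroom-xbox", "mac": "AA:BB:CC:DD:EE:01", "os": "", "last_seen": "2023-07-14T11:00:00"},
    ],
}


def normalize_mac(raw):
    """Strip any delimiter (':', '-', '.', or none), lowercase, reject non-MACs."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits


def parse_timestamp(raw):
    """Accept the handful of timestamp formats the sources above emit."""
    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            return datetime.strptime(raw, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognized timestamp: {raw!r}")


def os_family(raw):
    """Collapse 'Windows 10 Enterprise' and '10.0.19042.1889' into one family."""
    if raw.startswith("10.0.") or raw.startswith("Windows 10"):
        return "Windows 10"
    if raw.startswith("Windows Server"):
        return "Windows Server"
    return raw


def merge_inventories(sources):
    """Key every record on its normalized MAC and fold all sources together."""
    merged = {}
    for name, records in sources.items():
        for rec in records:
            mac = normalize_mac(rec["mac"])
            entry = merged.setdefault(mac, {"hosts": set(), "sources": set(), "os": set(), "last_seen": None})
            entry["hosts"].add(rec["host"].upper())   # hostnames differ only by case here
            entry["sources"].add(name)
            if rec["os"]:                              # DHCP does not know the OS
                entry["os"].add(os_family(rec["os"]))
            seen = parse_timestamp(rec["last_seen"])
            if entry["last_seen"] is None or seen > entry["last_seen"]:
                entry["last_seen"] = seen              # most recent sighting across sources
    return merged


def coverage_gaps(merged, control):
    """Managed devices (seen by some enterprise source) that the given control has never seen."""
    return sorted(mac for mac, e in merged.items()
                  if e["sources"] & ENTERPRISE_SOURCES and control not in e["sources"])


def unmanaged(merged):
    """Devices only discovery sources have seen: rogue candidates, or the break-room Xbox."""
    return sorted(mac for mac, e in merged.items() if e["sources"] <= DISCOVERY_SOURCES)


def stale(merged, now=NOW):
    """Devices no source has heard from within the stale window."""
    return sorted(mac for mac, e in merged.items() if now - e["last_seen"] > STALE_AFTER)


if __name__ == "__main__":
    inv = merge_inventories(SOURCES)
    for label, macs in (("missing EDR", coverage_gaps(inv, "edr")),
                        ("missing patch mgmt", coverage_gaps(inv, "patch_mgmt")),
                        ("unmanaged", unmanaged(inv)),
                        ("stale (>30d)", stale(inv))):
        print(f"{label:20s}", [", ".join(sorted(inv[m]["hosts"])) for m in macs])
```

With these constructed exports, the DMZ web server shows up as missing both EDR and patch management even though Active Directory and DHCP both see it, which is the single-source blind spot the talk describes; the Xbox is only ever seen by DHCP; and the old laptop trips the 30-day rule. Real exports will need more timestamp formats and a better OS mapping than the two rules shown, but the shape is the same: pick one canonical key, normalize everything to it, then ask each question as a set difference across sources.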
so reclaiming that stuff and they're deregistering that it's one thing that comes apparent when you do this um the other thing is you know what if it's just a broken agent or something like that um and Catherine in the last call uh talk in here on the same track kind of talked about you know sometimes attackers will go in and just disable you know disable the agents that somebody's using for endpoint security or sometimes even just sinkhole the comms like back to the you know so that can't phone home all that stuff that does happen um You probably in that case you know we we'd kind of consider that an orphan device um you probably want to know about that
earlier than 30 days but still it's 30 days is better than what most folks would know in that scenario right now and I saw it in her talk because she asked to raise hands if you monitor for if your EDR tool is checking in regularly and most folks weren't um and I throw up some numbers in there on what we see for it is you know essentially when we say is licensed it's basically it's present in these inventories but it's not actually checking in and using the product so another one here um historical data so I mentioned earlier that it should be repeatable right asset inventory is a function it's not a spreadsheet it's something that
you should do regularly. The importance in that is the historical data, and it's for a few reasons. One, it can help you during an incident investigation, and it's not just a security incident, it's any incident, right? An outage, something like that. It's understanding, hey, when did this version of SentinelOne get rolled out in my environment? What was the first device that had it? When did it go live everywhere? When did this device that is having the problem first show up in my environment? Right, like these are kind of the questions a lot of times you end up
asking yourself in an incident investigation. You don't necessarily know it offhand, but if you're doing this function regularly, you can know that stuff, right? You can know the change over time in your environment, and you use that change over time to identify different trends in there, to find broken processes. So if you start seeing users that are still present in some of your user inventories that don't work there anymore, and you kind of maybe know that because their workstation went bye-bye or they haven't logged into something else, but they're still an active user in Slack and you're still paying for a license for that or something like that, that's a broken off-boarding process. That's
something you can go and fix. And that's not the only process, there's a lot of different ways you can do that. So hopefully, if you do this, you can have that historical data, and when you go back and look at this you can see your assets "standing in a nice dress, staring at the sunset, with red lips and rosy cheeks." Hopefully that's the state you get to. Not everyone may get there, but I don't want you just to look back at this data because something bad happened. Maybe you can look back at it fondly and say, yes, my processes are working. Another one here, and this is a pretty
contentious one. So this is where I say, from "Picture to Burn," "go tell your friends that I'm obsessive and crazy." When I have this discussion sometimes with customers or partners, they'll say, and vulnerability management is usually what kind of sparks this, hey, there's too few devices here, this isn't enough, like you're not pulling everything in. And there's a few different reasons for that, right? So a vulnerability management product, or any network-based tool, if not properly configured, will often count devices that aren't there. The classic one we see a lot of times is folks configure scopes in their vulnerability
management product and think, we're good, right? That's all the subnets we have. But sometimes there are things that get in the way of a vulnerability management tool being able to reach those networks, and we all have these great firewalls now that a lot of times will gratuitously answer requests in there. So from the vulnerability management product's perspective, it says, yeah, something answered here, so that's a device, it's there. I've seen it in our data sometimes, where we pull this from those products and you have a response that's basically just an IP address on a /24 network, 0 through 255, which, you're like, well,
usually you don't have all that taken up, and especially not 0 and 255 responding as part of a scan. The other one is, sometimes they count them twice, and this happens really in two main ways. One is, many things, especially servers, have multiple NICs, and those NICs are on different networks. When you scan, you set up these scopes, and there's a NIC on this network, there's a NIC on a different network, and in a vulnerability management product a lot of times that's two devices. So depending on that, like I said, one, that may cause you to overestimate what you have if you're using that as your authoritative source of inventory. The other one is, if you're paying a service
provider to do vulnerability management for you and they charge you per device, they might be double charging you or triple charging you, depending on the number of NICs on the devices that you have in your environment. So just something to keep in mind, that's one way that'll happen. The other one is scan types. Most modern vulnerability management products have an agent that they can deploy out there, and they can do over-the-network scans as well, authenticated or unauthenticated, and a lot of times it's configured to do both, right? So you'll get pulled back a scan from the agent that's on these machines and an over-the-network scan in there. Again, that's not two
devices. So in a lot of cases, one of the things you're doing when you're looking at this inventory, especially if you're pulling in a network-based tool, is maybe de-duplicating those things in your inventory, because they may pop up with that. So again, that one makes you understand that you have actual coverage, that your scans are working. So that kind of first use case there is, nobody wants to scan a firewall, like, specifically for a firewall, you don't want to just get a gratuitous answer from a firewall. That's not actual vulnerability management coverage. And also accuracy and cost, right? Budget is tougher now for most
folks than it's been in a few years, so that's definitely a question worth asking: hey, are we getting what we paid for with this?
This is kind of one of those things where I'd say approach this with caution, right? So if you go down this path, and I hope at least some of you do, it's definitely worthwhile to pursue, but approach it with caution. And for security this is generally good advice, especially when you're working, and I think most folks here are on the security side, but it applies in both directions, when you're working with the IT Ops side of the house. I've worked places where it's almost an adversarial relationship between those two, and what you don't want to do is go get all this data and
come into a meeting, and they're like, "but you're taking shots at me like it's Patrón and I'm just like, damn, it's 7 A.M." You don't want to blindside them on this. What you want to do is work with them. You want to develop a program, explain to them, look, this isn't a blame game, I'm not trying to call anybody out here. What I am trying to do is pursue this asset inventory, and the good thing is they have a lot of really good resources and a lot of really smart people to help you with it. I'm going to use this to get different findings of things,
hopefully fix those findings, and then audit our process to continue to make sure that those processes work. And from that, it ties back to the inward focus I started out with, right? This is a component of that. It's a very important one, but you should be thinking a lot about how can I build in my home field advantage, right? What would make it hard for an attacker in my environment? And asset inventory maybe isn't to the point of making it hard for them, but it definitely can do things to not make it as easy for them, because there's nothing easier than something that is on your network that doesn't have any sort of
protection on it, hasn't been patched in forever, and is kind of just sitting there, right, ripe for the picking for somebody on the offensive side. So, key points. I kind of hit on all these, but again: know yourself, inward focus. Asset inventory is essential to that inward focus, and maybe it's not where it stops, it's kind of where it starts. Normalizing and correlating data is the hard part of doing an asset inventory, but once you do it you can do it again, and you should; it should be continuous. There are many ways it can help; that's kind of what that whole section was about, what can it do for you,
all those things there. And again, approach the problem with humility. You actually might be wrong on some of this data at first. You may say, hey, this is a broken process, and it turns out it's not. And again, good advice for anything: don't go in trying to blame somebody or throw them under the bus. We're all on the same team, security is a team sport. You should approach it with humility and do that. So thank you everyone for coming, thank you to everyone online. As it says there, "it was enchanting to meet you," "all I know is I was enchanted to meet you." I'd be glad to meet anybody
who wants to come up and talk about this afterwards, or stop me in the hallway, or chase me down the escalator, or anything like that. But if you want to chase me down virtually instead, these are all the different ways you can reach me. And I do also list wehack.health, that's the domain on there for that, if you're interested in a community that's similar to BSides: as BSides is a community approach to security, it is a community for health and wellness. So thank you everyone.
thank you
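As an added example, not part of the talk or of any vendor's product, here is a small Python correlation routine that applies the rules discussed above to constructed records from three inventories: one device per hostname so a multi-NIC server scanned on two networks is not counted twice, the 30-day stale rule for a device seen in only one inventory, "licensed but not checking in" for an EDR agent that is in the console but silent, and scan-only responders with no hostname (the gratuitous firewall answer). The source names, hostnames, addresses and timestamps are all assumptions made up for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is repeatable; 30 days is the stale window from the talk.
NOW = datetime(2023, 7, 1, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=30)

# Constructed sample records (not real data) from an EDR agent, an MDM and a network
# vulnerability scanner. Hostnames, addresses and source names are made up.
INVENTORIES = {
    "edr": [
        {"host": "web01", "ips": {"10.0.1.5"}, "last_seen": NOW - timedelta(days=1)},
        {"host": "lab07", "ips": {"10.0.9.7"}, "last_seen": NOW - timedelta(days=45)},
        {"host": "hr-laptop", "ips": {"10.0.3.22"}, "last_seen": NOW - timedelta(days=2)},
    ],
    "mdm": [
        {"host": "hr-laptop", "ips": {"10.0.3.22"}, "last_seen": NOW - timedelta(days=1)},
        {"host": "old-mac", "ips": {"10.0.3.99"}, "last_seen": NOW - timedelta(days=60)},
    ],
    "vuln_scan": [
        {"host": "web01", "ips": {"10.0.1.5"}, "last_seen": NOW},
        {"host": "web01", "ips": {"192.168.50.5"}, "last_seen": NOW},  # second NIC, same server
        {"host": "", "ips": {"10.0.7.255"}, "last_seen": NOW},  # broadcast address "answering"
    ],
}


def correlate(inventories):
    """One device per hostname: a multi-NIC server seen on two networks is one device."""
    devices = {}
    for source, records in inventories.items():
        for rec in records:
            key = rec["host"] or "ip:" + min(rec["ips"])  # unnamed scan replies stay separate
            dev = devices.setdefault(key, {"sources": set(), "ips": set(), "last_seen": {}})
            dev["sources"].add(source)
            dev["ips"] |= rec["ips"]
            prev = dev["last_seen"].get(source, rec["last_seen"])
            dev["last_seen"][source] = max(prev, rec["last_seen"])  # newest sighting per source
    return devices


def classify(devices, now=NOW):
    """Flag each correlated device using the rules from the talk."""
    flags = {}
    for key, dev in devices.items():
        f = set()
        if len(dev["sources"]) == 1 and now - max(dev["last_seen"].values()) > STALE_AFTER:
            f.add("stale")  # in one inventory only and silent for over 30 days
        if "edr" in dev["sources"] and now - dev["last_seen"]["edr"] > STALE_AFTER:
            f.add("licensed_not_checking_in")  # agent in the console but not reporting in
        if key.startswith("ip:") and dev["sources"] == {"vuln_scan"}:
            f.add("unverified_network_responder")  # only a scan reply; maybe a gratuitous answer
        if len(dev["ips"]) > 1:
            f.add("multi_nic")  # a per-IP scan scope would count this device twice
        flags[key] = f
    return flags
```

Eight raw records collapse to five devices; the flags point at what to check (agent health, decommissioning, scan scope) rather than at who is to blame.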