Introducing Sevco Unified Inventory

After more than a year in private deployments, we are releasing Unified Asset Inventory to the general public. Sevco’s Unified Asset Inventory connects via APIs to your existing sources of device inventory, imports and correlates their inventory to create a unified view of all devices in the connected sources.

The result is an unparalleled, and previously unavailable, understanding of your devices and their actual configuration. It allows companies to identify areas where actual configuration deviates from expected configuration, providing checks and balances against processes and technology that often fail. This enables IT and Security Operations teams not only to remediate the deviations but also to discover and address the procedural deficiencies behind them, so they stop recurring.

The State of Industry

As an industry, we are collectively coming to the realization that accurate asset inventories are foundational to the security & efficacy of existing procedures.  Security breaches are increasingly not because your endpoint security tools weren’t good enough, but because they just weren’t there. Endpoints aren’t getting patched not because your patch tools aren’t good enough, but because the tools just aren’t installed.

According to the report, the risk of not having [an asset] inventory “makes it difficult to ensure systems are patched in a timely manner and are being regularly scanned for security vulnerabilities.” Having an asset inventory is “paramount” from a security standpoint, because an organization can only defend the assets it has identified. How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach, US Senate, report page 25, pdf page 29 [pdf]

[H]osts susceptible to major new vulnerabilities tend to also still be defenseless against many older vulnerabilities. That finding is a bit of a double-edged sword in that, while it seems to suggest that patching is working, it also suggests that asset management may not be [working]… vulnerabilities are likely not the result of consistent vulnerability management applied slowly, but a lack of asset management instead.  Verizon 2020 Data Breach Investigations Report, “Asset Management,” page 25 [pdf]

At the foundation of all these challenges is a deceptively simple challenge: a current and complete inventory of enterprise devices.  Your security endpoint agent will tell you how many devices it is installed on.  How many machines should it be installed on?  That is a number no one knows.

To be fair, this is not a new insight.  For decades, nearly every IT & Security program has included “an accurate inventory of enterprise assets” as a foundational control.  It’s control one in the CIS Top 20. The NIST CSF starts with “Identify.” ISO 27001 A.8.1.1 requires an “always up to date inventory.”  However, as an industry we are recognizing that the processes & products we’ve relied on for years are no longer good enough.

There are three trends driving change: 

  • The increasing complexity of enterprise computing: Asset discovery tools have not materially changed in more than twenty years, while computing has been revolutionized.  Between the introduction of mobile devices, the explosion of cloud computing, the degradation of the enterprise perimeter and the SaaSification of enterprise applications, the enterprise network has changed dramatically, but our tools have not kept pace.
  • The increasing importance of security within IT: the transition of criminal activity from running drugs to digital crimes has shifted the impact of security breaches from an annoying negative externality to a critical business risk
  • The increasing importance of IT to every business: digital transformation means effective IT is no longer a matter of cost efficiency, but central to every business’s survival.

It may seem a bit much to tie relatively-pedestrian asset inventory to such major trends, but you will not find any Super Bowl Championship teams that are not excellent at the basics of blocking and tackling – and continue to exercise those basic techniques at every single practice.  You cannot continue to manage your asset inventories “the way it’s always been done.”

The Challenge

Across the world, more and more companies are recognizing these challenges and investing their resources into improving their asset inventories to get to that deceptively simple number: how many devices do we have?  The realization usually starts within the security teams, as they work to ensure their endpoint security agents are fully deployed but can’t find out how many endpoints the agents should be on. The conversation spreads into IT Operations, as they realize the challenge and grapple with a question no one has ever asked before.  The broader organization together realizes the difficulty and considers solutions.

In some places it’s addressed with manual procedures in what rapidly turns into spreadsheet hell and an expensive, time-consuming and unscalable approach.  In other places, it becomes an internal DIY project that grows in cost & complexity as teams recognize the difficulty correlating data from disparate systems.  In other places, they’ve grudgingly adopted sub-optimal tools because they feel there are no alternatives.  Some are still seeking solutions.

None feel confident in their network’s readiness.

Sevco’s Approach

The key challenge is not a lack of data about assets; it’s that we have too much asset data, and every source reports a slightly different total. Go ask your Active Directory, patch management, vulnerability management and endpoint security teams how many devices are live in the organization and you’ll get a different answer from each.

Perhaps you have also invested in a platform that promises asset inventory as part of their value – usually based on either an active network scanner, a passive network sniffer or an endpoint agent.  You’ll find they each give a different number, too.

None of those sources are wrong, they just each have a different, incomplete subset of the true total.  

Sevco takes a different approach: we integrate with each of these inventory sources via APIs.  We import their knowledge of inventory, correlate it with what the other sources report and publish a single, consolidated report – with robust controls to visualize, search, filter and sort the results.

For example, here is a screenshot of a company with four configured sources: on-premises AD, Azure AD, Intune and SentinelOne:

 


Each source reports a different number of total devices. In the upper right, you see the total number of devices from the currently selected sources: about 20% more than any single source.  Where does that 14,320 total come from?  It is the superset of unique devices in those three sources. Just below this selector is the Venn diagram that displays the relationship between the devices in these three sources:

 

 

Of those 14,320 devices, there are 545 in Active Directory but not running SentinelOne.  (That’s a 97% deployment efficacy rate, which is significantly above average.)

The devices are presented in a table to the right with device metadata and a source heatmap.  Each row represents a device and each column an inventory source.  If a cell is colored, it means we’ve observed that device in that source.  The brighter the color, the more recently it was observed. On hover, we display the time since the last observed activity:
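The correlation described above (importing each source's export, keying devices so the same machine matches across sources, taking the superset, then counting coverage gaps such as "in Active Directory but not running the endpoint agent" and computing a last-seen age per source for the heatmap) can be illustrated with a small script. This is an added example, not Sevco's code or data: the three source exports, their field names (`dNSHostName`, `hostname`, `deviceName`, and the timestamp fields) and the fixed "now" are all constructed here for illustration, and the only correlation key used is the normalized short hostname.

```python
"""Added example: correlating device inventories from several sources.

Constructed sample data, not Sevco's code or any vendor's real export schema.
Each source lists devices under its own field names; we normalize to a
hostname key, union the sources into one unified inventory, and report
per-source counts, the unified total, coverage gaps (in one source but not
another) and how many days ago each source last observed each device.
"""
from datetime import datetime, timezone

# Fixed reference time so the staleness values are reproducible (constructed).
NOW = datetime(2020, 9, 1, tzinfo=timezone.utc)

# Constructed sample exports. Field names are assumptions for this example.
SOURCES = {
    "ad": [  # on-prem Active Directory computer objects
        {"dNSHostName": "WS-001.corp.example", "lastLogon": "2020-08-31T09:00:00Z"},
        {"dNSHostName": "WS-002.corp.example", "lastLogon": "2020-08-30T17:30:00Z"},
        {"dNSHostName": "SRV-DB01.corp.example", "lastLogon": "2020-08-31T23:10:00Z"},
        {"dNSHostName": "WS-OLD.corp.example", "lastLogon": "2020-03-02T08:00:00Z"},
    ],
    "edr": [  # endpoint security agent console
        {"hostname": "ws-001", "last_seen": "2020-08-31T11:45:00Z"},
        {"hostname": "ws-002", "last_seen": "2020-08-31T12:00:00Z"},
        {"hostname": "lt-ceo", "last_seen": "2020-08-29T08:00:00Z"},
    ],
    "mdm": [  # mobile device management
        {"deviceName": "LT-CEO", "lastSyncDateTime": "2020-08-31T07:00:00Z"},
        {"deviceName": "LT-009", "lastSyncDateTime": "2020-08-28T07:00:00Z"},
    ],
}

# Which field carries the device name and the last-activity timestamp per source.
FIELD_MAP = {
    "ad": ("dNSHostName", "lastLogon"),
    "edr": ("hostname", "last_seen"),
    "mdm": ("deviceName", "lastSyncDateTime"),
}


def normalize_key(name):
    """Correlation key: lower-case short hostname with any domain suffix stripped."""
    return name.strip().lower().split(".")[0]


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(sources=SOURCES, field_map=FIELD_MAP):
    """Build the unified inventory: {key: {source: last_seen_datetime}}."""
    unified = {}
    for src, records in sources.items():
        name_field, ts_field = field_map[src]
        for rec in records:
            key = normalize_key(rec[name_field])
            seen = parse_ts(rec[ts_field])
            per_source = unified.setdefault(key, {})
            # If a source lists a device more than once, keep its newest observation.
            if src not in per_source or seen > per_source[src]:
                per_source[src] = seen
    return unified


def source_counts(unified):
    """How many devices each source knows about (the per-source totals)."""
    counts = {}
    for per_source in unified.values():
        for src in per_source:
            counts[src] = counts.get(src, 0) + 1
    return counts


def coverage_gap(unified, present, missing):
    """Devices observed by `present` but never by `missing`, e.g. AD without EDR."""
    return sorted(k for k, s in unified.items() if present in s and missing not in s)


def staleness_days(unified, now=NOW):
    """Days since each source last observed each device (the heatmap intensity)."""
    return {k: {src: (now - ts).days for src, ts in s.items()} for k, s in unified.items()}


if __name__ == "__main__":
    inv = correlate()
    print("unified total:", len(inv), "per source:", source_counts(inv))
    print("in AD but no EDR agent:", coverage_gap(inv, "ad", "edr"))
    for host, days in sorted(staleness_days(inv).items()):
        print(host, days)
```

With the constructed data the unified total is 6 devices although no single source sees more than 4, two AD machines have no endpoint agent, and one laptop is known only to the agent and MDM. In a real deployment the correlation key would need to combine several identifiers (hostname, serial number, MAC, cloud instance id) rather than the hostname alone, since renamed or re-imaged hosts would otherwise be double counted.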

 

Of course, navigating hundreds or thousands of search results requires additional controls and filters.  At left are search result facets, displaying the distribution of top attributes across the current result set.  Clicking these filters the results. At top is a query builder to filter results with arbitrarily complex boolean logic.  Put those pieces together and you get this:

 

 

The result is a console that is deceptively simple and incredibly powerful.  If you and your team are ready to take command of your devices, give us a call.