ds-1 (High priority) Device Security

An inventory of authorized hardware and software assets is maintained

You cannot protect what you do not know exists. An asset inventory is the foundation of every other device security control: patching, endpoint protection, and access policy all depend on knowing which devices and which software are in scope. A device on your network that is not in the inventory must be assumed unpatched; software that is not in the inventory is unmonitored software. CISA's guidance is clear on this: organizations that lack an asset inventory consistently have higher rates of undetected compromise and longer attacker dwell times.

Implementation steps

  1. Build a hardware asset inventory

    Create and maintain a list of all devices authorized to access your network: laptops, workstations, servers, network equipment, and mobile devices. For each device, record a stable identifier (serial number or MDM device ID, not just hostname or MAC address, both of which are easy to change or spoof), device type, owner or assigned user, operating system, and management status (MDM enrolled or not). Cloud-based MDM solutions can automate discovery for managed devices; they only see devices that are enrolled, so cross-check against a network-side source such as DHCP leases, switch or Wi-Fi authentication logs, or your cloud provider's resource inventory to find the rest.

    Tools: jamf, microsoft-intune, kandji, google-workspace

  2. Maintain a software inventory for critical systems

    For servers and production systems, maintain a list of installed software with exact versions, so that when a new CVE is disclosed you can match its affected version range against what is actually deployed rather than guessing. Container and IaC deployments make this easier because the software manifest (Dockerfile, lockfile, SBOM) is part of the code; for long-lived hosts, an agent such as osquery can report installed packages on a schedule. For endpoints, MDM solutions can report installed applications.

    Tools: jamf, microsoft-intune, aws-systems-manager, osquery

  3. Alert on unknown or unauthorized devices

    Configure your network monitoring or MDM solution to alert when a device that is not in the inventory connects to the network. Every such device should be investigated and either added to the inventory or removed from the network. Include enough context in the alert to triage it (MAC and IP address, switch port or SSID, first-seen time). This is particularly important for production network segments; where 802.1X or NAC is in place there, prefer denying unenrolled devices outright to alerting after the fact.

    Tools: jamf, microsoft-intune, aws-guardduty, cloudflare-gateway
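The three steps above amount to one reconciliation job: compare what the MDM says is managed against what the network actually sees, and compare what is installed against what an advisory says is affected. The script below is an added example, not code from this page or from any of the tools it names. The MDM export fields (serial, mac, owner, os, enrolled), the dnsmasq-style DHCP lease lines, the software inventory and the advisory version range are all constructed for illustration; the advisory is hypothetical and does not refer to a real CVE.

```python
"""Reconcile an MDM enrollment export against devices seen on a network
segment (steps 1 and 3), and match a software inventory against a disclosed
vulnerable version range (step 2). All data below is constructed."""
import re
from dataclasses import dataclass


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so exports from different tools compare equal
    (AA-BB-CC-00-11-22, aabbcc001122 and aa:bb:cc:00:11:22 are the same)."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed MDM enrollment export; field names are an assumption.
MDM_EXPORT = [
    {"serial": "C02ABC123", "mac": "AA-BB-CC-00-11-22", "owner": "alice", "os": "macOS 14.5", "enrolled": True},
    {"serial": "PF3XYZ789", "mac": "aabbcc001133", "owner": "bob", "os": "Windows 11", "enrolled": True},
    {"serial": "SRV-0042", "mac": "00:50:56:9a:01:02", "owner": "infra", "os": "Ubuntu 22.04", "enrolled": False},
]

# Constructed dnsmasq-style lease lines: expiry  mac  ip  hostname  client-id
DHCP_LEASES = """\
1718000000 aa:bb:cc:00:11:22 10.10.1.20 alice-mbp 01:aa:bb:cc:00:11:22
1718000100 aa:bb:cc:00:11:33 10.10.1.21 bob-laptop 01:aa:bb:cc:00:11:33
1718000200 00:50:56:9a:01:02 10.10.2.5 web-01 *
1718000300 de:ad:be:ef:00:01 10.10.2.9 * 01:de:ad:be:ef:00:01
"""


@dataclass(frozen=True)
class Observed:
    mac: str
    ip: str
    hostname: str


def parse_leases(text: str) -> list[Observed]:
    """Parse lease lines into normalised Observed records, skipping junk."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        out.append(Observed(normalize_mac(parts[1]), parts[2], parts[3]))
    return out


def unknown_devices(inventory: list[dict], observed: list[Observed]) -> list[Observed]:
    """Step 3: anything on the wire whose MAC is not in the inventory."""
    known = {normalize_mac(d["mac"]) for d in inventory}
    return [o for o in observed if o.mac not in known]


def unmanaged(inventory: list[dict]) -> list[str]:
    """Step 1: inventoried devices that are not under MDM management."""
    return sorted(d["serial"] for d in inventory if not d["enrolled"])


# Constructed software inventory for critical systems: host -> {package: version}
SOFTWARE_INVENTORY = {
    "web-01": {"openssl": "3.0.13", "nginx": "1.24.0"},
    "db-01": {"openssl": "3.0.15", "postgresql": "15.6"},
    "bastion": {"openssl": "1.1.1w", "openssh": "9.6"},
}


def version_key(v: str) -> tuple:
    """Turn '3.0.13' or '1.1.1w' into a tuple that sorts numerically
    (numbers first, then any letter suffix) so ranges compare correctly."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        parts.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return tuple(parts)


def hosts_running(inventory: dict, package: str, affected_from: str, fixed_in: str) -> list[str]:
    """Step 2: hosts whose installed version lies in [affected_from, fixed_in)."""
    lo, hi = version_key(affected_from), version_key(fixed_in)
    return sorted(h for h, pkgs in inventory.items()
                  if package in pkgs and lo <= version_key(pkgs[package]) < hi)


if __name__ == "__main__":
    seen = parse_leases(DHCP_LEASES)
    for dev in unknown_devices(MDM_EXPORT, seen):
        print(f"ALERT unknown device {dev.mac} at {dev.ip} ({dev.hostname})")
    print("not under MDM:", unmanaged(MDM_EXPORT))
    # Hypothetical advisory: openssl 3.0.0 up to (not including) 3.0.14
    print("exposed hosts:", hosts_running(SOFTWARE_INVENTORY, "openssl", "3.0.0", "3.0.14"))
```

Two caveats on the reconciliation. MAC addresses are a weak identifier: they are trivially spoofed and modern phones randomise them per network, so a MAC-based match is a first pass for raising alerts, not proof that a device is authorised; the authoritative check is whether the device presents an MDM-issued identity (for example a client certificate via 802.1X). The version comparison is deliberately simple and handles dotted numeric versions with an optional letter suffix; distribution packages that backport fixes without bumping the upstream version (Debian's `1.1.1n-0+deb11u5` style) need the distribution's own advisory data rather than an upstream range.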

Evidence required

Asset inventory

A current list of authorized hardware and software assets, dated, so that a reviewer can see when it was last reconciled. Acceptable forms include:

  • MDM enrollment report showing all managed devices
  • Hardware asset inventory spreadsheet or CMDB export
  • AWS or other cloud resource inventory with ownership tagging

Related controls