IT Asset Inventory for Security: Building a Complete, Accurate Asset Register

Most organizations have some form of asset inventory -- a spreadsheet, a CMDB, or a procurement record -- but it is incomplete, stale, or missing the security context needed to prioritize risk.

Common failure modes:

The two-track approach:

A reliable asset inventory requires both active discovery (sending probes to enumerate assets) and passive discovery (observing network traffic to identify assets that do not respond to probes):

• Active discovery: Nmap, Tenable Nessus, Qualys, Rapid7 -- sends packets to enumerate listening hosts and services; catches everything that responds on the network
• Passive discovery: Network traffic analysis (Zeek/Bro, ExtraHop, Darktrace) -- identifies assets by observing communications without sending probes; catches assets that block ICMP and port scans, and IoT/OT devices that are fragile under active scanning

Asset attributes required for security:

Every asset record needs at minimum:

Nmap for network discovery:

# Fast host discovery (ping sweep -- no port scan)
nmap -sn 10.0.0.0/8 -oG hosts.txt

# Service and OS detection on discovered hosts
nmap -sV -O --top-ports 1000 -iL hosts.txt -oX scan-results.xml

# Aggressive scan with scripts (use only on authorized networks)
nmap -A -p- 10.0.1.0/24 -oX full-scan.xml

# Export to CSV for import into asset inventory
nmap -sV --top-ports 100 10.0.0.0/8 -oX - | python3 nmap-to-csv.py

Scan frequency guidelines:

Vulnerability scanner as discovery tool:

Nessus, Qualys, and Rapid7 InsightVM can be used in discovery mode to enumerate assets as a first pass, then scan discovered assets for vulnerabilities. This collapses two steps into one:

Tenable.io: Settings > Sensors > Linked Scanners > [Scanner] > Network Discovery
  - Enable "Discovery" scan type on your full RFC 1918 range
  - Schedule weekly
  - All discovered assets automatically appear in your asset database

Agent-based discovery for remote and laptop assets:

Network scanning misses laptops that connect via VPN from home or are rarely on the corporate network. Deploy lightweight agents (Tenable Nessus Agent, Qualys Cloud Agent, or Microsoft Defender's device inventory) that report asset information regardless of network location.

Cloud assets are the largest source of inventory gaps in modern organizations. Developers provision resources directly via CLI or Terraform, bypassing traditional IT procurement workflows. Cloud assets must be discovered via provider APIs, not network scanning.

AWS asset discovery:

# List all EC2 instances across all regions
aws ec2 describe-instances --query 'Reservations[*].Instances[*].[InstanceId,State.Name,InstanceType,PublicIpAddress,Tags[?Key==`Name`]|[0].Value]' --output table --region us-east-1

# Export all resources via AWS Config (comprehensive, cross-service)
aws configservice describe-configuration-recorders
aws configservice list-discovered-resources --resource-type AWS::EC2::Instance

# Use AWS Systems Manager Inventory for detailed OS/software data
aws ssm describe-instance-information --output table

Multi-cloud asset inventory with Steampipe:

Steampipe is an open-source tool that queries cloud provider APIs using SQL:

-- All EC2 instances with their security groups and public IPs
SELECT
  instance_id,
  instance_state,
  instance_type,
  public_ip_address,
  tags->>'Name' as name,
  region
FROM aws_ec2_instance
WHERE instance_state = 'running'
ORDER BY region;

-- Azure VMs
SELECT name, location, os_disk_os_type, power_state
FROM azure_compute_virtual_machine
WHERE power_state = 'running';

CSPM as asset inventory:

Cloud Security Posture Management tools (Wiz, Orca, Prisma Cloud) maintain real-time asset inventories as a byproduct of continuous cloud scanning. If you have a CSPM tool deployed, export its asset list as the authoritative source for cloud assets and sync it with your CMDB.

Tagging strategy for cloud asset context:

Cloud assets without tags are unattributable to owners or business functions. Enforce mandatory tagging via cloud policy:

AWS: Service Control Policy (SCP) to deny resource creation without required tags:

• Environment (Production, Staging, Development)
• Owner (email or team name)
• CostCenter
• Criticality (Critical, High, Medium, Low)

Azure Policy: Built-in "Require a tag and its value on resources" policy GCP: Organization Policy Constraints for label enforcement

A Configuration Management Database (CMDB) is the authoritative record of IT assets and their relationships. ServiceNow, Freshservice, and BMC Helix are common enterprise CMDBs. The challenge: CMDBs are accurate at initial population and degrade rapidly without automated refresh.

CMDB data quality problems:

• Assets decommissioned in reality but still marked active in CMDB
• New assets provisioned without CMDB records
• IP addresses reassigned without updating CMDB
• Software versions not updated after patching

Automated CMDB refresh approach:

1. Discovery tool integration: Tenable, Qualys, and Rapid7 all provide CMDB connectors for ServiceNow. Scan results automatically update CMDB records -- IP addresses, OS versions, and open ports are refreshed with each scan.

2. Cloud provider sync: Use ServiceNow's Cloud Management or a custom integration via ServiceNow's Import Sets to pull cloud assets from AWS Config, Azure Resource Graph, and GCP Asset Inventory on a daily schedule.

3. Reconciliation workflow: Run a weekly reconciliation report:

   • Assets in CMDB but not found by scanner in 30 days: flag for decommission review
   • Assets found by scanner but not in CMDB: auto-create stub record, assign to network owner for enrichment
   • Assets with mismatched OS versions: auto-update CMDB from scan results

Asset criticality scoring:

Criticality should be based on business impact, not just technical characteristics:

Criticality = MAX(
  Data sensitivity score,      -- Does it store/process PII, PCI, PHI?
  Availability impact score,   -- How many users/processes depend on it?
  Regulatory scope score,      -- Is it in PCI/HIPAA scope?
  Attack path score            -- Is it externally exposed or adjacent to crown jewels?
)

Critical assets (score 4): payment processing, authentication infrastructure, customer databases High assets (score 3): production application servers, internal admin tools Medium (score 2): internal servers, development systems Low (score 1): workstations, printers, non-production systems

Your asset inventory is incomplete without external visibility -- the assets attackers see before they reach your internal network.

External Attack Surface Management (EASM):

EASM tools continuously discover your organization's internet-exposed assets by scanning from the outside, the same way an attacker would:

What EASM finds that internal tools miss:

• Forgotten subdomains still pointing to decommissioned infrastructure
• Cloud storage buckets with public access (S3, Azure Blob, GCS)
• Development or staging servers exposed to the internet
• Expired SSL certificates on internet-facing services
• Services running on non-standard ports
• Third-party SaaS instances registered with your domain

Shadow IT discovery:

Shadow IT (SaaS tools employees use without IT approval) creates asset inventory gaps and data residency risks. Discovery methods:

1. CASB/SSE proxy: Intercept web traffic to identify SaaS destinations; Netskope and Zscaler categorize 40,000+ cloud apps
2. DNS query analysis: Analyze DNS logs for corporate devices resolving SaaS app domains
3. Browser extension inventory: Policy-enforce browser extension lists via Chrome Enterprise or Intune; extensions are often untracked cloud app connectors
4. OAuth app audit: Review which SaaS apps have been granted OAuth access to corporate email and file storage accounts (Google Workspace and Microsoft 365 both provide this in admin consoles)