
When the dust settles, will your assets be the good, the bad, or the vulnerable?
In a constantly evolving hybrid environment, asset visibility is a living problem, dynamic, distributed, and difficult to control. Every endpoint, IoT device, container, and cloud workload expands your attack surface, and every blind spot introduces a potential attack vector. The foundation of cybersecurity is knowing what exists, where it lives, its posture and who controls it.
According to the Center for Internet Security (CIS), the first two controls, Control 1: Inventory and Control of Enterprise Assets and Control 2: Inventory and Control of Software Assets, form the core of cyber defense. These foundational technical controls, often left to “best effort”, are essential for every other layer of defense to function.
• CIS Control 1 requires maintaining a complete, accurate, and actively managed inventory of all hardware assets connected to your network, regardless of location or ownership.
• CIS Control 2 extends this requirement to software, operating systems, applications, libraries, and containers, ensuring each asset runs only authorized, secure, and up-to-date code.
Without accurate inventories, vulnerability scanning, EDR coverage, and configuration compliance are unreliable at best. You can’t patch and maintain what you don’t know exists.
The Good assets are visible, managed, and governed. They’re enrolled in endpoint management systems, covered by vulnerability scans, logged in a CMDB, and regularly validated against security baselines such as CIS Benchmarks or STIGs. Every asset has an owner, a purpose, and telemetry confirming its current state.
The Bad assets exist outside of organizational control; rogue servers, shadow IT, unmanaged BYOD devices, orphaned VMs, or forgotten cloud instances. These systems evade monitoring and patch management, and they often represent the entry points attackers attempt to exploit first.
The Vulnerable assets are at least known, but they remain exposed. They appear in discovery scans and inventories, yet contain unpatched CVEs, configuration drift, or outdated software components. Unlike Bad assets, which exist completely outside visibility and governance, Vulnerable assets are within reach of remediation. One strategy is to prioritize these assets first for corrective action, because they represent known, addressable risk with the data and control paths already available to fix them. This can be especially effective since Bad assets often require discovery, ownership identification, and validation before remediation can even begin.
Modern asset management requires continuous discovery, not static inventories.
Adopt discovery through multiple telemetry sources such as network scans, DHCP logs, cloud APIs, EDR agents, and vulnerability scanners. Feed these into a centralized aggregator that reconciles discovered assets with authorized records in your CMDB or MDM platform. Solutions such as Axonius have out-of-the-box integrations to aggregate, correlate, and orchestrate responses based on asset intelligence such as what’s listed above. Clients have also built homegrown solutions, but unless there is constant development and maintenance, the data can quickly become unreliable. It’s ultimately a build-versus-buy decision that will differ based on each organization’s architecture, resources, and operational maturity.
To maintain continuous visibility, organizations should automate the detection of unauthorized devices. When a new MAC address, VM ID, or instance ID appears, alert or quarantine until it’s registered. Integrate APIs from AWS Config, Azure Resource Graph, or GCP Asset Inventory for cloud visibility. For on-prem environments, use NAC (Network Access Control) to enforce device registration before granting access.
Track measurable indicators of CIS Control 1 and 2 effectiveness:
• Asset discovery coverage
• Unauthorized device detection time
• Agent deployment coverage
• Patch compliance
• Software inventory accuracy
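The reconciliation step and the Good/Bad/Vulnerable split described above, plus four of the five indicators in this list, as an added example that is not part of the original post. It assumes a reconciler keyed on MAC address or cloud instance ID, with constructed DHCP, cloud API, EDR and vulnerability-scanner feeds and a constructed CMDB; the classification rules (no CMDB record is Bad; in the CMDB but missing an agent, never scanned, or carrying open CVEs is Vulnerable) are the author's own illustration, and CMDB records that no discovery source can see are reported as a separate "stale" bucket because they drag down inventory accuracy.

```python
"""Reconcile multi-source asset discovery against a CMDB and sort assets into
Good / Bad / Vulnerable. Hypothetical example; every value below is constructed."""

# Constructed discovery feeds, each keyed by a stable identifier
# (MAC address for on-prem devices, instance ID for cloud workloads).
DHCP_LEASES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:09"}
CLOUD_INSTANCES = {"i-0a1b2c3d4e", "i-0deadbeef1"}
EDR_AGENTS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "i-0a1b2c3d4e"}
# Constructed vulnerability-scanner output: asset -> number of open CVEs.
VULN_FINDINGS = {"aa:bb:cc:00:00:01": 0, "aa:bb:cc:00:00:02": 3, "i-0a1b2c3d4e": 0}
# Constructed authorized inventory (CMDB): asset -> owner.
CMDB = {"aa:bb:cc:00:00:01": "it-ops", "aa:bb:cc:00:00:02": "finance",
        "i-0a1b2c3d4e": "platform", "i-0retired000": "platform"}


def classify(discovered, cmdb, agents, findings):
    """Sort every asset seen by discovery or recorded in the CMDB into a bucket.

    bad        - discovered but absent from the CMDB (no owner, no governance)
    vulnerable - in the CMDB but missing an EDR agent, never scanned, or
                 carrying open CVEs
    good       - in the CMDB, agent present, scanned with zero open CVEs
    stale      - in the CMDB but not seen by any discovery source
    """
    buckets = {"good": set(), "bad": set(), "vulnerable": set(), "stale": set()}
    for asset in discovered | set(cmdb):
        if asset not in cmdb:
            buckets["bad"].add(asset)
        elif asset not in discovered:
            buckets["stale"].add(asset)
        # An unscanned asset defaults to 1 so unknown posture counts as exposed.
        elif asset not in agents or findings.get(asset, 1) > 0:
            buckets["vulnerable"].add(asset)
        else:
            buckets["good"].add(asset)
    return buckets


def metrics(discovered, cmdb, agents, findings):
    """Coverage and compliance indicators as fractions in [0, 1]."""
    authorized = set(cmdb)
    return {
        "discovery_coverage": len(discovered & authorized) / len(authorized),
        "agent_coverage": len(discovered & agents) / len(discovered),
        "patch_compliance": sum(findings.get(a) == 0 for a in discovered) / len(discovered),
        "inventory_accuracy": len(discovered & authorized) / len(discovered | authorized),
    }


if __name__ == "__main__":
    seen = DHCP_LEASES | CLOUD_INSTANCES
    for name, members in classify(seen, CMDB, EDR_AGENTS, VULN_FINDINGS).items():
        print(f"{name:10s} {sorted(members)}")
    print(metrics(seen, CMDB, EDR_AGENTS, VULN_FINDINGS))
```

Unauthorized device detection time is the one indicator left out, since it needs the timestamp of each feed's first sighting rather than a snapshot.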
Building visibility isn’t a one-time project; it’s an engineering discipline. Organizations that rigorously execute the fundamentals of inventory, validation, and control elevate their maturity from reactive defense to proactive assurance. In the end, your defenses are only as strong as your ability to see every asset, every change, and every risk in real time.