Safeguard 2.2 builds on inventory management by enforcing the principle that only approved and supported software should exist within the enterprise environment. Unauthorized or unmaintained applications can become significant liabilities, often introducing unpatched vulnerabilities or violating licensing and compliance obligations. This safeguard requires organizations to classify all software as either authorized or unauthorized, ensuring that only software meeting business, technical, and security standards is permitted to execute. Unsupported or end-of-life software must either be upgraded, isolated with compensating controls, or documented through a formal exception process. The objective is to remove uncertainty—security teams should always know which software is trusted and which is prohibited. Enforcing this standard eliminates many attack vectors, including outdated plug-ins, freeware utilities, and legacy applications that persist unnoticed long after their business purpose has expired.
Operationalizing this safeguard involves combining policy, automation, and governance. Policies should clearly define criteria for approval, such as vendor reputation, update frequency, and alignment with enterprise architecture. Technical enforcement may use application allowlisting, group policy settings, or endpoint protection tools to block execution of unauthorized code. Software asset management platforms can integrate with vulnerability scanners to detect unsupported applications automatically, prompting administrators to take action. Documentation of exceptions, along with associated risk acceptance statements, ensures transparency and accountability. Routine reviews—monthly for larger organizations—verify that authorization statuses remain accurate and that decommissioned software has been removed. Over time, this disciplined approach not only strengthens security but also improves performance, standardizes environments, and reduces maintenance costs. Limiting execution to authorized software represents a powerful example of proactive defense: by narrowing the attack surface before adversaries strike, organizations achieve resilience through control rather than reaction.
Produced by BareMetalCyber.com, where you’ll find more cyber audio courses, books, and information to strengthen your educational path. Also, if you want to stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use, and a daily podcast you can commute with.
Episode Transcript
Asset Discovery Methods, where we continue exploring the first CIS Control by focusing on how to find and track every device that connects to your environment. Discovery is the engine that keeps your asset inventory accurate, comprehensive, and trustworthy. Without it, you risk relying on outdated or incomplete records that leave unseen vulnerabilities waiting to be exploited. This episode explains the major discovery approaches available—from passive listening to cloud integrations—and how to combine them into a continuous, low-friction process that gives you full visibility across your enterprise.
(00:37):
The goal of asset discovery is to balance accuracy, coverage, and efficiency. Accuracy ensures that discovered devices are correctly identified, categorized, and associated with real owners. Coverage ensures that no segment of your environment, whether on-premises or cloud, goes unmonitored. Efficiency keeps the process lightweight so it does not overwhelm systems or administrators. The best programs achieve near-real-time awareness without disrupting network performance. A mature discovery program runs quietly in the background, identifying changes as they happen and feeding verified data directly into the authoritative asset inventory.
Passive network listening is one of the oldest and most reliable discovery methods. It involves deploying sensors or network taps that observe traffic flowing across switches, routers, or firewalls. These devices listen for patterns—such as MAC addresses, hostnames, or operating system fingerprints—to detect systems communicating on the network. Passive discovery offers the advantage of zero intrusion (01:17):
it does not send packets or require credentials. However, it only detects assets that generate traffic, so silent or offline devices may be missed. Used alongside active scans, it provides valuable coverage, especially in dynamic or sensitive environments where probing is discouraged.
(01:59):
Dynamic Host Configuration Protocol, or D H C P, lease logs are another rich source of discovery data. Every time a device connects to a network and requests an IP address, it leaves a trace in D H C P records. Collecting and analyzing these lease logs allows you to identify new or transient systems automatically. Reservations and lease durations can reveal devices that appear frequently or rarely, offering clues about their roles and legitimacy. Integrating D H C P data into your asset management workflow provides a continuous, low-cost feed of discoveries with timestamps that help track how long each device remains active on the network.
(02:40):
Switch tables and wireless controllers extend this visibility to network infrastructure. Switches record which MAC addresses are active on each port, and wireless controllers log connected devices and signal strength. Polling this information through simple network management protocols provides near-real-time awareness of physical connections. By combining switch and wireless data with D H C P logs, you can pinpoint exactly where each device connects and whether it belongs there. This capability is especially useful for identifying rogue access points, unauthorized hubs, or devices that appear in unexpected physical locations.
(03:18):
Mobile Device Management, or M D M, platforms create another discovery layer for phones, tablets, and laptops. Enrollment lists from these systems show all registered devices, their users, and compliance status. M D M data helps fill the gap left by traditional network scanning, since many mobile devices operate over cellular networks rather than internal Wi-Fi. Integrating these enrollment lists ensures that mobile endpoints, even those connecting remotely, remain visible within your enterprise asset inventory. This inclusion prevents blind spots caused by the growing number of personal and remote devices accessing business resources.
(03:58):
Cloud environments require specialized discovery methods that connect directly to provider interfaces. Most major cloud platforms—such as Amazon Web Services, Microsoft Azure, and Google Cloud—offer application programming interfaces, or A P Is, that list accounts, instances, and services. These A P Is can feed real-time data into your asset inventory, allowing you to detect new virtual machines, storage buckets, or network components as they appear. Because cloud assets can spin up or down in minutes, automated A P I-based discovery is essential for maintaining visibility. This process also helps verify that all accounts follow corporate policy and that shadow resources are identified before they accumulate risk.
(04:43):
Directory joins and certificate enrollments offer subtle but powerful discovery opportunities. Whenever a device joins an Active Directory domain or requests a security certificate, it leaves a verifiable record. Monitoring these events provides confirmation that assets are connecting through authorized channels. Directory and certificate data can also highlight systems that authenticate incorrectly or fail to renew credentials, signaling potential misconfigurations or unauthorized access. Incorporating these logs into your discovery process adds depth by linking network presence with identity management records, enriching both accuracy and traceability.
(05:22):
Vulnerability scanners play a dual role in discovery and validation. Authenticated scans—those that log into systems—can gather hardware identifiers, operating systems, and configurations. Even unauthenticated sweeps reveal live hosts and open ports. Scheduling these scans regularly ensures that dormant or unmanaged devices do not persist unnoticed. Because scanners typically operate on a set schedule, their results complement real-time methods like D H C P or A P I feeds. When their data is merged into your inventory, each new scan refreshes and verifies the completeness of your asset list, closing gaps that passive methods might miss.
(06:04):
Merging, deduplicating, and normalizing identifiers is how you turn raw discovery data into a usable inventory. Different tools describe the same asset in different ways—by IP address, MAC address, serial number, or hostname. Automated reconciliation rules combine these fragments into single, authoritative records. Normalization ensures that device types and naming conventions remain consistent. Deduplication removes clutter, preventing one system from appearing multiple times under slightly different identifiers. Together, these steps transform fragmented data streams into an organized, trustworthy source of truth.
(06:43):
Scheduling daily delta scans with alerting mechanisms keeps your visibility continuous. Delta scans focus only on changes—new devices appearing, old ones disappearing, or attributes that have shifted. Alerts notify administrators immediately when unauthorized assets surface or when known systems go missing. These daily updates make the inventory a living document that reflects the current environment rather than last month’s state. Automation at this stage reduces manual effort and ensures that no significant change goes unnoticed between full reconciliations.
(07:18):
When unknown devices appear, an investigation and quarantine process ensures they do not pose undue risk. The procedure should begin by verifying network source, ownership, and purpose. If the device is legitimate, assign it to an owner and add it to the inventory. If not, isolate it from production networks until its origin is confirmed. Quarantining unknown assets prevents potential compromise while allowing investigation to proceed safely. Document each incident, including disposition and lessons learned, so future detections can be handled faster and with greater precision.
(07:54):
A comprehensive discovery process uses multiple data sources to ensure nothing is overlooked while minimizing overhead. Selecting the right combination depends on your scale, architecture, and available tools. Begin small—perhaps with D H C P logs and periodic scans—and expand toward automation and integration as maturity grows. By layering passive, active, and cloud-based methods, you create a continuous, self-correcting system that maintains an accurate inventory of enterprise assets. With this visibility firmly established, you are ready to explore how Control 2 extends these principles into the software realm, ensuring that the applications running on your assets are just as well-managed as the devices themselves.
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.