NCSC Asset Management Guidance


Endpoint Central helps implement the NCSC asset management guidelines:

Asset management is not explicitly listed among the five controls in the UK Cyber Essentials. However, the NCSC emphasizes that effective asset management is crucial to successfully implementing all five controls. It also advises that asset management and cybersecurity should be approached together, not as separate activities.

In the latest update of Cyber Essentials (Version 3.1), the NCSC has highlighted the importance of asset management. The NCSC also has a detailed guide explaining how effective asset management can significantly enhance an organization's cybersecurity posture.

The table below demonstrates how Endpoint Central is built to enable effective asset management. Each entry lists the theme, the NCSC description (as given on the NCSC website), and how Endpoint Central comes into the picture.

Theme: Risk Management

NCSC description: Understanding and managing cyber risk depends on assets being accounted for. If assets are allowed to slip under the radar, it will not be apparent if appropriate security controls are missing, resulting in unmanaged risks.

How Endpoint Central comes into the picture: Endpoint Central has a vulnerability age matrix and a vulnerability severity summary, which provide rich insights into patch implementation. It also provides comprehensive reports on vulnerable systems and missing patches across your IT estate.

For information systems, Endpoint Central provides risk-based vulnerability management so that admins can prioritize vulnerabilities based on metrics such as CVSS score, CVE impact type, patch availability, and more.

Theme: Managing legacy

NCSC description: All software and hardware eventually becomes out of date. Continuing to use products beyond that point involves increased risk or increased costs to mitigate those risks. Asset management can help organizations identify when systems will reach the end of support and plan. Our Obsolete products guidance can help further with managing legacy assets.

How Endpoint Central comes into the picture: Endpoint Central helps admins track high-risk software, such as outdated software, peer-to-peer software, and unsecure remote-sharing software, and eliminate it.

Endpoint Central can also scan for devices that are incompatible with Windows 11 and help management plan hardware upgrades.

For a detailed write-up on how Endpoint Central helps with managing and securing legacy devices, refer here.

Theme: Identity and Access Management

NCSC description: Being able to identify users and devices is necessary in order to implement an effective identity and access management system. Asset management can help ensure all users and devices have unique identities, and can also help identify resources that need access controls applied. See our Introduction to identity and access management for more detail.

How Endpoint Central comes into the picture: Endpoint Central enables organizations to adopt the principle of least privilege, offering robust endpoint privilege management. This includes application-specific privilege controls and just-in-time access for end users.

It enforces conditional access policies to ensure that only authorized users can access critical business systems and sensitive data.

For IT administrators and security operations teams, Endpoint Central enhances console security through role-based access control (RBAC) and multi-factor authentication (MFA).

Theme: Vulnerability and patch management

NCSC description: One of the best defenses possible for cyber systems is to ensure they don't contain known vulnerabilities, as these are easy attack points. Having accurate information on hardware and software assets provides the basis for ensuring available updates are applied and knowing where to scan for vulnerabilities. It's also useful to be able to quickly answer questions such as "does vulnerability X affect us?" whenever high impact vulnerabilities are announced. Please see our Vulnerability management and Vulnerability Scanning Tools and Services guidance for more information on this topic.

How Endpoint Central comes into the picture: Endpoint Central provides comprehensive vulnerability management, with continuous assessment and visibility of threats from a single console. Beyond assessment, it also provides built-in remediation of the vulnerabilities detected.

For all information systems, Endpoint Central provides risk-based vulnerability management so that admins can prioritize vulnerabilities based on metrics such as CVSS score, CVE impact type, patch availability, and more.

Theme: Monitoring

NCSC description: Some threats cannot be prevented, so it's important that you have the ability to detect and investigate potential compromises, subsequently mitigating any threats. An effective monitoring capability depends on having access to the right data. Asset management can help you identify relevant data sources and enrichment information that may be needed for your monitoring capability. Our Introduction to logging for security purposes and Logging and protective monitoring guidance can help further.

How Endpoint Central comes into the picture: Endpoint Central has comprehensive reporting capabilities. Apart from providing deep insights into the endpoint estate, these can also be used for governance and auditing purposes.

For auditing critical computers that host sensitive applications, User Logon reports help admins track users' access to critical endpoints.

Endpoint Central also provides detailed audit reports containing access requests for popular blacklisted applications.

The DPO Dashboard offers rich insights into BitLocker status, vulnerable system status, firewall status, and more.

Theme: Incident management, response, and recovery

NCSC description: Knowing your assets and determining which are most critical to your organization helps you plan for, respond to, and recover from incidents. By ensuring nothing important is missed and having the right information available, you will be able to act quickly and minimise disruption.

How Endpoint Central comes into the picture: Endpoint Central can quarantine endpoints that exhibit suspicious behavior; after a thorough forensic analysis, they can be released back into production.

Theme: Others

NCSC description: Most business operations depend on some aspect of asset management. This includes IT operations, financial accounting, managing software licenses, procurement, and logistics. While they may not all need the same information, there will be some overlap and dependencies between the respective requirements. The security aspect should not be considered in isolation or as the primary consumer of asset information, so integrating and coordinating asset management across your organization will help reduce or manage any conflicts between these functions.

How Endpoint Central comes into the picture: With Endpoint Central, admins can analyze how long and how often software is used. With these insights, they can make informed decisions on software purchases and identify peak usage trends in their IT estate.

Endpoint Central has a license management feature to assess whether you have adequate software licenses for your users.

It also lets admins keep tabs on soon-to-expire and expired software licenses.

This table lists the cyber security considerations that, according to the NCSC, should be taken into account when designing an asset management system. For each component we give the NCSC description (as given on the NCSC website) and how Endpoint Central is designed to achieve effective asset management.

Component: Asset discovery

NCSC description: Use tools to scan your environment for new, modified or removed assets on a regular or continuous basis. This helps to maintain an accurate inventory of your assets and could be used to detect unauthorised changes to your environment.

How Endpoint Central comes into the picture: Endpoint Central uses its agents to fetch complete details of the inventory present in your IT estate.

Refer to the types of inventory scans Endpoint Central uses to monitor your IT estate.

Admins can configure Inventory Alerts to be notified of any unauthorized changes taking place inside the IT network.

Component: Authoritative source of information

NCSC description: Maintain a record of assets that everyone agrees reflects the environment. Consider normalising and consolidating asset information to avoid duplication and make it more accessible. This ensures that collected information can be used effectively by all stakeholders, and does not require additional effort to validate.

How Endpoint Central comes into the picture: Endpoint Central has comprehensive reporting capabilities. Apart from providing deep insights into the endpoint estate, these can also be used for governance and auditing purposes.

Component: Accurate source of information

NCSC description: Asset information should be collected regularly to ensure it is kept up to date and a 'confidence' score or 'last seen' timestamp recorded, to reflect how stale or uncertain the information is. It may be appropriate to collect server information once a week because changes are infrequent, but desktop information may be needed once a day for configuration accounting or vulnerability management.

How Endpoint Central comes into the picture: Computers managed by Endpoint Central report to their server every 90 minutes, whenever a user logs on, and whenever the endpoint is turned on.

For a comprehensive status of their endpoint estate, admins can schedule the inventory scan at whatever interval suits them.

The inventory details cover desktops, laptops, servers, mobile devices, IoT devices, and more.

Component: Availability of asset information

NCSC description: Ensure asset information is made accessible to support the relevant use cases in your organisation. A Configuration Management Database (CMDB) could be a significant component in your asset management solution, however this may need to be supported by a range of tools to facilitate the collection, processing, storage and use of asset data across your organisation. This ensures that collected asset information can be used productively.

How Endpoint Central comes into the picture: Endpoint Central integrates seamlessly with ManageEngine ServiceDesk Plus, which augments and enriches Endpoint Central's asset management capability.

Component: Human factors

NCSC description: The asset management process should accommodate the needs of users across your organization and account for human factors such as usability and accessibility. A pragmatic approach may be necessary to avoid excessive bureaucracy. Using asset information to streamline business processes may help incentivise users to fully engage in the asset management process. This helps ensure that the accuracy of asset information is not diminished as a result of users finding workarounds and resorting to shadow IT.

How Endpoint Central comes into the picture: Endpoint Central leverages the principle of least privilege and has a robust endpoint privilege management capability, providing application-specific privilege management and just-in-time access for end users.

It has conditional access policies that validate authorized users before they can access business-critical systems and data.

Component: Automation

NCSC description: Automated mechanisms should be used to update asset records wherever practical. Ideally, tools should record asset information in response to changes in the environment instead of detecting changes after they've happened. New projects should be encouraged to incorporate automated asset management from the start, to avoid technical debt as systems develop or get abandoned over time. This helps ensure accurate records are maintained and updates are less likely to be missed or forgotten, while also reducing the ongoing cost and effort required.

How Endpoint Central comes into the picture: Admins can configure Inventory Alerts to be notified of any unauthorized changes taking place inside the IT network.

Component: Completeness

NCSC description: Ensure all assets are accounted for by the asset management process. This should include physical, virtual and cloud resources, along with your organisation's Internet presence, in the form of social media accounts, domain name registrations, IP address spaces and digital certificates. This helps avoid any assets not being configured with the appropriate security controls and is required for compliance and vulnerability scanning.

How Endpoint Central comes into the picture: Endpoint Central integrates seamlessly with ManageEngine ServiceDesk Plus, which augments and enriches Endpoint Central's asset management capability.

Endpoint Central can also integrate with ITAM solutions such as ManageEngine Asset Explorer.

Component: Comprehensive visibility

NCSC description: Identify how your organisation will use asset information and ensure sufficient details about your assets are collected to support these use cases. For example, knowing versions for all the software installed on your machines helps identify a much wider range of vulnerabilities than just knowing the operating system version. Where certain details may be difficult or costly to capture, consider whether these could be captured less frequently or retrospectively, alongside other mitigations such as network separation. This helps ensure that asset data can be used effectively and does not become unusable as a result of gaps in collection.

How Endpoint Central comes into the picture: Endpoint Central's asset collection is comprehensive. As the description requires, it collects the versions of the software installed across the network.

Beyond identifying vulnerabilities, it can also deploy patches for more than 1,000 software applications.

Component: Change detection

NCSC description: Ensure changes in asset information are recorded and use multiple data sources to identify inconsistencies. For example, a newly spotted device on the network with no corresponding device management enrolment. This helps to identify unauthorised changes to your environment and helps in the investigation of security incidents.

How Endpoint Central comes into the picture: Admins can configure Inventory Alerts to be notified of any unauthorized changes taking place inside the IT network.

Endpoint Central's Scope of Management serves as the single source of truth for all computers managed in your IT estate. When a computer is added to or deleted from your Active Directory or Workgroup, admins can configure settings to be notified of the change.
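The two NCSC points above, a 'confidence' score or 'last seen' timestamp per record (Accurate source of information) and cross-checking several data sources to spot a device on the network that has no enrolment record (Change detection), can be put into one small reconciliation routine. The script below is an added example, not Endpoint Central or NCSC code. It assumes two constructed sources keyed by MAC address, a device-management enrolment list (hostname plus last agent check-in) and a network discovery scan (IP plus last time seen), a hypothetical naming convention in role_of, and per-role refresh intervals taken from the NCSC's weekly-for-servers, daily-for-desktops example.

```python
"""Reconcile two asset data sources and score how fresh each record is.

Added example, not code from Endpoint Central or the NCSC. It assumes two
constructed sources: a device-management enrolment list (hostname plus last
agent check-in) and a network discovery scan (IP plus last time seen), both
keyed by MAC address, and a per-role refresh interval.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the sample data is reproducible (constructed value).
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)

# Constructed enrolment records: MAC -> (hostname, last agent check-in).
ENROLLED = {
    "aa:bb:cc:00:00:01": ("fin-laptop-01", NOW - timedelta(minutes=45)),
    "aa:bb:cc:00:00:02": ("hr-desktop-07", NOW - timedelta(days=3)),
    "aa:bb:cc:00:00:03": ("db-server-02", NOW - timedelta(hours=20)),
}

# Constructed discovery-scan records: MAC -> (IP address, last seen).
DISCOVERED = {
    "aa:bb:cc:00:00:01": ("10.0.1.21", NOW - timedelta(minutes=10)),
    "aa:bb:cc:00:00:03": ("10.0.2.5", NOW - timedelta(minutes=5)),
    "aa:bb:cc:00:00:09": ("10.0.1.77", NOW - timedelta(minutes=2)),
}

# Expected collection interval per role, following the NCSC note that
# server data may be refreshed weekly while desktops need daily collection.
REFRESH_INTERVAL = {"server": timedelta(days=7), "endpoint": timedelta(days=1)}


def role_of(hostname: str) -> str:
    """Hypothetical naming convention: anything with 'server' in it is a server."""
    return "server" if "server" in hostname else "endpoint"


def confidence(last_seen: datetime, interval: timedelta, now: datetime = NOW) -> float:
    """1.0 while the record is within its interval, decaying linearly to 0.0
    once the record is twice as old as the interval allows."""
    age = now - last_seen
    if age <= interval:
        return 1.0
    overdue_fraction = (age - interval) / interval
    return max(0.0, 1.0 - overdue_fraction)


@dataclass
class Finding:
    mac: str
    kind: str    # "unregistered", "stale" or "missing_from_network"
    detail: str


def reconcile(enrolled: dict, discovered: dict, now: datetime = NOW) -> list:
    """Cross-check the two sources and return the inconsistencies found."""
    findings = []
    # Devices on the wire with no enrolment record (the NCSC's own example).
    for mac, (ip, _seen) in discovered.items():
        if mac not in enrolled:
            findings.append(Finding(mac, "unregistered",
                                    f"{ip} seen by discovery scan, no enrolment record"))
    # Enrolled devices whose record is stale, or that discovery never saw.
    for mac, (host, checkin) in enrolled.items():
        score = confidence(checkin, REFRESH_INTERVAL[role_of(host)], now)
        if score < 1.0:
            findings.append(Finding(mac, "stale",
                                    f"{host} last checked in {now - checkin} ago, confidence {score:.2f}"))
        if mac not in discovered:
            findings.append(Finding(mac, "missing_from_network",
                                    f"{host} is enrolled but was not seen by the discovery scan"))
    return findings


if __name__ == "__main__":
    for f in reconcile(ENROLLED, DISCOVERED):
        print(f"{f.kind:22} {f.mac}  {f.detail}")
```

Run as-is it reports the unknown device 10.0.1.77 as unregistered, and hr-desktop-07 as both stale (three days old against a one-day interval, so confidence 0.00) and missing from the network scan; the server, on a weekly interval, is still fully trusted at 20 hours. Feeding real exports from a management console and a network scanner into the two dictionaries is the only change needed.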

Component: Confidentiality

NCSC description: Consider the sensitivity of asset data collected. Apply appropriate protections and access restrictions, while ensuring relevant use cases are supported. For example, all users should be able to look up the assets they are responsible for, but arbitrary bulk queries should be prevented. Consider monitoring access to asset data for possible signs of reconnaissance. This ensures that asset data can be used effectively for a range of use cases while making it hard for potential attackers to find useful information.

How Endpoint Central comes into the picture: Enterprises can leverage Endpoint Central's RBAC capabilities. A separate administrator can be allocated to the asset management module in Endpoint Central, with access to the remaining modules disabled.

Similarly, admins and technicians who have access to other modules of Endpoint Central can be restricted from accessing the asset management module.
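RBAC limits who may open the asset module; the NCSC point about monitoring access to asset data for signs of reconnaissance is a separate detection step. The script below is an added example, not Endpoint Central code, of that monitoring: it reads access-log lines for an asset database and raises one alert when a single query returns an unusually large number of rows and another when one user touches more distinct assets within a sliding window than a normal lookup pattern would. The log format (timestamp, user, action, asset, rows), the sample lines and both thresholds are constructed for the example; a real product logs differently and the thresholds need tuning against your own baseline.

```python
"""Flag bulk or enumeration-style queries against an asset database.

Added example, not Endpoint Central code. It assumes a constructed access-log
format (timestamp, user, action, asset, rows returned) and two hypothetical
thresholds; real products log differently and thresholds need tuning.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One log line per query; the format is an assumption for this example.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"asset=(?P<asset>\S+) rows=(?P<rows>\d+)$"
)

WINDOW = timedelta(minutes=5)      # sliding window per user
MAX_DISTINCT_ASSETS = 10           # more distinct assets than this per window
MAX_ROWS_SINGLE_QUERY = 100        # one query returning more rows than this


def parse(line: str):
    """Return the parsed event as a dict, or None for a malformed line."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["rows"] = int(ev["rows"])
    return ev


def detect(lines):
    """Return (kind, user, detail) alerts for bulk pulls and enumeration."""
    alerts = []
    recent = defaultdict(deque)   # user -> deque of (timestamp, asset)
    already_flagged = set()       # one enumeration alert per user
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue   # malformed lines are skipped, not silently matched
        if ev["rows"] > MAX_ROWS_SINGLE_QUERY:
            alerts.append(("bulk_query", ev["user"],
                           f"{ev['rows']} rows returned by a single {ev['action']}"))
        window = recent[ev["user"]]
        window.append((ev["ts"], ev["asset"]))
        # Drop events that have aged out of the sliding window.
        while window and ev["ts"] - window[0][0] > WINDOW:
            window.popleft()
        distinct = {asset for _, asset in window}
        if len(distinct) > MAX_DISTINCT_ASSETS and ev["user"] not in already_flagged:
            already_flagged.add(ev["user"])
            alerts.append(("enumeration", ev["user"],
                           f"{len(distinct)} distinct assets queried within {WINDOW}"))
    return alerts


def sample_log():
    """Constructed log lines (not real data) exercising each rule."""
    base = datetime(2024, 6, 10, 9, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = [
        # alice looks up the two machines she is responsible for: normal.
        f"{base.strftime(fmt)} user=alice action=lookup asset=fin-laptop-01 rows=1",
        f"{(base + timedelta(minutes=1)).strftime(fmt)} user=alice action=lookup asset=fin-laptop-02 rows=1",
        "garbage line that does not match the format",
    ]
    # bob walks through twelve different hosts in under two minutes.
    for i in range(12):
        t = base + timedelta(minutes=2, seconds=10 * i)
        lines.append(f"{t.strftime(fmt)} user=bob action=lookup asset=host-{i:02d} rows=1")
    # carol pulls 500 rows in one export.
    t = base + timedelta(minutes=6)
    lines.append(f"{t.strftime(fmt)} user=carol action=export asset=* rows=500")
    return lines


if __name__ == "__main__":
    for kind, user, detail in detect(sample_log()):
        print(f"{kind:12} {user:8} {detail}")
```

On the constructed sample, alice's two lookups of her own machines raise nothing, bob is flagged once for enumeration at his eleventh distinct host, and carol's 500-row export is flagged as a bulk query. The per-user deque keeps memory bounded to one window of events, and the already_flagged set stops a single walk through the estate from producing an alert per line.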

Component: Registration before use

NCSC description: Asset information should be collected before, or at the time of, first use. This may be enforced through process and detection capabilities. For example, certificate identities should only be issued for registered assets, preventing unregistered devices from authenticating to other systems. This reduces the risk of shadow IT being created by making it hard for unregistered assets to enter and persist in your environment.

How Endpoint Central comes into the picture: Endpoint Central's Scope of Management serves as the single source of truth for all computers managed in your IT estate. When a computer is added to or deleted from your Active Directory or Workgroup, admins can configure settings to be notified of the change.

Endpoint Central has provisions for registering and managing BYOD devices.

Component: Asset classification

NCSC description: Consider defining and using categories to classify assets. This should be aligned with your risk management approach. For example, classifying systems based on the sensitivity of information they process, or whether they support critical business functions. This can help identify relevant security controls for each asset and monitoring for compliance with security policies.

How Endpoint Central comes into the picture: Endpoint Central has multiple ways of classifying assets:

Endpoint Central's Custom Group feature enables admins to logically segregate critical systems as they see fit so that they can manage and secure them effectively.

Another way is classifying them based on system health policies: whether they are healthy, vulnerable, or highly vulnerable.

Endpoint Central's System Quarantine feature can quarantine systems based on OS patches, software installed or uninstalled, vulnerabilities detected, and so on.
