Unmanaged devices pose a significant challenge for many organizations. These devices can be anything connected to a network but not actively managed by IT or security. These assets usually aren't captured in an asset inventory and can take many forms, such as shadow IT, rogue assets, and orphaned assets. Because security teams struggle to discover them, these devices fly under the radar and create potential footholds into a network.
What could happen if these devices are left unmanaged? Let's take a look at five reasons why you should care about unmanaged devices.
Reason 1: Unmanaged devices are often the first foothold for attackers.
Attackers often scan the network for any outliers: machines that have lower patch levels, unusual services running on ports, and unique pieces of software not found on the rest of the network. These outliers are great entry points for an attack because they tend to be more easily exploitable, are less likely to have security controls, and if orphaned, don't have anybody managing them. Identifying unmanaged devices to either update or decommission them is a great way to reduce your attack surface and mitigate risk.
Reason 2: Unmanaged devices hinder incident investigations.
Analysts in a security operations center (SOC) need to work through alerts quickly and efficiently. In one case, an analyst received an alert that an internal IP address was communicating with a known-bad IP address, specifically a command-and-control (C2) server. However, neither the SIEM nor the CMDB had any record of that IP on the network, and neither did the vulnerability management or endpoint detection and response (EDR) consoles. The device turned out to be an IP camera that had been compromised by malware because it was still using default credentials. With an asset inventory that tracks Internet of Things (IoT) devices, the analyst could have quickly resolved this incident. They could also have found other devices of the same make and model and checked whether those were using default credentials too.
Reason 3: Accidental network bridges bypass firewalls.
In another case, a critical manufacturing line was shut down due to ransomware. Investigations showed that a rogue device had bridged from the IT to the OT network, enabling attackers to bypass a firewall that had been put in place to segment the networks. The security team lacked visibility into network bridges of unmanaged devices, which is why the issue wasn't identified ahead of time.
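The bridge described above is detectable from inventory data alone: a device with one interface in the IT address space and another in the OT address space is a candidate bridge. The following is an added example, not code from the article or from runZero; the zone prefixes, device records and the allowlist of sanctioned dual-homed devices are constructed for illustration.

```python
# Added example: flag devices whose interfaces sit in both the IT and the OT
# address space, i.e. candidate accidental network bridges.
# Zone prefixes and device records are constructed; they are not real networks.
import ipaddress

# Assumed segmentation policy: which prefixes belong to which zone.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("192.168.100.0/24"),
           ipaddress.ip_network("192.168.101.0/24")],
}

# Constructed discovery output: one record per device, one or more interfaces each.
DEVICES = [
    {"name": "hmi-01", "interfaces": [
        {"mac": "00:11:22:33:44:01", "ip": "192.168.100.10"}]},
    {"name": "eng-laptop-7", "interfaces": [
        {"mac": "00:11:22:33:44:02", "ip": "10.10.5.23"},
        {"mac": "00:11:22:33:44:03", "ip": "192.168.100.77"}]},
    {"name": "file-srv-2", "interfaces": [
        {"mac": "00:11:22:33:44:04", "ip": "10.10.1.5"}]},
    {"name": "it-ot-fw", "interfaces": [          # the sanctioned segmentation firewall
        {"mac": "00:11:22:33:44:05", "ip": "10.10.0.1"},
        {"mac": "00:11:22:33:44:06", "ip": "192.168.100.1"}]},
    {"name": "unknown-9c", "interfaces": [        # no hostname, no owner
        {"mac": "00:11:22:33:44:07", "ip": "10.10.9.200"},
        {"mac": "00:11:22:33:44:08", "ip": "192.168.101.3"}]},
]

# Devices that are allowed to straddle both zones (assumed allowlist).
SANCTIONED_DUAL_HOMED = frozenset({"it-ot-fw"})


def zone_of(ip):
    """Map an IP address to its zone name, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return None


def zones_for_device(device):
    """Set of zones a device has at least one interface in."""
    return {z for z in (zone_of(i["ip"]) for i in device["interfaces"]) if z}


def find_bridges(devices, zone_a="IT", zone_b="OT", allowlist=frozenset()):
    """Names of devices with an interface in both zones, minus the allowlist.

    A hit is evidence, not proof: a dual-homed host may be a sanctioned
    gateway, which is what the allowlist is for. Everything else should be
    traced to an owner or removed from one of the two segments.
    """
    return sorted(
        d["name"] for d in devices
        if d["name"] not in allowlist and {zone_a, zone_b} <= zones_for_device(d)
    )


if __name__ == "__main__":
    for name in find_bridges(DEVICES, allowlist=SANCTIONED_DUAL_HOMED):
        print("candidate IT/OT bridge:", name)
```

Running the check without an allowlist surfaces the firewall as well, which is the right behaviour for a first pass: the allowlist should be built from reviewed hits, not assumed. Devices that appear with a hostname but no owner (here `unknown-9c`) are the ones to chase first.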
Reason 4: Rogue devices complicate governance of security controls.
Proper governance dictates that every device has security controls. It's impossible to figure out coverage gaps without knowing all of the devices on the network. To zero in on your gaps, you need to start with a full asset inventory. Then, you can overlay data from your security controls and look for assets in the inventory that the controls don't know about. A common gap to look for is Windows machines missing CrowdStrike (or whichever EDR agent you use).
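The overlay described in Reason 4, and the alert lookup and make/model pivot from Reason 2, are the same operation on the same data: join the inventory against what each console knows. The following is an added example, not code from the article or from runZero; the inventory records, the per-tool coverage sets and the field names are constructed assumptions standing in for exports from a discovery tool, CMDB, EDR and vulnerability scanner.

```python
# Added example: correlate a constructed asset inventory with the security
# tools that have a record of each asset. All records and source names below
# are constructed; they are not real hosts or real product exports.

# Unified inventory, e.g. the output of an unauthenticated discovery pass.
# "os", "make" and "model" would come from fingerprinting.
INVENTORY = [
    {"ip": "10.10.1.5",   "hostname": "file-srv-2",   "os": "Windows",  "make": None,      "model": None},
    {"ip": "10.10.5.23",  "hostname": "eng-laptop-7", "os": "Windows",  "make": None,      "model": None},
    {"ip": "10.10.7.40",  "hostname": "hr-pc-11",     "os": "Windows",  "make": None,      "model": None},
    {"ip": "10.10.2.9",   "hostname": "build-01",     "os": "Linux",    "make": None,      "model": None},
    {"ip": "10.10.30.14", "hostname": None,           "os": "Embedded", "make": "AcmeCam", "model": "IPC-200"},
    {"ip": "10.10.30.15", "hostname": None,           "os": "Embedded", "make": "AcmeCam", "model": "IPC-200"},
    {"ip": "10.10.30.16", "hostname": None,           "os": "Embedded", "make": "AcmeCam", "model": "IPC-350"},
]

# Per-tool coverage: the IPs each console has a record for (constructed).
COVERAGE = {
    "cmdb":      {"10.10.1.5", "10.10.5.23", "10.10.7.40", "10.10.2.9"},
    "edr":       {"10.10.1.5", "10.10.5.23"},
    "vuln_mgmt": {"10.10.1.5", "10.10.5.23", "10.10.7.40", "10.10.2.9"},
}


def enrich_alert_ip(ip, inventory=INVENTORY, coverage=COVERAGE):
    """Reason 2: given the internal IP from a SOC alert, return the inventory
    record (if any) and which tools already know about that address."""
    asset = next((a for a in inventory if a["ip"] == ip), None)
    known_to = sorted(tool for tool, ips in coverage.items() if ip in ips)
    return {"asset": asset, "known_to": known_to}


def same_make_model(asset, inventory=INVENTORY):
    """Reason 2 follow-up: other assets of the same make and model, so the
    same default-credential exposure can be checked across all of them."""
    if not asset or not asset["make"]:
        return []
    key = (asset["make"], asset["model"])
    return sorted(a["ip"] for a in inventory
                  if a is not asset and (a["make"], a["model"]) == key)


def coverage_gaps(inventory=INVENTORY, coverage=COVERAGE, tool="edr", os_filter="Windows"):
    """Reason 4: inventory assets the given tool has no record of.

    With os_filter="Windows" and tool="edr" this is the "Windows machines
    missing the EDR agent" report; with os_filter=None and tool="cmdb" it
    lists everything discovery found that the CMDB never knew existed.
    """
    return sorted(
        a["ip"] for a in inventory
        if (os_filter is None or a["os"] == os_filter) and a["ip"] not in coverage[tool]
    )


if __name__ == "__main__":
    hit = enrich_alert_ip("10.10.30.14")          # the IP from the C2 alert
    print("alerting asset:", hit["asset"], "known to:", hit["known_to"])
    print("same make/model:", same_make_model(hit["asset"]))
    print("Windows hosts without EDR:", coverage_gaps())
    print("assets unknown to the CMDB:", coverage_gaps(tool="cmdb", os_filter=None))
```

The alerting camera resolves to an inventory record even though no console has it, which is exactly the situation the analyst in Reason 2 faced without such a record; the `same_make_model` pivot gives the list of peers to check next. The `coverage_gaps` call with `os_filter=None` is the broadest form of the Reason 4 overlay and is usually the first report worth scheduling.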
Reason 5: End-of-life devices are potentially vulnerable.
Manufacturers often no longer provide functional and security fixes for these end-of-life (EOL) devices, making them much riskier and more difficult to secure if something goes wrong. If unmanaged devices are not inventoried, security teams are unable to get ahead of potential risks and issues. In addition, finance teams benefit from knowing which devices are fully depreciated and when a new budget is required to replace them.
Solving for Unmanaged Devices
Solving for unmanaged devices starts with a full asset inventory that delivers in-depth details about every asset on your network, managed and unmanaged alike. Building that inventory requires active, unauthenticated discovery, which assumes no prior knowledge of the network-connected devices, such as credentials for authenticating to devices and endpoints. Instead, it relies on research-driven discovery capabilities to find and surface every network-connected asset, whether managed or unmanaged. This approach can be complemented through integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices.
Getting a handle on unmanaged assets is critical for any security program, and with a solution built around active, unauthenticated discovery, finding your unmanaged assets will finally be possible.
About the Author
Chris Kirsch started his career at an InfoSec startup in Germany and has since worked for PGP, nCipher, Rapid7, and Veracode. He has a passion for OSINT and social engineering. In 2017, he earned the Black Badge for winning the Social Engineering Capture the Flag competition at DEF CON, the world's largest hacker conference. Currently, Chris is the CEO of runZero (www.runzero.com), a cyber-asset management company he co-founded with Metasploit creator HD Moore.