How runZero finds unmanaged devices on your network

, by Pearce Barry
icon

Unmanaged assets are connected to the network, but lack an identified owner and may exist outside the visibility of those responsible for the network. These devices can pose real security risks to a company or organization for numerous reasons, such as running older vulnerable operating systems or software, using insecure protocols, or having nefarious intent. Plus, they can be difficult to discover or locate, sometimes using unmanaged subnets within a network.

Arising from both intentional and inadvertent situations, unmanaged assets can be classified into several categories, including:

  • Orphaned - Assets that lost their original owner but are still present on the network
  • Shadow IT - Devices/systems that are connected to the network without permission

Transient devices, such as portable, mobile, or IoT devices that “come and go” on the internal network, including bring your own device (BYOD), might be better categorized as “unmanageable” rather than “unmanaged” and can also be easily discovered via runZero scanning.

Let’s take a look at how runZero is able to locate unmanaged devices on your networks.

Peek under the hood of our scan engine

At runZero, we intentionally built our offering around unauthenticated, active scanning, while complementing our technology through integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices. To start, let’s dig into our scanning capabilities. Our built-from-the-ground-up scanning logic in runZero Explorers and scanners will reach out to elicit a response from devices connected to the network. Replies received from our scan traffic are then captured for processing.

Benefits to our approach

No prior knowledge required: Our active, unauthenticated scanning approach doesn’t assume any “prior knowledge” of network-connected devices (e.g., credentials to authenticate into devices, deployed agents on managed devices, etc.), rather our network discovery capabilities are research-driven to find-and-surface every network-connected asset, whether managed or unmanaged.

Highly configurable: Our scans allow you to go beyond basic subnet and speed settings. You can tune scans for specific ports or protocols that you want to know about, which can help quickly locate unmanaged devices that are running unsafe or company-prohibited protocols.

Standard packets: All of our scanning packets, including probes and port/service querying, is done using standard packets to keep things safe. We never send malformed or otherwise unusual packets.

Research driven: We use applied research to maximize scan result discoveries while still utilizing a “safe approach” for interacting with devices. This helps avoid any unexpected or unwanted side effects that are sometimes seen with other active scanning solutions, particularly when scanning ICS/OT and other traditionally sensitive devices/endpoints.

Comprehensive inventory of internal assets

A comprehensive asset inventory is not complete unless you know about the assets that aren’t managed by your organization. Here are some ways that runZero can help you zero in on assets you may not know about.

See your RFC 1918 coverage

runZero’s scans can help surface unmanaged subnets in your internal network, which may harbor a bunch of unmanaged devices. Our RFC 1918 scan capability can cover the entire IPv4 internal network address space (more than 21 million addresses), checking all potential places unmanaged devices could be hiding in your network. We’ve also developed a “subnet sampling” option as an informed approach to focus on statistically-likely-to-have-devices subnets so that the RFC 1918 scan runs in shorter time while still providing good coverage.

The interactive RFC 1918 coverage report presents discovered data in an easy-to-consume layout to show which subnets have been scanned, and includes additional data for unscanned subnets which might be active based on devices leaking secondary network interface information. This report allows you to “drill down” into subnets by clicking them to view discovered asset details within an address block.

runZero scan report

Find unmapped assets

Unmanaged devices on your network can also surface in runZero as an unmapped asset. An unmapped asset is a MAC address connected to a switch, but not found in an ARP cache or through any of the other techniques runZero uses for remote MAC address discovery. Unmapped assets could be unmanaged assets, but could also be managed assets that were not included in the scope of a particular scan. You can get a visual overview of where unmapped assets appear on your network via the switch topology report, with each switch showing the number of assets (including unmapped assets) attached to it. A single click on a switch with unmapped assets will bring up a “View unmapped assets” link to the associated unmapped MACs report, which provides MAC details and the switch port the asset is connected to. This is potentially helpful for further investigation.

runZero report switch topology

Search for devices missing agents in runZero

runZero uses applied research to identify other agent technologies that may be required on assets managed by your company or organization. You can find unmanaged assets that are missing these agents via runZero inventory queries. The following query example will surface any Windows assets on the network that are not running an Avast agent:

os:Windows and not edr.name:Avast

You can also search for unauthorized operating systems or applications on your network, which can be indicative of an unmanaged asset. For example, if all or your Windows systems are only allowed to be running Windows 11 or Windows Server 2022, you can create a query to surface any potentially unmanaged Windows assets not running these recent versions:

os:Windows and not (os:"Windows 11" or os:"Windows Server 2022")

Track unmanaged assets with tags

Tags are another runZero mechanism that can be used to surface unmanaged assets and also help “keep on top of” current asset ownership. This requires a bit of work up front to tag all managed assets, but requires little maintenance once in place.

Stay on top of unmanaged assets with alerts

Alerts are a powerful way to leverage queries into timely notifications in-app or via email or webhook. For example, we can build alerts for any of the queries used in this article. Rules are checked when a scan completes, and for any rule that evaluates as “true”, an alert can be generated. Check out our “Tracking asset ownership with tags” article to learn how to set up an alert rule.

Comprehensive inventory of external assets

Internal networks aren’t the only places unmanaged devices may exist. A public-facing web server could become orphaned, or a bad actor could DNS spoof/hijack a lesser-used company domain to redirect traffic to a phishing site they control. With just a domain name or ASN number set in the scan configuration, runZero can resolve the associated external-facing URLs and IP addresses to scan. And our hosted zone scanners can seamlessly run the scan, removing the step of installing an external-facing Explorer.

Uncovering unmanaged assets through integrations

At runZero, we understand the power of “better together”, and our development teams have been busy adding support for many product and service integrations. Some of these integrations can be leveraged to surface unmanaged assets in your network.

For example, let’s say your organization uses SentinelOne on all managed macOS assets. One day an employee connects their personal MacBook to the corporate network without authorization: a macOS device without SentinelOne installed. You can create a runZero inventory query to surface this asset (and any others like it):

os:macOS and not source:SentinelOne

As another example, let’s say your company uses Microsoft Intune on all managed Windows 10 and Windows 11 assets. You can create a runZero inventory query to surface any Windows 10 or Windows 11 assets connected to your network that are not known by your Intune integration:

((os:"Windows 10" or os:"Windows 11") and not source:Intune

Prefer to surface your runZero-discovered assets, managed and unmanaged, via another tool? We offer integrations for several popular services, including ServiceNow and Splunk, allowing you to leverage the power of runZero’s best-in-class discovery and asset fingerprinting with other applications.

Zero unmanaged assets

Getting a handle on unmanaged assets is important, but it can feel like “one more thing” to do in an already-lengthy list of responsibilities. At runZero, we’ve done our homework through research and development to make finding your unmanaged network assets quick and easy.

Get runZero for free

Do you know about the unmanaged assets on your network? Find them with runZero.

Get started
Join our team

Similar Content

November 22, 2022

CISA BOD 23-01 requires asset visibility and vulnerability detection as foundational requirements

CISA released the BOD 23-01 in an effort to stengthen the national security posture with new asset inventory and vulnerability management requirements. Read more for our take on these requirements and see how runZero can help you comply.

November 3, 2022

Which discovery approach works best for unmanaged devices?

Unmanaged devices are the Achilles heel of any asset inventory. Shadow IT, rogue, or orphaned devices are easy targets for the adversary to gain potential footholds onto the network. Which discovery approaches are the most effective at finding unmanaged devices?

October 18, 2022

Why unmanaged devices are a challenge for IT and security programs

Why do unmanaged devices matter? We discuss the importance of knowing about the unmanaged devices on your network, highlight some issues stemming from unmanaged devices, and how runZero can help you find them.