How runZero finds unmanaged devices on your network


Unmanaged assets are connected to the network, but lack an identified owner and may exist outside the visibility of those responsible for the network. These devices can pose real security risks to a company or organization for numerous reasons, such as running older vulnerable operating systems or software, using insecure protocols, or having nefarious intent. Plus, they can be difficult to discover or locate, sometimes using unmanaged subnets within a network.

Arising from both intentional and inadvertent situations, unmanaged assets can be classified into several categories, including:

  • Orphaned - Assets that lost their original owner but are still present on the network
  • Shadow IT - Devices/systems that are connected to the network without permission

Transient devices, such as portable, mobile, or IoT devices that “come and go” on the internal network, including bring your own device (BYOD), might be better categorized as “unmanageable” rather than “unmanaged” and can also be easily discovered via runZero scanning.

Let's take a look at how runZero is able to locate unmanaged devices on your networks.

Peek under the hood of our scan engine #

At runZero, we intentionally built our offering around unauthenticated, active scanning, while complementing our technology through integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices. To start, let's dig into our scanning capabilities. Our built-from-the-ground-up scanning logic in runZero Explorers and scanners will reach out to elicit a response from devices connected to the network. Replies received from our scan traffic are then captured for processing.

Benefits to our approach #

No prior knowledge required: Our active, unauthenticated scanning approach doesn’t assume any “prior knowledge” of network-connected devices (e.g., credentials to authenticate into devices, deployed agents on managed devices, etc.), rather our network discovery capabilities are research-driven to find-and-surface every network-connected asset, whether managed or unmanaged.

Highly configurable: Our scans allow you to go beyond basic subnet and speed settings. You can tune scans for specific ports or protocols that you want to know about, which can help quickly locate unmanaged devices that are running unsafe or company-prohibited protocols.

Standard packets: All of our scanning packets, including probes and port/service querying, is done using standard packets to keep things safe. We never send malformed or otherwise unusual packets.

Research driven: We use applied research to maximize scan result discoveries while still utilizing a “safe approach” for interacting with devices. This helps avoid any unexpected or unwanted side effects that are sometimes seen with other active scanning solutions, particularly when scanning ICS/OT and other traditionally sensitive devices/endpoints.

Comprehensive inventory of internal assets #

A comprehensive asset inventory is not complete unless you know about the assets that aren't managed by your organization. Here are some ways that runZero can help you zero in on assets you may not know about.

See your RFC 1918 coverage #

runZero’s scans can help surface unmanaged subnets in your internal network, which may harbor a bunch of unmanaged devices. Our RFC 1918 scan capability can cover the entire IPv4 internal network address space (more than 21 million addresses), checking all potential places unmanaged devices could be hiding in your network. We’ve also developed a “subnet sampling” option as an informed approach to focus on statistically-likely-to-have-devices subnets so that the RFC 1918 scan runs in shorter time while still providing good coverage.

The interactive RFC 1918 coverage report presents discovered data in an easy-to-consume layout to show which subnets have been scanned, and includes additional data for unscanned subnets which might be active based on devices leaking secondary network interface information. This report allows you to “drill down” into subnets by clicking them to view discovered asset details within an address block.

runZero scan report

Find unmapped assets #

Unmanaged devices on your network can also surface in runZero as an unmapped asset. An unmapped asset is a MAC address connected to a switch, but not found in an ARP cache or through any of the other techniques runZero uses for remote MAC address discovery. Unmapped assets could be unmanaged assets, but could also be managed assets that were not included in the scope of a particular scan. You can get a visual overview of where unmapped assets appear on your network via the switch topology report, with each switch showing the number of assets (including unmapped assets) attached to it. A single click on a switch with unmapped assets will bring up a “View unmapped assets” link to the associated unmapped MACs report, which provides MAC details and the switch port the asset is connected to. This is potentially helpful for further investigation.

runZero report switch topology

Search for devices missing agents in runZero #

runZero uses applied research to identify other agent technologies that may be required on assets managed by your company or organization. You can find unmanaged assets that are missing these agents via runZero inventory queries. The following query example will surface any Windows assets on the network that are not running an Avast agent:

os:Windows and not

You can also search for unauthorized operating systems or applications on your network, which can be indicative of an unmanaged asset. For example, if all or your Windows systems are only allowed to be running Windows 11 or Windows Server 2022, you can create a query to surface any potentially unmanaged Windows assets not running these recent versions:

os:Windows and not (os:"Windows 11" or os:"Windows Server 2022")

Track unmanaged assets with tags #

Tags are another runZero mechanism that can be used to surface unmanaged assets and also help “keep on top of” current asset ownership. This requires a bit of work up front to tag all managed assets, but requires little maintenance once in place.

Stay on top of unmanaged assets with alerts #

Alerts are a powerful way to leverage queries into timely notifications in-app or via email or webhook. For example, we can build alerts for any of the queries used in this article. Rules are checked when a scan completes, and for any rule that evaluates as “true”, an alert can be generated. Check out our “Tracking asset ownership with tags” article to learn how to set up an alert rule.

Comprehensive inventory of external assets #

Internal networks aren’t the only places unmanaged devices may exist. A public-facing web server could become orphaned, or a bad actor could DNS spoof/hijack a lesser-used company domain to redirect traffic to a phishing site they control. With just a domain name or ASN number set in the scan configuration, runZero can resolve the associated external-facing URLs and IP addresses to scan. And our hosted zone scanners can seamlessly run the scan, removing the step of installing an external-facing Explorer.

Uncovering unmanaged assets through integrations #

At runZero, we understand the power of “better together”, and our development teams have been busy adding support for many product and service integrations. Some of these integrations can be leveraged to surface unmanaged assets in your network.

For example, let’s say your organization uses SentinelOne on all managed macOS assets. One day an employee connects their personal MacBook to the corporate network without authorization: a macOS device without SentinelOne installed. You can create a runZero inventory query to surface this asset (and any others like it):

os:macOS and not source:SentinelOne

As another example, let’s say your company uses Microsoft Intune on all managed Windows 10 and Windows 11 assets. You can create a runZero inventory query to surface any Windows 10 or Windows 11 assets connected to your network that are not known by your Intune integration:

((os:"Windows 10" or os:"Windows 11") and not source:Intune

Prefer to surface your runZero-discovered assets, managed and unmanaged, via another tool? We offer integrations for several popular services, including ServiceNow and Splunk, allowing you to leverage the power of runZero’s best-in-class discovery and asset fingerprinting with other applications.

Zero unmanaged assets #

Getting a handle on unmanaged assets is important, but it can feel like “one more thing” to do in an already-lengthy list of responsibilities. At runZero, we’ve done our homework through research and development to make finding your unmanaged network assets quick and easy.

Written by Pearce Barry

More about Pearce Barry
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Life at runZero
Employee Spotlight: James McNulty
James is our website manager and dynamic SEO strategist! Read on to learn about James' journey on the Marketing team at runZero!
Product Release
Introducing the customizable dashboard, Wiz integration, and more!
Introducing the customizable dashboard, Wiz Integration, and other Q2 2024 enhancements to the runZero Platform.
Product Release
How to integrate your SIEM platform with runZero to create an actionable asset inventory
Learn how to combine runZero's real-time asset inventory with SIEM exports for comprehensive asset tracking and historical data analysis..
runZero Insights
Celebrating Women’s History Month with trailblazers & innovators
It’s Women’s History Month! runZero is celebrating all month long by highlighting innovative women who have been technological trailblazers.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved