Which discovery approach works best for unmanaged devices?


Unmanaged devices are the Achilles heel of any asset inventory. Shadow IT, rogue, and orphaned devices are easy targets that can give an adversary a foothold on the network.

The obvious question is: which discovery approaches are the most effective at finding unmanaged devices?

Why are unmanaged assets harder to find?

First, we need to examine why unmanaged devices are so difficult to find. Let’s break it down:

  • Shadow IT devices: DevOps teams spin up machines without central governance, so knowledge of these devices does not propagate to the rest of the organization. Many discovery approaches need inputs to know where to look, and those inputs never arrive.
  • Rogue devices: As the name suggests, someone intended for these devices to remain under the radar and evade standard discovery techniques. Otherwise, they would only have remained rogue for a short time.
  • Orphaned devices: Many discovery approaches require tuning or fresh inputs to keep the inventory current. Without caretakers to ensure the necessary calibration, orphaned devices become unmanaged assets that fall out of the asset inventory if they were ever there in the first place.

What has been tried and failed

So what are the traditional approaches to finding assets, and why do they fall short?

Endpoint agent (or just “agent”)

This approach requires installing software on every device, which then gathers excellent detail. It only works with managed IT assets: if you can install software on a device, the device is known and probably managed. So this approach does not address the bane of asset inventory: unmanaged assets.

Authenticated scans

This active scanning methodology uses one or more scanners to log into every device that responds within an IP range. Once logged in (typically via SSH or WMI), the scanner gathers excellent detail about the device. Similar to the previous method, the device is known and probably managed if you already know the credentials to get on it. So, once again, this approach only really works with managed IT assets.

Passive network monitor

This technique deploys one or more appliances on a network to eavesdrop on network traffic, including chatter from unmanaged assets. The setup requires sending network traffic to the appliance(s), either by reconfiguring one or more switches to span or by inserting one or more taps into the network. Where in the network you make these changes matters. Eavesdropping at a network “choke point” is ideal since it ensures visibility into all traffic. Unfortunately, for all the work involved, you get little detail. If an asset rarely talks on the network or is terse, there’s little data to work with, leading to imprecise or inaccurate fingerprinting. As more devices encrypt traffic, the fingerprinting accuracy gets worse.

API import

Solutions that generate asset inventories from API imports do not discover assets independently. They rely on the rest of the security and IT stack to cobble together an inventory. Completeness and accuracy depend on data quality from those sources. API import solutions will miss unmanaged assets and produce vague fingerprinting.

Unauthenticated scans

This final approach uses one or more scanners to actively scan for information from every device within an IP range. Unlike authenticated scans, these scanners do not attempt to log in to machines. Unauthenticated scans can discover unmanaged assets, even without prior knowledge. Since it’s an active scan rather than a passive monitor, it can interrogate the devices to gather much more information for accurate fingerprinting. The one shortcoming of this approach lies with sensitive devices. These assets tend to be older or low-powered, often found in operational technology (OT) environments, and may be disrupted by aggressive scanning.

New reasons for an old problem

So which approach works best for unmanaged assets? First, it’s worthwhile to understand how this state of asset inventory came to be. There was a time when security just needed to protect the corporate office. Over the past 20 years, the following trends began or intensified, leading to a divergence of environments. Some of these environments teem with unmanaged assets. Others permit the deployment of unmanaged assets. Still others allow assets to become unmanaged more easily.

  • More IoT devices: Network-enabled cameras and smart speakers are recent phenomena.
  • Convergence of IT and OT: OT networks have been overlaid onto IP networks to improve manageability and, in many cases, come under the purview of IT.
  • Move to the cloud: Many organizations see the cloud as a transformational journey to lower cost and increase speed & agility.
  • Rise of DevOps: Software development and operations teams have adopted a methodology of shared ownership, automation-at-scale, and rapid feedback, resulting in dynamic attack surfaces, particularly in the cloud. Unfortunately, there isn’t always governance in this area.
  • More M&As: In each year of the 2010s, there were more than 2x as many large M&As as in each year of the 2000s.[1] When you take on a new company, you take on all its unknowns and risks too.
  • Work from home: Pressures around talent shortage gave rise to a growing WFH trend that compounded due to the pandemic.

Against this backdrop of divergence of environments, there has been a convergence of responsibilities onto security teams. During this same time, organizations have improved their security posture around managed IT assets in on-prem environments. Assets outside this scope have become more attractive targets.

What works

Given these challenges, let's look at the approaches that work most effectively.

Start with unauthenticated scans

Unauthenticated scanning is the only possible starting point–inherent limitations in the other four disqualify them as options. If only we could use an unauthenticated active scanning approach that avoids disrupting sensitive devices.

Mix in a security research-based approach

The missing ingredient is to couple a well-designed scanner with a security research-based approach. Such a recipe conducts discovery from the perspective of the adversary, someone who actively avoids disrupting devices and leaving digital footprints during recon. The scanner must use properly formatted packets, which gives the best chance of “good” behavior from a device, and it must allow tuning of scan parameters, including the overall and per-host scan rate. Just as important, the scanner must fingerprint as it scans, adapting the scan behavior as it learns asset details.
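To make the interplay of overall rate, per-host rate, and fingerprint-driven adaptation concrete, here is an added example (not runZero's code) that plans probe send times without touching the network. The function names, the `"ot"` class label, the rates, and the sample hosts are all assumptions made for illustration.

```python
import heapq
from collections import deque

def schedule_probes(targets, overall_pps, per_host_pps, fingerprint, class_pps):
    """Plan send times for probes under an overall and a per-host rate cap.

    targets: {host: [port, ...]}; fingerprint(host, port) returns a device
    class (or None) learned from that probe's response; class_pps maps a
    class to the slower per-host rate used once the class is known.
    Returns [(send_time_seconds, host, port)] in send order.
    """
    queues = {h: deque(ports) for h, ports in targets.items() if ports}
    host_pps = {h: per_host_pps for h in queues}
    # Heap of (earliest time this host may be probed again, tie-break, host).
    ready = [(0.0, i, h) for i, h in enumerate(queues)]
    heapq.heapify(ready)
    overall_next, plan = 0.0, []
    while ready:
        host_next, i, host = heapq.heappop(ready)
        t = max(overall_next, host_next)       # both caps must allow the send
        port = queues[host].popleft()
        plan.append((t, host, port))
        overall_next = t + 1.0 / overall_pps
        # Adapt as we learn: a recognised sensitive class slows this host only.
        device_class = fingerprint(host, port)
        if device_class in class_pps:
            host_pps[host] = min(host_pps[host], class_pps[device_class])
        if queues[host]:
            heapq.heappush(ready, (t + 1.0 / host_pps[host], i, host))
    return plan

# Constructed sample: two hosts, same port list; the stand-in fingerprint
# labels 10.0.0.20 as "ot" once its Modbus/TCP port (502) has been probed.
TARGETS = {"10.0.0.10": [22, 80, 502, 443], "10.0.0.20": [22, 80, 502, 443]}

def sample_fingerprint(host, port):
    return "ot" if (host, port) == ("10.0.0.20", 502) else None

def sample_plan():
    return schedule_probes(TARGETS, overall_pps=4, per_host_pps=2,
                           fingerprint=sample_fingerprint,
                           class_pps={"ot": 0.5})

if __name__ == "__main__":
    for t, host, port in sample_plan():
        print(f"{t:5.2f}s  {host}:{port}")
```

In the sample plan, the host labelled as OT gets its last probe two seconds after the previous one, while the other host keeps its original pace.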

Zero unmanaged assets

This unauthenticated scan and security research-based approach has proven practicable in thousands upon thousands of real-world networks distributed over various environments: IT, IoT, OT, cloud, and remote. Start a runZero trial to see for yourself.

Written by Huxley Barbee

Huxley Barbee is a former Security Evangelist at runZero. He spent over 20 years as a software engineer and security consultant, previously working for Cisco, Sparkpost, and Datadog. Huxley attended his first DEF CON in 1999, and holds both CISSP and CISM certifications. Huxley is also an organizer of BSidesNYC.

© Copyright 2024 runZero, Inc. All Rights Reserved