Which discovery approach works best for unmanaged devices?

by Huxley Barbee

Unmanaged devices are the Achilles' heel of any asset inventory. Shadow IT, rogue, and orphaned devices are easy targets that can give an adversary a foothold on the network.

The obvious question is: which discovery approaches are the most effective at finding unmanaged devices?

Why are unmanaged assets harder to find?

First, we need to examine why unmanaged devices are so difficult to find. Let’s break it down:

  • Shadow IT devices: DevOps teams spin up machines without central governance. Many discovery approaches need inputs to know where to look, so knowledge of these devices never propagates to the rest of the organization.
  • Rogue devices: As the name suggests, someone intended these devices to stay under the radar and evade standard discovery techniques. Otherwise, they would have remained rogue for only a short time.
  • Orphaned devices: Many discovery approaches require tuning or fresh inputs to keep the inventory current. Without a caretaker to perform that calibration, orphaned devices become unmanaged assets that drop out of the asset inventory, if they were ever in it in the first place.

What has been tried and failed

So what are the traditional approaches to finding assets, and why do they fall short?

Endpoint agent (or just “agent”)

This approach requires installing software on every device, and that software gathers excellent detail. The method only works with managed IT assets: if you can install software on a device, the device is already known and probably managed. So this approach does not address the bane of asset inventory: unmanaged assets.

Authenticated scans

This active scanning methodology uses one or more scanners to log into every device that responds within an IP range. Once logged in (typically via SSH or WMI), the scanner gathers excellent detail about the device. Similar to the previous method, the device is known and probably managed if you already know the credentials to get on it. So, once again, this approach only really works with managed IT assets.

Passive network monitor

This technique deploys one or more appliances on a network to eavesdrop on network traffic, including chatter from unmanaged assets. The setup requires sending network traffic to the appliance(s), either by reconfiguring one or more switches to span ports or by inserting one or more taps into the network. Where in the network you make these changes matters: eavesdropping at a network "choke point" is ideal, since it ensures visibility into all traffic. For all the work involved, you unfortunately get little detail. If an asset rarely talks on the network, or is terse when it does, there is little data to work with, leading to imprecise or inaccurate fingerprinting. As more devices encrypt their traffic, fingerprinting accuracy gets worse.

API import

Solutions that generate asset inventories from API imports do not discover assets independently. They rely on the rest of the security and IT stack to cobble together an inventory. Completeness and accuracy depend on data quality from those sources. API import solutions will miss unmanaged assets and produce vague fingerprinting.

Unauthenticated scans

This final approach uses one or more scanners to actively scan for information from every device within an IP range. Unlike authenticated scans, these scanners do not attempt to log in to machines. Unauthenticated scans can discover unmanaged assets, even without prior knowledge. Since it’s an active scan rather than a passive monitor, it can interrogate the devices to gather much more information for accurate fingerprinting. The one shortcoming of this approach lies with sensitive devices. These assets tend to be older or low-powered, often found in operational technology (OT) environments, and may be disrupted by aggressive scanning.

New reasons for an old problem

So which approach works best for unmanaged assets? First, it is worth understanding how this state of asset inventory came to be. There was a time when security only needed to protect the corporate office. Over the past 20 years, the following trends started or intensified, leading to a divergence of environments. Some of these environments teem with unmanaged assets. Others permit the deployment of unmanaged assets. Still others allow assets to become unmanaged more easily.

  • More IoT devices: Network-enabled cameras and smart speakers are recent phenomena.
  • Convergence of IT and OT: OT networks have been overlaid onto IP networks to improve manageability and, in many cases, come under the purview of IT.
  • Move to the cloud: Many organizations see the cloud as a transformational journey to lower cost and increase speed & agility.
  • Rise of DevOps: Software development and operations teams have adopted a methodology of shared ownership, automation-at-scale, and rapid feedback resulting in dynamic attack surfaces, particularly in the cloud. Unfortunately, there isn’t always governance in this area.
  • More M&As: Each year in the 2010s saw more than twice as many large M&As as each year in the 2000s [1]. When you take on a new company, you take on all of its unknowns and risks too.
  • Work from home: Pressures around talent shortage gave rise to a growing WFH trend that compounded due to the pandemic.

Against this backdrop of divergence of environments, there has been a convergence of responsibilities onto security teams. During this same time, organizations have improved their security posture around managed IT assets in on-prem environments. Assets outside this scope have become more attractive targets.

What works

Given these challenges, let’s look at the approaches that will work the most effectively.

Start with unauthenticated scans

Unauthenticated scanning is the only possible starting point: the inherent limitations of the other four approaches disqualify them as options. What is needed is an unauthenticated active scanning approach that avoids disrupting sensitive devices.

Mix in a security research-based approach

The missing ingredient is to couple a well-designed scanner with a security research-based approach. Such a recipe conducts discovery from the perspective of the adversary, someone who actively avoids disrupting devices and leaving digital footprints during recon. The scanner must use properly formatted packets, which gives the best chance of "good" behavior from a device, and it must allow tuning of scan parameters, including the overall and per-host scan rate. Just as important, the scanner must fingerprint as it scans, adapting its scan behavior as it learns asset details.
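The two scanner properties described in this section and the previous one (a tunable overall and per-host scan rate, and scan behavior that adapts as early fingerprinting classifies a host as fragile) can be illustrated with a small probe scheduler. This is an added simulation, not runZero's code: the host responses, probe names and rate values are constructed for the example, and "probes" are only labels placed on a timeline, nothing is sent on the network.

```python
"""Adaptive probe scheduler: per-host rate and probe set tighten as the first
response suggests a fragile (OT or embedded) device. Illustration only."""
from dataclasses import dataclass, field

# Constructed first-probe responses for four hosts (hypothetical sample data).
SAMPLE_RESPONSES = {
    "10.0.0.5":  {"ttl": 128, "banner": "Microsoft-IIS/10.0"},
    "10.0.0.9":  {"ttl": 64,  "banner": "OpenSSH_8.9"},
    "10.0.0.20": {"ttl": 255, "banner": "Modbus/TCP"},  # looks like an OT controller
    "10.0.0.31": {"ttl": 30,  "banner": ""},            # terse embedded device
}
SENSITIVE_MARKERS = ("modbus", "bacnet", "dnp3", "s7comm")

# Hypothetical follow-up probe names per class: fragile classes get fewer, gentler probes.
FOLLOWUPS = {
    "it-host":   ["tcp-syn-sweep", "http-get", "tls-hello", "snmp-get"],
    "embedded":  ["tcp-syn-sweep", "snmp-get"],
    "ot-device": ["icmp-echo"],
}
INTERVAL_MS = {"it-host": 50, "embedded": 500, "ot-device": 2000}  # per-host spacing

@dataclass
class HostState:
    cls: str
    pending: list = field(default_factory=list)  # probes still to send
    next_ok: int = 0                             # earliest ms for the next probe
    sent: list = field(default_factory=list)     # (ms, probe) actually sent

def classify(resp):
    """Rough fingerprint from the first response; drives rate and probe choice."""
    banner = resp.get("banner", "").lower()
    if any(m in banner for m in SENSITIVE_MARKERS):
        return "ot-device"
    if not banner and resp.get("ttl", 0) <= 32:
        return "embedded"
    return "it-host"

def schedule(responses, global_rate=10, horizon_ms=4000):
    """Simulate one scan window; at most one probe per global tick."""
    hosts = {ip: HostState(classify(r), list(FOLLOWUPS[classify(r)]))
             for ip, r in responses.items()}
    step = 1000 // global_rate
    for clock in range(0, horizon_ms, step):
        for h in hosts.values():
            if h.pending and clock >= h.next_ok:
                h.sent.append((clock, h.pending.pop(0)))
                h.next_ok = clock + INTERVAL_MS[h.cls]
                break  # global rate: one probe per tick, then move on
    return {ip: h.sent for ip, h in hosts.items()}
```

Running `schedule(SAMPLE_RESPONSES)` shows the IT hosts receiving their full probe set back to back, while the Modbus-looking host gets a single gentle probe and the embedded device has its two probes spaced 500 ms apart.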

Zero unmanaged assets

This unauthenticated scan and security research-based approach has proven practicable in thousands upon thousands of real-world networks distributed over various environments: IT, IoT, OT, cloud, and remote. Start a runZero trial to see for yourself.
