Why unmanaged devices are a challenge for IT and security programs
Unmanaged devices pose a significant challenge for many organizations. As the number of devices connecting to their networks increases, security and IT teams can easily lose sight of them. As a result, organizations end up with many devices flying under the radar, unprotected and offering potential footholds into the network.
Unmanaged devices can take many forms:
- Shadow IT: Imagine a developer’s test box set up with the permission of the engineering team but without central governance: the machine is not joined to Active Directory and receives no group policies, maintenance updates, or security controls. Because it doesn’t accept domain admin credentials, it’s off the radar for most CMDBs.
- Rogue devices: A rogue device may be a WiFi access point set up by an employee to get better wireless reception in their corner of the office. These are hard to detect because IT cannot install agents on them, and an authenticated scan won’t find them because the SNMP community strings won’t work on the device.
- Orphaned devices: These devices were once managed but have fallen off the radar, for example, an open-source web app run by a department that has since been superseded by a SaaS application but continues its zombie life without patching or oversight.
Asset inventory of unmanaged devices tends to be particularly difficult for Internet of Things (IoT) and operational technology (OT) devices, such as programmable logic controllers (PLCs) in a factory. In an enterprise environment, these devices include printers, IP phones and uninterruptible power supplies (UPS). These devices often don’t take centrally managed administrative credentials and don’t allow IT teams to install an agent on them. That’s why they are often not covered by the enterprise inventory database.
The efficacy of IT helpdesks is often measured by how many tickets they can service. Anything that slows down troubleshooting impacts not only that metric but also the productivity of users and entire departments. An IT helpdesk person recently shared that they were investigating a networking issue with spotty connectivity for some users. The root cause was a rogue device with a static IP address that conflicted with other devices receiving their addresses via DHCP in the same range. Without a good asset inventory, that investigation would have turned into a wild goose chase.
In another case, a critical manufacturing line was shut down due to ransomware. Investigations showed that a rogue device had bridged from the IT to the OT network, enabling attackers to bypass a firewall that had been put in place to segment the networks. The security team lacked visibility into network bridges of unmanaged devices, which is why the issue wasn’t identified ahead of time.
Analysts in a security operations center (SOC) need to work through alerts quickly and efficiently. In one case, an analyst received an alert that an internal IP address was communicating with a known-bad IP, specifically a command and control (C2) server. However, neither the SIEM nor the CMDB had any record of that internal IP on the network, nor did the vulnerability management or EDR consoles. The device turned out to be an IP camera that had been compromised by malware because it was using default credentials. With a good asset inventory that tracks IoT devices, the analyst would have resolved this incident faster and could also have found other devices of the same make and model to check whether they were using default credentials.
Proactive IT lifecycle programs look for devices on the network that are approaching their end-of-life (EOL) or are outside the warranty period, replacing them before they become an issue. Manufacturers often no longer provide functional and security fixes for these devices, making them riskier and more difficult to service if something goes wrong. If unmanaged devices are not inventoried, IT and security teams are unable to get ahead of potential risks and issues. In addition, finance teams benefit from knowing which devices are fully depreciated and when a new budget is required to replace them.
Carrying out updates and migrations of networks with a lot of shadow IT tends to be riskier because of potentially unknown applications and services. Having a full picture of all managed and unmanaged devices will de-risk the project because each part of the infrastructure can be planned and accounted for.
Proper governance dictates that you have security controls on every device. It’s impossible to figure out coverage gaps without knowing all of the devices on your network.
Once you have a full inventory of devices on your network, overlay the data from security controls and look for gaps, for example, finding all Windows machines missing CrowdStrike or other EDR systems. This can be a huge step in getting ahead of security issues.
Attackers often scan the network for any outliers: machines that have lower patch levels, unusual services running on ports, and unique pieces of software not found on the rest of the network. These typically become great entry points for an attack, because these machines tend to be more easily exploitable, are less likely to have security controls, and if orphaned, don’t have anybody minding the store. Identifying unmanaged devices to either update or decommission them is a great way to reduce your attack surface and mitigate risk.
Authenticated scans and agents are not effective for uncovering unmanaged devices because they require centrally managed credentials to scan or deploy, which are generally not available for rogue, IoT, and OT devices. The best solution is to use an unauthenticated scan as a baseline, then layer other information on top, such as data from your security controls consoles.
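The overlay described above, as an added example that is not runZero's code: a small reconciliation in Python that joins constructed unauthenticated-scan results against constructed EDR, CMDB, and DHCP lease data to list Windows hosts without an EDR agent, devices no inventory system knows about, and the static-address-in-a-DHCP-range case from the helpdesk story. Data sources, field names, and addresses are all assumptions made up for the example.

```python
import ipaddress

# Constructed sample of what an unauthenticated scan might report (hypothetical data).
SCAN_INVENTORY = [
    {"ip": "10.0.1.10", "mac": "00:11:22:aa:bb:01", "os": "Windows 10", "type": "workstation"},
    {"ip": "10.0.1.11", "mac": "00:11:22:aa:bb:02", "os": "Windows Server 2019", "type": "server"},
    {"ip": "10.0.1.12", "mac": "00:11:22:AA:BB:03", "os": "Windows 10", "type": "workstation"},
    {"ip": "10.0.1.40", "mac": "00:11:22:aa:bb:40", "os": "Linux (embedded)", "type": "ip camera"},
    {"ip": "10.0.1.41", "mac": "00:11:22:aa:bb:41", "os": "Unknown", "type": "printer"},
]

# Constructed exports from other consoles, keyed by MAC address.
EDR_CONSOLE = {"00:11:22:aa:bb:01", "00-11-22-AA-BB-02"}          # hosts with an EDR agent
CMDB = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:41"}  # known to the CMDB
DHCP_LEASES = {                                                        # ip -> mac from the DHCP server
    "10.0.1.10": "00:11:22:aa:bb:01", "10.0.1.11": "00:11:22:aa:bb:02",
    "10.0.1.12": "00:11:22:aa:bb:03", "10.0.1.41": "00:11:22:aa:bb:41",
}


def normalize_mac(mac):
    """Consoles disagree on MAC formatting; normalize before joining on it."""
    return mac.lower().replace("-", ":")


def edr_gaps(inventory, edr_macs):
    """Windows hosts seen on the network but absent from the EDR console."""
    covered = {normalize_mac(m) for m in edr_macs}
    return [a["ip"] for a in inventory
            if a["os"].startswith("Windows") and normalize_mac(a["mac"]) not in covered]


def unmanaged(inventory, cmdb_macs):
    """Assets on the wire that the inventory of record does not know about."""
    known = {normalize_mac(m) for m in cmdb_macs}
    return [a for a in inventory if normalize_mac(a["mac"]) not in known]


def static_in_dhcp_pool(inventory, pool, leases):
    """Assets inside the DHCP pool with no matching lease: likely a static address
    that can collide with DHCP-assigned ones."""
    net = ipaddress.ip_network(pool)
    return [a["ip"] for a in inventory
            if ipaddress.ip_address(a["ip"]) in net
            and leases.get(a["ip"]) != normalize_mac(a["mac"])]


if __name__ == "__main__":
    print("Windows hosts missing EDR:", edr_gaps(SCAN_INVENTORY, EDR_CONSOLE))
    print("Not in CMDB:", [a["ip"] for a in unmanaged(SCAN_INVENTORY, CMDB)])
    print("Static IPs inside DHCP pool:", static_in_dhcp_pool(SCAN_INVENTORY, "10.0.1.0/24", DHCP_LEASES))
```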
runZero offers free, professional, and enterprise plans to scan your network for unmanaged devices. It scales from home use to Fortune 50 companies. runZero uses a combination of unauthenticated, active scanning and integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices.
With runZero, you can:
- Identify rogue devices to accelerate IT troubleshooting
- Find accidental network bridges that bypass segmentation
- Conduct asset-centric incident investigations
- Find operating systems and networking devices that are EOL or out of warranty
- Plan your network upgrades and migrations
- Ensure great coverage for security controls
- Reduce your internal and external attack surface
You can try out runZero for free, with no credit card required, for 21 days and up to 50,000 devices. Try our free Starter Edition for up to 255 devices to get more visibility into your small business or home network.