Why unmanaged devices are a challenge for IT and security programs
Unmanaged devices pose a significant challenge for many organizations. As the number of devices connecting to their networks increase, security and IT teams can easily lose track and sight of these devices. As a result, organizations struggle with so many devices flying under the radar, leaving them unprotected and creating potential footholds into a network.
Unmanaged devices can take many forms:
- Shadow IT: Imagine a developer’s test box set up with permission of the engineering team but without central governance: The machine is not on the Active Directory, not getting group policies, maintenance updates, or security controls. Because it doesn’t allow access via domain admin passwords, it’s off the radar for most CMDBs.
- Rogue devices: Rogue devices may include a WiFi access point set up by an employee to get better wireless reception in their corner of the office. These are hard to detect because IT cannot install agents on them and doesn’t find them with an authenticated scan because SNMP strings won’t work on the device.
- Orphaned devices: These devices were once managed but have fallen off the radar, for example an open-source web app run by a department that has since been superseded by a SaaS application but is now continuing its zombie life without patching or oversight.
Asset inventory of unmanaged devices tends to be particularly difficult for Internet of Things (IoT) and operational technology (OT) devices, such as programmable logic controllers (PLCs) in a factory. In an enterprise environment, these devices include printers, IP phones and uninterruptible power supplies (UPS). These devices often don’t take centrally managed administrative credentials and don’t allow IT teams to install an agent on them. That’s why they are often not covered by the enterprise inventory database.
Rogue devices slow down IT troubleshooting
The efficacy of IT helpdesks is often measured by how many tickets they can service. Anything that slows down troubleshooting impacts, not only that metric, but also the productivity of users and entire departments. An IT helpdesk person recently shared that they were investigating a networking issue with spotty connectivity for some users. The root cause was a rogue device with a static IP address that conflicted with other devices that received their address via DHCP in the same range. Without good asset inventory, that investigation would have turned into a wild goose chase.
Accidental network bridges bypass firewalls
In another case, a critical manufacturing line was shut down due to ransomware. Investigations showed that a rogue device had bridged from the IT to the OT network, enabling attackers to bypass a firewall that had been put in place to segment the networks. The security team lacked visibility into network bridges of unmanaged devices, which is why the issue wasn’t identified ahead of time.
Unmanaged devices hinder incident investigations
Analysts in a security operations center (SOC) need to quickly and efficiently work through alerts. In one case, an analyst received an alert that an internal IP address was communicating with a known-bad IP, notably the command & control (C2) server. However, neither the SIEM nor the CMDB had any record of the bad/poor IP on the network, nor did the vulnerability management or EDR consoles. The device turned out to be an IP camera that had been compromised by malware because it was using default credentials. With good asset inventory that tracks IoT devices, the analyst would have saved time resolving this incident as well as been able to find other devices of the same make and model to check if they were using default credentials.
End-of-life devices are bad for uptime and potentially vulnerable
Proactive IT lifecycle programs look for devices on the network that are approaching their end-of-life (EOL) or are outside the warranty period, replacing the devices before they become an issue. Manufacturers often no longer provide functional and security fixes for these devices, making them much more risky and difficult to service if something goes wrong. If unmanaged devices are not inventoried, IT and security teams are unable to get ahead of potential risks and issues. In addition, finance teams benefit from knowing which devices are fully depreciated and when a new budget is required to replace them.
Shadow IT makes network updates and migrations more risky
Carrying out updates and migrations of networks with a lot of shadow IT tends to be riskier because of potentially unknown applications and services. Having a full picture of all managed and unmanaged devices will de-risk the project because each part of the infrastructure can be planned and accounted for.
Rogue devices complicate governance of security controls
Proper governance dictates that you have security controls on every device. It’s impossible to figure out coverage gaps without knowing all of the devices on your network.
Once you have a full inventory of devices on your network, overlay the data from security controls and look for gaps, for example, finding all Windows machines missing CrowdStrike or other EDR systems. This can be a huge step in getting ahead of security issues.
Unmanaged devices are often the first foothold for attackers
Attackers often scan the network for any outliers: machines that have lower patch levels, unusual services running on ports, and unique pieces of software not found on the rest of the network. These typically become great entry points for an attack, because these machines tend to be more easily exploitable, are less likely to have security controls, and if orphaned, don’t have anybody minding the store. Identifying unmanaged devices to either update or decommission them is a great way to reduce your attack surface and mitigate risk.
Unmanaged devices are best discovered with unauthenticated scanning
Authenticated scans and agents are not effective for uncovering unmanaged devices because they require centrally managed credentials to scan or deploy, which are generally not available for rogue, IoT, and OT devices. The best solution is to use an unauthenticated scan as a baseline, then layer other information on top, such as data from your security controls consoles.
runZero scans your network in minutes to identify unmanaged devices
runZero offers free, professional, and enterprise plans to scan your network for unmanaged devices. It scales from home use to Fortune 50 companies. runZero uses a combination of unauthenticated, active scanning and integrations with cloud, virtualization, and security infrastructure to provide full visibility into IT, OT, cloud, and remote devices.
With runZero, you can:
- Identify rogue devices to accelerate IT troubleshooting
- Find accidental network bridges that bypass segmentation
- Conduct asset-centric incident investigations
- Find operating systems and networking devices that are EOL or out of warranty
- Plan your network upgrades and migrations
- Ensure great coverage for security controls
- Reduce your internal and external attack surface
You can try out runZero for free–no credit card required–for 21 days and up to 50,000 devices. Try our free Starter Edition for up to 255 devices to get more visibility into your small business or home network.
Get runZero for free
Do you know about the unmanaged assets on your network? Find them with runZero.Get started
February 15, 2023
Get to full asset inventory by combining active scanning with API integrations - Part 5
A dual approach is the best way to make sure you meet the requirements outlined by CISA BOD 23-01. Learn why you need more than just API integrations, agent installs, or passive monitoring for compliance.
February 8, 2023
Why an integrations-only approach isn't enough for full asset inventory - Part 4
Your CAASM may not be enough to help you meet the requirements outlined by CISA BOD 23-01. Learn why you need more than just API integrations for compliance.
February 1, 2023
Passive flow monitoring is expensive and lacks depth for asset inventory - Part 3
Passiving monitoring solutions may not be enough to meet the requirements outlined by CISA BOD 23-01. Learn why you need to do more than sniff the network for compliance.