Unmanaged devices pose significant challenges for many organizations. These devices can be anything that is connected to the network but not actively managed by IT or security. These assets are not typically captured in asset inventories and can take many forms, including shadow IT, rogue assets, and orphaned assets. As security teams struggle to spot them, these devices fly under the radar, creating a potential foothold into your network.

What happens if these devices are left unmanaged? Let’s take a look at five reasons why you should pay attention to unmanaged devices.

Reason 1: Unmanaged devices are often the first stepping stone for attackers.

Attackers often scan networks looking for outliers: machines with low patch levels, unusual services running on ports, or unique software not found elsewhere in the network. These outliers are perfect entry points because they tend to be more easily exploited, are less likely to have security controls in place, and, when isolated, are not controlled by anyone. Identifying and updating or retiring unmanaged devices is a great way to reduce your attack surface and mitigate risk.

Reason 2: Unmanaged devices hamper incident investigations.

Security Operations Center (SOC) analysts need to process alerts quickly and efficiently. There have been cases where analysts received alerts that internal IP addresses were communicating with known bad IPs, specifically command and control (C2) servers. However, the SIEM and CMDB had no record of those IPs on the network, and neither did the vulnerability management or endpoint detection and response (EDR) consoles. The device turned out to be an IP camera that had been compromised by malware because it still used default credentials. With an asset inventory tracking Internet of Things (IoT) devices, analysts could have resolved this incident quickly. I was also able to find other devices that shared the same make and model and check whether they were using the default credentials.

Reason 3: An accidental network bridge bypasses the firewall.

In another case, a critical manufacturing line was shut down by ransomware. Investigation revealed that a rogue device bridged the IT network to the OT network, allowing the attacker to bypass the firewalls that had been put in place to segment the network. The security team was unaware of the unmanaged device’s network bridge, so the problem could not be identified in advance.

Reason 4: Rogue devices complicate security control governance.

Good governance requires security controls on all devices. Knowing your coverage gap is impossible without knowing all the devices on your network. To get the gap to zero, you need to start with a complete asset inventory. Then you can overlay data from your security controls and look for gaps in your inventory. A common check is to look for Windows machines that are missing CrowdStrike (or whichever EDR agent you use).
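The overlay described above, as an added example that is not from the original post or from runZero’s product: constructed discovery, CMDB and EDR records are joined to list devices absent from the CMDB and Windows hosts without an EDR agent, and the same inventory answers the “what is this internal IP?” question from Reason 2. All hosts, MACs and IPs are hypothetical sample data.

```python
"""Overlay a discovered-asset inventory with CMDB and EDR data to find gaps.

All records below are constructed sample data (hypothetical hosts), not
real devices or real console exports."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    os: str   # coarse OS family as fingerprinted by discovery
    mac: str


# Constructed output of an unauthenticated active discovery sweep.
DISCOVERED = [
    Asset("10.0.1.10", "fin-ws-01", "Windows", "00:11:22:33:44:01"),
    Asset("10.0.1.11", "fin-ws-02", "Windows", "00:11:22:33:44:02"),
    Asset("10.0.1.50", "", "Linux", "00:11:22:33:44:50"),
    Asset("10.0.2.20", "lobby-cam", "Embedded", "00:11:22:33:44:20"),
]
# Constructed CMDB records, keyed by MAC (IPs change; MACs mostly do not).
CMDB_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:50"}
# Constructed EDR console export: hostnames with an agent checked in.
EDR_HOSTS = {"FIN-WS-01"}


def coverage_gaps(discovered, cmdb_macs, edr_hosts):
    """Return (unmanaged, missing_edr) as lists of IPs.

    unmanaged:   seen on the wire but absent from the CMDB.
    missing_edr: Windows hosts with no agent in the EDR console."""
    edr_norm = {h.lower() for h in edr_hosts}  # console names are upper-case
    unmanaged, missing_edr = [], []
    for a in discovered:
        if a.mac not in cmdb_macs:
            unmanaged.append(a.ip)
        if a.os == "Windows" and a.hostname.lower() not in edr_norm:
            missing_edr.append(a.ip)
    return unmanaged, missing_edr


def lookup_ip(ip, discovered):
    """Answer the SOC question 'what is this internal IP?' from the inventory."""
    return next((a for a in discovered if a.ip == ip), None)


if __name__ == "__main__":
    unmanaged, missing_edr = coverage_gaps(DISCOVERED, CMDB_MACS, EDR_HOSTS)
    print("unmanaged:", unmanaged)      # ['10.0.2.20']
    print("missing EDR:", missing_edr)  # ['10.0.1.11']
```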

Reason 5: End-of-life devices may be vulnerable.

In many cases, manufacturers no longer provide functional or security fixes for end-of-life (EOL) devices. Without an inventory that includes unmanaged devices, security teams cannot stay ahead of the risks these devices introduce. With one, finance teams can also see which devices are fully depreciated and when new budget is needed to replace them.

Resolving unmanaged devices

Unmanaged device resolution begins with a complete asset inventory that provides details about all assets on your network, both managed and unmanaged. A complete asset inventory requires unauthenticated active discovery. It does not assume any prior knowledge of networked devices, such as credentials to authenticate with the device or endpoint. Instead, it focuses on research-driven discovery capabilities to locate and reveal all network-connected assets, managed or unmanaged. This approach is complemented by integration with cloud, virtualization, and security infrastructure, giving you complete visibility into IT, OT, cloud, and remote devices.

Knowing your unmanaged assets is critical to your security program. A solution built around active, unauthenticated detection will ultimately make it possible to find unmanaged assets.

About the author

Chris Kirsch started his career at a German InfoSec startup and has since worked at PGP, nCipher, Rapid7 and Veracode. He is passionate about OSINT and social engineering. In 2017, he won the social engineering capture-the-flag competition at DEF CON, the world’s largest hacker conference, and earned a black badge. Currently, Chris is CEO of runZero (www.runzero.com), a cyber asset management company he co-founded with HD Moore, creator of Metasploit.