Unmanaged devices present significant security risks for organizations. When these devices are left unidentified and unprotected, they give attackers an entry point into the corporate network. Once such a device has been compromised, it can be used for lateral movement to other machines that hold sensitive data.
With so many connected devices on a network, it is easy to lose track of what exists. That’s why there have been so many high-profile data breaches, like the famous example in which an internet-connected fish tank was the initial point of compromise.
For many companies, simply getting a credible asset inventory of all devices is a daunting task. Adding unmanaged devices to the mix can make it seem near impossible. However, if you unify and correlate the right sets of data, unmanaged device discovery becomes much more effective.
What Is An Unmanaged Device?
Before we dive into tips for better unmanaged device discovery, it helps to draw some distinctions.
An unmanaged device is a device that is only known to networking infrastructure. It may or may not be known and accounted for in an asset inventory, but it isn’t being actively managed from an IT or security perspective.
Devices that are often unmanaged include IoT and smart devices, networked printers, personal mobile devices, and more.
Tips for Better Unmanaged Device Discovery
1. Gather Evidence of Network Connections
The first step in discovering unmanaged devices is to look at evidence of the network connections themselves. This evidence can come directly from firewalls, switches, network interface controllers, and more. Data to look for here includes ARP caches, MAC addresses, and DHCP/CDP/LLDP tables.
2. Correlate Network Information with Other Sources
Checking whether the data gathered above also appears in any other system provides a way to identify unmanaged devices. For example, if a MAC or IP address found in the network evidence matches a device listed in a CMDB, Active Directory, or another management solution, it is likely a managed device.
If the connection cannot be matched in any other system, odds are it is an unknown, unmanaged device.
3. Decide Whether it’s Authorized or Unauthorized
Once you have found an unmanaged device, it’s important to discern whether it is authorized or unauthorized.
An example of an authorized unmanaged device is a printer connected to the network. The printer may lack a particular security control, but it has a legitimate purpose for being on the network.
A laptop on the same network without a security agent installed could be unauthorized: it has no legitimate reason to be connected without a security control, such as an endpoint protection agent.
In general, it is ideal to segment unauthorized devices onto a separate network, away from critical networks where sensitive data resides.
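The three steps above worked through as an added example, not code from the original post: a Python script parses constructed ARP cache output and DHCP leases (step 1), joins them on normalized MAC addresses against hypothetical CMDB and Active Directory exports (step 2), and marks any remaining unmanaged device as authorized only if a constructed policy list names it (step 3). Every address, hostname and inventory entry below is made up for illustration.

```python
import re

# Constructed sample evidence: ARP cache lines in the `arp -a` style (step 1).
ARP_CACHE = """\
? (10.0.1.10) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (10.0.1.23) at 00:1b:63:84:45:e6 [ether] on eth0
? (10.0.1.77) at 3c:52:82:aa:bb:cc [ether] on eth0
? (10.0.1.90) at b8:27:eb:11:22:33 [ether] on eth0
"""
# Constructed DHCP lease records: (ip, mac, client hostname); MAC formats vary on purpose.
DHCP_LEASES = [
    ("10.0.1.10", "00:1A:2B:3C:4D:5E", "ws-finance-04"),
    ("10.0.1.55", "f0-9f-c2-00-11-22", "unknown-laptop"),
    ("10.0.1.77", "3c:52:82:aa:bb:cc", "HPLaserJet"),
]
# Constructed management sources (hypothetical CMDB and AD exports), keyed by MAC (step 2).
CMDB = {"00:1a:2b:3c:4d:5e": "ws-finance-04"}
ACTIVE_DIRECTORY = {"00:1b:63:84:45:e6": "ws-hr-02"}
# Constructed policy: unmanaged devices with a legitimate reason to be on the network (step 3).
AUTHORIZED_UNMANAGED = {"3c:52:82:aa:bb:cc": "printer-3rd-floor"}

ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)

def normalize_mac(mac):
    """Lower-case and colon-separate a MAC so all sources can be joined on it."""
    return mac.lower().replace("-", ":")

def parse_arp(text):
    """Extract (ip, mac) pairs from ARP cache output; incomplete entries have no MAC and are skipped."""
    return [(m["ip"], normalize_mac(m["mac"])) for m in ARP_RE.finditer(text)]

def status_for(mac, cmdb, ad, authorized):
    """Present in CMDB or AD means managed; an unmanaged MAC needs an explicit policy entry."""
    if mac in cmdb or mac in ad:
        return "managed"
    return "authorized-unmanaged" if mac in authorized else "unauthorized-unmanaged"

def classify_devices(arp_text, leases, cmdb, ad, authorized):
    """Map every MAC seen in ARP or DHCP evidence to (ip, status)."""
    seen = {mac: ip for ip, mac in parse_arp(arp_text)}
    for ip, mac, _hostname in leases:
        seen.setdefault(normalize_mac(mac), ip)
    return {mac: (ip, status_for(mac, cmdb, ad, authorized)) for mac, ip in seen.items()}

if __name__ == "__main__":
    devices = classify_devices(ARP_CACHE, DHCP_LEASES, CMDB, ACTIVE_DIRECTORY, AUTHORIZED_UNMANAGED)
    for mac, (ip, status) in sorted(devices.items(), key=lambda kv: kv[1][1]):
        print(f"{ip:<12} {mac}  {status}")
```

Devices flagged unauthorized-unmanaged are the candidates for segmentation onto a separate network; in practice the CMDB and AD dictionaries would be replaced by exports from those systems.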