How to Find Devices Missing Endpoint Agents

Finding Devices Missing Endpoint Agents

A common use case for Axonius customers is finding devices that are missing specific security agents or other endpoint agents. Here, we will look at why it's important to find devices missing endpoint agents, the security and operational implications, and how a cybersecurity asset management platform can solve the issue.

The endpoint security market has changed rapidly in the past decade, moving from signature-based AV to cloud-managed EPP/EDR tools that rely on behavioral and machine-learning detection. While organizations purchase and implement many different solutions to protect and manage their endpoints, several challenges persist in making sure the right agents are installed on every relevant device.

Challenges in Knowing Which Assets are Missing Endpoint Agents

To understand which devices have a specific endpoint agent installed, accessing the agent's admin console will produce a list of covered devices. The problem is the inverse: knowing which devices should have the agent but don't. The console can only list devices that have checked in; it has no record of the devices it has never seen. Note also that a console entry means the agent checked in at some point, not that it is currently running and reporting, so a last-seen threshold is needed to treat stale entries as effectively missing.

Part of the challenge is device discovery: how does an EPP/EDR solution learn that a new device exists and should be protected? The other issue is the context required by the security policy. For example, if the policy requires one endpoint agent for Windows PCs and another for Macs, what mechanism finds the device, determines its operating system and role, and then confirms that the right agent is installed to meet the policy?

Security Implications for Devices Missing Endpoint Agents

The security implications of having devices missing an endpoint security agent are akin to a bank purchasing top-of-the-line bank vaults and hiring highly trained security guards, yet leaving the door unlocked and not telling the guards to come to work.

Organizations purchase endpoint protection solutions because they understand the risk and want to do whatever they can to protect their devices. However, if they don’t have the ability to find which devices are missing agents and then have a process to add the agents, the investment in the tools is never fully realized.

Data Sources Needed to Find Assets Missing Endpoint Agents

The following data sources are needed to find devices missing endpoint agents:

  • Endpoint Agents – By connecting to the agent's admin console, you can see all devices that have the agent installed. Depending on the missing agent in question, this could be:
    • AV
    • EPP/EDR
    • Systems Management Agents
  • IAM Solutions – Services like Active Directory or Azure AD that authenticate and authorize users and devices, and therefore know about devices whether or not an agent is present

How to Find Devices Missing Endpoint Agents with Axonius

To find devices missing endpoint agents in Axonius, a few simple queries suffice. The following examples range from the broadest possible scenario to the most detailed.

Finding Devices with No Endpoint Agent Installed

Let’s first look at the most basic query around finding devices missing an endpoint agent:

not == "Agent"

This query can also be represented in the Axonius Query Wizard as:

This simple query returns any identified asset on which no agent-type data source reports, meaning the device is known only from network, directory, or other non-agent sources. For example, this query can return a result like:

You'll notice that this result set mixes Linux, Windows, Mac, and other devices, which makes it less actionable than if we segmented by device type to determine which endpoint solution should be present on each.

Finding Windows Devices without an EPP/EDR Solution

Next, let’s add another level of detail. Our policy states that every Windows device must have the Carbon Black endpoint agent installed. (Note: Carbon Black is just one of several popular endpoint agents we support and is used for the following examples.) We can modify our query to identify any devices that do not have the Carbon Black endpoint agent installed:

 ( == "Windows") and not ((adapters_data.carbonblack_defense_adapter.adapter_properties == ({"$exists":true,"$ne":""})))

This query can also be represented in the Axonius Query Wizard as:

The returned results are all Windows devices that are missing the Carbon Black agent. Now you can quickly identify devices that do not adhere to your security policy.

Finding Windows Devices Missing Carbon Black and Running Google Chrome

We can specify the agent required and add any additional criteria. For example, let's take a look at Windows devices that do not have Carbon Black installed and have Google Chrome installed:

 == "Windows" and not (adapters_data.carbonblack_defense_adapter.adapter_properties == ({"$exists":true,"$ne": ""})) and == regex("chrome", "i")

This query can also be represented in the Axonius Query Wizard as:

The results display devices with a Windows operating system, missing the Carbon Black agent, with Google Chrome installed.
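The logic behind the three queries above (treat the directory as the "should have an agent" set, each agent console as a "does have" set, then apply a per-OS policy and an installed-software filter) can be implemented against raw exports when no asset management platform is in place. The following is an added Python example, not Axonius code or its query language; the export shapes, hostnames, software lists and the agent policy table are constructed for illustration.

```python
"""Correlate a directory inventory with endpoint-agent console exports to find
devices that should have an agent but don't.  Added example with constructed
sample data; it is not Axonius code and the export formats are assumed."""
import re

# Constructed directory export (e.g. what AD/Azure AD knows): name + reported OS.
DIRECTORY_COMPUTERS = [
    {"name": "WS-0101.corp.example", "os": "Windows 10 Enterprise"},
    {"name": "ws-0102.corp.example", "os": "Windows 11 Enterprise"},
    {"name": "ws-0103.corp.example", "os": "Windows 11 Enterprise"},
    {"name": "MAC-0201.corp.example", "os": "Mac OS X 13.2"},
    {"name": "srv-db01.corp.example", "os": "Windows Server 2019"},
    {"name": "lnx-build01.corp.example", "os": "Ubuntu 22.04"},
]

# Constructed agent-console exports: agent name -> device records the console lists.
# Note the inconsistent hostname casing and DNS suffixes, as real exports have.
AGENT_EXPORTS = {
    "carbonblack": [{"hostname": "WS-0101"}, {"hostname": "SRV-DB01"}],
    "jamf": [{"hostname": "mac-0201.corp.example"}],
}

# Constructed installed-software inventory keyed by normalized hostname.
INSTALLED_SOFTWARE = {
    "ws-0101": ["Google Chrome", "7-Zip"],
    "ws-0102": ["Google Chrome", "Microsoft Office"],
    "ws-0103": ["Microsoft Office"],
    "srv-db01": ["SQL Server"],
    "mac-0201": ["Google Chrome"],
}

# Assumed policy: the agent each OS family must have.  Linux is deliberately
# absent so the example shows how an unpoliced OS family is skipped.
AGENT_POLICY = {"windows": "carbonblack", "macos": "jamf"}


def normalize_host(name):
    """Lower-case and strip the DNS suffix so 'WS-0101.corp.example' matches 'ws-0101'."""
    return name.strip().lower().split(".")[0]


def os_family(os_string):
    """Map a free-text OS string to a coarse family used by the policy table."""
    s = os_string.lower()
    if "windows" in s:
        return "windows"
    if "mac os" in s or "macos" in s or "os x" in s:
        return "macos"
    if any(k in s for k in ("linux", "ubuntu", "debian", "red hat", "centos")):
        return "linux"
    return "other"


def covered_hosts(agent_exports):
    """agent name -> set of normalized hostnames that agent's console reports."""
    return {agent: {normalize_host(d["hostname"]) for d in devices}
            for agent, devices in agent_exports.items()}


def devices_without_any_agent(directory, agent_exports):
    """Broadest query: known to the directory but to no agent console at all."""
    seen = set().union(*covered_hosts(agent_exports).values())
    return sorted(normalize_host(d["name"]) for d in directory
                  if normalize_host(d["name"]) not in seen)


def devices_violating_policy(directory, agent_exports, policy):
    """Policy-aware query: each device must appear in the console of the agent
    its OS family requires.  Returns one finding per non-compliant device."""
    coverage = covered_hosts(agent_exports)
    findings = []
    for d in directory:
        host = normalize_host(d["name"])
        family = os_family(d["os"])
        required = policy.get(family)
        if required is None:
            continue  # policy says nothing about this OS family
        if host not in coverage.get(required, set()):
            findings.append({"host": host, "os_family": family, "missing_agent": required})
    return findings


def filter_by_installed_software(findings, software_inventory, pattern):
    """Narrow findings to devices whose software list matches a case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [f for f in findings
            if any(rx.search(sw) for sw in software_inventory.get(f["host"], []))]


if __name__ == "__main__":
    print("No agent at all:", devices_without_any_agent(DIRECTORY_COMPUTERS, AGENT_EXPORTS))
    missing = devices_violating_policy(DIRECTORY_COMPUTERS, AGENT_EXPORTS, AGENT_POLICY)
    print("Policy violations:", missing)
    print("...and running Chrome:", filter_by_installed_software(missing, INSTALLED_SOFTWARE, "chrome"))
```

Hostname normalization is the step that most often goes wrong in practice: without it, `SRV-DB01` in the EDR export and `srv-db01.corp.example` in the directory look like two different machines and the server is falsely reported as unprotected. Conversely, a stale console entry will still count as covered here; a production version should also drop console records whose last check-in is older than a chosen threshold.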

Taking Action on Devices Missing Endpoint Agents

Once the devices missing an endpoint agent are identified, customers can use the Axonius Security Policy Enforcement Center to determine which automated action to take.

Highlighted actions include:

  • Deploy Software – Try to install the missing agent on any device missing the solution
  • Run Command – Run a shell command on Windows/Linux or initiate a WMI or SSH scan
  • Execute Endpoint Security Agent Action – Isolate or unisolate a machine using a different endpoint agent (if installed)
  • Block Device at Firewall – Block the unprotected device at the firewall level
  • Notify – Let someone know about the device via email, Slack, Syslog, or CSV
  • Create an Incident – Create an incident using a ticketing system like ServiceNow, Jira, or Zendesk

We've also created a video that walks through finding assets missing endpoint agents here:

And as always, if you’d like to see a custom demo to better understand how Axonius can help your organization solve the asset management challenge, request a demo here.

