As part of today’s digital transformation, there is an unremitting flood of new, often unmanaged devices pervading the corporate network whose traditional security architecture is, as a result of this onslaught, at the point of collapse.
The traditional network is not designed to cope with the deluge of unauthorised wired and wireless devices that cannot be managed. The list includes devices with arbitrary names, those unable to host a security agent and devices using non-standard operating systems.
Globally, the number of network-connected devices is expected to increase to more than 27 billion by the end of this year. Unfortunately, most traditional security solutions aren’t capable of protecting or even detecting these devices.
While the bring your own device movement of the last decade encouraged employees to use their own devices at work and the Internet of things (IOT) has delivered devices with unmatched connectivity, these devices can now carry significant risk. They increase an organisation’s attack surface, allowing cyber criminals to gain a foothold on the corporate network.
Many organisations have had to learn the hard way that the visibility of all devices on their networks is fundamental to any security strategy, which today must include a considerable strengthening of their endpoint defences.
Therefore, an accurate inventory of all devices – both managed and unmanaged – is key to getting to grips with each device’s security vulnerabilities and an understanding of the risks associated with it.
The rule is: any unmanaged device on the network must be considered a critical security threat.
This is easier said than done, considering that the estimated number of unmanaged devices on most enterprise networks now nearly matches the number of managed endpoints.
Research conducted by a leading vendor in this field reveals that, on average, organisations are unaware of around 40% of the devices in their environments. This is despite large organisations typically employing several so-called ‘visibility tools’.
The list of ‘ghost’ devices on most networks includes desktop PCs, laptops and smartphones, as well as smart devices such as smart TVs, webcams, printers, air-conditioning systems, industrial robots, medical devices and many more. It also includes operational technology (OT) hardware/software designed to detect or cause changes in physical devices such as valves, pumps, etc.
Traditional visibility tools are no longer up to the task, given today’s evolving threat landscape. Network scanners and network access control tools, for example, are generally unreliable and are restricted in their scope, particularly in terms of their ability to deliver relevant, in-depth security-related information.
While agent-based tools may well be capable of providing data relating to an organisation’s managed computers, they are notoriously unreliable and limited in their reach, being unable to effectively address unmanaged devices or every IOT- and OT-based device in the environment.
There are several explicit security risks presented by unmanaged devices. One of the more serious is the use of unauthenticated management servers that can be remotely compromised via DNS rebinding – a technique that manipulates how an attacker-controlled domain name resolves, so that code running in a browser inside the network can reach other machines on that network which rely on their network location, rather than authentication, for protection.
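The usual defensive control against the rebinding technique described above is a resolver-side filter: answers for names outside the organisation's own zones should never point at private, loopback or link-local addresses, and a name that first resolved to a public address and shortly afterwards to a private one is the rebinding signature itself. The following is an added example written for this article, not code from any product it mentions; the zone list, the constructed resolver log records and the `RebindDetector` class are assumptions for illustration (DNS forwarders such as dnsmasq ship an equivalent check as a configuration option).

```python
import ipaddress

# Zones that legitimately resolve to internal addresses (constructed for this example).
INTERNAL_ZONES = ("corp.example.",)

# Address ranges that an external name must never resolve to. Listed explicitly
# rather than via ipaddress.is_private so the policy does not depend on the
# Python version's notion of "private" (which also covers the TEST-NET ranges).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_private(ip: str) -> bool:
    """True if the address lies in an internal, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def in_internal_zone(name: str) -> bool:
    """True if the name belongs to one of our own zones (private answers are expected)."""
    fqdn = name.lower().rstrip(".") + "."
    return any(fqdn == zone or fqdn.endswith("." + zone) for zone in INTERNAL_ZONES)


class RebindDetector:
    """Stateful check over resolver answers: flags private answers for external
    names, and upgrades the finding to REBIND when the same name was seen
    resolving to a public address earlier."""

    def __init__(self):
        self.last_public = {}  # name -> timestamp of the last public answer

    def observe(self, ts, name, ip, ttl):
        """Return a finding string, or None if the answer is acceptable."""
        name = name.lower().rstrip(".")
        if in_internal_zone(name):
            return None
        if not is_private(ip):
            self.last_public[name] = ts
            return None
        prev = self.last_public.get(name)
        if prev is not None:
            return f"REBIND {name} -> {ip} (was public at t={prev}, ttl={ttl})"
        return f"PRIVATE-ANSWER {name} -> {ip}"


# Constructed resolver log: (timestamp, queried name, answer, ttl).
# 203.0.113.x and 198.51.100.x are documentation ranges standing in for public addresses.
RECORDS = [
    (0, "attacker.example.net", "203.0.113.10", 1),   # short TTL, public first...
    (2, "attacker.example.net", "192.168.1.50", 1),   # ...then rebound to an internal host
    (5, "printer.corp.example", "10.0.0.20", 300),    # our own zone, private answer is fine
    (6, "cdn.example.com", "198.51.100.7", 3600),     # ordinary public answer
    (7, "evil-device.example.org", "10.0.0.99", 60),  # external name, private answer
]


def scan(records):
    """Run the detector over a record sequence and return the findings in order."""
    detector = RebindDetector()
    return [f for f in (detector.observe(*r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(RECORDS):
        print(finding)
```

The first record pair is the pattern the text refers to: a one-second TTL lets the attacker's name flip from a public address to an internal one between two requests from the same browser. A resolver that drops the second answer (or an IDS that alerts on it) removes the technique regardless of how many unmanaged management interfaces sit behind it.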
In addition, the embedded operating systems (Linux, Windows, Android) of unmanaged or IOT-based devices present security risks because they are seldom updated. Over time, they amass large numbers of software vulnerabilities, which present opportunities for hackers, leading to leaked corporate data and compromised intellectual property.
Unmanaged or IOT-based devices are often installed on the network without the permission of the network manager and without appropriate configuration – including the updating of default passwords. These devices could include virtual machines created by compromised accounts for malicious purposes.
Is there a solution?
Reducing security risks from unmanaged devices − physical or virtual − is a multi-faceted process starting with a comprehensive device management and security policy that includes appropriate network access control and mobile device management tools capable of tracking known and unknown devices.
But do current tools provide guaranteed 100% visibility? Fortunately, the IT industry is working hard to address the inadequacies of traditional visibility tools, filling the gaps with new, next-generation device-discovery tools that require no agents or additional hardware, making deployment fast and simple with very little impact on existing IT infrastructure.
Some of these tools use deep learning to identify anomalous or outlier devices. Deep learning is a subset of machine learning, within artificial intelligence, in which multi-layered neural networks learn – unsupervised – from unstructured or unlabelled data.
The challenge facing any new security solution is to provide a broad range of information about every device on the network − legitimate, unauthorised or rogue − as well as off-network devices communicating via WiFi, Bluetooth and other peer-to-peer IOT protocols.
Of course, simple awareness of the existence of a device or devices is not enough. Their risk value must be calculated. Next-generation solutions will employ cloud-based technology to compare observed device characteristics and behaviour patterns against a knowledge base that contains a baseline of normal behaviour for each type of device.
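The two steps the article has built up to, reconciling discovered devices against the managed inventory (the "unknown 40%") and then scoring each device against a per-type behavioural baseline, can be shown on a handful of constructed observations. This is an added example written for this article, not code from any discovery product; the `BASELINE` knowledge base, the `MANAGED` inventory, the scoring weights and the sample observations are all assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """What an agentless discovery tool reports about one device (constructed)."""
    mac: str
    device_type: str      # fingerprinted type, or "unknown" if nothing matched
    open_ports: set       # listening TCP ports seen
    peers: set            # hosts the device exchanged traffic with


# Knowledge base: normal behaviour per device type (constructed for this example).
# "*" in peers means the type is expected to talk to arbitrary hosts.
BASELINE = {
    "printer":   {"ports": {631, 9100}, "peers": {"print-server"}},
    "ip-camera": {"ports": {554},       "peers": {"nvr"}},
    "laptop":    {"ports": set(),       "peers": {"*"}},
}

# MAC addresses known to the managed-endpoint inventory (constructed).
MANAGED = {"aa:bb:cc:00:00:01"}


def assess(obs, baseline=BASELINE, managed=MANAGED):
    """Return (risk score, reasons) for one observation.

    Weights are arbitrary illustration values: being unmanaged and talking to
    unexpected peers weigh more than a single extra open port."""
    score, reasons = 0, []
    if obs.mac not in managed:
        score += 3
        reasons.append("unmanaged")
    profile = baseline.get(obs.device_type)
    if profile is None:
        # No baseline means no way to judge behaviour: treat as elevated risk.
        score += 2
        reasons.append(f"no baseline for type '{obs.device_type}'")
        return score, reasons
    extra_ports = obs.open_ports - profile["ports"]
    if extra_ports:
        score += len(extra_ports)
        reasons.append(f"unexpected ports {sorted(extra_ports)}")
    if "*" not in profile["peers"]:
        odd_peers = obs.peers - profile["peers"]
        if odd_peers:
            score += 2
            reasons.append(f"unexpected peers {sorted(odd_peers)}")
    return score, reasons


def unmanaged_share(observations, managed=MANAGED):
    """Fraction of discovered devices absent from the managed inventory."""
    if not observations:
        return 0.0
    return sum(o.mac not in managed for o in observations) / len(observations)


def triage(observations):
    """Score every device and return (score, mac, reasons), highest risk first."""
    scored = [(assess(o)[0], o.mac, assess(o)[1]) for o in observations]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed observations from one discovery sweep.
OBSERVED = [
    Observation("aa:bb:cc:00:00:01", "laptop", set(), {"saas-portal"}),
    Observation("aa:bb:cc:00:00:02", "printer", {631, 9100, 23},
                {"print-server", "external-host"}),
    Observation("aa:bb:cc:00:00:03", "unknown", {80}, {"external-host"}),
]

if __name__ == "__main__":
    print(f"unmanaged share: {unmanaged_share(OBSERVED):.0%}")
    for score, mac, reasons in triage(OBSERVED):
        print(score, mac, "; ".join(reasons))
```

Run on the sample sweep, two of the three devices are missing from the inventory, the printer is flagged for an extra telnet-port listener and an unexpected peer on top of being unmanaged, and the unfingerprinted device scores high purely because nothing can be said about it, which is exactly the stance the article's rule demands.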
In this light, there is also an industry-wide evolution to next-generation endpoint detection and response products which combine or work with endpoint compliance, proactive network threat hunting, automated incident response, network containment and allied technologies.
Importantly, a 99% success rate in terms of device awareness or protection is pitifully inadequate. A hacker only needs to compromise a single device to penetrate an entire enterprise network. Data collected from high-profile breaches proves that skilled attackers, once inside a network, can move laterally to gain access to any amount of confidential business and mission-critical data – often with catastrophic results.