The trend toward hybrid work environments has forced businesses to think about how to protect their organizations from increased use of “bring your own device” (BYOD) endpoints and other new devices. This is no small challenge, as MSPs know. The rise of the remote worker presents one of the biggest changes to the overall cybersecurity landscape that we’ve ever encountered.
And all of these new, remote devices present a unique risk to your clients. On average, undiscovered BYOD endpoints are 71% more likely to be part of a cyber breach. We know why this is, of course. When security and IT teams don’t have full insight into the devices on a network, they have little ability to set the right security settings and configurations, run updates, and patch OS and software vulnerabilities.
Undiscovered devices pose a threat that every IT professional should be aware of. In this article, we’ll discuss common ways to hunt down undiscovered and unmanaged devices, secure them, and enact policies that minimize this particular threat.
What are the risks of unmanaged endpoints?
BYOD and remote workers aren’t a new phenomenon. MSPs have been managing them for many years as enterprise networks add a steady stream of new devices that are outside of IT department control. Moves toward mobility and IoT have led to a lot of unmanageable endpoints that represent a clear security risk.
Smart lighting, Bluetooth keyboards, smart TVs, surveillance cameras, printers, network switches, and routers are all connected devices that often lack any built-in security. When threat actors probe a network for weaknesses, these devices afford an easily exploitable blind spot.
What constitutes an “unmanaged device”?
Unmanaged devices can be defined as IP-connected devices that do not have an agent or configuration-management solution installed and are not being secured by an endpoint agent.
In this Forrester survey, 69% of respondents stated that half or more of the devices on their networks were either unmanaged or IoT devices outside their visibility. On top of that, 26% indicated they had three times as many unmanaged devices as managed devices on their networks. The study also showed that 79% of enterprise security professionals were very to extremely concerned about device security.
How to discover unmanaged devices on the network
There’s a reason there are so many devices lost in these networks: finding unmanaged devices isn’t easy. An MSP can’t simply ask Active Directory to show any device not being managed. It’s possible to compare AD data and network management software manually, but this is a time-consuming and error-prone method.
What most MSPs use (or need) is a solution that can automatically correlate and deduplicate data to put them on the fastest road to correcting the problem.
Types of data needed when searching for unmanaged devices
In your typical manual hunt for unmanaged devices, you’ll need the following data sources:
Network/Infrastructure Data: Gain visibility into all devices within an environment by accessing the network infrastructure
Directory Services: Services like Active Directory or Azure AD that authenticate users and devices
Endpoint Management Solutions: Services like SCCM and Jamf Pro
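The manual correlation described above, as an added example that is not NinjaOne's or Microsoft's code: it takes a constructed DHCP lease log as the network/infrastructure source, a constructed list of Active Directory computer names, and a constructed list of MACs reporting to an endpoint agent, deduplicates the leases, normalises MAC formats so records from different sources match, and classifies each device seen on the wire. All field names, log format and sample values are assumptions made for this example.

```python
import re

# Constructed DHCP lease log lines standing in for the network/infrastructure
# source. Format, MACs and hostnames are made up for this example.
DHCP_LOG = """\
2024-03-04T08:01:12 DHCPACK on 10.0.20.15 to aa:bb:cc:00:00:01 (LAPTOP-ALICE)
2024-03-04T08:02:40 DHCPACK on 10.0.20.16 to AA-BB-CC-00-00-02 (printer-3f)
2024-03-04T08:03:05 DHCPACK on 10.0.20.17 to aa:bb:cc:00:00:03 (android-9f2c)
2024-03-04T08:03:05 DHCPACK on 10.0.20.17 to aa:bb:cc:00:00:03 (android-9f2c)
2024-03-04T08:05:30 DHCPACK on 10.0.20.18 to aa:bb:cc:00:00:04 (DESKTOP-BOB)
"""
LEASE_RE = re.compile(r"DHCPACK on (\S+) to (\S+) \((\S+)\)")

# Constructed exports from the other two sources: directory services
# (AD computer names) and the endpoint management console (MACs with an agent).
AD_COMPUTERS = {"LAPTOP-ALICE", "DESKTOP-BOB", "DESKTOP-CAROL"}
AGENT_MACS = {"aa:bb:cc:00:00:01"}

def norm_mac(mac):
    """Normalise aa-bb-cc-.. / AABB.CC.. / aa:bb:.. to lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(log):
    """Deduplicate lease lines into one record per MAC (latest lease wins)."""
    seen = {}
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            seen[norm_mac(mac)] = {"ip": ip, "host": host.upper()}
    return seen

def classify(leases, ad_hosts, agent_macs):
    """Map each MAC seen on the wire to its management status.

    managed     : an endpoint agent reports for this MAC
    needs_agent : known in AD but no agent, so deploy one
    unknown     : in neither source, investigate who connected it
    """
    ad_upper = {h.upper() for h in ad_hosts}
    status = {}
    for mac, rec in leases.items():
        if mac in agent_macs:
            status[mac] = "managed"
        elif rec["host"] in ad_upper:
            status[mac] = "needs_agent"
        else:
            status[mac] = "unknown"
    return status
```

Running `classify(parse_leases(DHCP_LOG), AD_COMPUTERS, AGENT_MACS)` flags the printer and the Android device as unknown and the AD-joined desktop as needing an agent; the duplicated lease line collapses into one record.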
Using Microsoft Defender to Discover Unmanaged Devices
Microsoft has added the ability to discover and secure unmanaged endpoints and network devices to Microsoft Defender for Endpoint. Because this is an integrated feature, no hardware deployment or software deployment is needed within compatible IT environments.
Once network devices are discovered using this method, IT administrators receive the latest security recommendations and vulnerability findings for them. Discovered endpoints can then be onboarded to Microsoft Defender for Endpoint.
Native Microsoft solutions carry obvious limitations. Most MSPs require a solution that is OS/technology agnostic and able to discover any device within any environment.
Using NinjaOne to Discover Unmanaged Endpoints
NinjaOne makes it easy to ensure that all endpoints are fully managed through automated asset discovery and deployment using Microsoft Active Directory. Periodic scans can be scheduled to identify unmanaged devices and seamlessly deploy a management agent to the asset. SNMP-enabled devices are also easily discoverable by the built-in network monitoring probe.
All assets are automatically groupable and searchable by collected data points, making it incredibly fast and easy to find and manage an asset. With flexible custom fields, you can collect almost any data on an endpoint for device classification and management.
How to keep unmanaged endpoints off of the network
In a perfect world, finding and managing unauthorized devices should not be necessary. You know all too well that in real operational networks, new devices will always find their way onto the network. MSPs and their clients can take steps to reduce the number of unauthorized and unmanaged devices on the network, and to find out who is responsible for these devices.
According to the CISA access management FAQ, the following actions can be taken to reduce the number of unauthorized and unmanaged devices that appear on the network:
Policy can require administrators to put new devices into desired state inventory before adding them. Often system administrators connect new devices, then patch and configure them on the production network. This provides a window for the devices to be compromised. In addition, the devices are often added to the network before being recorded in Active Directory (or whatever other source of data for the desired state is in use). Getting administrators to keep the desired state up-to-date (edited before the machine appears) will reduce the number of Hardware Asset Management risk conditions.
Logging can track when unauthorized and unmanaged devices are connected to the network, what they are connected to, and who has logged onto them. All of this data can help investigate who connected the devices. Once the person is found, letting them know what is expected can prevent the creation of these risk conditions.
Employees will need to be trained. There should be consequences for individuals who frequently connect unauthorized devices, and who do so after due warning. While such actions won't eliminate all unauthorized and unmanaged devices, these actions can lower their incidence rates, which is a positive step.
Challenges around unmanaged devices
While unmanaged devices pose inherent security risks, there are several factors that can affect just how much of a danger they represent. IT providers and organizations should be aware of these challenges and threat multipliers:
Failure to conduct risk assessments
As with the rest of the network, it's vital to perform risk assessments on unmanaged devices. Are there any known vulnerabilities or configuration issues? This can be difficult when you can't put an agent on the device, so a flexible (and tech-agnostic) device discovery tool and agent can be very helpful.
Innately risky devices
Certain devices come with serious issues that will be tough to guard against.
Peer-to-peer (P2P) devices are notoriously difficult to secure, and research has shown that such devices can be reachable remotely over the internet, even through a firewall, because they are configured to continuously find ways to connect to a global shared network.
It’s important to assess IoT tools and hardware to uncover potential risks and avoid P2P exploits. You should also investigate the device’s firmware update policy and keep these devices updated (as always).
Configuration issues have led to many data breaches. Widely-known default configs can hand cybercriminals the keys to your network. Simple steps such as changing or deleting the default admin login for your security cameras can go a long way. Passwords and credentials should be carefully managed, and watch out for undocumented backdoor accounts.
Misconfiguration is another big problem. Aside from access control mishaps, users often leave unneeded features switched on, like Universal Plug and Play (UPnP), or inadvertently open ports that can serve as entry points for attackers.
Lack of network segmentation
Putting a firewall boundary between device groups, not just between the network and the internet, can prevent attackers from side-stepping through the network. IT professionals should sort unmanaged devices onto their own network segments, separate from corporate devices and the guest network. This stops threat actors from using an unmanaged device as an entry point and then moving laterally to exfiltrate data or install malware. There are ways to bypass network segmentation, but this measure is still worth pursuing.
Poor asset management
Any list of cybersecurity best practices, including NIST's Cybersecurity Framework, will tell you that identifying all the devices on your network is foundational to security. It's not enough just to scan your network for physically connected devices; devices that connect via Wi-Fi and Bluetooth must also be managed.
Lack of continuous monitoring
The majority of unmanaged devices are harder to scan than traditional computers connected to a network, so it's all the more important to monitor their usage and behavior and look for anything suspicious. Log collection, machine learning, and SIEM/SOC tooling all play a role in the modern cybersecurity stack for this key reason.
Partnering with NinjaOne
Complete visibility is critical to effective management. NinjaOne is here to help MSPs manage their business efficiently and securely. Thousands of users rely on our cutting-edge RMM platform to navigate the complexities of modern IT management.
Not a Ninja partner yet? We still want to help you streamline your managed services operation! Visit our blog for MSP resources and helpful guides, sign up for Bento to get important guidance in your inbox, and attend our Live Chats for one-on-one discussions with channel experts.
If you’re ready to become a NinjaOne partner, schedule a Demo or Start Your 14-day Trial to see why over 10,000 customers have already chosen Ninja as their partner in secure remote management.
Building an efficient and effective IT team requires a centralized solution that acts as your core service delivery tool. NinjaOne enables IT teams to monitor, manage, secure, and support all their devices, wherever they are, without the need for complex on-premises infrastructure.