CAASM Use Case #12 – Finding Obsolete Devices

Obsolete devices may still be online, and therefore accessible to bad actors, while being out of support or incompatible with your security tools and processes. Obsolete devices in storage that could be repurposed with corporate data and access are also a threat.

Finding these devices is step one in assessing the threat they pose.

Welcome back, cybersecurity treasure hunters! 🕵️‍♀️ Or should that be archeologists?

We’re diving into the twelfth instalment of our Cybersecurity Observability use cases series.

Today, we’re tackling a challenge that’s like finding ancient relics in a digital museum: obsolete devices on your network.

Picture this: Your IT team is humming along, keeping all your systems up-to-date. Then your CIO drops this brain-teaser:

"What about the devices we've forgotten about? The old servers in the basement, the outdated laptops in storage, or the legacy systems we never quite phased out? How can we secure what we can't even remember?" (Chief Information Officer)

Kapow! It’s the cybersecurity equivalent of archaeological excavation – you know these digital artifacts exist, but where are they hiding?

Fear not! This is where CAASM (Cyber Asset Attack Surface Management) and cybersecurity observability become your digital metal detector.

This is what SJULTRA can help you solve with CAASM and cybersecurity observability.

Digital Fossils in Your Network: Obsolete Devices

Let’s break it down. Obsolete devices are the digital dinosaurs in your network. They’re devices that are:

  • No longer supported by the manufacturer
  • Running outdated operating systems or software
  • Unable to receive security updates
  • Forgotten but still connected to your network

These could be anything from that ancient Windows XP machine in the corner office to the first-generation IoT device someone installed years ago. They’re the “known unknowns” that make security pros reach for the antacids.

Who’s keeping track of these digital relics? How do you know they’re truly obsolete? How do you investigate them… before that 10-year-old server becomes your network’s Achilles’ heel? 😰

Enter SJULTRA's Cybersecurity Observability Service

This is where SJULTRA’s CAASM services become your incident response nitrous boost.

It’s like giving your security team a time machine and a crystal ball, all rolled into one.

CAASM pulls data from a smorgasbord of sources:

  • Endpoint Agents
  • Configuration and Patch Management Tools
  • Ticketing & Helpdesk Platforms
  • Networking Tools
  • Vulnerability Assessment Tools
  • IAM Solutions
  • Cloud Infrastructure

By correlating this data, CAASM creates a rich, unified view of your entire digital ecosystem. It’s like having a digital map of your entire IT landscape, with every device, user, and cloud instance clearly labeled.

Get visibility on all 14 cybersecurity observability use cases in less than 30 days with SJULTRA.

Traps ahead when hunting for obsolete devices

The ability to identify devices on or touching the corporate network is a challenge in and of itself.

In the past, when all devices were managed and corporate owned, enterprises could simply run scans and devices would appear.

Today, with remote work, cloud services, mobile devices, IoT devices, and other unmanaged devices, an entirely new set of complexities exists.

Running simple scans to identify devices communicating on the network, and/or deploying agent-based endpoint management tools, will result in an incomplete asset inventory and heightened cyber risk.

One area of such concern is obsolete devices, that is, outdated devices or unused devices that no longer serve a business purpose, yet are present (if not communicating) in the enterprise environment.

Most asset inventories fail to identify obsolete devices because:

  • they’re unknown/unmanaged
  • agents haven’t been or can’t be deployed on them
  • they haven’t communicated on the network and thus don’t appear in assessments

Let's get hunting!

Once we’ve got CAASM set up (remember, SJULTRA offers a free 30-day trial), we can start excavating those elusive obsolete devices on the network.

CAASM users can accurately and easily answer critical questions such as:

  • Which devices in my environment are latent or obsolete?
  • Where are the devices located?
  • What software is running on the devices?
  • Can the devices be updated/upgraded?
  • What other systems, devices, or users are connected to or accessing obsolete devices?

Where to go hunting: data sources

Start by connecting to key data sources such as:

  • Cloud Infrastructure platforms
  • Infrastructure Monitoring tools
  • Networking monitoring systems
  • MDM/EMM solutions
  • EDR/EPP tools
  • Configuration/Patch Management systems
  • ITAM/ITSM platforms
  • Vulnerability Analysis (VA) tools
  • IAM solutions
  • UEM platforms
  • Virtualization monitoring tools

Now let’s look at some queries!

Multi-step queries to navigate the inventory maze and find obsolete devices.

This is a kinda unique-ish use case because you need to build up queries to “home in on” the obsolete devices.

For example, one starting query for the old “workstations”:

  1. Find all Windows OS devices…
  2. Seen in the last 30 days…
  3. Where it’s a preferred distribution…
  4. But it’s not a server…
  5. And it’s not a Windows Server…

So this is like creating a huge hill, then carving away pieces until you’re left with a lump of gold at the end.

Here’s the cool “progressive” bit: you SAVE that query and give it a name like “Steve’s Quest for Obsolete Windows Workstations” (but the name in the picture before is “AX-Win Workstations (30d)” :-/).

Then you can create a NEW query on top of this to check for, say, devices that are disabled in Active Directory.

Then the coup de grace is this:

“Next, we use the saved query, AX-Win Workstations (30d), as the basis to look for Windows workstations with an OS Build past their “end of support” date (i.e., “17763”). In addition an “and/or” expression is used to find devices that do NOT contain “LTSC” so that product edition Windows 10 Enterprise LTSC is excluded from the query since it is still supported by Microsoft.”
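The layered queries described above, sketched as an added example over a constructed inventory. This is not the CAASM product's query language or the vendor's code: the record field names, the device names, reading "preferred distribution" as "a distribution value is present", and matching the end-of-support build by set membership are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the run is repeatable

def dev(name, os_type, dist, edition, build, server, seen_days, ad_disabled=False):
    """Build one constructed inventory record (hypothetical field names)."""
    return {"name": name, "os_type": os_type, "distribution": dist, "edition": edition,
            "build": build, "is_server": server, "ad_disabled": ad_disabled,
            "last_seen": NOW - timedelta(days=seen_days)}

# Constructed sample inventory, as if already correlated from several sources.
INVENTORY = [
    dev("ws-001", "Windows", "10", "Enterprise", "17763", False, 3),
    dev("ws-002", "Windows", "10", "Enterprise LTSC", "17763", False, 5),
    dev("ws-003", "Windows", "10", "Pro", "19045", False, 1),
    dev("ws-004", "Windows", "10", "Pro", "17763", False, 90),  # outside the 30-day window
    dev("ws-005", "Windows", "10", "Pro", "17763", False, 10, ad_disabled=True),
    dev("srv-001", "Windows", "Server 2019", "Standard", "17763", True, 2),
    dev("mac-001", "macOS", "14", "", "n/a", False, 1),
]

def all_of(*preds):
    """Combine predicates with AND, so a saved query can be reused inside another."""
    return lambda d: all(p(d) for p in preds)

def win_workstations_30d(now=NOW):
    """The five-step base query, standing in for 'AX-Win Workstations (30d)'."""
    cutoff = now - timedelta(days=30)
    return all_of(
        lambda d: d["os_type"] == "Windows",                  # 1. Windows OS
        lambda d: d["last_seen"] >= cutoff,                   # 2. seen in the last 30 days
        lambda d: bool(d["distribution"]),                    # 3. distribution known (assumed meaning)
        lambda d: not d["is_server"],                         # 4. not a server
        lambda d: "server" not in d["distribution"].lower(),  # 5. not Windows Server
    )

def ad_disabled(base):
    """New query on top of the saved one: device is disabled in Active Directory."""
    return all_of(base, lambda d: d["ad_disabled"])

def obsolete_builds(base, eos_builds=frozenset({"17763"})):
    """New query on top of the saved one: end-of-support build, edition not LTSC."""
    return all_of(base, lambda d: d["build"] in eos_builds,
                  lambda d: "LTSC" not in d["edition"])

def run(query, inventory=INVENTORY):
    """Return the names of the devices a query matches, in inventory order."""
    return [d["name"] for d in inventory if query(d)]

if __name__ == "__main__":
    base = win_workstations_30d()
    print(run(base), run(ad_disabled(base)), run(obsolete_builds(base)))
```

In this sample, ws-004 has the same build as the flagged workstations but drops out at step 2 because it was last seen 90 days ago, so latent devices need their own saved query with a wider window.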

NOW with your carved out list of obsolete devices, you can investigate attributes such as:

  • Last Used User (if Active Directory or similar solutions know about the asset)
  • Operating System
  • MAC Address
  • Installed Software & Agent Versions
  • Network Interfaces
  • Vulnerable Software

Et voila! But now what?

Taking action with CAASM enforcement actions

Great, we’ve uncovered these hidden digital fossils. What’s next? This is where the “action” part of our cybersecurity observability comes in. With CAASM, we’ve got four aces up our sleeves:

  1. Notify: Send alerts via email, Slack, or Teams (because who doesn’t love a good “we found a dinosaur” notification?)
  2. Create Incident: Generate tickets in systems like ServiceNow, Jira, or Zendesk
  3. Enrich Device Data: Use tools like Shodan or Censys to show what’s publicly known about the obsolete device
  4. Update Asset Database: Automatically update your CMDB with the newly discovered obsolete devices

Summary

And there you have it, digital archaeologists! 🏺

That’s how we turn the forgotten threat of obsolete devices into a manageable, observable process.

It’s not just about finding old devices; it’s about making sure we’re seeing our entire digital ecosystem, even the parts covered in cobwebs.

Remember, this is just 12 out of 14 standard use cases we help our customers with as part of our CAASM Concierge services. And guess what? You can get it for free!

In the world of cybersecurity, what you’ve forgotten can definitely come back to haunt you. But with the right tools and a bit of observability magic, we can dust off those digital artefacts and decide their fate.

Stay vigilant, keep querying, and may all your obsolete devices be discovered and dealt with!

And don’t forget our no catch, no cost, no obligation, limited time free CAASM trial offer.

Documentation and Videos

Read the CAASM documentation: Finding Obsolete Devices.