CAASM Use Case #5 – Finding unmanaged devices

CAASM Use Case #5 – Finding unmanaged devices

Welcome back, cybersecurity sleuths! 🕵️

We’re diving into the fifth instalment of our Cybersecurity Observability use cases series.

Today, we’re tackling a challenge that’s like finding a needle in a digital haystack: unmanaged devices on your network.

Picture this: Your security tools are running smoothly, protecting all your corporate devices. Then your CISO drops this mind-bender:

What about the devices we don't know about? When "rogue" staff or even bad actors add devices to the network outside of our process and procedure? How can we protect what we can't see?" (Chief Information Security Officer)

Boom! It’s the cybersecurity equivalent of dark matter – you know it’s there, but how do you find it?

Fear not! This is where CAASM (Cyber Asset Attack Surface Management) and cybersecurity observability become your digital telescope.

This is what SJULTRA can help you solve with CAASM (Cyber Asset Attack Surface Management) and cybersecurity observability.

Gain Complete Visibility of Your Cybersecurity Assets with the SJULTRA CAASM free trial.

Table of Contents

Dark Matter on your Network: Unmanaged Devices

Let’s break it down. Unmanaged devices are the digital wildcards in your network. They’re IP-connected devices that are:

  • Without an agent or configuration solution installed
  • Not being secured by an endpoint agent
  • Only known to the network or network scanners

These could be anything from Bob from accounting’s personal smartphone to that smart TV in the conference room, or even a rogue VM someone spun up and forgot about. They’re the “unknown unknowns” that keep security pros up at night.

Who's scanning your network for unknown devices? How do you know they are "unknown"? How do you investigate them.. before banning your CEOs new mobile phone from the network? Who takes that call? 😨

Enter SJULTRA's Cybersecurity Observability Service

This is where SJULTRA’s CAASM services, becomes your digital detective. It’s like giving your security team over-the-horizon, long-range vision for your entire network.

CAASM pulls data from multiple sources:

  • Directory Services (like Active Directory or Azure AD)
  • Endpoint Management Solutions (like SCCM and Jamf Pro)
  • Network/Infrastructure Data

By correlating and deduplicating this data, we can spot the devices that are flying under your security radar.

It’s like finding Waldo, if Waldo was a potential security risk!

Book your free CAASM trial now

Get visibility on all 14 cybersecurity observability use cases in less than 30 days with SJULTRA.

Let's get querying

Once we have CAASM set up (remember, SJULTRA offers a free 30-day trial), we can start hunting those elusive unmanaged devices on the network.

Show me all devices that aren't managed by any security agent or management solution.

sjultra axonius query unmanaged devices

In CAASM Query Languge (SQL): 

				
					not (((specific_data.data.adapter_properties == "Agent" or specific_data.data.adapter_properties == "Manager")))
				
			

This query finds all unmanaged devices without security agents or management solutions.

Here’s an example of the returned results:

sjultra axonius results unmanaged devices

What about only AWS instances that have known Common Vulnerabilities and Exposures (CVE®) and are not being scanned for vulnerabilities?

In the CAASM AQL:

				
					(adapters_data.aws_adapter.id == ({"$exists":true,"$ne":""})) and not specific_data.data.adapter_properties == "Vulnerability_Assessment" and (specific_data.data.software_cves.cve_id == ({"$exists":true,"$ne":""}))
				
			

But let’s be more specific.

We can add other filter criteria to prioritize which devices should be addressed. For example, let’s find unmanaged devices that are not being scanned by a VA tool.

				
					not specific_data.data.adapter_properties == "Agent" and not specific_data.data.adapter_properties == "Manager" and not specific_data.data.adapter_properties == "Vulnerability_Assessment"
				
			

Even more specific: has this happened in the last few days?

 

				
					not specific_data.data.adapter_properties == "Agent" and not specific_data.data.adapter_properties == "Manager" and not specific_data.data.adapter_properties == "Vulnerability_Assessment" and specific_data.data.last_seen >= date("NOW - 3d")
				
			

We've found the unscanned devices - now what?

Great, we’ve uncovered these hidden cloud instances. What’s next? This is where the “action” part of our cybersecurity observability comes in. We’ve got four aces up our sleeves:

  1. Notify: Send alerts via email, Slack, Syslog, or CSV (because who doesn’t love another alert about cloud security?)
  2. Create Incident: Generate tickets in systems like ServiceNow, Jira, or Zendesk
  3. Enrich Device or User Data: Use tools like Shodan, Censys, or Portnox to show what’s publicly known about the instance
  4. Update VA Coverage: Automatically add the cloud instance to the next scheduled vulnerability assessment scan

Summary

And there you have it, digital detectives! 🕵️‍♂️

That’s how we turn the invisible threat of unmanaged devices into a manageable, observable process.

It’s not just about finding devices; it’s about making sure we’re seeing our entire digital ecosystem, even the parts hiding in the shadows.

Remember, this is just 5 out of 14 standard use cases we help our customers with as part of our CAASM Concierge services. And guess what? You can get it for free!

In the world of cybersecurity, what you don’t know can definitely hurt you. But with the right tools and a bit of observability magic, we can shine a light on those hidden corners of your network.

Stay vigilant, keep querying, and may all your devices be known and managed!

And don’t forget our no catch, no cost, no obligation, limited time free CAASM trial offer.

Documentation and Videos

Read the Documentation: Finding Unmanaged Devices.