Unmanaged devices on the network have always been a challenge, but the Covid-19 pandemic escalated the issue with many organisations rolling the dice and allowing remote workers to access their corporate networks from personal devices and home networks.
These devices could include mobile phones, laptops, tablets, desktops and USB drives; some employees exacerbate the risk by using public or personal WiFi connections to access the corporate network.
The rise in unmanaged network-connected devices increases the attack surface of the enterprise and allows cybercriminals to capitalise on the weakest link - the user endpoint - to gain a foothold into the network.
If compromised devices on the network go undetected, they can be used as launch pads to target higher-value assets, gain access to sensitive information, and cause significant business impact.
The biggest security risks associated with unmanaged devices are
The outcome of these two risks is an increased likelihood of a cyber security incident which could involve lockdown or loss of corporate data, resulting in significant financial and reputational loss.
These statistics are from a survey by Trend Micro ANZ and are aligned with the results from other countries around the world. All of these behavioural practices spell danger for corporate networks if they have not been adequately insulated against cyber attack.
Even remote workers with corporate devices behave in ways that threaten the security of the network, including
What is the answer to protecting against unmanaged endpoints?
A risk-based approach is needed to select and apply different levels of visibility and control.
Banning all unmanaged devices from accessing the corporate network is unlikely to be a realistic option.
Ultimately the challenge is to bring a level of visibility and control to unmanaged devices, and safely enable their use.
To achieve this, a process is needed to find devices that are not secured, appropriately control their connections, monitor their traffic and behaviour, and block any malicious behaviour.
All of this needs to be done in the context of how a device is used so that only the actions and privileges that are required to support the business are sanctioned.
For corporate-owned devices, the simplest way to address the issue could be to combine a Unified Endpoint Management (UEM) agent on the endpoint with a Zero Trust access policy.
However, for contractors or personally-owned devices, it is unlikely that end users will agree to, or reliably enable, the installation of an endpoint agent. So what to do? Below are the four steps you would need to navigate.
Establishing visibility is a critical first step. You can't manage what you can't see. Having a complete asset inventory of all devices on the network is a critical foundation for an effective security solution. Given that unmanaged devices can be transient, such as a device introduced by an employee or contractor, it is important that the device discovery process is both continuous and automated.
Once a device is visible, the next step is to understand what it is doing and whether those actions are acceptable. This means observing device behaviour over time to establish baselines, and comparing observed behaviour with that of other devices of a similar type or functional role. This profiling should include an understanding of common network connections, protocols in use and other typical behaviours. This phase is also critical for understanding how a device is used in the enterprise, so that appropriate policies can be established that truly enable the device and the business.
The next step is to proactively control the attack surface presented by unmanaged devices. This requires the organisation to establish sanctioned behaviours based on the type of device and its role. At a high level, this means defining what is allowed and denying the rest.
Having identified and enforced approved behaviour, the final step is to identify malicious behaviour. As well as identifying the signs of malicious tools and techniques, it is also necessary to monitor for signs that a device may be compromised. Once a threat is identified, the ability to block it automatically needs to be in place. If a device is acting as an exfiltration channel out of the network, the flow of data must be stopped automatically in order to limit the damage.
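The four steps above, reduced to a small worked example that is not part of the original post: constructed flow records from a learning window feed a per-role baseline (step 2), the baseline becomes an allow-list policy that denies anything not observed (step 3), and new flows are evaluated with unsanctioned services or unusually large outbound volume blocked automatically (step 4). Device names, roles, ports and the volume threshold are illustrative assumptions, not data from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    device: str    # discovered device identifier (step 1: visibility)
    role: str      # device type / functional role, e.g. "printer"
    proto: str     # "tcp" or "udp"
    dst_port: int
    bytes_out: int

# Constructed telemetry from the learning window (step 2: profiling); not real data
BASELINE_FLOWS = [
    Flow("printer-01", "printer", "tcp", 631, 2_000),
    Flow("printer-01", "printer", "tcp", 9100, 5_000),
    Flow("printer-02", "printer", "tcp", 9100, 4_000),
    Flow("byod-phone-7", "byod", "tcp", 443, 40_000),
    Flow("byod-phone-7", "byod", "udp", 53, 300),
]

def build_policy(flows):
    """Step 2/3: per-role baseline of observed (proto, port) pairs and the largest
    per-flow outbound volume. Anything not observed is denied (allow-list)."""
    allowed, max_out = defaultdict(set), defaultdict(int)
    for f in flows:
        allowed[f.role].add((f.proto, f.dst_port))
        max_out[f.role] = max(max_out[f.role], f.bytes_out)
    return {"allowed": dict(allowed), "max_out": dict(max_out)}

def evaluate(flow, policy, volume_factor=5):
    """Step 3/4: return (verdict, reason). Unknown roles and unsanctioned services
    are denied; a sanctioned service moving far more data than the role's baseline
    is treated as a possible exfiltration channel and blocked automatically."""
    allowed = policy["allowed"].get(flow.role)
    if allowed is None:
        return "block", "unknown device role"
    if (flow.proto, flow.dst_port) not in allowed:
        return "block", f"{flow.proto}/{flow.dst_port} not sanctioned for {flow.role}"
    if flow.bytes_out > volume_factor * policy["max_out"][flow.role]:
        return "block", "outbound volume far above role baseline (possible exfiltration)"
    return "allow", "within baseline"

if __name__ == "__main__":
    policy = build_policy(BASELINE_FLOWS)
    for f in [Flow("printer-02", "printer", "tcp", 631, 1_500),     # allow
              Flow("printer-01", "printer", "tcp", 22, 800),        # block: ssh not sanctioned
              Flow("printer-02", "printer", "tcp", 9100, 60_000),   # block: volume anomaly
              Flow("camera-3", "camera", "tcp", 443, 100)]:         # block: unknown role
        print(f.device, *evaluate(f, policy))
```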
As an alternative to the above process, you could look at installing a clientless security solution such as Ericom Security's ZTNA solution, which gives those users least-privilege access and controls their ability to access and share data.
MobileCorp is an Australian ICT services company that assists enterprise and business to solve mobility issues. We recommend Ericom Security by Cradlepoint to provide secure access for the unmanaged devices on your network.
Ericom Security isolates web and applications to protect them from third party access risk and threats from compromised devices.
Ericom is a clientless solution that allows BYOD employees and third-party contractors to access your public or private web and cloud apps via an isolated, secure cloud environment, where granular data and access security controls are applied to prevent data loss.
Contractors log in through a standard web browser, yet apps and data access are controlled by your IT team:
MobileCorp is an enterprise ICT solutions company with a mission to deliver our customers a communications technology edge. We provide Managed Mobility Services, Enterprise Mobility Management, Complex Data and IP Networks, and Unified Communication solutions. We have a proven track record providing managed services for Australian enterprise and business, and we are a Telstra Platinum Partner.