There’s a hard-to-detect security risk that quietly gets larger every day, and it affects virtually every organization. As unmanaged assets like industrial internet of things (IIoT) devices, industrial control systems (ICS), and even smart consumer electronics proliferate, the security management gap between these unmanaged and managed assets keeps growing. The gap is impossible to see, however, because legacy security tools can’t properly identify and monitor unmanaged assets. To make matters worse, organizations often don’t patch unmanaged assets when vulnerabilities are discovered.
The result? When organizations can’t secure unmanaged devices, attackers can easily exploit those assets, often without setting off alarms until the damage is done. For example, in October 2019, Armis reported our discovery of 11 urgent vulnerabilities affecting the VXWorks operating system that controls more than two billion healthcare, manufacturing, and enterprise devices. In December 2020, however, 97% of the affected devices were still unpatched. A lack of organizational device visibility was no doubt a key culprit.
The URGENT/11 vulnerabilities, and others like them, put organizations at risk of intrusions, ransomware attacks, and data breaches, which cost enterprises an average of “$4.24 million per incident in 2021, the highest in 17 years.”
How do you know if your organization has a managed-unmanaged security gap that you need to close? Let’s look at why the gap exists, why it’s growing, and what tools you need to detect and eliminate it.
What’s Behind the Managed-unmanaged Device-security Gap?
There are two big reasons for the divide. The first is that the number of unmanaged assets is exploding. As many as 50 billion connected assets were already in the field at the end of 2021, per Cisco and Gartner—and analysts project the number to exceed 75 billion by 2025.
These assets include most of the tools and technology we take for granted at work and home, such as bring your own device (BYOD) laptops, tablets, and smartphones; wearables like smartwatches and fitness trackers; and connected speakers and televisions. Unmanaged assets also include IIoT, ICS, and operational technology (OT) devices, in addition to cloud servers and virtual machines.
This expansion of unmanaged endpoints creates new security challenges because these devices are often invisible to IT departments. As far back as 2017, when there were billions fewer unmanaged assets in the field, Armis found organizations were missing 40% or more of the assets in their environments. As the number of assets grows, so does the size of the device blind spot—now closer to 70%. To complicate things further, even IT assets, including company laptops, desktops, and servers, can go unmonitored and unmanaged due to missing or misconfigured agents.
At the end of the day, most organizations simply cannot see all the assets operating in their environments. Instead, they often have siloed, incomplete views of their managed assets while significant numbers of unmanaged assets go completely undetected.
Legacy Monitoring and Security Tools Deliver Fragmented Results
Why do so many assets go undetected? Most organizations rely on agent-based asset management platforms that identify managed devices on IT networks. Those solutions often can’t see unmanaged devices at all. Worse, these legacy solutions can sometimes disrupt the operation of unmanaged assets or knock them offline.
In response to the problem of silos and invisibility, organizations commonly add more niche security solutions to cover gaps. But the addition of more tools just amplifies the fragmentation, creating more manual work for security teams. The fragmentation can also contribute to challenges with meeting compliance requirements and make it more difficult for organizations to keep up with best practices as the security landscape evolves.
Asset visibility isn’t even the only security gap to consider. Beyond simply identifying every asset, security teams need to know what operating system and software the assets are running (including versions), what other assets they communicate with, their potential vulnerabilities, and their risk profiles. It’s impossible to gather all that data and monitor it in real time with legacy tools.
Consequences of the Device-visibility Gap
Without comprehensive information about every device in the environment, incident prevention, detection, and response are exponentially more difficult. Sometimes, the attacks on connected assets are clear immediately. Just consider the 2021 attack on a Rhode Island healthcare system’s cloud service; it disabled radiation-therapy equipment and forced the rescheduling of cancer treatments for more than 50 patients. In most cases, however, attackers who gain access to an environment are not found and purged from networks for an average of 287 days.
Without continuous monitoring, organizations also lack the ability to isolate compromised equipment and respond to intrusions in real time. The asset visibility gap also prevents the automation of policy enforcement and response orchestration, forcing organizations to manually remediate vulnerabilities and threats (often asset by asset). Manual response efforts can quickly overwhelm SOC resources. Meanwhile, attackers are free to cause more damage and disruption, which requires more money, time, and other resources to remediate.
Closing the Unmanaged-managed Device-security Gap
With a solution that’s built for complete visibility, organizations can close the gap, identify every asset in their environment and benefit from continuous monitoring and automation. What does this look like?
Comprehensive Asset Discovery and Classification
The Armis Asset Intelligence platform starts by using a continuous, passive, and agentless approach to identify all assets across the environment without disrupting their operations. That gives security teams a complete asset inventory that includes managed, unmanaged, cloud, and BYOD assets–including transient devices.
As Armis identifies assets, it automatically analyzes their characteristics and behavior in the Armis Intelligence Engine, a knowledgebase that continuously monitors more than 2 billion assets worldwide. This comparison enables Armis to properly classify devices and understand the context for what an asset is doing versus what it should be doing to detect threats with a high degree of accuracy.
Real-time Asset Risk Evaluation
Scheduled scans can miss rapidly emerging threats and cause delays in response. The Armis Asset Intelligence platform continuously monitors asset attributes and activity and compares them to the normal behaviors defined by the Intelligence Engine. When the platform identifies an issue, it can immediately send alerts or automate and orchestrate responses across existing security tools, such as NACs, to accelerate remediation–all without performing scans that can disrupt asset functions.
Integration of All Asset Data Into One Dashboard
Inventorying assets manually takes a lot of time and often requires the security team to work across multiple platforms. The results can include data-entry errors, missed assets, and point-in-time inventory data that is almost instantly out of date.
The Armis Asset Intelligence platform brings all asset data into one dashboard—by identifying virtually every asset in the environment and by integrating with your organization’s existing IT and security tools to provide a single source of the truth. This unified view is continuously scrubbed and updated as Armis monitors assets and notes changes.
Security Policy Automation
Manually addressing vulnerabilities and risks is time-consuming and may not happen quickly enough to stop an attacker from causing damage. The larger and more complex the organization is, the less practical it is to rely on manual security policy enforcement. With Armis, the security team can automate policies for device isolation, software updates, alerts, and more, so you can remediate issues in real time at scale.
Faster, More Efficient Remediation
Armis also orchestrates incident response by:
- Alerting administrators
- Initiating tickets for teams to act on
- Evaluating new assets as they come online
- Pushing updates across asset management platforms
- Quarantining affected assets while leaving others free to operate
- Patching assets that need updates
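To make the passive discovery, classification, baseline comparison, and policy automation described in the sections above concrete, here is an added example in Python. It is not Armis code and does not describe how the Armis platform is implemented; it only shows the shape of the workflow with a toy pipeline. Everything in it is constructed: the observation records (what a sensor on a mirror port might log), the OUI table, the per-class behavioral baseline, the set of agent-managed MAC addresses, and the action names are placeholders standing in for the real feeds and integrations a platform would use.

```python
"""Toy pipeline: passive asset discovery -> classification -> baseline check -> policy actions.

All data below is constructed for illustration; none of it comes from a real environment.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed passive observations, as a sensor on a SPAN/mirror port might record them:
# (source MAC, source IP, DHCP vendor class if seen, destination "ip:port").
OBSERVATIONS = [
    ("00:1a:2b:00:00:01", "10.0.1.10", "MSFT 5.0", "10.0.9.5:445"),
    ("00:1a:2b:00:00:01", "10.0.1.10", "MSFT 5.0", "198.51.100.20:443"),
    ("aa:bb:cc:00:00:07", "10.0.2.50", None, "10.0.9.5:502"),        # PLC polling a historian (Modbus)
    ("aa:bb:cc:00:00:07", "10.0.2.50", None, "203.0.113.9:4444"),     # PLC reaching outside: not expected
    ("de:ad:be:00:00:42", "10.0.3.77", "SmartTV", "198.51.100.30:443"),
    ("12:34:56:00:00:99", "10.0.3.78", None, "10.0.9.5:22"),
]

# Constructed: MACs the agent-based asset-management tool already knows about.
MANAGED_BY_AGENT = {"00:1a:2b:00:00:01"}

# Constructed OUI-prefix table standing in for a vendor knowledgebase.
OUI_CLASSES = {"00:1a:2b": "workstation", "aa:bb:cc": "ics_plc", "de:ad:be": "consumer_iot"}

# Constructed behavioral baseline per device class: permitted destination ports and
# whether any connection outside the internal address space is expected at all.
BASELINE = {
    "workstation":  {"ports": {22, 53, 80, 443, 445}, "internet": True},
    "ics_plc":      {"ports": {502}, "internet": False},
    "consumer_iot": {"ports": {443}, "internet": True},
    "unknown":      {"ports": set(), "internet": False},
}

# RFC 1918 ranges listed explicitly: ipaddress.is_private also counts documentation
# ranges such as 203.0.113.0/24 as private, which would hide the PLC's external connection.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY_RANK = {"medium": 1, "high": 2}


@dataclass
class Asset:
    mac: str
    ip: str              # first IP seen for this MAC
    device_class: str
    managed: bool
    destinations: set = field(default_factory=set)  # (ip, port) pairs observed


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def classify(mac, vendor_class):
    """Classify from the OUI prefix first, then from the DHCP vendor class, else 'unknown'."""
    cls = OUI_CLASSES.get(mac[:8].lower())
    if cls:
        return cls
    if vendor_class and "msft" in vendor_class.lower():
        return "workstation"
    return "unknown"


def discover(observations, managed_macs):
    """Build the inventory purely from observed traffic: no agent, no active probe."""
    assets = {}
    for mac, ip, vendor_class, dest in observations:
        host, _, port = dest.rpartition(":")
        asset = assets.setdefault(mac, Asset(mac, ip, classify(mac, vendor_class), mac in managed_macs))
        asset.destinations.add((host, int(port)))
    return assets


def visibility_gap(assets):
    """Share of discovered assets that the agent-based tool cannot see."""
    unmanaged = sum(1 for a in assets.values() if not a.managed)
    return round(unmanaged / len(assets), 2) if assets else 0.0


def evaluate(assets):
    """Compare each asset's observed behavior with its class baseline; return (mac, severity, reason)."""
    findings = []
    for a in assets.values():
        rules = BASELINE[a.device_class]
        for host, port in sorted(a.destinations):
            if not is_internal(host) and not rules["internet"]:
                findings.append((a.mac, "high", f"unexpected external connection to {host}:{port}"))
            elif port not in rules["ports"]:
                findings.append((a.mac, "medium", f"port {port} outside {a.device_class} baseline"))
    return findings


def apply_policies(assets, findings):
    """Map each asset's worst finding plus its management state to orchestrated actions."""
    worst = {}
    for mac, sev, _ in findings:
        if SEVERITY_RANK[sev] > SEVERITY_RANK.get(worst.get(mac), 0):
            worst[mac] = sev
    actions = []
    for a in assets.values():
        sev = worst.get(a.mac)
        if sev == "high" and not a.managed:
            actions += [(a.mac, "quarantine_vlan"), (a.mac, "open_ticket")]   # contain, then investigate
        elif sev == "high":
            actions += [(a.mac, "alert_soc"), (a.mac, "open_ticket")]        # managed: agent can respond
        elif sev == "medium":
            actions.append((a.mac, "alert_soc"))
        elif not a.managed:
            actions.append((a.mac, "open_ticket"))                           # no anomaly: onboard it
    return actions


if __name__ == "__main__":
    inventory = discover(OBSERVATIONS, MANAGED_BY_AGENT)
    print(f"{len(inventory)} assets discovered, visibility gap {visibility_gap(inventory):.0%}")
    for f in evaluate(inventory):
        print("finding:", f)
    for act in apply_policies(inventory, evaluate(inventory)):
        print("action:", act)
```

Run as a script, the block reports four discovered assets with a 75% visibility gap, flags the PLC's outbound connection as high severity and the unknown device's SSH connection as medium, and quarantines only the unmanaged PLC while opening an onboarding ticket for the harmless but unmanaged smart TV. The point of the explicit RFC 1918 list is the kind of detail a baseline check lives or dies on: a convenience helper that treats documentation or test ranges as "private" would have silently suppressed the one finding that matters.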
By identifying all assets, cataloging and unifying asset data, and enabling automation, the Armis Asset Intelligence platform enables organizations to close the visibility gap between managed and unmanaged assets. With comprehensive, real-time security monitoring, policy enforcement automation, and more effective remediation, you can better protect your organization’s resources, revenue, and reputation. Learn more about managing your organization’s cybersecurity assets with Armis.