Continuous Monitoring for Transient Devices


By Gavin Millard, Technical Director, Tenable Network Security

Nearly eight years ago, Steve Jobs stood on stage in California and announced the brand new iPhone to an eager audience, stating: “Every once in a while a revolutionary product comes along that changes everything.” How right he was. The iPhone changed the way we interact with our devices. It defined new markets, created billions of dollars for app developers, and made the vision of a mobile Internet a workable reality.

But this revolution ushered in two side effects. First, the iPhone has had a massive impact on how employees use devices to do their jobs. And second, it forced a paradigm shift in the way security professionals secure infrastructures.

Odd Proposition

Back then, the thought of bringing your own device (BYOD) to work seemed like an odd proposition, but now it’s the norm. The commercialisation of IT and an increase in user mobility have enabled employees to work wherever and whenever they need to. However, the more we enable this style of working, the greater the risks to the business. And those risks should not be ignored or underestimated.

Consider an Android tablet on sale for as little as $40. Unfortunately, the security of these inexpensive devices out of the box is woefully inadequate. Security risks originate with the ability to install apps from untrusted third parties, code being signed by the wrong key, and even well-known and long-standing vulnerabilities being unpatched. An eager employee at your organization could decide to use this device on the corporate network, with a low probability of discovery and a high probability of introducing something nasty into the environment. An eager attacker could infiltrate the network, easily circumventing expensive controls, and use the device to reach out to more useful and data-rich targets.

Trojan Targets

Now, more than ever, Trojans are targeting our handheld devices for three main reasons:

  • They are full of private information that could be used for fraudulent activity.
  • They are often used as a second factor for authentication – something that is useful for a targeted attack.
  • They can be used as a conduit for attack traffic, enabling hackers to take control of the device and wait for it to be walked into a corporate network.

BYOD devices such as PDAs, smartphones, or tablets do not always need a network connection to cause a problem. Malware authors are targeting mobile devices for infection and then passing the malware on to a corporate laptop when the device is synced over USB. A poorly configured phone or tablet is an easy target for malware, and the chances of the infected device being plugged into a host computer of interest are high.

Users aren’t helping either. According to a recent study from BitDefender, almost 40% of users who connect personal mobile devices to corporate networks have no lock screen mechanism in place. Another study by ViaSat discovered that 25,000 devices are handed in every year to Transport for London, with the actual number of devices lost in the capital alone being far greater but unrecorded. The reality is that it’s incredibly easy to misplace a device; and, left unlocked, that one device could lead to the loss of huge amounts of corporate data. Enforcing something simple like a screen lock should be an easy control to implement, but the evidence shows that many organisations don’t enforce such security policies for personal devices.

Traditional Approaches

Many of the traditional approaches we rely on to keep us secure fall down when it comes to dealing with BYOD. For example, vulnerability management – a foundational control that any infrastructure should be deploying – is often blind when it comes to BYOD. If there are no listening ports or remote shell, how can you scan for vulnerabilities? And if you’re scanning every week or month, the probability of picking up a large proportion of transient devices will fall towards zero.

Compounding the issue further is virtualisation. Scanning for hosts and vulnerabilities using the traditional approach also falls down in the virtual space. With systems spinning up, and constantly pausing and migrating among different physical hosts, the chances of detecting these systems with any high level of confidence are low. Unfortunately, these virtual systems often have the lowest level of compliance with corporate security policy and are out of date with patching, because they were offline or in cold storage when the big bugs were patched. Who hasn’t spun up a VM and stared with some concern at all the updates that need to be applied since the last time it was used?

Almost all vulnerability management platforms follow a blueprint designed in the late 90s that simply no longer works. The define-scan-analyse approach taken by active vulnerability scanners suited an era when computers were large pieces of tin that went nowhere, but now the approach is akin to using a Polaroid camera as a CCTV camera: it captures a picture in time, but lacks the situational awareness and context that countless disconnected snapshots cannot provide. Highly transient devices and the high compound annual growth rate (CAGR) of IP address usage are a 21st Century problem that requires a 21st Century solution. You need to measure risk in minutes, not in months, if it is measured at all.

Continuous Monitoring

BYOD and virtualisation are here to stay. Luckily, every device leaves fingerprints on the network. The communications these devices use to function are easy to capture, and their characteristics can be gleaned and analysed from the collected metadata. By using a continuous passive monitor connected to the switching fabric of the network or at egress points, that data can be used to understand whether a device or system is running vulnerable code, is infected with malware, or is exhibiting other indicators of compromise or unusual behaviour.

Continuous monitoring is emerging as a platform necessity. Unlike active scanning, passive monitoring does not produce a snapshot in time, but continually observes your network so that transient devices are discovered and scanned as soon as they’re visible.

Pairing real-time passive monitoring with a more traditional active scanner gives you both the speed of asset detection and identification and the depth and clarity of vulnerability data, resulting in 100% visibility of the infrastructure and a clearer view of the risks. When utilising both a passive and an active scanner, you can also identify unknown devices communicating on the network that aren’t provisioned on the mobile device management platform or contained in the list of assets. The addition of passive scanning helps reconcile the ongoing dilemma of appearance vs. reality. This is how you effectively create and manage a more modern view of the IT infrastructure.
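The two passages above describe the mechanism in outline: glean platform and version from metadata a passive sensor captures, then reconcile what was seen against the active scan's asset list and the MDM enrolment list. The following Python is an added example written for this article, not Tenable code and not any product's API. It assumes three constructed inputs a defender could collect: passive observations (timestamp, MAC, IP and a captured HTTP User-Agent or DHCP vendor class string), the asset set from the last active scan, and the MDM enrolment set. The fingerprint patterns and the minimum-version baseline are illustrative assumptions, not vendor or advisory data.

```python
"""Reconcile passively observed devices against active-scan and MDM records.

Added example; all device data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass(frozen=True)
class Observation:
    seen_at: datetime
    mac: str
    ip: str
    hint: str  # HTTP User-Agent or DHCP vendor class captured from a span port


# Constructed passive observations: a managed laptop, an enrolled iPhone,
# an unmanaged Android tablet seen twice, and a VM that appeared after the last scan.
OBSERVATIONS = [
    Observation(datetime(2015, 3, 2, 9, 1), "aa:bb:cc:00:00:01", "10.0.1.10",
                "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0"),
    Observation(datetime(2015, 3, 2, 9, 3), "aa:bb:cc:00:00:02", "10.0.1.11",
                "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_2 like Mac OS X) AppleWebKit/600.1.4"),
    Observation(datetime(2015, 3, 2, 9, 7), "aa:bb:cc:00:00:03", "10.0.1.12",
                "Mozilla/5.0 (Linux; Android 4.1.1; Generic Tablet Build/JRO03C) AppleWebKit/534.30"),
    Observation(datetime(2015, 3, 2, 9, 9), "aa:bb:cc:00:00:03", "10.0.1.12",
                "Mozilla/5.0 (Linux; Android 4.1.1; Generic Tablet Build/JRO03C) AppleWebKit/534.30"),
    Observation(datetime(2015, 3, 2, 9, 12), "aa:bb:cc:00:00:04", "10.0.1.50",
                "MSFT 5.0"),  # DHCP vendor class string, no User-Agent seen yet
]

# Asset list produced by the last active scan (constructed), keyed by MAC.
ACTIVE_SCAN_ASSETS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
# MDM enrolment list (constructed).
MDM_ENROLLED = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
# Minimum acceptable OS versions: an assumed policy baseline for the example only.
MIN_VERSION = {"ios": (8, 0), "android": (4, 4), "windows": (6, 1)}

# Assumed fingerprint patterns; each yields (major, minor) of the platform version.
FINGERPRINTS = [
    ("ios", re.compile(r"iPhone OS (\d+)_(\d+)")),
    ("android", re.compile(r"Android (\d+)\.(\d+)")),
    ("windows", re.compile(r"Windows NT (\d+)\.(\d+)")),
]


def fingerprint(hint):
    """Return (platform, (major, minor) or None) gleaned from a captured string."""
    for platform, pattern in FINGERPRINTS:
        match = pattern.search(hint)
        if match:
            return platform, (int(match.group(1)), int(match.group(2)))
    if hint.startswith("MSFT "):
        # The DHCP vendor class identifies Windows, but its number is the DHCP
        # client version, not the OS version, so no version is claimed.
        return "windows", None
    return "unknown", None


def reconcile(observations, scanned, enrolled, baseline):
    """Collapse observations per MAC and flag what the scan and the MDM missed."""
    first_seen, latest = {}, {}
    for obs in sorted(observations, key=lambda o: o.seen_at):
        first_seen.setdefault(obs.mac, obs.seen_at)
        latest[obs.mac] = obs  # keep the most recent observation per device

    report = []
    for mac, obs in latest.items():
        platform, version = fingerprint(obs.hint)
        flags = []
        if mac not in scanned:
            flags.append("not_in_last_scan")
        if mac not in enrolled:
            flags.append("not_mdm_enrolled")
        minimum = baseline.get(platform)
        if version is not None and minimum is not None and version < minimum:
            flags.append("below_baseline")
        report.append({
            "mac": mac, "ip": obs.ip, "platform": platform, "version": version,
            "first_seen": first_seen[mac], "last_seen": obs.seen_at, "flags": flags,
        })
    return report


def needs_attention(report):
    """Devices carrying at least one flag: the gap between appearance and reality."""
    return [entry for entry in report if entry["flags"]]


if __name__ == "__main__":
    for entry in needs_attention(reconcile(OBSERVATIONS, ACTIVE_SCAN_ASSETS,
                                           MDM_ENROLLED, MIN_VERSION)):
        print(entry["mac"], entry["ip"], entry["platform"], entry["version"], entry["flags"])
```

Run against the constructed data, the tablet is reported as unscanned, unenrolled and below the version baseline, and the VM is reported as unscanned and unenrolled with its platform known but its version unconfirmed; the two managed devices produce no flags. A real deployment would feed `reconcile` continuously from the sensor rather than once, and would treat a `None` version as a prompt for a targeted active scan rather than as a clean result.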

It seems like a day doesn’t go by without a major vulnerability being announced. Some have a flashy logo and catchy name, others incite fear. But when these massive vulnerabilities are announced, it’s surely more effective to have the most current view of your network available to understand where you’re at risk rather than staring at a list of devices from last month, wondering how much has changed since the last snapshot was taken. Your time is more important than that, and so is the business.
