
Reining in ‘Out-of-Control’ Devices

Out-of-control devices run the gamut from known to unknown and benign to malicious, and where you draw the line is unique to your organization.


Endpoint detection and response (EDR) has demonstrated clear value in protecting endpoints, and in many ways provides unique visibility into local processes. However, customers and prospects tell us their percentage of EDR coverage on endpoints is in the range of 60-70%. In other words, 40-30% of devices are out of their control.

Out-of-control devices fall into a few different categories:

  • Traditional. This includes network gear like routers and switches that will never support agents and you know will always be out of control.
  • Digital transformation driven. Next is the rapidly expanding number of devices and systems that are now attaching to network infrastructure, including Internet of Things (IoT) and operational technology (OT) devices like video surveillance systems, HVAC systems, and supervisory control and data acquisition (SCADA) systems. Any appliance that can’t support an agent for whatever reason can be hijacked and taken advantage of as an entryway to launch attacks.
  • Rogue. Finally, there are devices people bring into your infrastructure without your knowledge. They may have added the device as a function of their job and simply forgot to add an EDR agent to it. Or perhaps they spun up a new service in the cloud but didn’t use the approved automation that adds all your infosec tools to it. However, sometimes a rogue device is plugged into the network for nefarious purposes – to conduct reconnaissance and serve as a jumping-off point for a data breach or disruption.

Not only are we blind to many devices currently connected to our networks and to new devices being added every day, but we are also blind to what these devices are doing. Many organizations have governance practices and policies that specify behavior. So, we often end up with a gap in visibility between what we think is happening and what is actually happening and, on top of that, a gap in capabilities to easily know if that behavior is okay or something potentially malicious that needs immediate attention.

Cast a light on shadow areas

We live in a world rife with stories of malware existing within an organization’s infrastructure for months before it’s caught. Meanwhile, data has been exfiltrated because the malicious activity happens in the shadows of the network where attackers can hide and do their work mostly undetected.

So, the first step to rein in out-of-control devices is to gain visibility into what’s happening on the network. However, in today’s dispersed, ephemeral, encrypted, and diverse (DEED) environments, shadow areas are everywhere, so it’s incredibly difficult to gain network visibility relying on conventional tools. Instead of finding one spot to monitor and do packet capture, there are dozens, if not hundreds, of spots. Deep packet inspection (DPI) becomes extremely complex to manage and sends costs through the roof. That’s where metadata comes in, allowing you to cast a light on shadow areas you can’t afford to ignore. Metadata in the form of flow data provides a passive and agentless approach to network traffic visibility across multi-cloud, on-premises, and hybrid environments, including every IP address and every device.

Context comes next


We also need capabilities to meld visibility with context for governance, because even when you can see what is happening on the network, you still need context to understand what that traffic means. For instance, you might see a host on your platform scanning across your network. How do you easily tell the difference between your penetration testing platform performing as it should, and a rogue host that has been compromised? If all you’re looking at is network traffic, this will raise alarms.

However, when you can enrich flow data with information from other sources, such as your EDR system, configuration management database (CMDB), and cloud security posture management (CSPM), you gain additional meaning that doesn’t necessarily exist inherently in network traffic data. You can understand the who and the what. If it turns out that it’s your pen test platform scanning as it should be, then there’s no need to worry. But if it turns out to be a sales rep’s macOS laptop that’s supposed to have policies in place that limit user access to specific parts of the network and applications, you may have a problem and need to investigate further.

Operational governance: the end game

Ultimately, reining in out-of-control devices is about operational governance. So, the final piece is to build detections around governance policies to identify anomalous behavior and alert on it, in effect bridging the gap between the visibility piece and the investigation piece.
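As an added illustration of the enrichment and governance detection described above (not code from the article or from any vendor product), the following Python example flags hosts with high destination fan-out in flow records, then uses CMDB and EDR context to tell a sanctioned scanner from a policy violation or an unknown device. The flow records, inventory entries, role names and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port); not real traffic.
FLOWS = (
    [("10.0.5.10", f"10.0.1.{i}", 445) for i in range(1, 41)]      # pen test platform
    + [("10.0.8.23", f"10.0.2.{i}", 22) for i in range(1, 31)]     # sales laptop
    + [("10.0.9.77", f"10.0.3.{i}", 3389) for i in range(1, 26)]   # in no inventory
    + [("10.0.8.40", "10.0.1.5", 443)] * 12                        # ordinary client
)

# Constructed context, standing in for CMDB and EDR exports.
CMDB = {
    "10.0.5.10": {"role": "pentest-platform", "owner": "security"},
    "10.0.8.23": {"role": "sales-laptop", "owner": "sales"},
    "10.0.8.40": {"role": "sales-laptop", "owner": "sales"},
}
EDR_COVERED = {"10.0.8.23", "10.0.8.40"}

# Hypothetical governance policy: roles allowed to scan internally.
SCAN_ALLOWED_ROLES = {"pentest-platform"}
SCAN_THRESHOLD = 20  # distinct (dst, port) pairs per window treated as scanning


def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Return {src: fan-out} for sources at or above the fan-out threshold."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[src].add((dst, port))
    return {s: len(t) for s, t in targets.items() if len(t) >= threshold}


def evaluate(flows):
    """Enrich each scanning source with context and apply the policy."""
    findings = {}
    for src, fanout in find_scanners(flows).items():
        asset = CMDB.get(src)
        if asset is None:
            verdict = "alert: unknown device scanning"
        elif asset["role"] in SCAN_ALLOWED_ROLES:
            verdict = "ok: sanctioned scanner"
        else:
            verdict = "investigate: policy violation"
        findings[src] = {"fanout": fanout, "edr": src in EDR_COVERED,
                         "role": asset["role"] if asset else None,
                         "verdict": verdict}
    return findings


if __name__ == "__main__":
    for ip, finding in sorted(evaluate(FLOWS).items()):
        print(ip, finding)
```

Flow data alone would raise the same alarm for all three scanning hosts; only the joined context separates the pen test platform from the laptop and the device that appears in no inventory.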

Out-of-control devices run the gamut from known to unknown and benign to malicious, and where you draw the line is unique to your organization. What’s considered out of control for a large manufacturer with an OT platform that handles all the automation for devices on the plant floor is very different from how that’s defined in a financial services firm, and likely necessitates different controls. Even within a single company, the definition of out-of-control varies depending on whether you’re referring to the OT network or the IT network where laptops, servers, and printers reside. And even at a device level, what’s out of control in the cloud versus the data center is different. Fortunately, metadata enriched with context and overlaid with governance policies provides the flexibility needed to define and detect what is truly out of control and rein it in.

Written By

Matt Wilson is the Vice President of Product Management at Netography. Over his 25+ year career, Matt has held senior technology leadership positions across numerous industries including Neustar, Verisign, and Prolexic Technologies. With a rich background in innovation and go-to-market strategies, Matt has been a critical leader in helping many companies conceptualize solutions from the customer lens and drive them to market with significant impact.
