- 24 Mar 2022
Find Ephemeral Devices
- Updated on 24 Mar 2022
An ephemeral device is a device that lasts for a short period. Examples of devices that are often ephemeral include:
- virtual machines
- containers
- unknown devices
While many ephemeral devices are authorized and a normal part of operational processes, security, networking, and risk teams are often challenged to identify the presence of these devices in real time. This makes it hard for security teams to answer a multitude of essential questions such as:
- How can teams attest to compliance and security metrics if they aren’t able to identify all devices within a week, day, or even hour?
- How does the security team deploy necessary security patches and agents when it is not notified that these short-lived devices have been created?
- How does the security operations analyst triage an alert for a device that no longer exists or reconcile devices that appear to have the same IP address assigned to them?
Common Challenges For Finding Ephemeral Devices
Since ephemeral devices are used fleetingly, they typically aren’t accounted for in an asset inventory using traditional methods and tools. For example, a new container would not be accounted for in a Configuration Management Database (CMDB) if the CMDB isn’t connected directly to sources that know about it. That means a container would need to be added manually, and once the container is deprecated, the CMDB would be outdated.
Other technologies that use network scanning to find devices will often miss ephemeral devices because scans are performed in cycles, not continuously. Such infrequent scans result in a large visibility gap for ephemeral devices.
Agent-based tools can be effective for identifying assets, but since ephemeral devices are short-lived, they often never have an agent deployed on them in the first place.
Recommended Data Sources
To find ephemeral devices, you will need to connect the sources where devices are created and deprecated. In addition, it is helpful to understand where networking adapter sources and cloud workload protection platforms
- Cloud Infrastructure: connecting cloud IaaS providers allows you to find and correlate data for containers and cloud-based virtual machines in Axonius
- Virtualization: virtualization platforms such as VMware ESXi, Microsoft Hyper-V, or Oracle VM allow you to identify ephemeral virtual machines
- Networking: it is important to know what has connected to the network in order to identify unknown ephemeral devices, such as BYOD computers, smart cameras, or printers.
- Cloud Security & Container Management Solutions: verify that ephemeral devices are protected by cloud workload protection and other platforms when necessary
How To Find Ephemeral Devices With Axonius
By connecting to the management consoles of platforms where ephemeral devices are created, Axonius can identify key indicators that are useful for finding short-lived devices. Axonius can search for the following data fields in order to help identify ephemeral devices:
- Boot time
- Uptime
- Power state
- Virtual machine ID
- Container type
- Container ID
- VPC ID
- Container port
- Last seen
- Asset name
- Host name
- MAC address
- IP address
- Operating system
Example Queries
To find ephemeral devices, it is useful to look at the power state, uptime, first seen, or last seen time for containers and virtual machines.
Uptime Less Than One Day
A useful way to find ephemeral devices is to look at anything with uptime that is less than 24 hours. This can be done by using the Axonius Aggregated dropdown to search for any device that has an uptime of less than one day.
Cloud Instances Not Seen In 14 Days
The following query shows examples of cloud instances that have not been seen by their management console in 14 days. It is possible that these instances should have been deprecated but are still active, in which case they may pose additional risk.
Virtual Machines Still Seen in Axonius, But Turned Off
It can also be helpful to review machines that have been turned off for a number of days, but are still seen in Axonius. This example looks for any Virtual Machine seen in Axonius in the last five days with an off power state.
Identifying these machines can help security teams understand the implications of any additional risk that may be posed when machines are turned back on. For example, is the machine configured with proper security controls?
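The three example queries above, expressed as filters over a small constructed inventory. This is an added example, not Axonius query syntax or code from Axonius; the record fields, device names and the fixed `NOW` timestamp are hypothetical. It also lists devices that report no boot time, which the uptime query cannot evaluate and would otherwise silently skip.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample below is reproducible.
NOW = datetime(2022, 3, 24, 12, 0, tzinfo=timezone.utc)

def ago(**kw):
    return NOW - timedelta(**kw)

# Constructed sample records; field names are hypothetical, not Axonius fields.
DEVICES = [
    {"name": "ci-runner-7f3a", "type": "container", "source": "cloud",
     "boot_time": ago(hours=3), "last_seen": ago(minutes=5), "power_state": "on"},
    {"name": "web-prod-01", "type": "vm", "source": "cloud",
     "boot_time": ago(days=90), "last_seen": ago(hours=1), "power_state": "on"},
    {"name": "batch-old-12", "type": "vm", "source": "cloud",
     "boot_time": ago(days=40), "last_seen": ago(days=20), "power_state": "on"},
    {"name": "test-vm-03", "type": "vm", "source": "virtualization",
     "boot_time": None, "last_seen": ago(days=2), "power_state": "off"},
    {"name": "printer-lobby", "type": "unknown", "source": "network",
     "boot_time": None, "last_seen": ago(hours=6), "power_state": None},
]

def uptime_under(devices, now, limit=timedelta(days=1)):
    """Uptime below limit. Skips unknown or future (clock-skewed) boot times."""
    return [d["name"] for d in devices
            if d["boot_time"] is not None
            and timedelta(0) <= now - d["boot_time"] < limit]

def cloud_not_seen(devices, now, days=14):
    """Cloud instances whose management console last reported them > days ago."""
    return [d["name"] for d in devices
            if d["source"] == "cloud"
            and now - d["last_seen"] > timedelta(days=days)]

def vms_off_but_seen(devices, now, days=5):
    """Virtual machines seen within the last days, with an off power state."""
    return [d["name"] for d in devices
            if d["type"] == "vm" and d["power_state"] == "off"
            and now - d["last_seen"] <= timedelta(days=days)]

def no_uptime_data(devices):
    """Blind spot: devices the uptime filter cannot judge at all."""
    return [d["name"] for d in devices if d["boot_time"] is None]
```

Devices returned by `no_uptime_data` need another signal, such as last seen time from a networking source, before they can be classified as ephemeral or not.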
Example Enforcement Actions
When ephemeral devices are found in Axonius, there are a number of options to alert teams without any human intervention needed.
Any time a saved query surfaces newly found ephemeral devices, security and risk teams can take actions including:
- Sending a Slack message with details to notify team members who may know about the particular ephemeral device
- Creating a Jira issue to notify IT and DevOps teams
- Adding a tag in Axonius for internal tracking purposes
- Creating or updating CMDB entries if you are tracking all devices in a CMDB