Finding Obsolete Devices
- Updated on 24 Mar 2022
- 5 Minutes to read
What Are Obsolete Devices?
Obsolete devices are devices which are no longer useful in a business context. They may be legacy or sunsetted devices which have not been removed from the environment, or they may be outdated devices which cannot be upgraded or patched. Most organizations have some extent of obsolete devices in their networks, yet these devices, if unknown or unmanaged, present cyber risk. Obsolete devices can be exploited by cyber criminals, or they can negatively impact system performance or user experience.
Challenges To Finding Obsolete Devices
The ability to identify devices on or touching the corporate network is a challenge in and of itself. In the past, when all devices were managed and corporate owned, enterprises could simply run scans and devices would appear. Today, with remote work, cloud services, mobile devices, IoT devices, and other unmanaged devices, an entirely new set of complexities exists.
Running simple scans to identify devices communicating on the network, and/or deploying agent-based endpoint management tools, will result in an incomplete asset inventory and heightened cyber risk. One area of such concern is obsolete devices, that is, outdated devices or unused devices that no longer serve a business purpose, yet are present (if not communicating) in the enterprise environment.
Most asset inventories fail to identify obsolete devices because:
- agents haven’t been, or can’t be, deployed on them
- they haven’t communicated on the network and thus don’t appear in assessments
Nonetheless, security analysts and IT operations staff need visibility into obsolete devices to manage vulnerabilities associated with them.
Using Axonius To Quickly Find Obsolete Devices
Via connected adapter sources, the Axonius platform can find rarely used or outdated devices, even if the devices haven’t communicated over the network recently, without any manual searching. The Axonius correlation engine automatically compares fetched device information from multiple sources to gain an accurate representation of assets in an enterprise’s network environment—within minutes.
Further, IT and security teams use the Axonius Query Wizard to identify devices that haven’t been seen by individual sources in a given time period, devices installed on/before/after a specified date, and outdated software and hardware versions. With these capabilities, Axonius users can accurately and easily answer critical questions such as:
- Which devices in my environment are latent or obsolete?
- Where are the devices located?
- What software is running on the devices?
- Can the devices be updated/upgraded?
- What other systems, devices, or users are connected to or accessing obsolete devices?
When obsolete devices are found, Axonius users can leverage the Enforcement Center to tag devices, remove devices from directory services, isolate devices, disable user access to those devices, and take other custom actions directly from their Axonius console.
Furthermore, Axonius provides a RESTful API so customers can push Axonius data to CMDB platforms, vulnerability scanners, directory services platforms, or other tools they already use in order to manage obsolete devices from their preferred console.
Recommended Data Sources
The more adapters you have connected in Axonius, the more data you’ll receive about each asset.
We recommend any or all of the following adapter types:
- Network Infrastructure: Routers, firewalls, switches, and more that monitor, measure, and help manage networks and the devices traversing them
- CMDBs: Databases that store information about an organization's deployed hardware and software assets and the relationships between them
- Endpoint Protection: Tools typically deployed via agents that provide information on devices, including running software, OS type and version, external IP, network interfaces, and more
- Configuration/Patch Management: Configuration and patch management agents that provide detailed device information
- Directory Services: Critical data services that allow organizations to manage users and user device types, and help govern access to resources
- Vulnerability Scanners: Scanners used to uncover known vulnerabilities in an organization’s digital ecosystem, both internal and external
- IAM: Identity and access management tools which provide information on users, access permissions, privileges, entitlements, authentication mechanisms, password strength and expiration, and more.
- Cloud Infrastructure: Major cloud service providers like AWS, Azure, GCP, and Alibaba, which today house large portions of organizations’ systems and services
Finding Obsolete Devices
Axonius allows customers to search for device attributes and find obsolete, outdated, or unused devices. Via the search bar in the Devices tab in their Axonius platform, users can build out queries that fetch device information for OS versions that are no longer supported by the manufacturer.
Example: Finding Windows workstations that have an OS Build past their "end of support" date.
First, the user would build a query that defines Windows workstations seen in the last 30 days:
This query will be saved as "AX-Win Workstations (30d)" and will be used to further refine the query to identify workstations running on unsupported OS versions, or workstations with other potential vulnerabilities.
For instance, the following query can be used to find Windows workstations seen in the last 30 days, and for which Active Directory has been disabled—potentially opening up a blind spot for access governance.
Next, we use the saved query, AX-Win Workstations (30d), as the basis to look for Windows workstations with an OS Build past their "end of support" date (i.e., "17763"). In addition, an "and/or" expression is used to find devices that do NOT contain "LTSC", so that the Windows 10 Enterprise LTSC product edition is excluded from the query, since it is still supported by Microsoft:
After surfacing devices with the associated vulnerability, users can click into any device of interest to view rich information about the asset, including aggregate, normalized data from all collected sources. This gives the user a holistic picture of the device and its true state. Such information will include:
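The three queries above are shown in the original as Query Wizard screenshots. The following is an added example, not Axonius code and not the Query Wizard's own syntax: it reproduces the same filtering logic in plain Python over a small, constructed inventory of correlated device records. Field names such as os_type, device_class, os_build, os_distribution, last_seen and ad_enabled are hypothetical stand-ins for the attributes adapters would supply; the unsupported build "17763" and the "LTSC" exclusion come from the page.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (matches the page's date).
NOW = datetime(2022, 3, 24, tzinfo=timezone.utc)

# Constructed sample inventory; field names are hypothetical, not Axonius schema.
DEVICES = [
    {"hostname": "WS-001", "os_type": "Windows", "device_class": "workstation",
     "os_distribution": "10 Pro", "os_build": "19044",
     "last_seen": NOW - timedelta(days=2), "ad_enabled": True},
    {"hostname": "WS-002", "os_type": "Windows", "device_class": "workstation",
     "os_distribution": "10 Enterprise", "os_build": "17763",
     "last_seen": NOW - timedelta(days=5), "ad_enabled": True},
    {"hostname": "WS-003", "os_type": "Windows", "device_class": "workstation",
     "os_distribution": "10 Enterprise LTSC", "os_build": "17763",
     "last_seen": NOW - timedelta(days=1), "ad_enabled": True},
    {"hostname": "WS-004", "os_type": "Windows", "device_class": "workstation",
     "os_distribution": "10 Pro", "os_build": "17763",
     "last_seen": NOW - timedelta(days=45), "ad_enabled": True},
    {"hostname": "WS-005", "os_type": "Windows", "device_class": "workstation",
     "os_distribution": "10 Pro", "os_build": "18363",
     "last_seen": NOW - timedelta(days=10), "ad_enabled": False},
    {"hostname": "SRV-001", "os_type": "Windows", "device_class": "server",
     "os_distribution": "Server 2019", "os_build": "17763",
     "last_seen": NOW - timedelta(days=1), "ad_enabled": True},
    {"hostname": "MAC-001", "os_type": "macOS", "device_class": "workstation",
     "os_distribution": "12.2", "os_build": "21D49",
     "last_seen": NOW - timedelta(days=3)},  # no AD record at all
]


def win_workstations_seen_within(devices, days=30, now=NOW):
    """Equivalent of the saved query 'AX-Win Workstations (30d)':
    Windows workstations that any source has seen in the last `days` days."""
    cutoff = now - timedelta(days=days)
    return [d for d in devices
            if d["os_type"] == "Windows"
            and d["device_class"] == "workstation"
            and d["last_seen"] >= cutoff]


def ad_disabled(devices):
    """Refinement: devices whose Active Directory account is explicitly disabled.
    Devices with no AD record (key absent) are not flagged here; they are a
    different visibility problem, not a disabled account."""
    return [d for d in devices if d.get("ad_enabled") is False]


def unsupported_build(devices, unsupported_builds=("17763",), excluded_edition="LTSC"):
    """Refinement: OS build in the unsupported set AND edition string does NOT
    contain 'LTSC', so the still-supported Enterprise LTSC edition is excluded."""
    return [d for d in devices
            if d["os_build"] in unsupported_builds
            and excluded_edition not in d["os_distribution"]]


def find_obsolete_workstations(devices, days=30, now=NOW):
    """Run the base query, then both refinements; return hostnames per bucket."""
    base = win_workstations_seen_within(devices, days, now)
    return {
        "base": [d["hostname"] for d in base],
        "ad_disabled": [d["hostname"] for d in ad_disabled(base)],
        "unsupported_os": [d["hostname"] for d in unsupported_build(base)],
    }


if __name__ == "__main__":
    for bucket, hosts in find_obsolete_workstations(DEVICES).items():
        print(f"{bucket}: {hosts}")
```

Note the order of operations: the last-seen window is applied first, so WS-004 (build 17763 but silent for 45 days) never reaches the OS-build refinement. That is the intended behaviour of the page's saved-query approach, but a device that has gone quiet is itself a candidate obsolete asset, so a complementary query with the window inverted (not seen in the last N days) is worth running alongside this one.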
- Last Used User (if Active Directory or similar solutions know about the asset)
- Operating System
- MAC Address
- Installed Software & Agent Versions
- Network Interfaces
- Vulnerable Software
Directly from the Axonius Enforcement Center, users can take specific actions to alert asset administrators, tag workstations, remove devices, isolate devices, and more to decrease the risk of obsolete devices on the network.
Notify device administrators via email or an integrated system notification method such as Slack, Teams, SharePoint, Box, Syslog Server, cloud notification systems, and more.
Create a ticket
Create a help desk ticket in ServiceNow, Zendesk, Jira, and other CMDB, help desk, and ticketing platforms so that asset owners/administrators will be informed and can deprecate the device. Admins may also automatically add or update assets in their CMDB directly from the Enforcement Center.
Disable obsolete devices that may pose risk
Prevent potential misuse of obsolete Windows devices by disabling them in Active Directory.
For more details, see Action Library.