Let’s have a candid discussion about rogue devices, shall we? You know, the unauthorized access point plugged into a port in a conference or under someone’s desk. Or maybe the network behind the off-shore contractors you have maintaining legacy applications. Perhaps someone is running a side business during work hours on a device they bring from home ON YOUR NETWORK.
Each of these scenarios (regardless of how contrived) happens every day. And every new device presents a significant risk to your environment. Which means you need to be constantly watching for these devices and making sure they are not wreaking havoc. In fact, this is one of the key use cases for network access control (NAC). Of course, that technology is struggling, but it’s not because of a lack of a problem to solve.
So if you are looking at a log management or security information and event management (SIEM) product, won’t that tell you about new devices? Won’t it see something funky and flag it? Well, actually, no it doesn’t. Log management requires logs, and your typical rogue device isn’t too interested in forwarding its logs to much of anything. That’s right, each managed device needs to be configured to push log files to the log management product. If that doesn’t happen, the SIEM is blissfully unaware anything is going on – until a number of managed devices are compromised – which is too late.
Yes, network devices (at least the right ones) can detect rogue devices and potentially quarantine those until the proper authorization is presented. But what if you don’t have NAC or can’t afford to upgrade your entire switching infrastructure? That’s right, you need to go beyond log data.
As mentioned in reason #4 about network flows, the network never lies. So we’ve got to look for new network devices and then kick off a scan to figure out what each one is and whether it’s authorized. eIQ SecureVue makes that pretty simple. You can set a policy to check for any new IP addresses within a specific time period. Then, from right within SecureVue, you can kick off a vulnerability scan to figure out what that device actually is. Once you know what it is, you can decide whether it should be there.
Additionally, you can set network flow policies to check for traffic leaving the network from unmanaged devices. This kind of extrusion monitoring will tell you if a device is moving data off the network. Maybe they should be, maybe not. But the point is to gain situational awareness of what’s happening in your environment. And just looking at the log data is not going to get you there.
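As an added example (not SecureVue’s own code or policy language), here is how those two flow-based policies can be expressed in Python: a "new internal IP in the last N hours, not in the managed inventory" check that produces the list of devices to hand to a scanner, and an "unmanaged device sending data off the network" extrusion check. The inventory, the internal address range and the flow records are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical inventory of managed/authorized devices (constructed sample).
MANAGED = {"10.0.0.5", "10.0.0.6", "10.0.0.10"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    ("2009-10-06 09:00:00", "10.0.0.5", "10.0.0.10", 445, 12000),
    ("2009-10-06 09:05:00", "10.0.0.77", "10.0.0.10", 80, 800),             # never seen before
    ("2009-10-06 09:06:00", "10.0.0.77", "203.0.113.20", 443, 5_000_000),   # same box pushing data out
    ("2009-10-06 09:10:00", "10.0.0.6", "198.51.100.9", 443, 3000),         # managed device, egress expected
]

def parse_flow(rec):
    ts, src, dst, port, nbytes = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, port, nbytes

def is_unmanaged_internal(ip):
    """An address inside our range that is not in the managed inventory."""
    return ipaddress.ip_address(ip) in INTERNAL and ip not in MANAGED

def new_devices(flows, now, window=timedelta(hours=24)):
    """Policy 1: unmanaged internal sources first seen inside the window.
    The returned list is what you would feed to a vulnerability scan."""
    first_seen = {}
    for ts, src, _, _, _ in sorted(map(parse_flow, flows)):
        if is_unmanaged_internal(src):
            first_seen.setdefault(src, ts)
    return sorted(ip for ip, ts in first_seen.items() if now - window <= ts <= now)

def unmanaged_egress(flows, byte_threshold=1_000_000):
    """Policy 2: bytes sent to external addresses by unmanaged internal devices,
    reported only when the total crosses the threshold."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in map(parse_flow, flows):
        if is_unmanaged_internal(src) and ipaddress.ip_address(dst) not in INTERNAL:
            totals[src] += nbytes
    return {ip: b for ip, b in totals.items() if b >= byte_threshold}

if __name__ == "__main__":
    now = datetime(2009, 10, 6, 12, 0, 0)
    print("scan candidates:", new_devices(FLOWS, now))
    print("unmanaged egress:", unmanaged_egress(FLOWS))
```

The managed device on 10.0.0.6 also sends traffic out, but it is in the inventory, so only the unmanaged box is reported by either policy.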
October 6, 2009 at 9:45 AM
Ten Reasons Log Data is Not Enough #6: You can’t monitor what you can’t see… – eIQ Networks