Learning asset naming patterns to find risky unmanaged devices

Description

Devices unknown to the corporate IT control management teams pose security threats. Whether they’re legitimate but unmanaged or unauthorized rogue devices, they represent a security blind spot as they are potential entry points for malware or adversarial actions. Reducing the security risk from unknown physical or virtual devices is multifaceted, and a key first step toward reducing risk from unknown devices is to recognize and identify their presence.

In large corporate networks, devices often adhere to some official naming conventions. In practice, other devices may have their own unofficial naming conventions unknown to IT; for example, devices from departments outside of formal control policy, legacy systems or domains, external vendors or partners, and communication devices brought in by employees. Ryan Foltz’s assumption, which holds true for IT practitioners, is that the vast majority of legitimate network devices follow some known and unknown naming conventions. Devices outside of these naming conventions are the very small minority in the network, and devices with unusual names raise security concerns. IT analysts intimately familiar with their own networking environment can readily point out whether unusually named devices are questionable for further investigation.

To identify these devices, Ryan proposes a machine learning method based on deep learning to identify and model the hidden character distribution patterns from names of all observed devices on the network, effectively capturing the known and unknown naming conventions of devices. Devices with anomalous or usual names not explained by the model are flagged for review, and their corresponding anomaly scores allow ranking for prioritization. This provides a new tool that can be part of a comprehensive device management program or system.