EDS (Early Detection System) for Lost/Missing Devices

The Problem

Often, by the time a device is reported lost or missing, any useful data has already gone stale or is completely unavailable. We began working on this issue in a retail environment, but the solution can be replicated in any industry where mobile devices are in use. In this particular case, the parties responsible for reporting missing devices (location managers) typically waited at least 30 days before reporting a device as missing. By then all of the available data is 30+ days old, and ultimately not much can be done beyond confirming that the device is missing. Many of these devices are WiFi dependent and stop reporting data as soon as they are removed from their home location or powered off. That silence is itself the signal: it can be used to identify when a device goes missing, well before anyone reports it.

Targeted Devices:

  • Zebra Scanner Devices (Used for Inventory)
  • Mobile Handsets (Android TC-52)
  • Mobile Printers
  • OT/IoT Devices


The Solution

Identification

By looking at the "missing" devices in Axonius we were able to determine that specific adapters, or types of adapters, drop devices sooner than others. For instance, wireless access point adapters dropped a device and removed its connection 72 hours after the device last connected. It is also worth noting that the primary security and remote management tools would still actively report the device until it lost power or had been off the network long enough to miss its check-in window.

Using a combination of adapter connections, we were able to identify devices that were potentially missing based on which adapters were and were not reporting the device. An example of this is below:

In this case, we identified that Armis and Aruba Airwave would both continue to show the devices, while Palo Alto would drop a device 72 hours after its last connection to the network. This concept has been replicated at other enterprises using a different subset of adapters; essentially you need to identify several high-fidelity adapters and make a note of when each one stops reporting a missing device. Each adapter eventually removes its own record, but a set of adapters that drop the device at different intervals gives you a staged signal rather than a single cutoff.

Example:

  • Adapter A drops its connection or record of a missing device 7 days after its last seen
  • Adapter B drops its connection or record of a missing device 10 days after its last seen
  • Adapter C drops its connection or record of a missing device 3 days after its last seen

Once all 3 of these adapters no longer have a connection or record for the device, it is highly likely that the device is missing. A 4th adapter or the CMDB can then be used to confirm the device status, since the device may simply be in the process of being retired or decommissioned; that is easy to validate. For example:
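The following is an added worked example, not the article's own Axonius query, showing the detection logic in Python so the thresholds and the CMDB cross-check can be read as code. It uses the Adapter A/B/C retention windows from the list above (7, 10 and 3 days), placeholder adapter names rather than real Axonius adapter identifiers, an assumed set of CMDB lifecycle states, and a constructed inventory with made-up device IDs and timestamps. It also shows the early-warning case (the fastest-expiring adapter has dropped a device that the others still report) and the tag add/remove reconciliation that an enforcement action would perform when a tagged device checks back in.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Days after which each adapter drops its record of a device it has not seen.
# Mirrors the article's Adapter A/B/C example; the names are placeholders,
# not real Axonius adapter identifiers (assumption for this example).
ADAPTER_RETENTION_DAYS = {"adapter_a": 7, "adapter_b": 10, "adapter_c": 3}

# CMDB lifecycle states in which a silent device is expected rather than
# missing (assumed vocabulary; substitute your own CMDB's states).
EXPECTED_SILENT_STATES = {"retired", "decommissioning", "in_repair"}

MISSING_TAG = "Missing"


@dataclass
class Device:
    device_id: str
    last_seen: dict          # adapter name -> datetime the adapter last saw it
    cmdb_status: str = "active"
    tags: set = field(default_factory=set)


def adapters_still_reporting(device, now):
    """Adapters that still hold a record of the device at time `now`.
    An adapter with no entry, or whose last-seen is older than its retention
    window, has dropped the device."""
    reporting = set()
    for adapter, retention in ADAPTER_RETENTION_DAYS.items():
        seen = device.last_seen.get(adapter)
        if seen is not None and now - seen <= timedelta(days=retention):
            reporting.add(adapter)
    return reporting


def early_warning(device, now):
    """True when the fastest-expiring adapter has already dropped the device
    while a longer-retention adapter still reports it: the earliest hint that
    the device has stopped checking in."""
    reporting = adapters_still_reporting(device, now)
    fastest = min(ADAPTER_RETENTION_DAYS, key=ADAPTER_RETENTION_DAYS.get)
    return bool(reporting) and fastest not in reporting


def classify(device, now):
    """'present' while any adapter still reports the device; 'expected_silent'
    when every adapter has dropped it but the CMDB explains why; otherwise
    'missing' (all adapters dropped, CMDB says it should be active)."""
    if adapters_still_reporting(device, now):
        return "present"
    if device.cmdb_status in EXPECTED_SILENT_STATES:
        return "expected_silent"
    return "missing"


def reconcile_tags(devices, now):
    """Tag changes an enforcement action would apply on this run: add the
    Missing tag to newly missing devices, remove it from devices that have
    checked back in or whose CMDB status now explains the silence.
    Returns (ids_to_tag, ids_to_untag)."""
    to_tag, to_untag = [], []
    for d in devices:
        state = classify(d, now)
        if state == "missing" and MISSING_TAG not in d.tags:
            to_tag.append(d.device_id)
        elif state != "missing" and MISSING_TAG in d.tags:
            to_untag.append(d.device_id)
    return to_tag, to_untag


# Constructed reference time and inventory for the demonstration (not real data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


def sample_devices():
    return [
        # Seen 4 days ago: the 3-day adapter dropped it, the 7- and 10-day
        # adapters still report it -> present, but an early-warning candidate.
        Device("TC52-001", {"adapter_a": days_ago(4), "adapter_b": days_ago(4),
                            "adapter_c": days_ago(4)}),
        # Silent for 12 days, all three adapters dropped it, CMDB says active.
        Device("ZEBRA-017", {"adapter_a": days_ago(12), "adapter_b": days_ago(12),
                             "adapter_c": days_ago(12)}),
        # Silent for 15 days but mid-decommission: expected, not missing.
        Device("PRN-204", {"adapter_a": days_ago(15), "adapter_b": days_ago(15)},
               cmdb_status="decommissioning"),
        # Tagged Missing on an earlier run, reconnected yesterday: untag it.
        Device("TC52-009", {"adapter_c": days_ago(1)}, tags={MISSING_TAG}),
    ]


if __name__ == "__main__":
    devices = sample_devices()
    for d in devices:
        flag = "early-warning" if early_warning(d, NOW) else ""
        print(d.device_id, classify(d, NOW), flag)
    to_tag, to_untag = reconcile_tags(devices, NOW)
    print("tag:", to_tag, "untag:", to_untag)
```

Run as-is, the script classifies TC52-001 as present with an early warning, ZEBRA-017 as missing, PRN-204 as expected_silent, and reconciles tags by adding "Missing" to ZEBRA-017 and removing it from TC52-009. The retention values are the thing to tune per environment: they should be the observed drop intervals of your own adapters, not guesses, and the CMDB state list should match whatever your retirement process actually sets.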

Action

Using a query like the one above as a trigger, EC (Enforcement Center) actions can be configured to do a number of things with these missing devices. You can simply notify a specific person or team via email or messaging and ask them to investigate the devices, or you can open an investigation or incident in your ticketing system. At the very least, it is worth using EC to tag these devices as "Missing" so that they can easily be identified and managed.

A list of available actions can be found here: Axonius EC Actions. The first two sections relate to notifications and incident/ticket creation. 


Potential Workflow

Trigger query identifies missing devices --> EC action opens a ticket, tags the device as "Missing", and sends an alert via email, Teams, Slack, etc. --> Investigation takes place and the device status is updated accordingly.

This can be configured in a number of different ways and could include removing the tag when a device checks back in. It is up to each organization to set these thresholds so as to avoid creating unnecessary work. Institutional knowledge will help in determining not only the thresholds but also how the organization handles device status changes under normal circumstances: you do not want to end up reporting "retired" devices as "missing" simply because of how the retirement process works within the organization.

Synopsis

Looking at the available adapters in your environment, you can identify which ones drop their connections or records the quickest and use this information to trigger an asset investigation via EC actions. In our experience, networking adapters, specifically those associated with access points, remove a device record the quickest, as they typically have a low "last seen" threshold for devices that do not reconnect.
