Benefits of Rogue System Detection

Asset management, including Rogue System Detection, is an important part of overall organization security.

Security software often focuses on assets that are known and permitted within the network environment, but is not designed to detect and control rogue systems that are connected to the network. Rogue devices are not part of the management framework, which means they are not part of any standards, policies, security controls, or patch updates.

Rogue systems can include devices that we often overlook, and include things as varied as systems that employees bring from home, Voice over IP devices, printers, test systems, and even manufacturing equipment.

Rogue systems pose a unique threat to organizations, present vulnerabilities, and can allow sensitive data to be exposed or stolen. Conficker is an example of a severe attack that infected many organizations after unprotected laptops gained access to the corporate network.

Managing rogue assets

These examples show the challenge of managing rogue assets:

  • Unmanaged assets are often insufficiently patched and protected, and vulnerable to attack. These systems can harbor undetected malware. Not only is the asset compromised, but the asset can attack and damage other systems in the network.
  • Contractor and visitor systems that connect to an organization’s network often do not meet established security policies. Unprotected systems or systems with an undetermined protection level that join the network can create compliance issues. Attackers can also use the legitimate data and access rights provided to these systems to extract sensitive information or to distribute malware.
  • Rogue systems detected on the network can indicate physical malicious activity within the corporate network, and can create unprotected wireless access points that bypass firewalls. Without actively monitoring the network for rogue systems, an administrator has no way to determine how many unmanaged systems are on the network. The more unmanaged systems there are, the greater the risk to the network.

McAfee recommendations

McAfee recommends three stages to identify and then appropriately mitigate rogue assets on the network:

  • Identify all assets on the network — Identify all devices on the network and gain full visibility. Rogue System Detection 5.x replaces the old sensor with a more advanced sensor. The new sensor improves upon previous releases with:
    • Detection of additional rogue devices
    • Faster detection of rogue devices
    • Improved accuracy for rogue device attributes (such as OS detection)
  • Report assets back to Rogue System Detection — Compare the results to existing managed assets and a rule set created for determining the true status of a system. Rogue System Detection allows administrators to create and apply rules, ignore known managed systems, and filter unmanaged devices that are of no threat by adding them to the Exceptions List.

    Exceptions are systems that don’t need a McAfee Agent and from which you no longer want to receive detection information. Common examples include voice over IP telephones and switches. At the same time, you can identify unmanageable non-corporate devices, such as personal cell phones.

    You can also add systems to the Rogue Sensor Blacklist. These are often systems that are adversely affected if a sensor is installed on them.

  • Convert a rogue system to a managed client — Once you have a list of rogue devices, Rogue System Detection allows you to execute a series of actions on the results. For systems that you don't want on your network, the response can be as simple as generating an alert to inform the administrator that these rogue systems are present, so that appropriate action can be taken.

    For unmanaged corporate resources, the administrator can choose to make them managed systems or add them to the Exceptions List. While automation saves time and reduces the scope for errors, manual administration is necessary when testing and commissioning a solution or changing policies.

Automatic Responses

Use the Automatic Responses feature of McAfee ePolicy Orchestrator to handle rogue systems:

  • A rule configured to push out the McAfee Agent using domain administrator credentials converts an unmanaged system to a managed system.
  • Preconfigured systems placement rules can determine where to place the rogue device in the System Tree and trigger execution of the correct policies and installation tasks. These rules can turn an unmanaged system into a fully managed, protected, and compliant system. Administrators can use this method to deploy protection to entire networks with minimal effort.
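The three stages above (detect, compare against managed systems, the Exceptions List and the Rogue Sensor Blacklist, then respond) and the two Automatic Responses can be illustrated as one classification pipeline. The following is an added example written for this page; it is not McAfee code and does not use the ePolicy Orchestrator schema. The device records, MAC addresses, exception reasons, OS-prefix rule and System Tree group names are all constructed assumptions.

```python
"""Classify devices reported by a sensor and pick an automatic response.

Added illustration of the Rogue System Detection workflow described above.
All inventory data, rule names and System Tree groups are constructed
assumptions, not values from a real ePolicy Orchestrator server.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    os: str  # operating system as fingerprinted by the sensor


# --- Constructed sample data -------------------------------------------
# MAC addresses of systems that already carry a McAfee Agent (managed).
MANAGED_INVENTORY = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

# Exceptions List: devices that never need an agent and should not be
# reported as rogue (assumed entries: a VoIP phone and a switch).
EXCEPTIONS = {"00:aa:bb:cc:dd:01": "VoIP phone", "00:aa:bb:cc:dd:02": "core switch"}

# Rogue Sensor Blacklist: systems that must not have a sensor installed.
SENSOR_BLACKLIST = {"00:11:22:33:44:66"}

# Hypothetical attribute rule: treat these OS fingerprints as exceptions
# even when the MAC has not been listed explicitly.
EXCEPTION_OS_PREFIXES = ("VoIP", "Printer")

# Hypothetical System Tree placement rules: corporate subnet -> group.
# Devices outside every listed subnet are not corporate and only get an alert.
PLACEMENT_RULES = [
    (ip_network("10.1.0.0/16"), "My Organization/HQ/Workstations"),
    (ip_network("10.2.0.0/16"), "My Organization/Branch/Workstations"),
]


def classify(dev: Device) -> str:
    """Stage 2: compare a detection with the inventory and the rule set.

    Returns 'managed', 'exception' or 'rogue'.
    """
    if dev.mac in MANAGED_INVENTORY:
        return "managed"
    if dev.mac in EXCEPTIONS or dev.os.startswith(EXCEPTION_OS_PREFIXES):
        return "exception"
    return "rogue"


def placement_group(ip: str) -> Optional[str]:
    """Return the System Tree group for a corporate IP, or None if non-corporate."""
    addr = ip_address(ip)
    for net, group in PLACEMENT_RULES:
        if addr in net:
            return group
    return None


def sensor_allowed(dev: Device) -> bool:
    """A blacklisted system must never receive a sensor, whatever its status."""
    return dev.mac not in SENSOR_BLACKLIST


def respond(dev: Device) -> Dict[str, str]:
    """Stage 3: choose the automatic response for one detection.

    Rogue devices on a corporate subnet get an agent pushed and a System
    Tree placement; rogue devices elsewhere only raise an alert.
    """
    status = classify(dev)
    result = {"mac": dev.mac, "status": status, "action": "none"}
    if status == "rogue":
        group = placement_group(dev.ip)
        if group is None:
            result["action"] = "alert"
        else:
            result["action"] = "deploy_agent"
            result["group"] = group
    return result


def process(devices: List[Device]) -> List[Dict[str, str]]:
    """Run every detection through classification and response selection."""
    return [respond(d) for d in devices]


def unmanaged_count(results: List[Dict[str, str]]) -> int:
    """The number the text says cannot be known without monitoring."""
    return sum(1 for r in results if r["status"] == "rogue")


# Constructed detections as a sensor might report them.
SAMPLE_DETECTIONS = [
    Device("00:11:22:33:44:55", "10.1.5.9", "Windows 10"),     # managed
    Device("00:aa:bb:cc:dd:01", "10.1.7.2", "VoIP Phone"),     # listed exception
    Device("02:00:00:00:00:99", "10.1.9.9", "Printer Firmware"),  # OS-rule exception
    Device("02:00:00:00:00:aa", "10.2.3.4", "Windows 11"),     # rogue, branch subnet
    Device("02:00:00:00:00:bb", "192.168.1.50", "Linux"),      # rogue, non-corporate
]

if __name__ == "__main__":
    for row in process(SAMPLE_DETECTIONS):
        print(row)
    print("unmanaged systems:", unmanaged_count(process(SAMPLE_DETECTIONS)))
```

The order of checks in `classify` matters: the managed inventory is consulted first so that a managed system whose OS fingerprint happens to match an exception rule is still counted as managed, and the Exceptions List is consulted before declaring anything rogue so that phones and switches never trigger an agent push. The sensor blacklist is deliberately a separate check from agent deployment, matching the distinction the text draws between the two lists.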

See the McAfee ePolicy Orchestrator Product Guide for more information about Automatic Responses.