1.3: Devices

Devices

Devices are the physical — or virtual — objects that hold your people’s credentials, source code, and customer data. The pillar exists because every real attacker has to land on a device eventually. Compromise a person, and the payoff is whatever that person’s laptop can reach. If their laptop is unmanaged and unpatched, the blast radius is everything their SSO session cookie can reach.

What lives here

  • Laptops. Corporate-issued MacBooks and ThinkPads. The first-class citizens of the device fleet.
  • Phones. Especially for executives, because executives have both the juiciest email and the worst device hygiene.
  • Servers. Cloud VMs, on-prem bare metal, the one Mac Mini under a desk that hosts your office Wi-Fi portal.
  • BYOD. Laptops and phones your people own personally but use for work. The contractor’s Windows 11 tower. The engineer’s Framework laptop running Arch. The CFO’s iPad.
  • Containers. Yes, these count. A running container is a short-lived device with a network identity and file system. Most orgs forget they have thousands of them.
  • IoT and edge. Conference room cameras, badge readers, smart TVs in the lobby, manufacturing sensors. Each one is a general-purpose computer wearing a narrow-purpose costume.

What typically goes wrong

Unmanaged devices on the corporate network. You don’t know what they are, who owns them, whether they’re patched, or what they’re doing. Every org has this — the question is how many.

No patching baseline. “We patch when we can” translates to “we patched in 2023 when the security auditor asked.” A baseline is a rule: OS updates within N days of release, browsers within M, application patches within X. Without numbers, there’s no baseline.

BYOD without containers. An engineer stores a production SSH key in their personal Dropbox on a personal laptop their kid also uses. There’s no technical answer inside that device that you control. The boundary between “work” and “personal” doesn’t exist unless you design it in.

Server sprawl. Over a few years, you accumulate VMs nobody remembers creating. Each runs something — maybe a staging DB from a project that shipped in 2021. They don’t get patched. They do get scanned. They’re eventually the entry point.

Trust without verification. “Joined the domain” or “enrolled in MDM” treated as a health status, when enrollment happened 18 months ago and the device has been offline since.
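The two failure modes above, unmanaged devices and enrolled-but-silent devices, are caught by the same reconciliation: join what the network sees against what MDM knows, and treat "enrolled" as healthy only when the device has also checked in recently and reports its EDR agent. The script below is an added example written for this lesson, not code from the lesson or from any MDM vendor; the MAC addresses, hostnames, check-in times and the seven-day staleness threshold are all constructed.

```python
"""Reconcile what the network sees against what MDM knows.

Added example, not from the lesson. Two constructed data sources are joined:
MAC addresses observed on the corporate network (in practice, DHCP leases or
switch ARP tables) and an MDM inventory export. A device counts as managed
only if it is enrolled AND has checked in recently AND reports an EDR agent;
"enrolled 18 months ago" on its own is not a health status.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed: MACs seen on the network in the last 24 hours -> last IP.
NETWORK_SEEN: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "10.1.2.10",
    "aa:bb:cc:00:00:02": "10.1.2.11",
    "aa:bb:cc:00:00:03": "10.1.2.12",
    "de:ad:be:ef:00:99": "10.1.2.50",   # never enrolled in anything
}

# Constructed MDM export: MAC -> (hostname, last check-in ISO-8601, EDR agent present).
MDM_INVENTORY: Dict[str, Tuple[str, str, bool]] = {
    "aa:bb:cc:00:00:01": ("mbp-alice", "2024-07-18T09:00:00+00:00", True),
    "aa:bb:cc:00:00:02": ("tp-bob",    "2023-01-05T00:00:00+00:00", True),   # enrolled, silent for months
    "aa:bb:cc:00:00:03": ("mbp-carol", "2024-07-18T10:30:00+00:00", False),  # checks in, no EDR
    "aa:bb:cc:00:00:04": ("tp-dave",   "2024-07-17T08:00:00+00:00", True),   # enrolled, not on the network today
}

NOW = datetime(2024, 7, 19, 0, 0, tzinfo=timezone.utc)   # fixed so the run is reproducible
MAX_CHECKIN_AGE = timedelta(days=7)                      # assumed policy: older than this is "stale"


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: Optional[str]
    reason: str


def classify(network_seen, mdm_inventory, now, max_age=MAX_CHECKIN_AGE) -> List[Finding]:
    """Return one Finding per problem; a device with no findings is managed and current."""
    findings = []
    for mac, ip in network_seen.items():
        record = mdm_inventory.get(mac)
        if record is None:
            findings.append(Finding(mac, ip, None, "unmanaged: on the network, not in MDM"))
            continue
        hostname, last_checkin, has_edr = record
        age = now - datetime.fromisoformat(last_checkin)
        if age > max_age:
            findings.append(Finding(mac, ip, hostname, f"stale: enrolled but no check-in for {age.days} days"))
        if not has_edr:
            findings.append(Finding(mac, ip, hostname, "no EDR agent reported"))
    return findings


def unmanaged_count(findings) -> int:
    """How many network-visible devices are not in MDM at all."""
    return sum(1 for f in findings if f.reason.startswith("unmanaged"))


if __name__ == "__main__":
    for f in classify(NETWORK_SEEN, MDM_INVENTORY, NOW):
        print(f"{f.ip:<12} {f.mac}  {f.hostname or '-':<10} {f.reason}")
```

Run on the sample data it reports tp-bob as stale, mbp-carol as missing EDR, and the de:ad:be:ef host as unmanaged; mbp-alice produces nothing. The same join, run daily against real DHCP and MDM exports, is the answer to "how many" in the paragraph on unmanaged devices, and the staleness check is what turns "enrolled in MDM" from a historical fact into a health status.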

What mature orgs do differently

MDM on everything corporate-owned. Jamf for Macs, Intune for Windows, usually both for mixed fleets. MDM gives you inventory, configuration, and the ability to remotely wipe. Without it, a lost laptop is just a story you tell.

BYOD only with isolation. Personal devices either don’t access corporate data, or they access it through a container (MDM work profile, a browser-isolated session, a VDI). No middle ground. “I’ll just be careful” is not a control.

Patching SLAs tied to severity + exposure. Critical CVEs on internet-facing systems: 72 hours. High CVEs on internal systems: 14 days. Everything else: a month. The numbers can vary; the existence of numbers cannot.
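The patching baseline ("OS updates within N days") and the severity-plus-exposure SLA above are the same mechanism: a policy table with numbers in it, evaluated against each open finding to produce a deadline. The evaluator below is an added example written for this lesson, not code from the lesson or from any scanner; the SLA rows carry the lesson's numbers, while the hosts, dates and CVE-XXXX identifiers are constructed placeholders.

```python
"""Turn 'severity + exposure' into a concrete deadline and report breaches.

Added example, not from the lesson. SLA_RULES encodes the numbers the lesson
gives; the findings are constructed and the CVE ids are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                      # placeholder ids below, not real advisories
    severity: str                 # "critical" | "high" | "medium" | "low"
    internet_facing: bool
    published: datetime           # when the fix became available
    patched: Optional[datetime] = None


# Ordered policy: the first rule whose predicate matches wins.
# Read literally, the lesson's table sends critical/internal and
# high/internet-facing to the default; most orgs add rows for those.
# The values can vary; the rows must exist.
SLA_RULES: List[Tuple[str, Callable[[Finding], bool], timedelta]] = [
    ("critical / internet-facing",
     lambda f: f.severity == "critical" and f.internet_facing, timedelta(hours=72)),
    ("high / internal",
     lambda f: f.severity == "high" and not f.internet_facing, timedelta(days=14)),
]
SLA_DEFAULT = ("everything else", timedelta(days=30))


def sla_for(f: Finding) -> Tuple[str, timedelta]:
    """Name and window of the first matching rule, else the default."""
    for name, matches, window in SLA_RULES:
        if matches(f):
            return name, window
    return SLA_DEFAULT


def deadline(f: Finding) -> datetime:
    return f.published + sla_for(f)[1]


def status(f: Finding, now: datetime) -> str:
    """'met' (patched in time), 'open' (unpatched, still inside the window) or 'breached'."""
    due = deadline(f)
    if f.patched is not None:
        return "met" if f.patched <= due else "breached"
    return "open" if now <= due else "breached"


def breaches(findings, now) -> List[Tuple[str, str, str]]:
    """(host, cve, rule) for every finding that missed its deadline."""
    return [(f.host, f.cve, sla_for(f)[0]) for f in findings if status(f, now) == "breached"]


UTC = timezone.utc
NOW = datetime(2024, 7, 19, tzinfo=UTC)
FINDINGS = [   # constructed sample findings
    Finding("web-01",  "CVE-XXXX-0001", "critical", True,  datetime(2024, 7, 15, tzinfo=UTC)),
    Finding("app-02",  "CVE-XXXX-0002", "critical", False, datetime(2024, 7, 10, tzinfo=UTC)),
    Finding("db-03",   "CVE-XXXX-0003", "high",     False, datetime(2024, 7, 1, tzinfo=UTC),
            patched=datetime(2024, 7, 12, tzinfo=UTC)),
    Finding("jump-04", "CVE-XXXX-0004", "high",     True,  datetime(2024, 6, 1, tzinfo=UTC),
            patched=datetime(2024, 7, 5, tzinfo=UTC)),
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.host:<8} {f.cve} {sla_for(f)[0]:<28} due {deadline(f):%Y-%m-%d}  {status(f, NOW)}")
```

Two things the sample run makes visible: web-01 is already in breach one day after its 72-hour window closed, and app-02, a critical finding on an internal host, has a full month because the table as written has no row for it. That gap is the kind of thing a table makes obvious and a sentence like "we patch when we can" hides.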

EDR everywhere, centrally managed. Endpoint detection and response — CrowdStrike, SentinelOne, Microsoft Defender for Endpoint — on every endpoint, with alerts feeding one central place a human actually watches.

Decommissioning process. When a device leaves the fleet, it’s wiped, removed from inventory, removed from identity systems, and its certificate is revoked. This is a checklist. If it’s not a checklist, it doesn’t happen.

Anchor: CrowdStrike, July 19, 2024

At 04:09 UTC, CrowdStrike pushed an update to its Falcon sensor — a “Rapid Response Content” file, intended as a minor configuration change — to roughly 8.5 million Windows endpoints worldwide. The file contained a logic error. Machines that applied it immediately blue-screened and entered a reboot loop.

Delta canceled 7,000 flights. Hospitals postponed surgeries. The NHS took GP systems offline. Emergency dispatchers in multiple states fell back to pen and paper. Global economic impact was estimated at $5–$10B.

CrowdStrike’s EDR is a device-layer control. It lives on every endpoint, it has kernel privileges, and it auto-updates by design — because that’s how you catch a novel threat at 04:10. The tradeoff is that an auto-updating control with kernel privileges is also an auto-updating failure mode with kernel privileges.

The device-layer lesson isn’t “don’t use EDR.” It’s: device management isn’t just “get patched” — it’s “control when patches hit.” Mature orgs now ring-deploy security agent updates the same way they ring-deploy application releases: canary, staged rollout, rollback plan. If your endpoint agent vendor doesn’t offer that, you negotiate for it. If they can’t, you reconsider the vendor.
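What "canary, staged rollout, rollback plan" looks like as a control is a loop that pushes to one ring, measures health, and refuses to promote when the failure rate crosses a line. The simulation below is an added example written for this lesson, not CrowdStrike's or any vendor's code or API; the ring names, fleet sizes, the 2% gate and the push_update/rollback stand-ins are all assumed.

```python
"""Ring-deploy an endpoint agent update behind a health gate, with rollback.

Added example, not the lesson's code and not any vendor's API. The fleet and
the effect of the update on each device are simulated; push_update/rollback
stand in for whatever your MDM or EDR console actually exposes.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

RINGS = {
    0: "canary: security and IT's own laptops",
    1: "engineering",
    2: "company-wide",
    3: "servers",
}
MAX_FAILURE_RATE = 0.02   # assumed gate: more than 2% unhealthy in a ring halts the rollout


@dataclass
class Device:
    name: str
    os: str          # "windows" | "macos" | "linux"
    ring: int
    version: str = "1.0"
    healthy: bool = True


def make_fleet() -> List[Device]:
    """Constructed fleet: every ring gets a mix of operating systems."""
    sizes = {0: 10, 1: 60, 2: 400, 3: 40}
    fleet = []
    for ring, n in sizes.items():
        for i in range(n):
            os_name = "windows" if i % 2 else ("linux" if ring == 3 else "macos")
            fleet.append(Device(f"r{ring}-{i:03d}", os_name, ring))
    return fleet


def push_update(devices: List[Device], version: str, breaks_device: Callable[[Device], bool]) -> None:
    # Stand-in for the console push. In real life you wait a soak period
    # and then read health (check-in, boot state) back from the console.
    for d in devices:
        d.version = version
        d.healthy = not breaks_device(d)


def rollback(devices: List[Device], version: str) -> None:
    for d in devices:
        d.version = version
        d.healthy = True


def ring_deploy(fleet, new_version, breaks_device, max_failure_rate=MAX_FAILURE_RATE) -> Tuple[str, int, float]:
    """Promote through rings in order. Returns (outcome, last_ring_touched, failure_rate_there)."""
    previous = fleet[0].version
    last_ring, rate = -1, 0.0
    for ring in sorted(RINGS):
        members = [d for d in fleet if d.ring == ring]
        if not members:
            continue
        push_update(members, new_version, breaks_device)
        rate = sum(1 for d in members if not d.healthy) / len(members)
        last_ring = ring
        if rate > max_failure_rate:
            rollback(members, previous)          # only this ring ever saw the bad build
            return "rolled_back", ring, rate
    return "complete", last_ring, rate


if __name__ == "__main__":
    # A content file that crashes every Windows host on boot: the canary ring catches it.
    print(ring_deploy(make_fleet(), "1.1", lambda d: d.os == "windows"))
    # A benign update walks all four rings.
    print(ring_deploy(make_fleet(), "1.1", lambda d: False))
```

With the "breaks every Windows host" update, the loop stops at ring 0 with a 50% failure rate and the other 500 devices never receive it; with a benign update it completes all four rings. The part that matters in negotiation with a vendor is the `push_update` boundary: if the agent pulls content on its own schedule, there is no place for this loop to sit, which is exactly the gap the July 2024 incident exposed.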