Sevco Security Shorts: Cross-Asset Search

We’ve been releasing a series of videos from Chief Strategy Officer, Brian Contos, highlighting how Sevco’s 4D Asset Intelligence platform works, and how organizations can use it to better understand their environment. We call these videos Sevco Security Shorts.

Now, we’re posting the transcripts of this series for those that would prefer to read the content.

Hey, everybody. Today, we’re going to talk about cross-asset search, searching across users and devices, vulnerabilities and applications. So in this case, let’s go to users. Here’s the Venn diagram we’re used to seeing. There’s Microsoft Active Directory, there’s Okta, and then of course there’s Slack as well. And as with any Venn diagram, if you look at the very center, these are things that these devices have in common. There’s 641 solutions that show up in all three, but there’s five that are just in Slack and aren’t showing up anyplace else. And here, we see five actual users now that perhaps should be disabled, they should be added to Okta, or for some reason, they’re sitting in some systems but not sitting in others.

So let’s go a little bit deeper here. Let’s run a query. So I’m going to go into the query section, and underneath our first attribute, I’m going to choose Microsoft Active Directory, and then I want to select groups. That’s the main identifier. Now, I want to say “look at groups that contain”, and the value, I’m simply going to say admin. I want to find all my admin users across Microsoft Active Directory, Slack, and Okta. And here we go. Now, we have 18 actual users, and I can scroll through those users, but here’s one, Kora. Let’s double click on her and see what’s in the details.

So we can see that Kora has a few things pulling information. Again, Microsoft Active Directory, Okta and Slack, that’s where we’re getting these details from. We show that there’s four systems that she’s an administrator for. Where we’re getting these details from Jamf, which is Apple’s mobile device manager, MDM, as well as CrowdStrike’s EPP and EDR. But what’s missing? There’s no vulnerability management solution. There’s no Tenable or Qualys or anything like that, so while we have some endpoint protection and we have some management controls, we lack any type of vulnerability management.

So let’s make an even more detailed cross-asset query now. So we’re going to go back into our users section and we’re going to add to this query, so we’re going to say add to the rule. We’ve got our “and” statement, and the first thing I want to create here is let’s look at our devices and I want to pull in category, and I’m going to say this particular category “equals” enterprise endpoint. So all admins that are on enterprise endpoint, and I’m going to add one more piece to this and I’m going to say under the device category, their controls “does not equal”, and we’re going to say endpoint security. And now, I’m going to apply that. And now, we’ve gone from 18 users to 17 users. Okay, that’s interesting to know.

So now, I’ve removed one user from that category, but let’s get even more detailed. Let’s go worst case scenario. So we can continue with these nested and statements. So again, within the device section, I’m going to say controls, I’m going to say controls “does not equal”, and here, we’re going to go ahead and add vulnerability management. And we’ll do another one here. Let’s go ahead and add controls again, and this time, we’ll say “does not equal”, and we’ll just round things out, configuration management. So now, we’ve got all the admins that are in Microsoft Active Directory that are in the category enterprise endpoint. So they’re on an enterprise endpoint, but the endpoint doesn’t have endpoint security, vulnerability management or config management.

Now, we’ve got one user. Out of our 18 admins, we got it down to 17, now down to one. His name is Damian. So we can see the details related to Damian. Let’s find out what we can figure out about this user. So again, we’re pulling in the user information from Active Directory, Okta and Slack, like we have throughout this presentation, and let’s look at the actual devices that Damian is an administrator on. We can see there’s 10 devices. Now, we see Automox, we see various types of solutions across EDR, Jamf, Active Directory, SentinelOne, and even Tenable here.

Now, anytime you see a black square, that means that solution doesn’t only not exist on that system, but it’s never existed, and the darker the square, it means the longer amount of time it has been since the last communication. So in this case, we did everything very manually but we could have certainly automated this, and we can automate devices being added on or removed from this category. And when those things happen, that can trigger an alert and those alerts can be sent to our ticketing management system, or CMD or SIEM, or however you’d like to orchestrate changes. So overall, the cross-asset search capability allows you to look across users, applications, devices, and vulnerabilities, and do this multi-dimensional correlation extremely easily, and in a fast, scalable, automated way.

Interested in seeing how Sevco can give you this kind of visibility in your own IT environment? Click here to schedule a personalized 1:1 demo with our team.

Share This Post: