Sevco Security Shorts: Device Telemetry

These last few weeks as you’ve seen, we’ve been releasing a series of videos from Chief Strategy Officer, Brian Contos, highlighting how Sevco’s 4D Asset Intelligence platform works, and how organizations can use it to better understand their IT environment. We call them Sevco Security Shorts. 

Now, we’re posting this transcripts of this series for those that would prefer to read the content.

Hey everybody. Today we’re going to talk about device telemetry. This is a great capability within Sevco that allows for focused investigations. 

So just like our live asset inventory view, you’ve got filtering capability, you’ve got the ability to look at specific date and times, and you bring up all this correlated asset telemetry from your various sources.

But let’s say our IT ops team gives us an IP address and they say, “Something funky is going on with that IP. Can you tell us which device it was associated with?” Sure. So I can pick a specific IP and create a very detailed attribute here, but I’m just going to say value. My value is equal to the IP address, Again, I didn’t call it the IP specifically, I’m just looking for that string. I can use wild cards, Boolean logic, all sorts of cool stuff in here.

But I’m going to apply this. And we say, “Okay, wow, it’s been associated with quite a few different devices.” But they say, “Yeah, but we really just want to look at this for March 15th.” So I say, “Okay, let’s go into our calendar.” We’ll select March 15th. And then we pull up to see, okay, now we have some other information. We see from Automox, Malwarebytes, CrowdStrike. And they said, “Well, it was really early in the morning. It was at 7:00 AM.”

Okay, let me drill down into that, too. And now we see without any doubt that that IP address was associated with this host name, EPJCDG, not a great host name but there you go, as supported by Automox and CrowdStrike. So very quickly throughout our entire organization, we were just given an IP address and we figured out exactly what device it was associated with by two disparate sources.

Well, maybe there’s something a little bit more detailed they’d like us to research like a user account. So for example, let’s look for a service account. So maybe they say, “We’ll go ahead and pull up an attribute.” We’ll say this attribute is equal to an associated username. And further, we’re going to say that the value for this account, I’m not going to say equals, I’m going to say is like, and the reason I’m going to say that is I know most of our service accounts start with svc, but sometimes they have extensions. 

So I’m just going to do a wild card here and I’m going to apply that. And as you might expect, if you’re looking at a service account with a wild card like that, you’re going to get a lot of hits. So 10,363 systems had logins. We see a lot of Automox representation here across a whole number of hosts.

Well, let’s zoom in a little bit deeper. “Perhaps,” they said, “we just want to look at this for today.” Okay, well, we’ll click on today. If we look at today, we see, okay, now we’re down to 145. So we know there was 145 devices today that that service account has logged into. And if that service account was tied to something malicious that was occurring today, now we know where to focus our research and go a little bit deeper. So that’s a really, really powerful capability.

Now for any one of these hosts, we can go ahead and expand this data to the live inventory view that we’ve seen in other videos to really drill down to all the specifics of that particular asset. So again, asset telemetry allows you to have a really fast and really holistic way of researching specific attributes, devices, domains, et cetera, throughout your entire organization.

Interested in seeing how Sevco can give you this kind of visibility in your own IT environment? Click here to schedule a personalized 1:1 demo with our team.


Share This Post: