
Data Sources: A Deeper Dive

What We (and You) Get From Your Data

What Epiphany Uses Data for

Essentially, all customer-provided data ingested by the Epiphany Intelligence Platform serves one or more of these purposes:

  • Provide or enrich identity. Identity is used by Epiphany to correlate which person’s identities can do what, and what level of privilege a person has. Identities can span multiple systems and access mechanisms.

  • Identify and adjust friction coefficients. The data sources, where applicable, are used to determine weighting and costs for attack paths. Two paths with the same number of traversals are weighted in part by the amount of resistance or friction an attacker will encounter to cross a path or establish persistence at a foothold. Functioning anti-malware tools, network security appliances, and other components that detect, prevent, or provide tighter port, protocol, or access controls serve as resistance points.

  • Determine exploitability and prioritization. Due to the sheer volume of vulnerabilities and the velocity at which they are discovered, it’s not practical to expect them to be patched or mitigated within an SLA shorter than the time in which they can be exploited. Because other platforms lack the context to see critical assets, how they can be attacked, or resistance points, efficient prioritization of vulnerability remediation was not previously possible. It also means that vulnerabilities that are not exploitable in a way detrimental to a specific environment would not have been easily known. With that said, data on vulnerabilities in the environment is combined with the aforementioned dataset to determine the priorities of remediation efforts.

How Epiphany Classifies Data Sources

Data sources often have overlapping data, affording Epiphany the ability to join these sources, perform analysis and correlation, and return an objective truth. At the time of this writing, Epiphany has four categorizations of data. Depending on the specific source of data, there may be more elements collected in one than in others. At a high level, the fundamentals for each data type are described next.

Identity

As alluded to earlier, identity data provides the baseline for permission barriers. Typically, people (subjects) have user accounts that are members of groups or are assigned roles that correlate with permissions to certain assets (objects). Data sources that fall into the identity category provide:

People

  • A uniquely identifiable attribute representative of a person.

  • A detail of the specific object-level permissions that a user’s account has.

  • A detail of the groups or roles to which a user belongs.

  • A historical account of the actual use of permissions by a specific user (for example, a session).

Groups and Roles

  • A detail of the users that have membership to a group or role.

  • A detail of the object-level permissions that a group or role has.

  • Associations between groups or roles (for example, group one is part of group two) and the effective permission and object set.

There is also object-level data that is provided by these types of data sources, such as basic inventory and object identifiers.

While not to be seen as a comprehensive list, sources such as Microsoft Active Directory, Microsoft Azure Active Directory, and Okta provide this type of data.
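The person, group and role data listed above only becomes useful once nested memberships are resolved into an effective permission set per user. The following Python is an added illustration of that resolution and of the audit question it enables ("who can effectively reach this object at this level, and through which group?"). It is not Epiphany's data model or correlation code; all user, group, object and permission names are constructed for the example.

```python
"""Illustrative identity model: users, nested groups/roles and object-level
permissions, resolved into effective permissions per user.
Added example with constructed data; not Epiphany's own model or code."""
from collections import deque

# Constructed sample: directory-style identity data (hypothetical names).
USERS = {
    "alice": {"groups": ["helpdesk"], "perms": {("fileserver01", "read")}},
    "bob":   {"groups": ["dba"],      "perms": set()},
}
GROUPS = {
    "helpdesk":      {"member_of": ["it-staff"],      "perms": {("ticketing", "write")}},
    "it-staff":      {"member_of": ["all-staff"],     "perms": {("wiki", "read")}},
    "all-staff":     {"member_of": [],                "perms": {("intranet", "read")}},
    "dba":           {"member_of": ["server-admins"], "perms": {("erp-db", "admin")}},
    "server-admins": {"member_of": ["it-staff"],      "perms": {("fileserver01", "admin")}},
}


def transitive_groups(user):
    """Every group the user belongs to, directly or through nesting.
    The visited set guards against cyclic group membership."""
    seen, queue = set(), deque(USERS[user]["groups"])
    while queue:
        group = queue.popleft()
        if group in seen or group not in GROUPS:
            continue
        seen.add(group)
        queue.extend(GROUPS[group]["member_of"])
    return seen


def effective_permissions(user):
    """Direct permissions plus those inherited from every resolved group."""
    perms = set(USERS[user]["perms"])
    for group in transitive_groups(user):
        perms |= GROUPS[group]["perms"]
    return perms


def identities_with_access(obj, level):
    """Map each user who effectively holds (obj, level) to the groups that grant it.
    Direct grants show up with an empty group list."""
    result = {}
    for user in USERS:
        if (obj, level) in effective_permissions(user):
            via = sorted(g for g in transitive_groups(user)
                         if (obj, level) in GROUPS[g]["perms"])
            result[user] = via
    return result


if __name__ == "__main__":
    for user in USERS:
        print(user, sorted(effective_permissions(user)))
    print("admin on fileserver01:", identities_with_access("fileserver01", "admin"))
```

In this sample, bob never holds admin on fileserver01 directly; it arrives two nesting levels away through server-admins, which is exactly the kind of inherited grant an audit of high-value groups needs to surface.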

Devices

Device data provides information about the state and resilience of devices. An attacker’s initial objective is to establish a foothold in a targeted environment. This foothold represents a persistence point from where an attacker can perform reconnaissance and pivot to other devices. As an attacker tries to traverse from the foothold to another device, how possible is it for this next device to become a foothold itself? Is the device resilient enough to thwart such an attempt?

Exploitable vulnerabilities and accounts with access that should not be permitted are examples of how footholds can be established. Antivirus, endpoint detection and response (EDR), and other tools with the ability to react to questionable conduct increase resilience. Data from these tools and their configurations is evaluated by Epiphany’s machine learning model to determine effectiveness against risks. Data sources that fall in this category provide:

  • OS and application inventory.

  • Identity information (used for correlation).

  • Vulnerability data (if present).

  • Presence of a countermeasure.

Epiphany supports several common antivirus and endpoint detection and response vendors, generally using read-only, API-level access to collect this data.

Vulnerability

While the platform leverages many other data sources outside of the customer environment for analysis, vulnerability data sources provide very specific types of information around the state of a device from an exploitability perspective. Vulnerability scanners and agents typically gather a great deal of useful information beyond the vulnerabilities themselves, such as users, installed applications, indicators of compromise (IOCs), and more. Epiphany uses all this information, in addition to the presence of vulnerabilities known to be exploitable, to gauge how easily a device can be compromised by an attacker. All these data points correlate to help Epiphany understand in depth the risk a device poses to an environment, especially if these vulnerabilities exist on devices that have paths to critical assets or are used by identities with roles capable of accessing critical assets.

It is important to note that Epiphany does not simply take vulnerability details and note that a device is vulnerable and therefore a risk. An analysis and exploitability scoring mechanism, one of the product’s distinguishing features (and part of its intellectual property), allows Epiphany to determine whether the vulnerability on a particular device could be exploited given its location on the network.

Products from manufacturers such as Tenable, Rapid7, Qualys, and Microsoft provide this sort of data and are supported by Epiphany for collection.

Network

The network is the highway that interconnects devices; it is therefore the logical correlation point between all the devices on the network. Note that the Epiphany data set may contain network switches, routers, firewalls, and IoT devices, all of which communicate across this common backbone.

Consider this: a device that is recognized as highly exploitable introduces a risk to the environment. If that device can communicate with a critical asset, does that alone suggest that there is a real risk to the target? The answer is, “it depends.” There are follow-up questions that Epiphany evaluates with its understanding of the network layer, including whether ports are open or whether an access control list (ACL) would block the traffic. Epiphany gathers specific data points from network devices such as:

  • Network interconnections and routes

  • VLAN configurations

  • ACLs
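The "it depends" above and the friction-coefficient idea from the first section come together when a path is actually evaluated: a hop only exists if the needed port is open on the target and no ACL denies it, and each hop that does exist costs more when the target carries a working countermeasure. The Python below is an added example that models both checks and then finds the lowest-friction path to a critical asset. The devices, links, ACL entries and weights are all constructed and hypothetical; this is not Epiphany's scoring or its data format.

```python
"""Illustrative attack-path model combining network reachability checks
(open port, ACL) with per-hop friction from countermeasures.
Added example with constructed data; the weights are hypothetical."""
import heapq

# Constructed devices. 'edr' models the presence of a functioning countermeasure.
DEVICES = {
    "laptop-7":     {"open_ports": {445, 3389}, "edr": True,  "exploitable": True},
    "jump-01":      {"open_ports": {22},        "edr": False, "exploitable": True},
    "db-01":        {"open_ports": {1433, 22},  "edr": True,  "exploitable": False},
    "critical-erp": {"open_ports": {443},       "edr": True,  "exploitable": False},
}
# Constructed links the network layer reports: (source, destination, port).
LINKS = [
    ("laptop-7", "jump-01", 22),
    ("jump-01", "db-01", 1433),
    ("laptop-7", "db-01", 1433),
    ("db-01", "critical-erp", 443),
    ("jump-01", "critical-erp", 443),
]
# Constructed ACL entries; first match wins, default allow if nothing matches.
ACLS = [
    {"action": "deny", "src": "laptop-7", "dst": "db-01", "port": 1433},
    {"action": "deny", "src": "jump-01", "dst": "critical-erp", "port": 443},
]


def acl_permits(src, dst, port):
    """Evaluate the ACL list for one flow (first matching rule decides)."""
    for rule in ACLS:
        if rule["src"] == src and rule["dst"] == dst and rule["port"] == port:
            return rule["action"] == "allow"
    return True


def hop_cost(src, dst, port):
    """Friction for one hop, or None if the hop is not traversable at all."""
    target = DEVICES[dst]
    if port not in target["open_ports"] or not acl_permits(src, dst, port):
        return None
    cost = 1.0                    # base cost of any traversal
    if target["edr"]:
        cost += 3.0               # resistance added by a countermeasure
    if not target["exploitable"]:
        cost += 2.0               # no known way to turn the target into a foothold
    return cost


def lowest_friction_path(start, goal):
    """Dijkstra over traversable hops; returns (total_cost, [devices]) or None."""
    best, prev, heap = {start: 0.0}, {}, [(0.0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == goal:
            path = [node]
            while path[-1] in prev:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best[node]:
            continue
        for src, dst, port in LINKS:
            if src != node:
                continue
            step = hop_cost(src, dst, port)
            if step is None:
                continue
            if cost + step < best.get(dst, float("inf")):
                best[dst] = cost + step
                prev[dst] = node
                heapq.heappush(heap, (cost + step, dst))
    return None


if __name__ == "__main__":
    print(lowest_friction_path("laptop-7", "critical-erp"))
```

With this data the direct laptop-7 to db-01 hop and the jump-01 to critical-erp hop both exist as network links but are removed by ACL entries, so the only surviving route goes laptop-7, jump-01, db-01, critical-erp, and most of its cost comes from the two EDR-protected, non-exploitable hops at the end. Removing either deny rule shortens the path and lowers its friction, which is the kind of change a defender wants to notice.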
