Identify a Rogue System

Workflow

The most powerful tools in Device Management are knowledge and visibility. Most organizations struggle to know where they have devices that are misconfigured, unmanaged, or rogue. In other words, devices that don't match their expected security configurations. It can be a complex task to sift through so much information. Epiphany is simplifies this for you. The contains components specifically designed to track devices and look for exposures. For the Epiphany-specific process we'll use the following workflow:

1. Go to Asset Tools -> Rogue Report.

2. Review data overlap.

3. Explore data sets

4. Search for rogue systems.

5. Review the Threat Check report.

Rogue Reporting System

Epiphany's Rogue Report distills otherwise mountainous sets of data into simplistic diagrams and tables you can use to search for the systems that might pose a great risk to your organization due to things such as their misconfigurations or absence in a critical data set. Most organizations do not realize that each tool within their environment manages data in different ways and for different time periods. Tools that are used to discover devices can only give point-in-time reports and endpoint agents sometimes go stale, disappearing from the tool all together. Epiphany attempts to bridge that by using all the data at its disposal to illustrate to you the true state of your environment and how your tools relate to each other.

Review Data Overlap

The simplest way to describe the data Epiphany visualizes in the Rogue Reporting system is to think of Venn Diagrams. They show you where data intersects and where it doesn't. In Epiphany you can dynamically alter the visualizations based on what data sets you are curious about. For example, if you want to see how much vulnerability scanner coverage you have over your Active Directory, you can see that.

By removing data sets from the Basic Filter (shown by the red arrow in the image above), you are able to see only how those two data sets relate to one another. By selecting where those two data sets intersect you can see that only 7,506 devices exist in both data sets. This indicates that only a little more than one-third of the Windows Active Directory is being seen by the vulnerability scanner, highlighting a potential major gap in organizational visibility.

Searching For Rogue Systems

A rogue system is the one that does not match your expectation of that system. To more easily frame it, a rogue system can be defined as a device that does not match a set of rules:

1. The device must be actively checking into Active Directly.

2. The device must be seen by a vulnerability scanner.

3. The device must have endpoint protection installed.

4. The device must be on a local network or the VPN.

While this is a very basic set of rules to determine a rogue device, it is fairly realistic for most large enterprises. These rules can become very detailed, including time bounding, versioning, ownership, and more. Epiphany has a Query Builder to help deal with exactly such complexity.

These Rogue System queries can be saved, rerun at will, or downloaded to a CSV file for further exploration.

Review the Threat Check Report

The Threat Check Report is a specialized report designed to cover all the key areas of your exposure management journey and contains periodic information help you visualize how your data interacts and why that matters. The Data Overview section of the Threat Check Report highlights the key areas of your data quality. It covers your organizational Data Overlay, the number of exposed devices in key Impact Matrix groups, as well as Epiphany Coverage. This data can be used to periodically check your organizational progress as your data quality improves.