Elemental Cyber Security FAQ
Frequently Asked Questions
ESP SOLUTION OVERVIEW
- What does the Elemental Security Platform do?
- What is unique about the Elemental solution?
- Why is visibility into the network environment important?
- What is the role of segmentation and access control in ESP?
- What security problems does ESP address?
- What are the key benefits offered by ESP?
- How does ESP help in meeting internal and regulatory audit requirements?
- What factors should I consider when evaluating security compliance management products?
ESP SECURITY POLICIES
- What is a Rule?
- What is a Policy?
- What kinds of policies are supported?
- Can I create custom policies?
- Can exceptions be granted to policies?
- What is your policy language? What are the advantages of a language-based approach? Do I need to learn a new scripting or programming language to use your product?
- How are new policies added to an Elemental ESP installation?
- How are security policies targeted and deployed?
- Why is change in the network environment an important consideration in managing policies?
- What automation is enabled by ESP?
- What is Dynamic Grouping?
- How is host profiling used in managing security policies?
- Can the Elemental system provide security for hosts not running the ESP agent?
- Does the ESP Agent work when the host is not connected to the local network?
- How can ESP help protect sensitive information?
- How does ESP remediate policy compliance violations?
- What kinds of reports are provided?
ESP ADAPTIVE SEGMENTATION and ACCESS CONTROL
- How does ESP control access to key systems?
- Is an inline appliance required to control how a host communicates with other hosts on my network?
- Why should I deploy an agent-based solution versus an agent-less solution?
- What performance impact will your product have on my hosts?
- How much network traffic does your system generate?
ESP SOLUTION OVERVIEW
What does the Elemental Security Platform do?
The Elemental Security Platform (ESP) helps you continuously maintain your security compliance level and identify and resolve security compliance problems in dynamic enterprise networks. ESP allows you to easily specify custom security policies and then automatically applies them as and where they are needed. ESP closely aligns security policy management with business objectives by providing deep visibility into the security posture and activity of individual computers. ESP provides unified monitoring and remediation capabilities to ensure compliance with your security policies, mitigate risk, and measurably improve the security of digital assets.
What is unique about the Elemental solution?
ESP uniquely combines policies or sets of technical controls which address host security configuration, adaptive network segmentation and access control into a single unified security policy framework. ESP provides thousands of predefined controls and an extensive array of policy templates which you can combine and extend to express your own custom security policies. Dynamic grouping of hosts according to shared attributes, powered by continuous monitoring of endpoints and other critical systems on the network, enables organizations to reduce the effort and minimize errors of manual policy provisioning, monitoring and reporting. The unified ESP framework provides comprehensive and continuous monitoring for security compliance, and provides a means of controlling the security posture of machines on the network.
Why is visibility into the network environment important?
In addition to gathering extensive information about the configuration, inventory, and network activity of machines running the ESP agent, ESP also discovers and passively profiles any unmanaged machines that may be observed on the network. This deep visibility enables ESP to dynamically group systems based on business roles and common characteristics of users and computers. By continuously updating this information and dynamically rebuilding host group memberships, ESP always provides you with an accurate map of the ever-changing network environment. This layer of automation enables organizations to efficiently manage security policies by quickly identifying changes or anomalies in the network. ESP enables precise targeting and automatic updating of security policies.
What is the role of segmentation and access control in ESP?
Adaptive network segmentation and host level access controls are a key part of the ESP solution. The ESP agent can block or permit traffic to restrict communications between hosts on the network in accordance with your security policies. For example, you can deny access to critical resources if a requesting system does not meet certain compliance requirements, and you can have different access control policies for different resources. By leveraging its deep visibility into the roles and security posture of computers and users, ESP enables simple implementation of role-based access controls that automatically adapt to changes in the network environment.
What security problems does ESP address?
Some key uses of the ESP system include the following:
- Provides centralized, in-depth visibility into the security posture of individual computers
- Automates security compliance to meet industry standards and internal requirements
- Reduces frequency of internal and external security compliance audits via automation
- Protects sensitive resources from unmanaged, unknown or non-compliant systems
- Provides a consistent security solution for distributed, cross-platform computing environments
- Monitors and enforces security policies on endpoint systems on an ongoing basis
- Restricts access to network resources based on host configuration or policy compliance
- Prevents the unauthorized copying of files to writeable and external storage devices
- Automates the ops team's system hardening manual
- Establishes baselines and metrics for managing and improving the current state of security
What are the key benefits offered by ESP?
- Reduces length and cost of audits
- Decreases the time and effort to monitor and enforce policies
- Prevents security incidents and their associated costs
- Detects anomalies and identifies high-risk assets
- Provides metrics to measure the security and compliance posture of systems
- Mitigates risks associated with unknown and non-compliant systems
How does ESP help in meeting internal and regulatory audit requirements?
The Elemental Security Platform (ESP) can perform quick, standardized evaluations of compliance with complicated regulatory laws and standards. Moreover, you can customize those evaluations to your own organization's needs, including where and when the security policies apply. You can tailor the content and target the deployment of policies to support the business objectives of the organization. Most important, ESP enables you not only to achieve your compliance goals but to continuously maintain them.
What factors should I consider when evaluating security compliance management products?
Enterprise security infrastructure and requirements are continually evolving. Some key questions to consider when evaluating security compliance management products include:
- Will the solution adapt to my changing environment? Is it flexible enough to solve not just the problems I know I have now, but also those I will face in the future?
- Can it automate my security operations manual?
- Can the solution help me not only achieve compliance, but also continuously maintain it and possibly adjust my security baseline proportionally to the changes in my environment?
- Can I use the solution across much of my infrastructure? Can the solution give me visibility into all my network assets, even those I don't already know about?
- Do I need to put an agent on every machine, or can I achieve my security compliance objectives through partial deployments?
- Does the solution reduce the effort required to manage security policies and maintain compliance across the entire organization?
- Are there cost savings that result from its implementation?
ESP SECURITY POLICIES
What is a Rule?
An ESP Rule is the most basic element of a policy within the Elemental Security Platform. Rules address, among other things, specific host configuration settings and network access control requirements. Relative to the various security industry standards and regulatory compliance frameworks, ESP Rules correspond to the technical controls those frameworks mandate.
What is a Policy?
A Policy is a collection of rules (controls) and other policies.
What kinds of policies are supported?
ESP provides ready-to-use security policy templates for both regulatory compliance (NIST, SOX, HIPAA, PCI) and industry best practices (CIS, NAS, NIST, DISA, Microsoft, and Oracle).
Can I create custom policies?
Yes - the ESP management interface provides a visual policy editor that makes it simple to customize policies to meet your specific requirements.
Can exceptions be granted to policies?
Exceptions can be granted on an individual basis for any rule. Granted exceptions will not skew compliance metrics.
What is your policy language? What are the advantages of a language-based approach? Do I need to learn a new scripting or programming language to use your product?
The Elemental policy language is called PolicyFUEL™ (FUEL) - it is based on Python and is easily portable across platforms. However, you do not need to know the FUEL language in order to use the ESP rules and policies. Only the rules are implemented in FUEL; you define policies using the interactive graphical web-based user interface to select rules that have been implemented by Elemental. The language enables highly efficient agent/server communications, provides a very tight coupling between the monitoring and automated enforcement of policy rules, and enables policies to be easily expressed in a manner consistent with how they are documented in enterprise policy manuals.
How are new policies added to an Elemental ESP installation?
Elemental provides policy content updates on a periodic basis for all customers with current maintenance and support contracts. Content is delivered in the form of XML files called FuelPacks which are easily imported into the ESP system through the management interface. A Test Space enables users to stage and test new and updated policies before moving them into the Production Space for general use.
How are security policies targeted and deployed?
Using the web-based graphical user interface, policies are deployed to sets or groups of hosts that are defined using the ESP Dynamic Grouping feature. The system ships with an extensive collection of predefined host groups which can be used immediately for policy targeting and deployment. Users can also define custom groups based on the roles of users and machines, the security posture and inventory of computers, as well as the activity of systems on the network. The target for an ESP policy is a group of one or several hosts.
Why is change in the network environment an important consideration in managing policies?
Policies are typically static in nature. Applying and measuring compliance with a stated policy is a simple exercise in a non-changing environment. Practically speaking, however, modern networks have an alarmingly high turnover rate (systems being retired, re-tasked, and/or new machines and applications coming on the network). Managing and accurately assessing host configuration and network access in this dynamic environment is nearly impossible without automation.
What automation is enabled by ESP?
The Dynamic Grouping of hosts enabled by the ESP system automates the targeting, provisioning, and updating of policies. As group memberships change, policies are automatically updated. Both host configuration and network segmentation policies benefit from this automation.
What is Dynamic Grouping?
Dynamic Grouping is the process by which ESP manages the membership of host groups (sets of systems) based on specific attributes. An example would be, "all Dell Laptops that are in a specific subnet and have writeable USB media, that are running Windows 10, and on which a member of the Finance AD user group is currently logged in." The ESP Dynamic Grouping mechanism allows you to define groups of systems based on these and many other criteria, with group membership dynamically updated as machine configurations and logged-in users change. Based on the information continually gathered by the ESP agents, the membership of these groups is refreshed every few minutes.
Dynamic groups provide three basic functions:
- Automated provisioning and targeting of security policies
- Simple expression of policies to limit network communications between groups of systems
- Targeted reporting
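The refresh cycle described above, as an added example that is not Elemental's code: the FAQ's sample group is expressed as a predicate over constructed inventory records (field names are assumptions, not ESP's schema), policies are targeted at groups rather than hosts, and a change of logged-in user moves the host out of the group and drops the policy with it on the next refresh.

```python
import copy
import ipaddress

# Constructed inventory records, shaped like what an agent might report.
# The field names are assumptions for this example, not ESP's actual schema.
HOSTS = [
    {"name": "fin-lt-01", "vendor": "Dell", "chassis": "laptop", "ip": "10.1.5.23",
     "os": "Windows 10", "usb_writeable": True, "user_groups": {"Finance"}},
    {"name": "eng-lt-07", "vendor": "Dell", "chassis": "laptop", "ip": "10.1.5.40",
     "os": "Windows 10", "usb_writeable": True, "user_groups": {"Engineering"}},
    {"name": "fin-ws-03", "vendor": "HP", "chassis": "desktop", "ip": "10.1.5.9",
     "os": "Windows 10", "usb_writeable": False, "user_groups": {"Finance"}},
]

FINANCE_SUBNET = ipaddress.ip_network("10.1.5.0/24")  # constructed subnet


def finance_dell_usb_laptop(host):
    """The FAQ's example group: Dell laptops in a given subnet with writeable
    USB media, running Windows 10, with a Finance AD member logged in."""
    return (host["vendor"] == "Dell"
            and host["chassis"] == "laptop"
            and ipaddress.ip_address(host["ip"]) in FINANCE_SUBNET
            and host["usb_writeable"]
            and host["os"] == "Windows 10"
            and "Finance" in host["user_groups"])


def windows10(host):
    return host["os"] == "Windows 10"


# Group name -> membership predicate. Membership is never stored statically;
# it is recomputed from the latest inventory on every refresh.
GROUPS = {"finance-dell-usb-laptops": finance_dell_usb_laptop,
          "windows-10": windows10}

# Policy name -> target group: a policy's target is always a group of hosts.
POLICY_TARGETS = {"block-writeable-usb": "finance-dell-usb-laptops",
                  "win10-baseline": "windows-10"}


def refresh(hosts):
    """One refresh cycle: recompute every group's members, then derive the
    set of policies each host should be running from the group targets."""
    members = {g: {h["name"] for h in hosts if pred(h)} for g, pred in GROUPS.items()}
    assignments = {h["name"]: set() for h in hosts}
    for policy, group in POLICY_TARGETS.items():
        for name in members[group]:
            assignments[name].add(policy)
    return members, assignments


def demo():
    hosts = copy.deepcopy(HOSTS)
    _, before = refresh(hosts)
    # Next inventory report: the Finance user logs off fin-lt-01 and an
    # engineer logs on, so the host leaves the group and loses its policy.
    hosts[0]["user_groups"] = {"Engineering"}
    _, after = refresh(hosts)
    return before, after
```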
How is host profiling used in managing security policies?
The ESP Agent collects a comprehensive hardware and software inventory from the host on which it resides; this inventory defines the host's profile. The profile is used to define host groups (based on the presence, or absence, of specific applications, files, patches, CPU type, hardware devices, etc.). The host groups can then be used as targets for policy deployment. Changes in the host's profile can also automatically trigger access control requirements. For example, a policy might be deployed to prohibit the installation of an instant messaging application. If the policy is violated, the ESP agent will deny access to certain specific resources that you have defined.
Can the Elemental system provide security for hosts not running the ESP agent?
Yes. The ESP Agent serves three general purposes:
- Host configuration management
- Network Access Control (packet filtering)
- Passive network listening
The third feature enables the ESP Agent to passively detect unmanaged machines on the network and classify them to identify network behavior and host details. Based on this classification, the ESP system can dynamically group these unmanaged machines along with managed machines. By deploying network access control policies to the machines that are running the agent, ESP can control what these unmanaged systems are able to do on the network. This is possible because the Elemental access controls are implemented at the host or endpoint level, meaning that communications with managed hosts can be restricted by controlling just one side of the communication.
Does the ESP Agent work when the host is not connected to the local network?
Yes. The Agent will continue to monitor/enforce the last policy data it received from the server. ESP allows you to apply policies to systems based on their location when connecting to the network, as well as the type of interface being used.
How can ESP help protect sensitive information?
ESP offers a broad spectrum of policies to protect sensitive information. Some examples include:
- Limit network connections to key systems
- Prevent the use of writeable media on end user machines
- Restrict traffic from end user machines going to outside destinations (IM, P2P, ftp, external mail servers, etc.)
- Control file and directory permissions
- Verify file integrity and contents
How does ESP remediate policy compliance violations?
ESP can enforce policy rules. Example: file x should have permissions y. If a (privileged) user changes the permissions on the designated file, ESP will first report non-compliance and then automatically set the permissions back to what policy originally dictated.
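The report-then-remediate sequence above, as an added example that is not ESP's own rule code: a permission rule is checked against the file's real mode bits, non-compliance is always recorded before any change, and remediation is an optional second step that is re-verified after the chmod. The file and the 0o600/0o644 modes are a constructed scenario.

```python
import os
import stat
import tempfile


def check_mode(path, expected_mode):
    """Return (compliant, actual_mode), comparing only the permission bits."""
    actual = stat.S_IMODE(os.stat(path).st_mode)
    return actual == expected_mode, actual


def enforce_mode(path, expected_mode, remediate=True):
    """Evaluate the rule 'path should have permissions expected_mode'.
    Non-compliance is always reported first; remediation follows only when
    the rule is configured to enforce. Returns the events in order produced."""
    events = []
    compliant, actual = check_mode(path, expected_mode)
    if compliant:
        events.append({"event": "compliant", "path": path, "mode": oct(actual)})
        return events
    events.append({"event": "non_compliant", "path": path,
                   "expected": oct(expected_mode), "found": oct(actual)})
    if remediate:
        os.chmod(path, expected_mode)
        # Re-check rather than assume: the remediation itself can fail.
        fixed, after = check_mode(path, expected_mode)
        events.append({"event": "remediated" if fixed else "remediation_failed",
                       "path": path, "mode": oct(after)})
    return events


def demo():
    """Constructed scenario: policy says the file must be 0o600, but a
    privileged user has loosened it to 0o644 (world-readable)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)                       # the out-of-band change
        events = enforce_mode(path, 0o600)          # monitor, report, remediate
        final_mode = stat.S_IMODE(os.stat(path).st_mode)
        return [e["event"] for e in events], final_mode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

In a monitoring-only deployment the same rule runs with `remediate=False`, so the non-compliance event is reported but the mode is left for an operator to act on.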
What kinds of reports are provided?
All data is stored in a full-featured relational database and data warehouse. There are extensive predefined reports that can be run directly or scheduled to be run on a periodic basis. Reports can be viewed directly in the UI, exported to CSV or XML format, rendered to printable format, or optionally emailed to specific recipients.
ESP ADAPTIVE SEGMENTATION and ACCESS CONTROL
How does ESP control access to key systems?
The ESP system implements access control policies at the host or endpoint level. The ESP Agent runs at the kernel level and monitors all packets in and out of managed systems to assure they conform to policy. Non-compliant traffic is detected, reported, and optionally blocked. Network segmentation can be implemented at different logical levels through access control policies that can be expressed using the ESP Dynamic Groups, e.g. "Only Finance users can connect to SAP ERP servers." This enables segmentation adaptation by automatically redeploying access control policies according to changes in the environment as host group memberships are updated.
Is an inline appliance required to control how a host communicates with other hosts on my network?
No, access controls are monitored and enforced at the host level. The access controls implemented on a protected system are independent of the path a machine may take in attempting communications. Similarly, attempts to send traffic from a managed machine to an unapproved destination are terminated at the source, and your ability to stop such traffic does not depend on the traffic traversing a security appliance.
Why should I deploy an agent-based solution versus an agent-less solution?
'Agentless' solutions can typically be more accurately described as 'transient agent' solutions: they are in fact executables that have all the characteristics of an agent (they require privileges to run, consume system resources, support communications protocols for talking to a server, etc.). Some key advantages of the ESP persistent agent architecture include the following:
- In order to see, block or allow network traffic, a persistent presence on the host is required. All packet filters, including the ESP Agent, require this presence. Agentless approaches must rely on other devices to detect rogue machines and to regulate traffic on the network.
- Using an agent allows Elemental to run the policy engine locally on each managed host. This allows Elemental to leverage the power of a language based approach to deliver highly efficient agent/server communications. And it allows the Elemental approach to scale to a very large number of managed systems. Agentless approaches do not scale well. The process of pushing down mini-programs in the form of transient agents to do the monitoring and enforcement of policies is inherently inefficient.
- ESP Agents provide persistent compliance monitoring. ESP policies remain in effect whether or not the machine is connected to the local network. Agents run independently. Agentless approaches require continuous communications with a central server.
- ESP Agents provide a very tight coupling between the monitoring and enforcement of policy rules. This enables automated remediation of non-compliance: non-compliance can be directly and automatically remediated, if desired, without requiring additional manual administrative action.
- The ESP architecture provides a scalable infrastructure for running checks and gathering data with security credentials on managed machines.
What performance impact will your product have on my hosts?
The ESP agent is designed to be non-intrusive. On average the agent will consume 2-4% of dynamic memory and will have a negligible impact on CPU usage. As with other common endpoint security products, there may be intermittent spikes in CPU usage depending on the types of policies deployed, but the majority of ESP rules require very little resources to run.
How much network traffic does your system generate?
Communications between the ESP agent and server are highly efficient. The underlying policy language has been developed to enable policies to be communicated to the agents while consuming minimal bandwidth. While many site-specific implementation details, such as the number of host groups and the number and type of policies deployed, will be determining factors, the typical network bandwidth consumption is on the order of 300 Kbs per 1000 agents.