by: Elena Garrett
ESP Dynamic Security Grouping
Dynamic Security Grouping is the automated process by which the Elemental Security Platform (ESP) manages the membership of host groups, and it is one of the key functionalities of ESP. ESP collects a variety of information about managed hosts, and transforms this information into potential "group parameters." These parameters can be mixed and matched to create very broad or very granular host group definitions. Here are some examples of custom ESP groups:
- "All Dell laptops"
- "All Dell laptops in subnet 10.0.17.0 and with kernel 6.3.9600"
- "Any Engineering Linux servers managed by John in Dallas"
- "All hosts in subnet 10.0.17.0 with kernel 6.3.9600 with detected writeable USB media that are missing hotfix KB4471320"
ESP's Dynamic Grouping provides a multi-dimensional way of organizing or labeling assets for risk assessment and compliance validation.
During group creation, network or security admins simply drag and drop the list of parameters that should define the group. The ESP server then checks the stored data about all managed assets, selects those whose attributes match the group's parameters, and records them as members of the group. If any of those parameters (the subnet, the kernel, the removable media, the service pack info, the hotfix status, etc.) change on those endpoints, ESP detects the change and automatically (dynamically) updates the group membership.
Once the groups are defined, network and security admins do not need to take any manual steps to add or remove machines from the groups. Group membership is updated dynamically and continuously in response to detected changes in host attributes, and the results of each update are recorded for tracking, enforcement and reporting purposes.
Granular visibility into host attributes is the key to ESP dynamic grouping
Straight out of the box, the ESP system automatically starts to assemble a comprehensive inventory of attributes present on managed endpoints, including their hostname, FQDN, MAC and IP address, DNS and DHCP server info, network gateway, hardware manufacturer and model number, wireless capabilities, types of interfaces and ports available, removable media, disk space, RAM space, clock skew, CPU model, OS version, service pack version, kernel version, installed applications, running processes, installed patches, patches available for installation, open and active ports, last shutdown and last boot time, anti-virus and anti-malware programs running, types of documents stored, host hardware value, traffic value, documents value, frequency of trust relationships, risk scores, and more. Overall, over 90 attributes are collected by the system by default.
In addition to the host's risk and value scores, ESP also gathers information about each host's compliance with deployed rules and policies, and its membership in other groups. Host compliance scores and host group membership status are also treated as attributes. All of these attributes are automatically and continuously refreshed, and any of them can be used when creating ESP custom groups.
Benefits of dynamic grouping
Dynamic groups provide several additional benefits, such as:
- Automatic detection of changes on the network
- Targeted provisioning of security policies
- Micro-segmentation
- Easy creation of "Quarantine," "Untrusted," or "High Risk" groups of hosts, allowing for automated identification and containment of potentially compromised devices
- Tracking of risk, value, and compliance scores
- Ability to limit compliance scope based on specific parameters such as the presence of certain software or certain port activity
- Security configuration collection and management
- Targeted monitoring and reporting