Elemental Cyber Security FAQ (Frequently Asked Questions)
ESP SOLUTION OVERVIEW
What does the Elemental Security Platform do?
What is unique about the Elemental solution?
What security problems does ESP address?
What are the key benefits offered by ESP?
Why is visibility into the network environment important?
What is the role of access control in ESP?
How does ESP help in meeting internal and regulatory audit requirements?
What factors should I consider when evaluating security compliance automation products?
Why should I deploy an agent-based solution versus an agent-less solution?
What performance impact will your product have on my hosts?
How much network traffic does your system generate?
What are the ESP Enterprise Modules?
Why is change in the network environment an important consideration in managing policies?
What automation is enabled by ESP?
What is Dynamic Grouping?
How is inventory classification used in managing policies?
Can the Elemental system provide security for hosts not running the ESP agent?
Does the ESP Agent work when the host is not connected to the local network?
How can ESP help protect sensitive information?
How does ESP remediate policy compliance violations?
What kinds of reports are provided?
ESP SECURITY POLICIES and COMPLIANCE AUTOMATION
What is a Rule?
What is a Policy?
How are security policies targeted and deployed?
What kinds of policies are supported?
Can I create custom policies?
Can exceptions be granted to policies?
What is your policy language? What are the advantages of a language-based approach?
Do I need to learn a new scripting or programming language to use your product?
How are new policies added to an ESP installation?
ESP ADAPTIVE MICRO-SEGMENTATION and ACCESS CONTROL
How does ESP control access to key systems?
Is an inline appliance required to control how a host communicates with other hosts on my network?
Can ESP prevent intruders' lateral movement on the network?
Can ESP detect rogue or unauthorized devices and prevent them from accessing digital resources?
How can ESP define or reduce my compliance scope?
How does Adaptive Micro-Segmentation differ from Network Admission Control?
ESP RISK ASSESSMENT AUTOMATION
ESP SOLUTION OVERVIEW
What does the Elemental Security Platform do?
The Elemental Security Platform (ESP) helps you continuously maintain your security compliance level and identify and resolve security compliance problems in dynamic enterprise networks. ESP allows you to easily specify custom security policies, then automatically applies them as and where they are needed. ESP closely aligns security policy management with business objectives by providing deep visibility into the security posture and activity of individual computers. ESP provides unified monitoring, automation and remediation capabilities to ensure compliance with your security policies, mitigate risk, and measurably improve the security of digital assets.
What is unique about the Elemental solution?
ESP uniquely combines policies or sets of technical controls which address host security configuration, adaptive network segmentation and access control into a single unified security policy framework. ESP provides thousands of predefined technical controls and an extensive array of policy templates which you can combine and extend to express your own custom security policies. Dynamic grouping of hosts according to shared attributes, powered by continuous monitoring of endpoints and other critical systems on the network, enables organizations to reduce the effort and minimize errors of manual policy provisioning, monitoring and reporting. The unified ESP framework provides comprehensive and continuous monitoring for security compliance, automation of security policy deployment and enforcement, while providing a means of controlling the security posture of hosts on the network.
What security problems does ESP address?
What are the key benefits offered by ESP?
Some key uses of the ESP system include the following:
- Provides centralized, in-depth visibility into the security posture of individual computers
- Automates security compliance to meet industry standards and internal requirements
- Reduces frequency of internal and external security compliance audits via automation
- Protects sensitive resources from unmanaged, unknown or non-compliant systems
- Provides a consistent security solution for distributed, cross-platform computing environments
- Automatically monitors and enforces security policies on endpoint systems on an ongoing basis
- Automatically restricts access to network resources based on host configuration or policy compliance
- Automatically prevents the unauthorized copying of files to writeable and external storage devices
- Automates the ops team's system hardening manual
- Establishes baselines and metrics for managing and improving the current state of security
- Reduces length and cost of audits
- Decreases the time and effort to monitor and enforce security policies
- Prevents security incidents and their associated costs
- Detects anomalies and identifies high-risk assets
- Provides metrics to measure the security and compliance posture of systems
- Mitigates risks associated with unknown and non-compliant systems
- Provides better governance of IT assets through fact-based, proactive risk management
Why is visibility into the network environment important?
In addition to gathering extensive information about the configuration, inventory, and network activity of machines running the ESP agent, ESP also discovers and passively profiles any unmanaged machines that may be observed on the network. This deep visibility enables ESP to dynamically group systems based on business roles and common characteristics of users and computers. By continuously updating this information and dynamically rebuilding host group memberships, ESP always provides you with an accurate map of the ever-changing network environment. This layer of automation enables organizations to efficiently manage security policies by quickly identifying changes or anomalies in the network. ESP enables precise targeting and automatic updating of security policies.
What is the role of access control in ESP?
Adaptive network segmentation and host level access controls are a key part of the ESP solution. The ESP agent can block or permit traffic to restrict communications between hosts on the network in accordance with your security policies. For example, you can deny access to critical resources if a requesting system does not meet certain compliance requirements, and you can have different access control policies for different resources. By leveraging its deep visibility into the roles and security posture of computers and users, ESP enables simple implementation of role-based access controls that automatically adapt to changes in the network environment.
How does ESP help in meeting internal and regulatory audit requirements?
The Elemental Security Platform (ESP) can perform quick, standardized evaluations of compliance with complicated regulatory laws and standards. Moreover, you can customize those evaluations to your own organization's needs, including where and when the security policies apply. You can tailor the content and target the deployment of policies to support the business objectives of the organization. Most important, ESP enables you not only to achieve your compliance goals but to maintain them continuously.
What factors should I consider when evaluating security compliance automation products?
Enterprise security infrastructure and requirements are continually evolving. Some key questions to consider when evaluating security risk and compliance automation products include:
- Will the solution adapt to my changing environment? Is it flexible enough to solve not just the problems I know I have now, but also those I will face in the future?
- Can it automate my security operations manual as well as my risk calculations and compliance checks?
- Can the solution help me not only achieve compliance, but also continuously maintain it and possibly adjust my security baseline proportionally to the changes in my environment?
- Can I use the solution across much of my infrastructure?
- Can the solution give me visibility into all my network assets, even those I don't already know about?
- Do I need to put an agent on every machine, or can I achieve my security compliance objectives through partial deployments?
- Does the solution reduce the effort required to manage security policies, maintain compliance and calculate risk across the entire organization?
- Are there cost savings that result from its implementation?
Why should I deploy an agent-based solution versus an agent-less solution?
'Agentless' solutions can typically be more accurately described as 'transient agent' solutions. That is, they are in fact executables that have all the characteristics of an agent (e.g. they require privileges to run, consume system resources, support communications protocols for communicating with a server, etc.). Some key advantages of the ESP persistent agent system architecture include the following:
- In order to see, block or allow network traffic, a persistent presence on the host is required. All packet filters, including the ESP Agent, require this presence. Agentless approaches must rely on other devices to detect rogue machines and to regulate traffic on the network.
- Using an agent allows Elemental to run the policy engine locally on each managed host. This allows Elemental to leverage the power of a language-based approach to deliver highly efficient agent/server communications, and it allows the Elemental approach to scale to a very large number of managed systems. Agentless approaches do not scale well: the process of pushing down mini-programs in the form of transient agents to do the monitoring and enforcement of policies is inherently inefficient.
- ESP Agents provide persistent compliance monitoring. ESP policies remain in effect whether or not the machine is connected to the local network. Agents run independently. Agentless approaches require continuous communications with a central server.
- ESP Agents provide a very tight coupling between the monitoring and enforcement of policy rules. This enables automated remediation of non-compliance: non-compliance can be directly and automatically remediated, if desired, without requiring additional manual administrative action.
- The ESP architecture provides a scalable infrastructure for running checks and gathering data with security credentials on managed machines.
What performance impact will your product have on my hosts?
The ESP agent is designed to be non-intrusive. On average the agent will consume 2-4% of dynamic memory and will have a negligible impact on CPU usage. As with other common endpoint security products, there may be intermittent spikes in CPU usage depending on the types of policies deployed, but the majority of ESP rules require very little resources to run.
How much network traffic does your system generate?
Communications between the ESP agent and server are highly efficient. The underlying policy language has been developed to enable policies to be communicated to the agents while consuming minimal bandwidth. While many site-specific implementation details - such as the number of host groups and the number and type of policies deployed - will be determining factors, the typical network bandwidth consumption is on the order of 300 Kbs per 1000 agents.
What are the ESP Enterprise Modules?
Elemental Security Platform software implements four sets of features; each feature set is an ESP Enterprise Module that works with the ESP Base Pack.
- ESP-BP : Elemental Base Pack - ESP Server Application, Policy Management Engine and Basic Reporting
- ESP-SC : Elemental Security Compliance Module - Cyber Security Compliance Automation, Host Profiling and Security Posture Monitoring, Security Policy Management
- ESP-AS : Elemental Adaptive Segmentation Module - Micro-segmentation, dynamic, adaptive policy deployment and enforcement
- ESP-FR : Elemental Forensic Reporting Module - Historic and Auditable Compliance Reporting, Traffic Statistics with Forensic Reporting
- ESP-RM : Elemental Risk Management Module - Cyber Risk Assessment, Value Tracking and Reporting
Why is change in the network environment an important consideration in managing policies?
Policies are typically static in nature. Applying and measuring compliance with a stated policy is a simple exercise in a non-changing environment. Practically speaking, however, modern networks have an alarmingly high turnover rate (systems being retired, re-tasked, and/or new machines and applications coming on the network). Managing and accurately assessing host configuration and network access in this dynamic environment is nearly impossible without automation.
What automation is enabled by ESP?
The Dynamic Grouping of hosts enabled by the ESP system automates the targeting, provisioning, and updating of policies. As group memberships change, policies are automatically updated. Both host configuration and network segmentation policies benefit from this automation. ESP enables the automation of:
- security compliance scores,
- risk and value scores,
- security policy deployment and enforcement,
- reporting on security posture, compliance and risk,
- audit trails, and more.
What is Dynamic Grouping?
Dynamic Grouping is the process by which ESP manages the membership of host groups (sets of systems) based on specific attributes. An example would be, "all Dell Laptops that are in a specific subnet and have writeable USB media, that are running Windows 10, and on which a member of the Finance AD user group is currently logged in." The ESP Dynamic Grouping mechanism allows you to define groups of systems based on these (and many other) criteria, with group membership dynamically updated as machine configurations and logged-in users change. Based on the information continually gathered by the ESP agents, the membership of these groups is refreshed every few minutes.
Dynamic groups provide several basic functions:
- Automated provisioning and targeting of security policies
- Simple expression of policies to limit network communications between groups of systems
- Definition of limited compliance scopes
- Targeted reporting
How is inventory classification used in managing policies?
The ESP Agent collects a comprehensive hardware and software inventory from the host on which it resides; this inventory determines the host's profile. The profile is used to define host groups (based on the presence, or absence, of specific applications, files, patches, CPU type, hardware devices, etc.). The host groups can then be used as targets for policy deployment. Changes in the host's profile can also be used to automatically trigger access control enforcement. For example, a policy might be deployed to prohibit the installation of an instant messaging application. If the policy is violated, the ESP agent will deny access to certain specific resources that you have defined.
Can the Elemental system provide security for hosts not running the ESP agent?
Yes. The ESP Agent serves three general purposes:
- Host configuration management
- Micro-segmentation (granular access control)
- Passive network listening
The third feature enables the ESP Agent to passively detect unmanaged machines on the network and classify them to identify network behavior and host details. Based on this classification, the ESP system can dynamically group these unmanaged machines along with managed machines. By deploying micro-segmentation (network access control policies) to the machines that are running the agent, ESP can control what these unmanaged systems are able to do on the network. This is possible because the Elemental access controls are implemented at the host or endpoint level, meaning that communications with managed hosts can be restricted by controlling just one side of the communication.
Does the ESP Agent work when the host is not connected to the local network?
Yes. The Agent will continue to monitor/enforce the last policy data it received from the server. ESP allows you to apply policies to systems based on their location when connecting to the network, as well as the type of interface being used.
How can ESP help protect sensitive information?
ESP offers a broad spectrum of policies to protect sensitive information. Some examples include:
- Limit network connections to key systems
- Prevent the use of writeable media on end user machines
- Restrict traffic from end user machines going to outside destinations (IM, P2P, ftp, external mail servers, etc.)
- Control file and directory permissions
- Verify file integrity and contents
How does ESP remediate policy compliance violations?
ESP can enforce policy rules. Example: file x should have permissions y. If a (privileged) user changes the permissions on the designated file, ESP will first report non-compliance and then automatically set the permissions back to the values dictated by policy.
What kinds of reports are provided?
All data is stored in a full-featured relational database and data warehouse. There are extensive predefined reports that can be run directly or scheduled to be run on a periodic basis. Reports can be viewed directly in the UI, exported to CSV or XML format, rendered to printable format, or optionally emailed to specific recipients.
ESP SECURITY POLICIES and COMPLIANCE AUTOMATION
What is a Rule?
An ESP Rule is the most basic element of a policy within the Elemental Security Platform. Rules address, among other things, specific host configuration settings and/or network access control security requirements. Relative to the different security industry standards and regulatory compliance frameworks, ESP Rules are equivalent to the technical controls mandated by those frameworks.
What is a Policy?
A Policy is a collection of rules (controls) and other policies.
How are security policies targeted and deployed?
Using the web-based graphical user interface, policies are deployed to sets or groups of hosts that are defined using the ESP Dynamic Grouping feature. The system ships with an extensive collection of predefined host groups which can be used immediately for policy targeting and deployment. Users can also define custom groups based on the roles of users and machines, the security posture and inventory of computers, as well as the activity of systems on the network. The target for an ESP policy is a group of one or several hosts.
What kinds of policies are supported?
ESP provides ready-to-use security policy templates for both regulatory compliance (NIST, SOX, HIPAA, PCI, etc.) and industry best practices (CIS, NAS, NIST, DISA, etc.).
Can I create custom policies?
Yes - the ESP management interface provides a visual policy editor that makes it simple to customize policies to meet your specific requirements.
Can exceptions be granted to policies?
Exceptions can be granted on an individual basis for any rule. Granted exceptions will not skew compliance metrics.
What is your policy language? What are the advantages of a language-based approach?
The Elemental policy language is called PolicyFUEL™ (FUEL) - it is based on Python and is easily portable across platforms. The language enables highly efficient agent/server communications, provides a very tight coupling between the monitoring and automated enforcement of policy rules, and enables policies to be easily expressed in a manner consistent with how they are documented in enterprise policy manuals.
Do I need to learn a new scripting or programming language to use your product?
You do not need to know the PolicyFUEL™ (FUEL) language in order to use the ESP rules and policies. Only the rules are implemented in FUEL; you define policies using the interactive graphical web-based user interface to select rules that have been implemented by Elemental in FUEL.
How are new policies added to an ESP installation?
Elemental provides policy content updates on a periodic basis for all customers with current maintenance and support contracts. Content is delivered in the form of XML files called FuelPacks which are easily imported into the ESP system through the management interface. A Test Space enables users to stage and test new and updated policies before moving them into the Production Space for general use.
ESP ADAPTIVE MICRO-SEGMENTATION and ACCESS CONTROL
How does ESP control access to key systems?
The ESP system implements micro-segmentation through highly granular access control policies at the host or endpoint level. The ESP Agent runs at the kernel level and monitors all packets in and out of managed systems to assure they conform to policy. Non-compliant traffic is detected, reported, and optionally blocked. Micro-segmentation can be implemented at different logical levels through access control policies that can be expressed using the ESP Dynamic Groups, e.g. "Only Finance users can connect to SAP ERP servers." This enables segmentation adaptation by automatically redeploying access control policies according to changes in the environment as host group memberships are updated.
Is an inline appliance required to control how a host communicates with other hosts on my network?
No, access controls are monitored and controlled at the host level. The access controls implemented on a protected system are independent of the path a machine may take in attempting communications. Similarly, attempts to send traffic from a managed machine to an unapproved destination are terminated at the source - and your ability to stop such traffic is not dependent on the traffic traversing a security appliance.
Can ESP prevent intruders' lateral movement on the network?
The Elemental Security Platform supports policies to limit or prevent communications between host groups. The traditional complexity of specifying these policies in terms of IP addresses, ports and protocols has been abstracted to simplify the process. Instead, the Elemental system uses host groups and applications as arguments to define network access policies. For managed hosts this means, for example, that a policy may say, "HR Windows Desktops cannot connect to PeopleSoft ERP Servers," or "Only Engineering Workstations may connect to Test and Production Servers". These are implemented on all managed machines enabling the Elemental agent to limit inbound and outbound traffic accordingly.
Can ESP detect rogue or unauthorized devices and prevent them from accessing digital resources?
ESP's unique and powerful dynamic grouping capability is key to addressing the problem of identifying and containing unauthorized hosts. Using passive detection processes and adaptive host-level access controls, the Elemental system empowers security managers to use a policy-based approach to secure network communications, and to contain or quarantine machines that are either unknown or non-compliant with the organization's computer security policies.
Containment policies can also be defined and deployed for unmanaged hosts. To contain new machines, policies such as "Deny all traffic from Newly Discovered Hosts" can be implemented on specified groups of managed hosts. A policy like this could be applied to critical file or application server groups to protect them from rogue hosts. More restrictive quarantine policies may apply a rule of this type to managed infrastructure such as DHCP, DNS and domain authentication servers to disable the ability of new (or rogue) hosts to function effectively on the network.
How can ESP define or reduce my compliance scope?
All hosts, managed and unmanaged, are assigned attributes based on their observed configuration and networking activity. Using these attributes, the ESP server continuously computes and dynamically updates host groupings; these represent specific compliance scopes for predefined security policies. By matching hosts to various criteria—such as "when first discovered", "geographic location", "not running an agent", "wireless capable", or "not compliant with AV policy"—the ESP server assigns hosts to groups that provide both a security posture and business or compliance context to the way that administrators view the hosts on their networks.
How does Adaptive Micro-Segmentation differ from Network Admission Control?
The key differences in the Elemental approach are:
- Discovery and grouping of hosts and workloads is continuous and adapts to change.
- Access control policies are enforced at the host or workload level, not on network infrastructure devices like routers or switches.
The continuous nature of the Elemental solution enables host-level access controls that adapt to changes on the network. Consider for instance a group whose network activity is limited by policy. As the membership of this group changes, all managed hosts are updated and the agents apply network traffic controls accordingly. Also, by enforcing policies at the host level, access to critical resources can still be protected even after machines gain access to the network.
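The following Python model illustrates how the dynamic groups and group-based access rules described in the Dynamic Grouping and Adaptive Micro-Segmentation answers above can resolve to per-host allow/deny decisions, including the containment of an unmanaged host from the managed side. It is an added example, not ESP or PolicyFUEL code; the group names, host attributes, subnet and rule format are assumptions.

```python
# Illustrative model (added example, not ESP or PolicyFUEL code): dynamic groups
# are predicates over observed host attributes, access rules name groups rather
# than IP addresses, and the decision is taken by the agent on whichever side of
# the connection is managed. Group names, attributes and rule format are assumed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Host:
    name: str
    managed: bool                       # running the agent?
    subnet: str = ""
    logged_in_groups: Set[str] = field(default_factory=set)  # AD groups of the current user
    minutes_since_discovery: int = 10_000
    compliant: bool = True              # passes its assigned configuration rules?


# Dynamic groups: membership is recomputed from current attributes on every
# evaluation, so a user logging off or a host falling out of compliance moves it
# between groups without any policy being edited.
GROUPS: Dict[str, Callable[[Host], bool]] = {
    "Newly Discovered Hosts": lambda h: not h.managed and h.minutes_since_discovery < 60,
    "Finance Users":          lambda h: "Finance" in h.logged_in_groups,
    "SAP ERP Servers":        lambda h: h.subnet == "10.1.0.0/24",   # constructed subnet
    "Non-Compliant":          lambda h: h.managed and not h.compliant,
    "Any":                    lambda h: True,
}


def groups_of(host: Host) -> Set[str]:
    return {name for name, pred in GROUPS.items() if pred(host)}


@dataclass
class AccessRule:
    action: str      # "allow" or "deny"
    src_group: str
    dst_group: str


# Ordered policy, first match wins. "Only Finance users can connect to SAP ERP
# servers" is expressed as an allow for that group followed by a deny from Any.
POLICY: List[AccessRule] = [
    AccessRule("deny",  "Newly Discovered Hosts", "Any"),
    AccessRule("deny",  "Non-Compliant",          "SAP ERP Servers"),
    AccessRule("allow", "Finance Users",          "SAP ERP Servers"),
    AccessRule("deny",  "Any",                    "SAP ERP Servers"),
]
DEFAULT_ACTION = "allow"


def decide(src: Host, dst: Host, policy: List[AccessRule] = POLICY) -> Optional[str]:
    """Decision the agent reaches for src -> dst traffic.

    Returns None when neither endpoint is managed: with no agent on either side
    there is nothing to enforce, which is why containing unmanaged hosts relies
    on rules deployed to the managed hosts they try to reach."""
    if not (src.managed or dst.managed):
        return None
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for rule in policy:
        if rule.src_group in src_groups and rule.dst_group in dst_groups:
            return rule.action
    return DEFAULT_ACTION


if __name__ == "__main__":
    # Constructed inventory for a stand-alone run.
    sap = Host("sap01", managed=True, subnet="10.1.0.0/24")
    fin = Host("fin-laptop", managed=True, logged_in_groups={"Finance"})
    rogue = Host("unknown-mac", managed=False, minutes_since_discovery=5)
    print(decide(fin, sap))      # allow
    fin.logged_in_groups = set()  # user logs off: group membership changes
    print(decide(fin, sap))      # deny
    print(decide(rogue, sap))    # deny, enforced by the agent on sap01
```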
ESP RISK ASSESSMENT AUTOMATION
Elemental's approach to Information Risk and its implementation in ESP have been inspired by Robert Courtney (1977): risk is the product of the estimated value and the probability of failure of an asset.
Another source of inspiration is IETF's Risk Assessment definition: a process that systematically identifies valuable system resources and threats to those resources, quantifies loss exposures (i.e. loss potential) based on estimated frequencies and cost of occurrence.
In simplest terms, IT risk can be viewed as a measure of the associated loss potential for a system:
Risk ==> (probability of compromise * value) ==> loss potential
The Elemental Security Platform automatically and programmatically determines the value and risk of machines based on a myriad of observed characteristics, roles, behavior, and usage information. The ESP quantifies the value and risk of all systems on the network, both managed and unmanaged, through the analysis of factors including compliance, trust, system properties, the type and volume of networking activity, stored information, and the roles of machines and users. This capability identifies high value and at-risk systems enabling organizations to identify, mitigate, and manage IT risks.
The Risk Framework provided by ESP enables security professionals, managers and auditors to make informed decisions about defining and targeting security policies throughout their computing environment to protect critical assets, information and business operations. At Elemental Cyber Security, we believe that Cyber Risk Management consists of three core components:
- Value: understanding the value of assets that comprise the enterprise's computing infrastructure and the associated loss potential of these assets resulting from inadequate or ineffective security controls;
- Metrics: communicating the security and risk posture of the network environment through business-aligned metrics;
- Enforcement: taking measures to mitigate the level of cyber risk.
The Elemental Security Platform (ESP) leverages the extensive visibility it provides into the state, security posture, activity, and roles of systems to continuously and programmatically assess the value and associated risk of all machines on the network. ESP therefore continuously indicates, in context, the trend of risk and its evolution over time. This includes machines not running the ESP agent. This quantitative and qualitative risk management capability offered by ESP enables a fundamental shift in cyber security from a posture of being reactive to external and internal threats to one that is proactive, internally directed, and aligned with business interests. Elemental's Cyber Risk Management solution represents a maturation within the security marketplace, providing the much-needed context to more fully leverage investments in IT security.
ESP risk scores are automatically and continuously calculated for each managed host by factoring in several indicators. These indicators are the value of a monitored host, its security compliance level and its trust relationship to other hosts on the network.
Value Indicators: the value is determined by a number of factors—including the type and characteristics of systems, observed networking activity, and the value of the information stored or transacted by and through it. More than simply the intrinsic value of the machine, the indicators of value are closely aligned with a measure of the value an asset represents to the business, and are rooted in the context of the business environment. This means the indicators are ‘tunable’ through weighting that best reflects the most relevant factors within specific operational environments. These include:
- Hardware / Software / Devices / Applications
- Documents – context- and age-dependent
- Network Activity – a comprehensive view of the volume and type of both inbound and outbound communications
- Roles – weightings based on the business purpose, location, and importance of systems
Risk Indicators: in quantifying a measure of the degree of risk to which a system is exposed, the ESP takes into account the system’s compliance with its assigned policies, as well as the compliance of systems it trusts. Collectively, a system’s adherence to and conformance with a set of well-written security policies provides a robust and comprehensive methodology for assessing the potential for systems to be compromised or disrupted.
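The risk model described in this section (value from weighted indicators, probability of compromise from the host's own compliance and the compliance of the hosts it trusts, risk as their product) worked through as an added Python example. This is not ESP's implementation: the weights, the document half-life, the traffic scale and the trust-blending formula are assumptions chosen to show how the described inputs combine.

```python
# Illustrative risk model (added example, not ESP's implementation): value is a
# weighted blend of the indicator families listed above, probability of
# compromise comes from the host's own compliance and that of the hosts it
# trusts, and risk = probability of compromise * value. The weights, document
# half-life, traffic scale and trust-blending formula are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HostProfile:
    name: str
    role_weight: float              # business importance of the role, 0..1 (tunable)
    app_weight: float               # hardware/software/devices/applications indicator, 0..1
    document_ages_days: List[int]   # ages of sensitive documents observed on the host
    inbound_mb: float               # observed traffic volumes
    outbound_mb: float
    compliance: float               # fraction of assigned policy rules passed, 0..1
    trusts: List[str] = field(default_factory=list)  # hosts whose sessions/credentials it accepts


# Tunable indicator weights (constructed for the example; they sum to 1).
WEIGHTS = {"roles": 0.4, "apps": 0.2, "documents": 0.2, "network": 0.2}


def document_indicator(ages_days: List[int], half_life_days: int = 365) -> float:
    """Age-dependent document value: each document's weight halves every
    half_life_days; the indicator saturates at 1.0 (ten fresh documents)."""
    total = sum(0.5 ** (age / half_life_days) for age in ages_days)
    return min(1.0, total / 10.0)


def network_indicator(inbound_mb: float, outbound_mb: float, scale_mb: float = 10_000.0) -> float:
    """Volume of inbound plus outbound traffic, saturating at scale_mb."""
    return min(1.0, (inbound_mb + outbound_mb) / scale_mb)


def value_score(h: HostProfile) -> float:
    return (WEIGHTS["roles"] * h.role_weight
            + WEIGHTS["apps"] * h.app_weight
            + WEIGHTS["documents"] * document_indicator(h.document_ages_days)
            + WEIGHTS["network"] * network_indicator(h.inbound_mb, h.outbound_mb))


def compromise_probability(h: HostProfile, inventory: Dict[str, HostProfile],
                           trust_share: float = 0.5) -> float:
    """Own non-compliance, raised by the worst non-compliance among trusted hosts.

    A fully compliant server that trusts a non-compliant desktop inherits part of
    that desktop's exposure, which is how a clean host still ends up at risk."""
    own = 1.0 - h.compliance
    trusted = [inventory[t] for t in h.trusts if t in inventory]
    if not trusted:
        return own
    worst_trusted = max(1.0 - t.compliance for t in trusted)
    return min(1.0, own + trust_share * worst_trusted * (1.0 - own))


def risk_score(h: HostProfile, inventory: Dict[str, HostProfile]) -> float:
    return compromise_probability(h, inventory) * value_score(h)


def rank_by_risk(inventory: Dict[str, HostProfile]) -> List[str]:
    """Host names from highest to lowest risk, as a high-risk-assets report would list them."""
    return sorted(inventory, key=lambda n: risk_score(inventory[n], inventory), reverse=True)


if __name__ == "__main__":
    # Constructed inventory: a compliant, high-value server that trusts a
    # partially compliant laptop, so the server carries risk it did not create.
    sap = HostProfile("sap01", 1.0, 0.8, [10] * 10, 5000, 5000, 1.0, trusts=["fin-laptop"])
    fin = HostProfile("fin-laptop", 0.3, 0.3, [30, 400], 200, 100, 0.6)
    inventory = {h.name: h for h in (sap, fin)}
    for name in rank_by_risk(inventory):
        h = inventory[name]
        print(f"{name}: value={value_score(h):.3f} "
              f"p={compromise_probability(h, inventory):.3f} risk={risk_score(h, inventory):.3f}")
```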