5 Steps to Comprehensively Mapping Your Attack Surface

On-Demand

Video Transcription

Randy Franklin Smith:
Good day, everybody. Randy Franklin Smith here. Today, we’re talking about how to get an accurate and comprehensive picture of the entire or overall attack surface for your entire network. And this is much more than just running a vulnerability scan of every endpoint on your network. There’s so much more to it than that, because that just gives you host-level vulnerabilities. How do we blend that in and align it with all of the possible paths that potentially malicious traffic can take on our network? And what is the relative security of those different zones on the network?

Randy Franklin Smith:
So that’s what this aggregate or comprehensive level attack surface is all about. Now, today’s real training for free is made possible by FireMon and FireMon has recently merged with Lumeta and I’ve got Scott Custer here with me from Lumeta. And Scott, you just want to say hi real quick and maybe a couple of sentences about FireMon and Lumeta?

Scott Custer:
Yep. Hello. Again, Scott Custer here, I’m a senior solutions architect with Lumeta. We’ve just recently, as mentioned, been acquired by FireMon to really help provide all of the information that we’re going to be sharing today. So thanks for attending.

Randy Franklin Smith:
Yeah, and there’s some really interesting synergy between FireMon which we’ve covered in webinars before and Lumeta. And I think you’ll be seeing a little bit of that focus as we go along, but let’s just do a quick run through of the five main steps that we’re going to be covering in order to get this comprehensive attack surface. We’re going to start out with validating your address space, then we’re going to make sure we really understand the boundaries of your network.

Randy Franklin Smith:
We’re going to do something called path analysis once we have that data. And that’s a pretty big deal actually, path analysis. And there are multiple ways to go about doing it. So a lot of good material there, then your host and device census, and then closely related to that is taking your vulnerabilities that you find on each individual device and host, and then putting it all together, which arguably could be a sixth step.

Randy Franklin Smith:
So first of all, though, just a few terms. When we use the term firewall today, in keeping with any of the webinars that I’ve done with FireMon, we’re talking about not just your classic firewall but also basically any other network device that has an ACL and can choose whether or not to route or forward a packet or allow it to pass through. So that can be anything from a wireless access point to a layer two switch, a layer three switch, whatever, routers, firewalls, you name it.

Randy Franklin Smith:
These are the things that provide the segmentation on your network. So basically all of that. Now we have three other terms, packet analysis, path discovery, and path analysis. So packet analysis will be the most familiar to you, that’s where we’re capturing packets from switches on the network and then analyzing those packets to collect information for a variety of goals.

Randy Franklin Smith:
For today, we will be interested in packet analysis not for the purpose of discovering malicious traffic per se, but for building this attack surface. So that may be address space discovery, that may be path discovery. What are the various paths that traffic can take? And how can we find external network links? And potentially also through packet analysis, we can find segments and portions of our address space that we’re not aware of.

Randy Franklin Smith:
Now, I put that one in there primarily to differentiate it from path analysis because they just sound a lot alike, but first of all, let’s talk about path discovery. So we have path discovery, path analysis. Path discovery, I’m defining as the analysis of a lot of different information, possibly captured packets or the results of network scanning in order to discover new networks and routes and address spaces that those packets can take.

Randy Franklin Smith:
So packet analysis is getting that data and breaking it down, but then a follow-on, if we’re doing it from captured packets, would be path discovery. But you’re also going to see that the way Lumeta does it is with some very sophisticated network scanning in order to discover and quantify what are all the different routes that traffic can take on the network, and what are all of the segments and other connected networks on this network. Now, how does that differ from path analysis?

Randy Franklin Smith:
Well, I regard this as a higher level analysis of our discovered path or firewall policies, but also our address space and it’s with the goal or the view to revealing all of the possible communication pathways. So in terms of source and destination which ports and protocols, and then also it becomes very important to understand our host footprints as well.

Randy Franklin Smith:
The other thing that I probably should have included here under path analysis is taking into account the relative security or access controls about all of the source network segments where traffic can originate from. But Scott, you live and breathe in this world on a full-time basis. So, have you got anything that you’d like to add or augment to these terms before we really dive in?

Scott Custer:
Well, one thing that I would like to add, just as something to think about as we’re talking about this, is, when we’re looking at path analysis, when we’re looking at these paths, also consider the fact that any device that’s capable of forwarding could be incorporated into these paths, and any device that’s capable of forwarding could be an infiltration or exfiltration point in your network.

Scott Custer:
So being clear about exactly which devices are forwarding and which are supposed to be forwarding, which are under management and which aren’t is really key to ensuring that the full surface area is understood.

Randy Franklin Smith:
Yeah, that’s good. And by the way folks, any questions you’ve got, any feedback, anything else, please use the question window, share any and all thoughts and comments that you have, I’ll work as much of that in as I can. Okay, so step number one in coming up with this overall comprehensive multi-dimensional attack surface is to validate your address space. That’s going to benefit the two main dimensions.

Randy Franklin Smith:
There are two main dimensions to your overall attack surface, and that is the network dimension and the host-level dimension. Validating your address space is going to facilitate the rest of this on both planes, both on the network plane and the host plane.

Randy Franklin Smith:
So by address space, we simply mean what are all of the ranges of IP addresses and subnets that comprise your overall network taking into account all of the segmentation links to external entities, networks that you have hosted up in the cloud. And the list just goes on and on.

Randy Franklin Smith:
So how do we do this? Well, obviously you start with your documentation. So we’ve got our network diagrams; every organization has made some attempt to document their address space. You can also go to your router configurations. And if you’ve got all of your routers and you’ve got every segment identified on your routers, that would go a long way to helping you validate your address space.

Randy Franklin Smith:
But let’s go a little bit further and take a more active and quantitative approach. And basically this is a question for you, Scott Custer. Is it practical to do an IP scan of your entire… well, not your, but of the entire private IP space? So 10 dot everything, and 192.168 dot everything.

Scott Custer:
The idea of scanning all potential 17 million IP addresses within the private IP space can be daunting to some people, to some products. For us, it’s not really much of a problem. We can set that as a discovery space with relative ease, and with some products that may be possible.

Scott Custer:
I do have to say, I’m curious about other products. So I do take a look at them on occasion, but what I’ve found is that they can’t reach their arms around the entire address space or they have issues with speed. And so that speed and scalability issue can be problematic, of course, for some organizations, but for our product it’s not an issue. One of the key aspects in terms of this address space is comparison, right?

Scott Custer:
We want to be able to compare what you found, what we found, what you found through your discovery, to what you have inside your organization as defined through your inventory information. So if you have an IP address management system, or IPAM, you can say, “Well, these addresses have been allocated to this particular portion of your organization.” With that information, our product can also do a comparison.

Scott Custer:
So we can say, “All right, you told us that you have X, Y, and Z networks deployed, and there should be one, two and three number of hosts within each of these X, Y, and Z networks.” We can take that actual information and say, “Well, actually in X, Y, Z networks we found a lot more devices than what you thought you had.”

Scott Custer:
And so with this just base comparative knowledge, we can allow you to be able to say, “Well, why are these extra hosts there? Why are these extra devices not in our database?” And it could be just a matter of truing up, it’s one of those kind of maintenance things that I don’t know, nobody wants to do to say, “Oh yeah, we added another host there, make sure you add that to the inventory management system or IPAM.”

Scott Custer:
And so that process can be somewhat tedious, but it is critical to the overall security and the overall attack surface to ensure that we really fully have an accurate and ongoing count of all of the different elements, all of the different devices within each of the allocated networks. So that’s one of the things that our product does very well. We can scan through that entire address space, validate all the devices within each one of the address spaces and do that comparison.

Scott Custer:
And I can show you that a little bit in our product later, or whatever product you use, it allows you to be able to say, “This is what I thought I had, this is what we actually had. Let’s find out why.” And bubble up to the top things that are new to ensure that they don’t have additional attack surface area, which we’ll talk about a little bit more in some of the other areas of the webinar.

Scott Custer:
So this simple diagram right here is what we call our known networks. So you can see a very simple pie chart that allows us to be able to tell you, “Hey, well, this is what we know about. These are the items that are known.” In other words, these are the items that were in your IP address management database, they were in the head of an administrator that is telling you where all of the allocated spaces are.

Scott Custer:
And this is the address space that’s outside of it. So wait a minute, this is a rather extreme example. And again, this is some kind of demo data; usually after we take a look at a network and do this comparison, this wedge is relatively small. And the nice thing about that is that once you get this collection of addresses together, and specifically once you know what your address space should be, and that it matches your allocated address database, then you’ve got a great idea.

Scott Custer:
You can see that there’s a smaller collection of addresses that may crop up on occasion to say, “Wait a minute, this deviates from the list. Oh, well, it could be that we forgot to update our list.” Okay, we’d go and update it, everything comes up, everything’s all known as true, everything is all a known network. When we can’t, and then of course, if something crops up and says, “Well, wait a minute, this is new. We didn’t add that, this shouldn’t be here. Hold on a second, let’s take a closer look at this.”

Scott Custer:
And then we can drill down into the individual network, we can drill down in here to this /24 and say, “What’s going on? What devices are within this network?” and be able to… And in our product, and of course in other products too, but in our product we can list the individual IP addresses out for you so that you can go back again to other databases, CMDBs, other databases that you might have for devices and say, “Well, wait a minute, this is a device that shouldn’t be on our network.”

Scott Custer:
And so you can see here, I’ve got all 34 devices within that specific address space that were unknown that I need to take a closer look at. And so being able to get your arms around that large address space, and then be able to drill down into the individual devices, is really key to supporting your security activities. And when we’re looking at an address space as large as the private space of 17 million addresses, it’s a very large surface area. If we were to look at all the borders of the United States, that’s a very large surface area, both land and sea.

Scott Custer:
So that allows us to be able… it’s very similar in terms of understanding: if we’ve only allocated the number of addresses that, say, fit inside Pennsylvania, all of the rest of the other states could be areas from which attackers could attach to our network, grab a DHCP address and be able to participate in our network as if they were legitimate. So that’s really key to getting your arms around that first major surface area, to validate your existing address space.

Randy Franklin Smith:
Scott, thanks for jumping in there and speaking to that. The big thing that I wanted to talk about here I think you already addressed: is it practical to just scan every possible IP address? But the other thing is we might scan an address that in fact is part of our network or is reachable, it could be somebody else’s network, because that’s just as important, right? But we don’t get any answer back because there’s some segmentation, there’s some kind of internal firewall between us and them.

Randy Franklin Smith:
And that’s something that I guess also comes into play with path discovery, but I at least wanted to bring that issue up here because it has a big impact on the level of confidence that you have that, do I really have every IP address on my network? Thoughts on that, did you already speak to that?

Scott Custer:
Yeah. And the nice thing about getting your arms around that address space and being able to enumerate all the devices, as well as the intermediary devices, those devices routing, is that you’re exactly right. We may get a device that is routing to the host, but then the host doesn’t have the right, through access control lists or firewall restrictions, to respond. However, in our product, and I think probably some other products, we have the ability to tell you when that happens.

Scott Custer:
So we sent a packet and it was routed and it got through, but we weren’t able to get a response from the host. And likely this particular device right here is the one that’s not allowing the host’s response. Yeah, that’s really key to ensuring that visibility, the ability for a host to respond back, to give us what we call a protocol horizon, is available. And so we can test for it and help organizations sort out how to ensure that that is in place.

Randy Franklin Smith:
I want to cover a couple of questions that came up here in the first step before we move on, but we’ll make it brief. Robert says, “How does this set of discovery and analysis activities change as our network includes more and more cloud-based data, apps and connections?” And I think for one thing, we’re considering some of that still to be our network. If I’ve got VMs up in the cloud and I’m routing data between a virtual network up there and our networks, then I’m viewing that as still part of our internal network.

Randy Franklin Smith:
But then if you’re talking about publicly addressed cloud apps, then that is another situation, Robert. Any thoughts on that one, Scott?

Scott Custer:
Yeah, so we have two methodologies that we can use. We can place a device inside a cloud and be able to enumerate the devices. And this is kind of, I would say, a raw comparison between what you’re being told is the number of devices and what we actually found.

Scott Custer:
So that’s one kind of very empirical method, we also have the ability within our product to be able to query a couple of the different cloud providers through their API to be able to see which compute instances are inside their cloud and details about them from a security standpoint inside our product. And so we can incorporate that data, that cloud data gathered either way into your on-premises data.

Scott Custer:
So any solution that you’re looking at out there should be able to do that for you, should be able to say, “This is your cloud stuff. This is your on-prem stuff. Oh, and by the way, here’s how they’re connected.” And we can do that with our product from a variety of different perspectives.

Randy Franklin Smith:
Now, I really like Ron’s question. He says, “Do you see healthcare organizations performing scans like this? One of our struggles with doing an entire RFC 1918 space discovery scan is that there are highly sensitive devices and there’s a fear of taking them down with even a very basic scan like this.” So if it’s a basic scan, I mean, if it’s a very sensitive device, it’s got to be resilient enough that if a stray packet comes its way, it doesn’t crash. Now that being said-

Scott Custer:
Well, I think.

Randy Franklin Smith:
Yeah. Well, I mean, it’s supposed to be, it should be, that’s all I’m saying. But if we’ve got some pacemaker thing that’s keeping somebody alive and heaven forbid a packet does bring it down, I get the point. And I don’t know much else to say about that other than it’s kind of a Catch-22: you’re supposed to protect these sensitive devices, but if you can’t validate what’s out there, then how can you protect them? But Scott, you’ve probably got a better answer than me.

Scott Custer:
Well, sure. So we’ve run into this in a lot of different verticals, and healthcare definitely; we scan healthcare organizations every day, hospitals in production hours, all of that. So there are two key things that we’ve done, and certainly probably the biggest danger is retrofitted IP devices.

Scott Custer:
So it’s a device that was originally designed to be connected over a “network,” and I’m using air quotes over here, but it wasn’t necessarily for an IP network, and folks had bought adapters to adapt it to the IP network. And those adapters can influence the device negatively if discovery is performed. But we have done discovery inside those types of healthcare organizations and also industrial controls. You can see how critical infrastructure devices have been around for a while in some instances and been adapted.

Scott Custer:
And so our particular product has been designed to be extremely lightweight to ensure that we don’t knock those devices over, and we’ve got a track record of a dozen-plus years to validate the fact that when we do our discovery, we do so in a way that doesn’t negatively impact those devices. And in working with our product and you letting me know, “Hey, we’ve got some sensitive stuff over here,” I can craft it to be even more gentle to ensure that there’s no negative impact for that particular thing.

Scott Custer:
In addition, what we’ve found is that even if any product out there has the ability to gently scan, of which there aren’t a whole lot, discovery agents or discovery technology are usually rather abrasive. With those technologies, they’re all sending out active discovery packets. And what we heard from our customer base was that they wanted us to be able to do passive discovery.

Scott Custer:
And what has happened in a variety of different organizations is we placed one of our, what we call a scout, in those areas and put it in listen-only mode. So we can listen to ARP and we can listen to DHCP, we can listen to IPv6 for those things that are able to communicate with IPv6. And we say, “Hey, actually, there’s a lot of traffic here, these little devices are active.” We have a global entertainment company who has a variety of affiliate television stations whose equipment is incredibly old and has been adapted to IP.

Scott Custer:
And even our discovery has the potential to knock those off, knocking a TV station off broadcast, so in that situation we would definitely recommend the broadcast aspect of our product. And we can combine that with our active discovery, so we can give you that big picture: here are all the hosts that are responding to broadcast, they’re connected to this router, and all of the routers internally are connected in relationship to this particular network in this way.

Scott Custer:
The key piece is that when you’re looking for a solution, you want to be able to get that combination, whether it’s cloud, whether it’s this sensitive equipment area. And then there are a variety of other considerations, but that’s one of the main aspects of both Lumeta and our integration with the FireMon tools: that we’re able to give you that big picture, bring everything together, bring you the information that’s most relevant and important to your day-to-day activities, so that you can actually get on with them instead of messing around trying to gather data. You’re actually using the data for your intelligence operations, so that you can then do what you need to do.

Randy Franklin Smith:
So, Hassan, James and Per, we’re going to come back to your questions here in a little bit. Let’s move on to quantifying the edges of your network. So by this, we mean, what is really our network and what is somebody else’s network? And beyond that, what’s under our control? What isn’t? And how do we regard these other connected zones or segments in terms of security and trust?

Randy Franklin Smith:
So where do you start with that? Obviously we’re going to go to our network diagrams to begin with. But here are some other ways that I’ve found organizations have been able to discover links that they were not aware of. And I guess that’s the first thing, just to acknowledge. Scott, talking earlier, invariably your customers are like, “Oh yeah, we forgot about that connection,” or, “Oh my God, we had no idea of that connection.”

Scott Custer:
Yeah. I’m sorry, we had one customer that had a vending machine, just sodas, whatever, connected directly to the internet. Lord, in order for it to function, to process payments, it had to have a direct non-NATed public IP to the internet. So it essentially was exposing this vending machine and credit card payments directly to the internet and they were unaware of it. So yes, absolutely.

Randy Franklin Smith:
Talking about the internet of things, but how some companies have actually been able to find some of this is by reviewing who all of our telecom suppliers are, our accounts, what the invoices are, what’s on the invoice? Oh, wow. Yeah, we forgot we even had that. Or doing this at affiliates and acquisitions. A lot of times you are not aware of what some of these other companies have done.

Randy Franklin Smith:
I was doing a security audit of an international organization that hosted data that very bad people would kill for, and it turns out there was a renegade IT department or group, this little IT department, and they had their own leased line connected to the internet. So I’m sure you’ve heard of similar situations or seen them yourself out there.

Scott Custer:
Sure.

Randy Franklin Smith:
But also we want to look at connections to cloud providers, or VPN and dedicated links like ExpressRoute if you use Azure, I forget what they call it in Amazon, and so on.

Randy Franklin Smith:
But once a device is discovered, then we need to declare and document: is this perimeter? Is this part of a network owned and under the control of someone else? And what is the trust factor on that? And what are the compliance issues? I’ll tell you, the other thing is, where does that fall geographically in terms of sovereign boundaries, with all of today’s privacy legislation?

Randy Franklin Smith:
And along with that goes egress controls and something that you guys refer to as leak path detection, Scott?

Scott Custer:
Yeah. It’s a patented technology, there’s no other product on the market that really can do what we do, especially on this scale and at the speed at which we can do it. So the idea is that, in identifying the edges of your network we want to be able to…

Scott Custer:
We’ll talk a little bit more about perimeter devices in just a bit, but the idea is that leak path detection allows us to be able to target hosts on your network and have them attempt to respond to external IP addresses… without, well, just have them respond to external IP addresses, so I’ll leave it at that. And it’s a very, very simple, straightforward mechanism. And if they’re able to do so, then that device is a potential source of ingress and/or egress at Layer 3.

Scott Custer:
And so this allows us to be able to say, “Look, you’ve got all these great perimeter controls, you’ve got this firewall, you’ve got this access control list. You’ve got multiple pieces of segmentation between this host and the outside world. But in the example that was given earlier, they’re not working. This particular host has the ability to connect directly to the rest of the world.”

Scott Custer:
And in one situation, I was working with a company that was being purchased by another company. The company that was being purchased was in Georgia, and the global company has locations all around the planet, but the Georgia company’s president had a vacation home in Maine. And through this discovery, we were able to find out that the individual who set up the connection in the president’s vacation home to allow him to get access back to his company in Georgia also provided inbound and outbound access to everyone on the internet.

Scott Custer:
So there was a misconfiguration done by an individual who was probably maybe new, I don’t know, but through our testing of over 75,000 devices, we found this one little tiny hole that provided ingress and egress to the rest of the world. And that single hole could have devastated this entire merger, but we were able to find it and close it down and ensure that when this company in Georgia was bolted onto the global conglomerate, it was as secure as it could be.

Randy Franklin Smith:
And this just made me think of one more thing that belongs on this list. We never talked about it, Scott, but it’s something that I became aware of with a different technology I was looking at one time. But it qualifies as an important edge for your network, and that is these application gateways from various cloud applications suppliers. And it all depends upon the application, but I’ll just pick on one. And that is, let’s say you have a cloud-based log management service that you use.

Randy Franklin Smith:
Chances are, there are one or more collectors that have been deployed either as VMs or network appliances on your internal network to go out there and get logs from all of the different systems. But I mean, there are so many other examples; just think of any kind of cloud application where you end up installing… Usually it’s just a virtual machine template, but it gives that cloud app a presence on your internal network. But that really is a connection to another outside network, not under your control. Do you agree with me on that, Scott?

Scott Custer:
Absolutely. Absolutely. And just mentioning the template is really critical, because we’ve seen systems where the folks that are building the systems and deploying the system, deploying images, whether they’re on the hardware or in virtual machines, have a lot of different things they’ve got to consider when they’re building the image.

Scott Custer:
And in one organization, the systems people accidentally forgot to shut down all of the non-essential ports. And so in an organization of about 20,000 IPs, we found 350 POP servers, and they weren’t really POP servers, but they were devices that had the POP port open and were therefore potentially vulnerable to POP attacks.

Scott Custer:
And so that one little thing inside that template, whether it’s deployed in the cloud or on-prem, could potentially then expand the surface area for all devices that have that template, that image, into hundreds, if not thousands, of devices that are now the new attack surface area, making vulnerabilities available inside the organization.

Randy Franklin Smith:
All right, well, let’s talk about path analysis. And there are three ways to do this. And again, path analysis is where we are determining what are all the possible routes or paths that data can take through my network, especially potentially malicious traffic?

Randy Franklin Smith:
And there are three ways to do it: from actual scanning, where we actively go out there and ping or otherwise attempt to communicate with devices on the network. We can also get it deterministically if we collect all of our firewall and router policy and analyze that.

Randy Franklin Smith:
And then we’re able to do a portion of this kind of path analysis through packet capture. So let’s talk about actual scanning first. In this case, the idea is we put scanners, or like you guys use the term, scouts.

Scott Custer:
Scout.

Randy Franklin Smith:
But they’re devices, they could be the intro, I know, at different points on the network where you’re on the other side of whatever segmentation or router that could be limiting your viewpoint. And you put as many of those, theoretically, as necessary at different points of presence on the network, so that just through actual exercise of these ACLs and firewalls you see what can be reached from where. From any given source point of view, what are all the destinations that I can reach? Is that a fair way of summing this up?

Scott Custer:
Yes. And the thing about our product specifically is that even in a very large enterprise, as long as we are put in a tools network or given relatively minimum permissions to pass through firewalls and access control lists, we can do the entire discovery, from tens of thousands, hundreds of thousands, actually millions of potential hosts, from a single perspective.

Scott Custer:
But you’re right, this multiple perspective aspect, being able to deploy multiple items and then perform discovery from each one of those items is very valuable to most organizations, not only from a security standpoint, but from simple things, well, simple, I’ll say, simple things like protocol or application deployment.

Scott Custer:
So they need to know, if they deploy this app and it starts here and it’s a cloud app, but they want to make sure that that particular app can actually be used by the entirety of the organization, they need to perform discovery from that particular deployment standpoint.

Scott Custer:
So being able to look at all of those different pieces, being able to look at where things are being filtered and how we’re getting passed through the network, can not only provide that visibility, but also can ensure that it’s efficient and effective and available to the entire organization.

Randy Franklin Smith:
So that’s one way, and that’s through actual scanning and the very real possibility that you may need more than one point of view or presence to do this. Here’s another way, and interestingly this is related to you guys as well, through FireMon. And this is actually the first method that I learned about of path analysis. And that is by identifying all of your firewalls and routers and then collecting their policies. And from those policies, from those router ACLs, firewalls and everything else that qualifies as what we’re calling a firewall today, figure out what are all of the possible paths from point A to point B and all the way through point Z?

Randy Franklin Smith:
And the nice thing about this is it doesn’t put requirements on having to do active scanning and having these active scanners in many different places on your networks that they have different points of view, but it does require that we know all of our firewalls and that we can get into them and get this privileged information from all of them. And then it’s based upon a deterministic projection of what all of the possible pathways are. And to differentiate that from the act of scanning, that is from actual experience. But both of them have their merits, Scott?

Scott Custer:
Yeah. And the nice thing about the merger between us and FireMon or the merger of the technologies is that we can marry these two. So we can use our active discovery to say, “Oh, by the way, you’ve got another 50 firewalls that are not under management.” And then you can go to FireMon and add credentials and add those devices and bring them under management.

Scott Custer:
But we can also, in the future, as our products become more and more integrated, we can then show you, “Well, this is what your firewall policy says. This is what we found, and we can get through it through this protocol and that protocol, there’s something wrong. There’s something going on with that policy.” So my vision, my idea is that, we’ll be able to say, “Well, it’s actually this particular firewall with this specific policy that’s allowing this active discovery technology to be able to go through and get access to a network that it shouldn’t have access to.”

Scott Custer:
And yeah, it’s this comprehensive gathering information and bringing it all together, this is really the end game for our products merger.

Randy Franklin Smith:
So a third way, can you do path analysis from packet capture? Well, you can, but it’s a different kind. It’s a subset of path analysis or it’s a subset of your paths, it is those paths that are actually in operation. And unless you have an attack in progress then it’s going to explicitly exclude those attacks potentially.

Randy Franklin Smith:
Because what we’re doing here is we’re just putting points of presence out there, not scanners though, we’re doing packet capture taps. So these are basically all taps and then we’re collecting those packets and then we’re analyzing it to see, “Well, what are the well-trodden or even, maybe not well-trodden, but trodden paths out there?” But it is not going to show up that little needle in the haystack that says, “Hey, do you realize that such and such at our HVAC vendor can actually establish an RDP connection to our VMware hypervisor? Well, it wouldn’t be VMware, sorry, Hyper-V hypervisor? I said RDP. But you get the point.”

Randy Franklin Smith:
So, I mean, I think the big thing here is it only tells you what is happening, not what could happen, and it’s highly resource intensive because you can’t hope to capture every packet on a global network. So in addition to being resource intensive for whatever amount of traffic that you analyze, there’s also going to be traffic that you’re just dark to. So to me, this almost doesn’t belong up here, I don’t regard it as an effective way to do path analysis.

Scott Custer:
I would agree. And the two key pieces is that, what if your analysis is in the wrong place, or what if you’re missing large collections of your network? There’s no way to know that, really. And the other is what about all that encrypted traffic that’s so common these days?

Scott Custer:
So, yeah, okay. Great, you’ve gathered a lot of encrypted information. What do you do with it? And can you do your analysis? Maybe. So there’s a lot of weaknesses here that people… And people would rely on this as a fundamental element of their security policy, but there’s so many what ifs or so many unknowns that are related to the placement of these devices and the information that you’re seeing that the value is questionable.

Randy Franklin Smith:
And when I was saying the value of packet analysis, what we’re talking about is the value of packet analysis for the purpose of path analysis.

Scott Custer:
Exactly. Exactly.

Randy Franklin Smith:
Okay, so we’ve done our path analysis. Now, we’ve fleshed out our network plane of our attack surface at this point and it’s time to swivel over to the host plane. And first of all, we just need to get a census of all of the endpoints out there, all the hosts, all the servers, all the devices and so on. And where do we start?

Randy Franklin Smith:
Well, again, we always start with network documentation. This changes so fast and on such a constant basis, and there are so many different entities or departments within an organization that are flowing and life-cycling devices on and off the network, that there is no one complete record of this. And so asset management is very valuable for making sure we’ve got a complete picture and list of all of our hosts and devices.

Randy Franklin Smith:
Systems management is going to help us a lot with at least those systems and devices that are under the stewardship of that particular systems management system. But scanners are going to be valuable. And now here is a place where network probes that do packet capture are, I think, really valuable for identifying hosts and devices because any device out there should be sending a packet once in a while at the least.

Randy Franklin Smith:
And that is a good way if we’ve got a tap where that packet is going by to discover that that device is there. Scott?

Scott Custer:
Yeah, but the key is that if we’ve got a tap. And I’ve actually worked with network access control organizations and all kinds of the packet capture organizations in the initial stages of their deployment to perform discovery, right? So we perform this discovery of both paths and end points and say, “Actually, the administrative knowledge that you have about your network is not accurate. Here are the number of devices that are forwarding traffic. Here’s the largest concentration of hosts. If you want to start with listening, you can do it here at this particular choke point.” But that initial discovery, that initial identification of the entire organization and the total number of hosts is really critical to ensuring these other technologies really function the way they should.

Randy Franklin Smith:
All right. So we’ve got our list of devices. And one thing that we’re going to see is that there’s multiple sources of input for this. And that a lot of times they are going to be a feedback cycle to each other. In fact, that overlaps nicely into the fifth step. And that is, okay we’ve got our hosts and our devices, what are the vulnerabilities on those? And that’s for the most part, a matter of vulnerability scanning and maybe also using data from our EDR solution.

Randy Franklin Smith:
But one of the things that ends up making this a step that’s worth identifying as a separate phase is that invariably your vulnerability scanning is not scanning everything. And that could be first of all, just because of address space validation, but it could also be a matter of permissions to the host, credentials to the host, or it could also be a matter of network visibility.

Randy Franklin Smith:
If the vulnerability scanner is behind a segmentation router, then even if it knows that it should be scanning these IP addresses, it’s not going to get any reply back. And so one thing that we talked about, Scott, is the value of truing up and reconciling different security technologies with each other. So looking at what the vulnerability scanner reveals, looking at what, if folks have something like your solution, that reveals, and looking at what EDR is reporting, and looking for zones that don’t overlap, looking for the remnants where a vulnerability scanner found these IP addresses but that’s not part of our address space right now, or our address space is showing us that we’ve got this segment and the vulnerability scanner does not have that.

Randy Franklin Smith:
And it’s a scan definition or it does but it’s getting zero response from them, right?

Scott Custer:
Well, yeah-

Randy Franklin Smith:
There’s a lot of true up to do between them.

Scott Custer:
Absolutely. And that’s one of the key areas that has been built into our product over the last two or three, four years, the idea of that comparison, right? So you’ve got a vulnerability tool, fantastic tool that uses credentials, logs into the devices, gets that great information.

Scott Custer:
But what about the stuff outside that? Or you’ve got an endpoint management tool and you want to know, “Well, of the total, how many devices actually have that end point on them?” And we had a DOD client, Department of Defense client that has an end point technology and they wanted to know, “Well, of all the devices that we have, how many of them, what percentage of them actually have the endpoint installed?” And so our simple integration basically is just a comparison.

Scott Custer:
This is what they say, this is what they have. This is what we found and here’s the Delta. And that simple, really, really basic comparison between those tools, including inventory management tools, including like IPAM, DHCP tools, all the different tools out there on the market that claim to do discovery aren’t actually able to do so, their technology is very limited.

Scott Custer:
So we’re bringing a great deal more value to those products by being able to expand and see the entire picture, and any product that you get should be able to see that big picture. In one example, I found 260,000 devices, the vulnerability scanner in that organization was not aware of 40,000 devices within that 260,000 active IPs.

Scott Custer:
So 40,000 devices had never been touched by their vulnerability analysis tools. And one device is bad, but 40,000? So just that base comparison, just being able to say, “This is what they have, this is what we found, here’s the difference,” can give you very, very clear marching orders, very clear agenda for what needs to happen next with all of the tools in your security stack.

Randy Franklin Smith:
Well, speaking of a clear agenda and what happens next. So this is really the catch-me-all, in my opinion. From step five, what our real and really elementary product is, is our host level attack surface, and the vulnerabilities on it.

Randy Franklin Smith:
So, like, as an example, attack surface alone would be RDP and then, oh, there’s also an unpatched vulnerability specific to RDP on that host. Okay, let’s take that data and let’s factor that in with everything else that we’ve collected so far.

Randy Franklin Smith:
So we have our products of our path discovery and analysis. We have our host census and the vulnerabilities and attack surface on those hosts. And then also we might also talk about threat data, but let’s just take the first three, combine them together and now we’ve got… And I haven’t come up with my final term, so I’m going to append it all together.

Randy Franklin Smith:
We have our comprehensive multi-dimensional aggregate attack surface, or we could just say, “We are overlaying our network vulnerabilities or network attack surface with our host level attack surface and vulnerabilities. And here is the really neat stuff that that’s going to make possible.” So here, we’re identifying that, oh, look at that relatively small network segment down there towards the bottom left-hand corner of the screen, that little network segment can send a packet over port whatever, or can send protocol X traffic, all the way across this network through these different hops, up to this really vulnerable host at the top left-hand corner.

Randy Franklin Smith:
And by the way, you notice that host is red, that’s because there’s a vulnerability on that host and everything lines up. And so, out of all these different combinations of attack surface and vulnerabilities and network paths, that is a high priority one because we’re looking at our threat data, we are looking at unpatched vulnerabilities and we’re looking at actual pathways where, from a less trusted network segment, we can actually hit that vulnerability on that particular host. And that is what an aggregate attack surface allows you to do.

Scott Custer:
I really like your term aggregate attack surface. So that’s my two cents but I agree. In most of our day-to-day organizations, the activities they want to know is what’s the most important, right? What’s the highest priority. And being able to have that aggregate attack surface and essentially a sorted list to say, “Well, not only does this device have this port open, and this vulnerability tool has determined that that port is associated with that particular exploit and so on and so forth, but this ability to be able to define the device, and in some organizations, that’s a challenge.”

Scott Custer:
And being able to say all of these factors together, port open vulnerability identified, availability, criticality of the server, all of those pieces come together, give you a number one priority. This thing has to be dealt with right now and that is incredibly valuable to the organizations that we work with given their scale and scope.

Randy Franklin Smith:
But you only get that if you’re able to bring those two planes of attack surface together, the network plane, and the host level. So bottom line is-

Scott Custer:
And we have-

Randy Franklin Smith:
Oh, go ahead.

Scott Custer:
Well, one of the features of our products is, it sounds like a strange feature, but it doesn’t really have the ability for you to enter in credentials. So when a hacker looks at a network, they’re going to do network reconnaissance, they’re going to see, “Okay, what ports are open? What banners are responding? Does it respond to Windows share?” Those types of things. We have that in our product, and any product that you use out there should have the ability to be able to see what your network looks like without credentials.

Scott Custer:
Vulnerability tools are going to allow us to dive deeper and look at the potential destruction that a vulnerability would allow, but being able to look at that higher level surface, that aggregate higher level surface information, is really critical for prioritizing purposes. Thanks, Randy.

Randy Franklin Smith:
So, really what it comes down to, unless you’re going to basically just take your vulnerability scan and compare that to your network diagram. So let’s say you don’t have the time or resources or technologies to do all of this. If you did nothing else but take the most up-to-date network diagram that you have, and then take your vulnerability scan of your different hosts, and at least do your best to identify these things like what I’ve illustrated here.

Randy Franklin Smith:
Then you’re going to have accomplished to a degree, or at least made a best effort on, what we’re talking about doing today, but really the ultimate would be if we could automate this. And some of you are already thinking about that, like James says, “To what extent, when you do policy analysis, are you trying to hit a moving target? By the time you’ve done the analysis, the situation has changed.”

Randy Franklin Smith:
And that would be true if you’re analyzing your firewall policies manually, but in all of these cases, if we can automate our path discovery, if we can automate our path analysis whether it’s from active scanning or policy analysis. If we can put a feedback loop between our vulnerability scanning and our EDR and our network scanning, then we’re winning, then we’re able to really do what we’ve been talking about accomplishing today in a big way.

Randy Franklin Smith:
But aside from that, one of the other big challenges aside from just automation is discovering a lot of this, because unless you can put a network probe/scanner on every segment of your network, then how are you going to be sure that you’ve really identified all the segments on your overall network? Because segmentation and micro-segmentation then becomes a double-edged sword.

Randy Franklin Smith:
But then also, how do you discover leak paths to the internet and segmentation violations between enclaves that you think are secure from each other, or unauthorized movement between those? So that’s where our sponsor comes in. I’m going to turn things over to you, Scott, to talk about how Lumeta provides automation and some really sophisticated discovery of all this stuff. So I’m going to make you the presenter.

Scott Custer:
All right. Thank you. Okay, you should see my screen here.

Randy Franklin Smith:
Yep.

Scott Custer:
Yes?

Randy Franklin Smith:
Yes, we do. You look good.

Scott Custer:
Okay, great. Thank you. So as I was showing you while we were dealing with your audio issue, I was showing basically, you know, in the address space population, being able to identify and get your arms around the active IPs within your address spaces is important to be able to say, “Look, how many devices are in there and what are they?” And we were able to look at specific information from DNS, we were able to look at basic device type information.

Scott Custer:
Those types of things are going to help you sort out, and with our product we’re able to put together a variety of different dashboards, so the information that you’re receiving is in the format that you want, that allows you to very quickly look in your dashboard and say, “These are my top priorities for the day or for the morning.”

Scott Custer:
So these particular device details came out of looking at individual reports. So we have the dashboards, reports and maps in our product that allow us to be able to give you the data. And I’ll talk more about how we do our discovery and it’s very much related to the… I actually want this one, very much related to kind of the things that Randy and I have been discussing throughout the call. But here’s a really, really simple, straightforward address space visualization summary.

Scott Custer:
So we wanted to see how much of our address space is populated. So we divided it into the classful areas, so you can see which address spaces are being used, and when we click on an individual bar here, this allows us to be able to actually see the individual slices, right? So you can say, “Well, we’re using several different IP spaces, let’s see how many devices are within each.”

Scott Custer:
And just hovering over the top of them and say, “Well, it came up with 98 devices in the 10.9.0.0/24 network.” Now you can click on it, look at the individual details, the 98 devices. You can certainly do that, but even easier, we can essentially take this information in this specific chart and put it into that known list that I talked about a little bit earlier, that allows you to say, “These are all devices that have been validated, they are supposed to be on your network, they are okay.” And if anything deviates from that known list we let you know.

Scott Custer:
And not only can you come into the product and see that notification, but we also have the ability to ship notifications out of our product into SIEMs, we can ship it out via email, a variety of different ways that you can pull the information out and access it so that you can really gather the information the way that you’d like it.

Scott Custer:
So these reports, the other kind of piece about it and it’s based on a question that was asked is that, this information is based on essentially continuous monitoring. So what we’ve done with our product is allow customers to really craft a very specific way that the information is gathered in their organization, and therefore then presented in their reporting phase.

Scott Custer:
So this allows us to be able to say, “Well, in this organization, it was important to have these different areas identified.” In some organizations they have put together geographic-based zone information. I have a company that’s a bank that’s putting together zones based on essentially functional business units within their organization, and we let that organization determine how they want to perform their discovery.

Scott Custer:
And you can see here, we’ve got a variety of different discovery mechanisms and I can certainly go into each of them and be able to show you how we do what we do. But the idea is, it’s here in the basic configuration of what we call a collector is how often we want this to be performed. So the organization that matches to the zone, the portion of a larger organization, or the entire organization can say, “I want this information at this time.” And we can provide that information in pretty much any timeframe. So to give you an example of address space surface area, we have a customer that uses 96 million or has access to 96 million potential addresses.

Scott Custer:
That includes the 17 million private IP space, but again, the total of 96 million potential IPs that could be used to access their network. They want those 96 million addresses scanned on a regular basis, we scan them every four hours and they come up with 1.1 million IPs out of those 96 million and we find those 1.1 million IPs every four hours. And we’re actually looking to make that shorter and shorter to give them real-time continuous monitoring.

Scott Custer:
So in any other organization, we’re likely not going to scan that entirety of that address space and they’re not going to have that total number of hosts, or they’re a little bit rare in that case. So we can say with a lot of confidence that we can provide pretty much real-time information for any size organization in order for them to be able to then do what they’d like.

Scott Custer:
And then what we’ve found is that this organization, the people that are using us in this organization, have now become data brokers. They are now the people that organizations within this large organization come to and say, “Hey, can you give me that data? Can you send it via the API? Can you send it over to our SIEM? Can you put it in this particular format, ship it off to me and this and that.”

Scott Custer:
And so this allows them to be able to have essentially a one point where information is being gathered, so that multiple points can then use it and leverage it for their own purposes. They could go back and re-scan with their own tools or technologies, the specific segment or specific portions of the data that they’re interested in.

Scott Custer:
So it provides a great deal of confidence in the level of information, the freshness of information that’s being provided, so that actionable data can come out of those activities.

Scott Custer:
So in doing this discovery, we have that path discovery, that segmentation discovery, that host discovery. And one of the key things that makes our host discovery different from most other technologies out there is that we take the entire discovery space, the entire target list, and say, “Randomize it.” We randomized, in this case, say, 16 million addresses and look for hosts, whereas most tools do sequential port sweeps, port scans, ping sweeps, going after /24s. And maybe they’ll finish by the end of the week, maybe they won’t.

Scott Custer:
This, you pop it in, randomize it, and a few minutes later in most instances it comes back and you have your active host count. And we can perform port discovery, which allows them to be able to look at what we consider vulnerable ports or infection ports. We can do basic profiling. As I mentioned, we can look at CIFS and we look at HTTP banners and certificates to give host censuses and all those different types of things.

Scott Custer:
We can even allow customers to supply their own specific attributes to their data. So if they want to say, “This is always an R&D network in Rochester, New York,” that information can be applied to the data so that it’s there when they’re looking at their dashboards, maps, and reports.

Scott Custer:
And one of the things as I mentioned, that was kind of key to our customer base is this integrations piece, and being able to actually say, “Look, I’ve got a collection of security tools but I’m not 100% confident that they’re seeing everything that they need to see. This is where we come into play.” So you can see there’s a lot of names here that you’re likely familiar with, we’re adding more and more names every day, but this is where our base comparison comes from.

Scott Custer:
So the configuration is very straightforward, we simply say, “Well, let’s connect to the call server, and then let’s take a look at what we found.” So we can say, “This is what Qualys had. This is what we found. And here’s the Delta.” And another example is the endpoint technology that I mentioned before. So we can say, “Look, these are the devices that we found to not have end points on them. And these are the devices that we found that we were both able to see and had end points on them. And of course, these are the areas that we can’t see. Why can’t we see that? Our discovery tool was supposed to be able to see every portion of the network.”

Scott Custer:
And we can go and investigate through our product why we weren’t able to see these specific collections of our network. But this information right here is incredibly valuable to most organizations; it can be exported and shipped off to say, “Look, these devices are all capable of having the McAfee endpoint on them. Why aren’t they installed? Go ahead and install them.”

Scott Custer:
So this gives that clarity of purpose, that clarity of activity to most organizations that is really, really valuable in terms of resource hours. Also, we have allowed customers to be able to break up their network through those zones. And this gives them the ability to look at the network and visualize their segmentation. So you can see here, this is a very straightforward map, and this is getting better and better all the time, which allows us to say, “You know what, there should be segmentation between this network and this network. And I can see through my discovery that this segmentation is actually in place.”

Scott Custer:
If there were a line between this device and this device or any one of these devices to another device, I can say, “Look, there’s this segmentation violation right here, we need to deal with it, we need to adjust a particular device in order to stop that from occurring.”

Scott Custer:
So this allows us to have that visual that I, myself really value and other people who are visual learners, that value to say, “Hey, look this is the way that the network is arranged and organized, and I can arrange and organize it however I like to match my visual understanding, my mental understanding of the network and be able to ensure that there’s nothing out there that shouldn’t be out there that is connected to various segments of the network.”

Scott Custer:
And see here, I can hover over individual devices and be able to then get information from them, be able to then go ahead and take a look at the device details and be able to look really closely and say, “What the heck is this?” And even if we’re not able to get you information about the individual device, we’re able to tell you where it is in relationship to the devices, the intermediary routing and firewall devices that are allowing it to connect to the network.

Scott Custer:
So again, the three areas that we report information on are our dashboards, our maps and our reports, and then our settings, our zones, allow us to be able to both segment data from a reporting standpoint but also from a discovery standpoint, to be able to allow that discovery to occur on whatever time threshold is valuable to the customer.

Scott Custer:
I can go on and on and a bunch of different directions here, but I’m going to flip it back over to Randy and see if any questions… I can’t actually see the questions for some reason, my question pop-up is not functioning. So throw me questions, I’m ready.

Randy Franklin Smith:
All right. Yeah, it seems like it’s one of those days, technology-wise. Thank you for jumping in and helping out during my absences, and folks, thanks for hanging in there with us today. Here are some questions, first of all, James says, “Can I use that F5 technology and fire logs to validate and correlate my address space by attaching signatures and items from my vulnerability scans?” So there’s a few conjunctions missing, I think, from that question. Do you get a sense for what he’s saying, Scott?

Scott Custer:
Yeah. And you certainly can tell a good deal from your F5 devices about the information that’s flowing through them, but what about the devices or the areas where information is leaving or entering your network that are outside of those? And maybe that’s the only place they can go in and out of, but in my experience, in an organization that’s large enough to deploy that technology, there are likely other ways to get in and out of the network.

Scott Custer:
So it’s going to give you a piece and it’s going to give you a valuable piece of the information, of your segmentation, your network, overall network picture. But I don’t think it’s going to give you the big picture.

Scott Custer:
And the other piece to that is that even when you do that correlation or gathering information and analysis, that comparison to your vulnerability tools, I think is going to be incredibly challenging. We don’t have integration right now between F5 and our product, but we can certainly do something where we could compare the address space that is being seen in those devices to what we’ve found, so that you can actually see where else to go to gather that data.

Scott Custer:
But our goal is to allow you to be able to gather from multiple places, see it in one place, and bubble up to the top the most important things so that you can address them as quickly as possible. I hope that answers the question.

Randy Franklin Smith:
I think so. Per asks, “Would it be useful or relevant to scan from each segment?” And that question goes back to about the bottom of the hour. And we have discussed that some, but let’s go ahead and address that question from Per. And Scott, I think that is mostly a function of how good is your discovery technology, right?

Scott Custer:
Yeah. We have had incredible success scanning most of the… We tend to work with the Fortune 100, Fortune 500 on occasion. We’ve had tremendous success scanning from one particular perspective, especially in the beginning stages. If they have, we’ll call it, a flat network or if they have a tools network, and even in instances where they don’t have a tools network, we have been able to, from a single standpoint, fan out across their entire organization and perform both a path discovery segmentation analysis and a host census in very short order.

Scott Custer:
What we see is that this provides us a valuable jumping off point. Now then what they want to do in the case of a global oil company that we’re working with, they wanted to see what various networks will look like from various perspectives around the planet. So they ended up deploying our technology in Kuala Lumpur and London and here in the states and other places. And then scanning the exact same address space to see what they see.

Scott Custer:
And what they found was that the segmentation and the restrictions they put on various geographic locations were not working. They were able to say, “All of the work that the firewall and access control router teams were doing more, was good work,” but there is so much complexity in firewall rules and so much complexity in access control rules.

Scott Custer:
And such a lack of uniformity in most instances, that there was no way for them to tell whether they were being successful or not; they put the rule in place and that was what they could do. But this perspective deployment that this organization and multiple organizations wanted was able to really validate the work that was being done by their team.

Scott Custer:
And in another organization, a global food conglomerate that we work with, they hire us on a regular basis to come in and do the beginning portions of their global penetration testing. And we were inserted into a userland, scanned the entire organization, saw the big picture, and we were able to tell them that the security controls and the restrictions they put into place from the user perspective, because we were in the userland, were working.

Scott Custer:
“We were not able to get here; we were able to get here, but we were supposed to get here; we were not able to tell you what this device was,” that’s what they had in place. And that’s what’s missing in a lot of global IT organizations: the validation of the work and effort that organizations put into place to clamp down on security.

Randy Franklin Smith:
Awesome. Now, Jeanette says, and maybe this is something we’ll just follow up on, but if you have any white papers about leak detection she’d like to read about that. So let’s see if we can get back to her on that one later. James asks, “To what extent does policy analysis end up creating a situation where you’re trying to hit a moving target?” I think we covered that one, didn’t we, James?

Scott Custer:
Yeah, you mentioned it before. As mentioned, it really depends on the size and scale of your organization. But being able to really get the human mind around all the different aspects and iterations of firewall policies and access control lists on dozens, if not hundreds, of devices is very, very tricky. So the FireMon tool suite is fantastic at gathering and normalizing and aggregating and putting together all the firewall rules and all the different elements of what it takes to secure your perimeter.

Scott Custer:
So yeah, I mean, I think that’s a really, really valuable thing to do, but then as soon as something changes, then what? So being able to use tools from the FireMon suite, being able to use Lumeta to continuously examine the changes and modifications that take place not only inside your firewall rules but also inside the network, and at the endpoint, is really essential to ensuring that you’re securing your organization on an ongoing basis, on a continuous basis.

Randy Franklin Smith:
Yeah, let’s see here. Slinger would like to know how accurate the asset operating system enumeration is during discovery scans.

Scott Custer:
In terms of our product specifically, and I was just bringing that up, so it’s very fortuitous. The idea is that… no, that’s not the right one; that’s the one I’m looking for. So, well, actually you can see here we have profiled versus unprofiled. So we have 87.27% profiled in our organization. The remaining 13% is either we weren’t able to get enough information from the host, or we don’t have a signature. We have about 3,500 signatures on board to match and profile devices.

Scott Custer:
The key is that, looking at the low-hanging fruit, you’ve got infrastructure devices. And remember that our product is performing this type of device profiling without credentials; the only credential we allow you to supply is SNMP, and that will return a system descriptor and system object ID, which gives you a great fingerprint.

Scott Custer:
But the rest of our technology, the other mechanisms we use for device type summary or device profiling, are credentialless. And so other discovery tools, other vulnerability analysis tools, and ServiceNow, and all the different things out there that say they do discovery, rely heavily on credentials.

Scott Custer:
And so we don’t do that, and because we don’t do that we developed our device profiling technology to take that into consideration. So we give you best in class for uncredentialed discovery because we never expect to have it. And I was working with the discovery mechanism in a vulnerability analysis tool, I won’t say which one, but I was doing a side-by-side comparison between our product and their product without credentials. They failed miserably; we did a great job, because their discovery relies on those credentials and ours is designed in its DNA to not do that.

Randy Franklin Smith:
That’s cool. Let’s see here. Per asks, “What about a software defined network, does that present any challenges to this scanning and discovery method?”

Scott Custer:
So for us, in this particular iteration of our product, we’re looking at raw IP traffic, so we’re looking at Layer 3 technology and, as you saw, some kind of other-layer responses that we’re looking for in profiling. But from a raw routing Layer 3 standpoint, it doesn’t matter. Those technologies will route and forward traffic; the hosts will respond from an IP standpoint. So the fact that they’re attached to an IP network and they’re participating in that network gives us the ability to perform discovery on them.

Scott Custer:
And we’re going to give you the information based on the defined discovery. And we are looking, with FireMon and all the other tools in the overall product suite from FireMon, to be able to incorporate those software-defined networks in our topologies, from essentially a credentialed standpoint.

Scott Custer:
In a similar mechanism in our cloud offering, what we’re doing is allowing you to add your Amazon or Azure credentials to our product, query their API, and then we pull it into the overall larger picture. In a similar way, we’re doing that with the other tools in the FireMon suite to pull information out of those software-defined network APIs, and be able to say, “This is what was defined inside the product.” And then we can go back and target them actively to validate that the design is actually what exists out there from an IP standpoint.

Randy Franklin Smith:
Awesome. And then let’s see, James asks, “Can enumeration signatures be customized?”

Scott Custer:
Yes. So if we’re doing device profiling, as I mentioned, we have about 3,500 signatures. A lot of them were sourced from customers; I’m blanking on where we do that now. So customers had a device, and it’s very common inside hospitals or inside industrial control areas for us not to have the signature because they’re usually fairly clamped down, and so on and so forth.

Scott Custer:
But yes, there is a mechanism that lets you add your own signatures to our product. And then if you’re willing to share them with us, we’re more than happy to put them in the product and the general release. So upcoming releases will have those fingerprints in them, but they’re very straightforward. It’s basically, right now, editing the XML document, but we’re looking to put a wizard in the document to say, “These are the devices that I want to fingerprint. This is the fingerprint I want to apply to them, press the go button.” And then every device that matches that fingerprint automatically gets updated in the database. So we’re going to make it easier and easier for folks to have those interest.

Randy Franklin Smith:
And let’s see here, we’ve got some awesome questions. Thank you, folks. A different James asks, “Can I specifically collect all interfacing IPs? And can I collect all IPs that have an enter-exit network, or sorry, that enter and exit my network?”

Scott Custer:
So I think the first part of that question is interface-related. So if we have…

Randy Franklin Smith:
No, internet-facing IPs, interface-related stuff.

Scott Custer:
I think the first section is interfaces, so if we’re able to get SNMP access to a device, we can pull its interface table. Well, there are a few other ways to gather interface data from a device, through our path discovery, actually: if we go through a device and it sends us in multiple directions, we’ll use a proprietary stitching algorithm to say all of these paths actually belong to this one device.

Scott Custer:
So we can give you correlative information based on empirical discovery and say, “We went out and found these things and we pulled them all together.” Interface-specific data we have to gather through SNMP. The second piece is we put together what we call a perimeter devices report. So there’s a lot of different techniques to do this, but the one that we use typically is based on IP space, right? So just for this particular conversation, we have an organization that has private IP space.

Scott Custer:
Let’s say I want perimeter. So we have organizations using private IP space internally and public IP space externally. So what we can do is gather or run a report that says, “Here’s all of the devices that have both public and private interface information, or public and private IP information, on the same device.”

Scott Custer:
And that allows us to say, “Okay, now let’s start looking closer at these devices as to whether or not they should be perimeter devices.” And then we can actually mark them in the product as a perimeter device and say, “Okay, now we validated that this is an actual under-management device.” And so we can say, “There are now 10 perimeter devices; if that number goes up, let me know.”

Scott Custer:
So this allows you to have control over your perimeter, because from a straight-up IP standpoint it doesn’t care; it’s going to go through NAT, it’s going to go through its routing. But from an administrative control perspective, you need to use the information that we gathered through path discovery and through potential queries of endpoint routers to say, “Yes, this is my perimeter device, and this is the number that you should have. And if there’s more than that, send me the email to alert me to the fact that that number has grown.”

Randy Franklin Smith:
Well, I think that brings us to the end folks. Thanks a lot for spending time with us today. As always, we hope this was valuable to you technically and educationally. And Scott, thank you from Lumeta and FireMon for making today’s real training for free possible.

Scott Custer:
Oh, you’re very welcome. And thank you very much for having me. It’s been a pleasure and thanks for all your great questions and all your attendance.

Randy Franklin Smith:
All right, folks, have a great day. We’ll be in touch again soon, but bye-bye for now.
