Sevco Security Shorts: Geo and Network View

Over the last few weeks, as you’ve seen, we’ve been releasing a series of videos from Chief Strategy Officer Brian Contos highlighting how Sevco’s 4D Asset Intelligence platform works and how organizations can use it to better understand their IT environment. We call them Sevco Security Shorts.

Now we’re posting the transcripts of this series for those who would prefer to read the content.

Hey everybody. Today we’re going to look at assets from a geographical and a network perspective. 

But before I get into that, I want to create a filter here with my Venn diagram. So I’m going to choose Automox, CrowdStrike, and Microsoft Active Directory. Now we can see there are about 5,553 devices across those three sources that also follow my query filter. And that query filter simply says, in regards to CrowdStrike, the last activity is on or before 14 days ago. Or, also in regards to CrowdStrike, the agent version does not exist. So a pretty basic query that we’ve covered before. 

Well further, instead of having 5,000 plus devices, I just want to look at Windows servers. So now we’re going to drop this down to 45 devices, 30 of which have public IP location information. Those 30 devices are represented here.

Now, I can take this map and actually drill into it. Here’s 19 devices. Those 19 devices exist in a data center, so I expect to see those 19 devices. 

And here’s one. This is a remote office. So here we actually have the OS, the platform, the geolocation IP, the internal IP, domain information, associated usernames, and other important information. 

Now, this is a really handy tool looking at information from a geographical perspective. It can point out anomalies pretty quickly. For example, here’s a device that’s in Alaska. So if I want to drill into this device to get a little bit more data, we find out that it’s in North Pole, Alaska, which has a population of about 2,200 people. And fun fact, they have Christmas all year long. If you look at this device, again, we see all the relevant information that we saw from the other one. Also, we see the username and all that data.

Now this might be perfectly normal or it might be an anomaly, but at least you know, and now you can take other steps if you want to go look at this device in more detail. 

But let’s look at things from a network perspective now. So I’m going to choose this selection here in the Venn diagram, which is Automox and Microsoft Active Directory, of which there’s only 15 devices. Again, you see them represented here on the map, including that guy way out there in North Pole, Alaska. 

So instead of geo, I’m going to click on network. And here’s my network view. All 15 devices are considered on-prem. Nothing’s coming from the cloud, nothing from unknown, so that’s good. 

But wait a second. How can they be all on-prem when we know that this device over here was coming from Alaska? 

Well, that could be as simple as the device is physically in Alaska, but maybe it’s also coming in across a VPN, through the firewall, into the internal network.

Now, based on that, we know that the device is both, one, located in Alaska physically and, two, on-prem from a network perspective. 

And again, that juxtaposition is really great to understand. And all this information, again, is sourced without having any agents installed on these devices. It’s being pulled via API connections to tools like Automox, CrowdStrike, and Microsoft Active Directory, from those management consoles.
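The walkthrough above boils down to a few steps a practitioner can reproduce with their own inventory exports: union the records from several management consoles, keep the hosts present in all three, apply the “sensor last seen on or before 14 days ago, or no agent version” filter, narrow to Windows servers, and then compare what the public IP says about location with what the internal IP says about the network. The script below is an added illustration of that logic, not Sevco’s code and not from the video. Every inventory, hostname, address, geolocation entry, and the list of expected sites is constructed sample data; the on-prem/cloud/unknown classification is a simplified heuristic (private internal address means on-prem) and is an assumption, not how any particular product decides.

```python
"""Correlate asset records from several management consoles, filter for stale or
missing EDR sensors, then compare the geo view (public IP) with the network view
(internal IP). All sample data below is constructed for illustration; a real
deployment would fetch these records from each vendor's API."""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
STALE_AFTER = timedelta(days=14)
EXPECTED_SITES = {"Ashburn, Virginia", "Austin, Texas"}  # assumed known DC/office locations

# Constructed inventories keyed by hostname. Real correlation would also match on
# MAC, serial and cloud instance IDs, since hostnames are not unique across sources.
AUTOMOX = {
    "srv-dc-01":     {"os": "Windows Server 2019", "internal_ip": "10.1.1.10"},
    "srv-dc-02":     {"os": "Windows Server 2019", "internal_ip": "10.1.1.11"},
    "srv-remote-01": {"os": "Windows Server 2016", "internal_ip": "10.2.0.5"},
    "srv-ak-01":     {"os": "Windows Server 2019", "internal_ip": "10.1.5.23"},
    "ws-laptop-01":  {"os": "Windows 10",          "internal_ip": "10.3.0.40"},
    "lnx-web-01":    {"os": "Ubuntu 22.04",        "internal_ip": "10.1.2.8"},
}
CROWDSTRIKE = {
    "srv-dc-01":     {"public_ip": "203.0.113.10",  "last_seen": NOW - timedelta(days=30), "agent_version": "6.45"},
    "srv-dc-02":     {"public_ip": "203.0.113.10",  "last_seen": NOW - timedelta(days=2),  "agent_version": "6.45"},
    "srv-remote-01": {"public_ip": "203.0.113.200", "last_seen": NOW - timedelta(days=1)},  # no agent_version field
    "srv-ak-01":     {"public_ip": "198.51.100.77", "last_seen": NOW - timedelta(days=20), "agent_version": "6.40"},
    "ws-laptop-01":  {"public_ip": "198.51.100.9",  "last_seen": NOW - timedelta(days=40), "agent_version": "6.45"},
    "lnx-web-01":    {"public_ip": "203.0.113.10",  "last_seen": NOW - timedelta(days=15), "agent_version": "6.45"},
}
ACTIVE_DIRECTORY = {name: {"domain": "corp.example", "user": f"svc-{name}"} for name in AUTOMOX}

# Constructed geolocation table standing in for a real IP-to-location lookup.
GEO_LOOKUP = {
    "203.0.113.10":  "Ashburn, Virginia",
    "203.0.113.200": "Austin, Texas",
    "198.51.100.77": "North Pole, Alaska",
    "198.51.100.9":  "Austin, Texas",
}

SOURCES = {"automox": AUTOMOX, "crowdstrike": CROWDSTRIKE, "active_directory": ACTIVE_DIRECTORY}


def merge_assets(sources=SOURCES):
    """Union of every hostname across sources, remembering which sources saw it."""
    merged = {}
    for source, records in sources.items():
        for host, rec in records.items():
            asset = merged.setdefault(host, {"hostname": host, "sources": set()})
            asset["sources"].add(source)
            asset.update(rec)
    return merged


def in_all(asset, required=("automox", "crowdstrike", "active_directory")):
    """The Venn selection: only hosts reported by every required source."""
    return set(required) <= asset["sources"]


def stale_or_missing_sensor(asset, now=NOW, stale_after=STALE_AFTER):
    """The query filter: CrowdStrike last activity on or before 14 days ago,
    OR no CrowdStrike agent version (no record, or record without the field)."""
    if "crowdstrike" not in asset["sources"] or "agent_version" not in asset:
        return True
    return asset["last_seen"] <= now - stale_after


def is_windows_server(asset):
    return asset.get("os", "").startswith("Windows Server")


def network_view(asset):
    """Assumed heuristic: private (RFC 1918) internal address means on-prem,
    a public internal address suggests a cloud instance, no address is unknown."""
    ip = asset.get("internal_ip")
    if ip is None:
        return "unknown"
    return "on-prem" if ipaddress.ip_address(ip).is_private else "cloud"


def geo_view(asset, lookup=GEO_LOOKUP):
    return lookup.get(asset.get("public_ip"))


def report(now=NOW):
    """Apply the selection and filter, then attach both views to each surviving host."""
    rows = []
    for asset in merge_assets().values():
        if not (in_all(asset) and stale_or_missing_sensor(asset, now) and is_windows_server(asset)):
            continue
        geo, net = geo_view(asset), network_view(asset)
        rows.append({
            "hostname": asset["hostname"],
            "geo": geo,
            "network": net,
            # On-prem by network view but geolocated away from every known site:
            # the "device in Alaska on the internal network" case, typically a VPN.
            "geo_network_mismatch": net == "on-prem" and geo not in EXPECTED_SITES,
        })
    return sorted(rows, key=lambda r: r["hostname"])


if __name__ == "__main__":
    for row in report():
        print(row)
```

Run as-is, `report()` keeps three hosts: one stale sensor in the data center, one with no agent version at a known office, and one stale sensor whose public IP geolocates to Alaska while its internal address is private. Only the last is flagged, which is the juxtaposition the video points out; whether that is a VPN user or something to investigate is a decision for the analyst, and the mismatch flag is just what tells them to look.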

Interested in seeing how Sevco can give you this kind of visibility in your own IT environment? Click here to schedule a personalized 1:1 demo with our team.
