Sevco Security Shorts: Dashboards and Query Reports

As you’ve seen these last few weeks, we’ve been releasing a series of videos from Chief Strategy Officer Brian Contos highlighting how Sevco’s 4D Asset Intelligence platform works, and how organizations can use it to better understand their IT environment. We call them Sevco Security Shorts.

Now, we’re posting the transcripts of this series for those who would prefer to read the content.

Hey, everybody. Today we’re talking about dashboards and query reports, and this is a great way to get a high level executive overview. And then within one click, drill down into granular detail. 

So at the top here, we see total devices and total users, and these are both broken up based on a seven-day moving average, giving me a nice high level perspective of the number of devices and users in my environment. Then we come down to this middle section where we see our enterprise endpoint controls coverage, and this is further divided up by Windows, Windows Server, and macOS. And then we separate this based on endpoint security, configuration management, and directory services.

So if I come into configuration management, for example, I see that there’s 9,012 devices, but I see there’s actually a gap here because 88.5% of the devices are represented in our configuration management solution, which is Automox. 

But if I want to see the gap, well, I click on gaps and I can very quickly pull up this view, which is about 1,032 devices that aren’t running Automox but should be running Automox. So this is a powerful capability, and again, one click I can get to that detail.

If we look at this bottom section, this is looking at device sources and we see there’s nine device sources here, and I can scroll through a whole bunch of different ones. But there’s CrowdStrike, Microsoft Active Directory, Malwarebytes. And let’s say, for example, I’m moving from Malwarebytes to CrowdStrike, or I’m moving from CrowdStrike to Malwarebytes, and I want to track my licensing and how many I’ve actually moved over and say, “Okay, this is great. Now I’ve got 10,000 devices that are actually on CrowdStrike, and last week maybe I only had 6,000 devices,” or vice versa.

So this is a really great way to track kind of that workflow and that process when you’re moving from one device to another. But more generally, this is a great way of tracking license usage. 

Now, we see in virtually every organization, they have too many and too few licenses. So what do I mean by that? Well, about 17% of EDR and about 6% of patch management licenses just go unused. They’ve been acquired, but they haven’t been deployed on anything. 

While on the other side of that coin, about 19% of devices are missing EDR and about 27% of devices are missing patch management. And these are actually devices that can be running these solutions and should be running these solutions, but they are not. 

So being able to track what you’ve paid for in terms of licensing and what your actual usage is is extremely beneficial.

Now, if I pick one of these, we’ll just take Malwarebytes, I can drill into this data and say pull up all the relevant Malwarebytes data. Now it’s going to go ahead and query the Malwarebytes backend by making that API call. And what do we see here? Well, we see about 8,310 devices, but 705 of these are stale.

So what’s stale mean? Well, as you can see here in this popup, it’s source assets that have not been active in over 30 days. Well, wow, that’s a problem. I’d like to really research this now with the IT operations team and the security team. I can export this as a CSV if I’d like, and then I can share that. So for example, I’ve done this and I’ve put it in a spreadsheet so it will automatically separate this data, so it makes it very easy for somebody that perhaps doesn’t have access to the Sevco platform to still leverage the information from Sevco.

Now let’s move out of dashboards and take a look at query reports. Now, as you might recall from previous videos, when you create a query, that query can have an action. That action might be to send an email or something else, or it could be to actually create a query. And if you create a query for yourself, that’s called “My query” and it’ll show up here. There’s also organization-wide queries, which are called “Org-wide queries”, which you see here. And then “Global queries”, which ship with the solution. You’re going to find them the first time that you actually start using Sevco. Things like total devices, daily new devices, and so on.

Now, let’s take a look at this Org-wide query. It says No CS for CrowdStrike, and it’s not CS Exempt. So it’s not running CrowdStrike, and it’s not a device that’s been marked as, hey, it’s okay for you not to run CrowdStrike. And we can go ahead and execute this query now and it’s going to pull up 255 devices. 

Now, if you remember our video on creating queries and using tags, this query is based on a source that does not equal CrowdStrike. The tag does not equal CS Exempt. And the OS platform is going to be Windows or Windows Server or Linux. But now I have those 250 devices, I can take a look at them. I see, okay, well, a lot of them are actually running Automox, so that’s cool, but they don’t seem to really be running anything else.


Again, having this type of information at a high level can be very, very powerful because sometimes you just want that quick snapshot, or you want to share with somebody that’s perhaps not a hands-on operator and give them a quick perspective of what’s happening in the organization. But from an operational side, you can click on this information because it is active and drill into that near real-time data to actually affect change.
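The three pieces of logic the transcript walks through (the per-control coverage percentage and its gap list, the “stale” definition of a source asset not seen in over 30 days, and the org-wide “No CS and not CS Exempt” query) can be reproduced over a correlated asset inventory. The Python below is an added worked example, not Sevco’s code or API; the source and tag names (Automox, CrowdStrike, Malwarebytes, Active Directory, “CS Exempt”) come from the video, while the device records, the `seen` per-source last-active field, and the fixed reference time are constructed assumptions for this example. The query function generalizes the video’s single query into a filter over any source, tag and platform set.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed reference time so the "stale" check is reproducible offline (assumption).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)


def _ago(days):
    return NOW - timedelta(days=days)


# Constructed sample inventory (not real Sevco data). Field names are assumptions for
# this example: "seen" maps each source that reports the device to the last time that
# source saw it, mirroring the per-source "last active" the dashboard's stale count uses.
ASSETS = [
    {"id": "d1", "os": "Windows",        "tags": set(),         "seen": {"CrowdStrike": _ago(1), "Automox": _ago(1), "Active Directory": _ago(1)}},
    {"id": "d2", "os": "Windows Server", "tags": set(),         "seen": {"Automox": _ago(2), "Active Directory": _ago(2)}},
    {"id": "d3", "os": "Linux",          "tags": {"CS Exempt"}, "seen": {"Active Directory": _ago(3)}},
    {"id": "d4", "os": "macOS",          "tags": set(),         "seen": {"Malwarebytes": _ago(45)}},
    {"id": "d5", "os": "Linux",          "tags": set(),         "seen": {"CrowdStrike": _ago(5), "Malwarebytes": _ago(5)}},
    {"id": "d6", "os": "Windows",        "tags": set(),         "seen": {"Automox": _ago(40)}},
    {"id": "d7", "os": "Windows Server", "tags": set(),         "seen": {"CrowdStrike": _ago(2), "Malwarebytes": _ago(2)}},
]


def coverage(assets, control_source, platforms):
    """Return (covered, total, percent) for one control over the given OS platforms.
    This is the 'enterprise endpoint controls coverage' figure: the share of in-scope
    devices that the control's source actually reports."""
    in_scope = [a for a in assets if a["os"] in platforms]
    covered = [a for a in in_scope if control_source in a["seen"]]
    pct = round(100.0 * len(covered) / len(in_scope), 1) if in_scope else 0.0
    return len(covered), len(in_scope), pct


def coverage_gap(assets, control_source, platforms):
    """Devices on an in-scope platform that the control's source does not report:
    the 'should be running it but isn't' list behind the dashboard's gap count."""
    return sorted(a["id"] for a in assets
                  if a["os"] in platforms and control_source not in a["seen"])


def stale_assets(assets, source, now=NOW, max_age_days=30):
    """Source assets that source has not seen for more than max_age_days
    (the popup's definition of stale: not active in over 30 days)."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(a["id"] for a in assets
                  if source in a["seen"] and a["seen"][source] < cutoff)


def missing_source_query(assets, source, exempt_tag, platforms):
    """General form of the org-wide query: source != <source> AND tag != <exempt_tag>
    AND OS platform in <platforms>."""
    return sorted(a["id"] for a in assets
                  if source not in a["seen"]
                  and exempt_tag not in a["tags"]
                  and a["os"] in platforms)


def no_cs_not_exempt(assets):
    """The exact query from the video: no CrowdStrike, not tagged CS Exempt,
    Windows / Windows Server / Linux."""
    return missing_source_query(assets, "CrowdStrike", "CS Exempt",
                                {"Windows", "Windows Server", "Linux"})


def export_csv(assets, ids):
    """CSV export of the selected devices, for sharing with people who lack platform access."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "os", "sources", "tags"])
    for a in assets:
        if a["id"] in ids:
            writer.writerow([a["id"], a["os"],
                             ";".join(sorted(a["seen"])), ";".join(sorted(a["tags"]))])
    return buf.getvalue()


if __name__ == "__main__":
    cm_platforms = {"Windows", "Windows Server", "macOS"}
    print("Automox coverage (covered, total, %):", coverage(ASSETS, "Automox", cm_platforms))
    print("Automox gap:", coverage_gap(ASSETS, "Automox", cm_platforms))
    print("Stale Malwarebytes assets:", stale_assets(ASSETS, "Malwarebytes"))
    print("No CS and not CS Exempt:", no_cs_not_exempt(ASSETS))
    print(export_csv(ASSETS, set(no_cs_not_exempt(ASSETS))))
```

Running it over the constructed inventory shows the same shape of result as the dashboard: three of five in-scope devices report Automox (60% coverage, gap `d4` and `d7`), one Malwarebytes asset is stale, and the org-wide query returns the two Windows-family devices with no CrowdStrike that are not exempt, which the CSV export then hands to the IT operations and security teams.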

Interested in seeing how Sevco can give you this kind of visibility in your own IT environment? Click here to schedule a personalized 1:1 demo with our team.

