Compliance Monitoring and Asset Synchronization
The Respond and Orchestrate platforms enable better asset synchronization and compliance monitoring for your security team.
Category: Endpoint, Identity Management Services
Cyware Products Used:
Respond
Orchestrate
Third-party Integrations Used:
Mosyle: Mosyle is an Apple endpoint management and security platform with solutions for education providers and enterprises. It is the source of the device and user inventory in this use case.
Crowdstrike EDR: The Crowdstrike EDR agent is installed on endpoints to monitor their activity. In this use case it is queried to confirm which devices actually have the agent installed.
Problem Statement
Today’s security operations require assets to be synchronized and monitored in real time to ensure that every asset in the organization complies with security and business policies. It is equally important for security teams to keep the organization’s devices and users in sync so they can manage all assets in one place, discover security vulnerabilities, monitor assets for threats, and automatically validate and enforce security policies.
Solution
The solution is to synchronize new and existing assets including devices and users automatically at regular intervals. This enables security teams to view all the asset information in one place and continuously monitor end-user devices. Moreover, security teams can correlate device information with incidents to quickly connect the dots, investigate, and respond to cyber threats like breaches, ransomware, and malware.
How do we solve this problem?
Retrieve Latest Assets: The playbook starts by retrieving all the latest asset details from the Mosyle application at regular time intervals.
Filter Assets: The playbook then filters the newly retrieved assets into types such as devices and users. The filtered devices and users are sent to the Respond application for asset synchronization.
Verify EDR Compliance: The identified devices are cross-checked against the Crowdstrike application to see whether they have the Crowdstrike EDR agent installed. Devices without an EDR agent are counted as non-compliant, and the details are recorded as notes on the corresponding asset in the Respond asset repository. The playbook also sends a non-compliance report to the IT and security teams based on various other compliance parameters.
Add or Update Users: If the retrieved user details are not present in the Respond asset repository, the playbook automatically creates new users and updates the relevant details to the repository. If the user already exists, then the playbook updates the details of the user.
Add or Update Devices: If the retrieved device details are not present in the Respond asset repository, the playbook automatically creates a new device and updates the relevant details in the repository. If the device already exists, then the playbook updates the details of the device.
Notify Security Team: The playbook generates a summary of the assets newly added to the Respond asset repository and sends an email to the security and IT teams.
Optional Configuration
You can further enhance this use case to validate other compliance parameters such as pending operating system updates, users not associated with any device, multiple users associated with a single device, and more. The playbook also sends a compliance report to key stakeholders based on the identified conditions.
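The reconciliation logic behind the playbook steps above (filter the inventory into devices and users, upsert each into the asset repository, flag devices that lack the EDR agent, and report) and the optional checks from this section (pending OS updates, users with no device) can be expressed in a few dozen lines. The following is an added illustration written for this page, not Cyware, Mosyle or CrowdStrike code: the Mosyle export, the CrowdStrike host list and the initial state of the Respond asset repository are all constructed in-memory sample data, and the field names (`serial`, `os_update_pending`, `notes`) are assumptions rather than either vendor's schema.

```python
"""Asset synchronization and compliance check (added example, hypothetical data).

Constructed sample data stands in for the Mosyle asset feed, the CrowdStrike
host list and the Respond asset repository; field names are assumed.
"""
from typing import Dict, List, Set, Tuple

# Constructed Mosyle export: a mix of device and user records.
MOSYLE_ASSETS: List[dict] = [
    {"type": "device", "serial": "C02AAA111", "name": "mbp-alice", "user": "alice@example.com", "os_update_pending": False},
    {"type": "device", "serial": "C02BBB222", "name": "mbp-bob", "user": "bob@example.com", "os_update_pending": True},
    {"type": "device", "serial": "C02CCC333", "name": "mbp-spare", "user": None, "os_update_pending": False},
    {"type": "user", "email": "alice@example.com", "name": "Alice"},
    {"type": "user", "email": "bob@example.com", "name": "Bob"},
    {"type": "user", "email": "carol@example.com", "name": "Carol"},
]

# Constructed set of device serials on which CrowdStrike reports the EDR agent.
CROWDSTRIKE_HOSTS: Set[str] = {"C02AAA111"}


def make_repo() -> Dict[str, dict]:
    """Constructed starting state of the asset repository: one known device and user."""
    return {
        "devices": {"C02AAA111": {"serial": "C02AAA111", "name": "mbp-alice-old",
                                  "user": "alice@example.com", "os_update_pending": False, "notes": []}},
        "users": {"alice@example.com": {"email": "alice@example.com", "name": "Alice"}},
    }


def split_assets(assets: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Filter step: separate the raw feed into device and user records."""
    devices = [a for a in assets if a.get("type") == "device"]
    users = [a for a in assets if a.get("type") == "user"]
    return devices, users


def upsert(table: Dict[str, dict], key: str, record: dict) -> str:
    """Create the record if the key is unknown, otherwise update it in place.
    Existing compliance notes are preserved because `record` never carries them."""
    if key not in table:
        table[key] = dict(record)
        return "created"
    table[key].update(record)
    return "updated"


def check_compliance(device: dict, edr_serials: Set[str]) -> List[str]:
    """Return the findings for one device; an empty list means compliant."""
    findings = []
    if device["serial"] not in edr_serials:
        findings.append("EDR agent not installed")
    if device.get("os_update_pending"):
        findings.append("operating system update pending")
    if not device.get("user"):
        findings.append("no user associated with device")
    return findings


def run_sync(assets: List[dict], edr_serials: Set[str], repo: Dict[str, dict]) -> dict:
    """One playbook run: upsert users and devices, record findings as notes, build a summary."""
    devices, users = split_assets(assets)
    summary = {"created_users": [], "updated_users": [], "created_devices": [],
               "updated_devices": [], "non_compliant": {}, "users_without_device": []}
    for user in users:
        record = {k: v for k, v in user.items() if k != "type"}
        summary[upsert(repo["users"], user["email"], record) + "_users"].append(user["email"])
    for dev in devices:
        record = {k: v for k, v in dev.items() if k != "type"}
        summary[upsert(repo["devices"], dev["serial"], record) + "_devices"].append(dev["serial"])
        findings = check_compliance(dev, edr_serials)
        if findings:
            # Non-compliance details are attached to the asset as notes, as the playbook does.
            repo["devices"][dev["serial"]].setdefault("notes", []).extend(findings)
            summary["non_compliant"][dev["serial"]] = findings
    # Optional check: users that no device in the feed is assigned to.
    assigned = {d.get("user") for d in devices}
    summary["users_without_device"] = sorted(u["email"] for u in users if u["email"] not in assigned)
    return summary


def build_report(summary: dict) -> str:
    """Plain-text summary suitable for the notification e-mail."""
    lines = [f"New devices: {len(summary['created_devices'])}, updated: {len(summary['updated_devices'])}",
             f"New users: {len(summary['created_users'])}, updated: {len(summary['updated_users'])}",
             f"Non-compliant devices: {len(summary['non_compliant'])}"]
    for serial, findings in sorted(summary["non_compliant"].items()):
        lines.append(f"  {serial}: {'; '.join(findings)}")
    if summary["users_without_device"]:
        lines.append("Users without a device: " + ", ".join(summary["users_without_device"]))
    return "\n".join(lines)


if __name__ == "__main__":
    repo = make_repo()
    print(build_report(run_sync(MOSYLE_ASSETS, CROWDSTRIKE_HOSTS, repo)))
```

The upsert keys devices by serial number and users by e-mail address, so a device renamed in Mosyle updates the existing repository entry instead of creating a duplicate; the notes list on a device is left untouched by updates so earlier findings are not silently erased.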
Benefits
Proactive Risk Protection
Organizations can identify, assess and address the security risks posed by devices and assets of all types while taking proactive steps to protect their devices, networks, and data.
Improved Cybersecurity Asset Management
Security teams can discover and track assets in real time, perform continuous risk assessment, and immediately segment untrusted assets from the rest of the network.
Real-Time Synchronization
Organizations can keep all assets in synchronization with the incident response solution and provide security teams with real-time access to all the device and user details.