Elemental Cyber Security FAQ
Frequently Asked Questions
- What does the Elemental Security Platform do?
- What is unique about the Elemental solution?
- Why is visibility into the network environment important?
- What is the role of access control in the Elemental ESP?
- What security problems does ESP address?
- What are the key benefits offered by ESP?
- How does Elemental Security's ESP help in meeting internal and regulatory audit requirements?
- What factors should I consider when evaluating policy management products?
- What is a Rule?
- What is a Policy?
- What kinds of policies are supported?
- Can I create custom policies?
- Can exceptions be granted to policies?
- What is your policy language? What are the advantages of a language-based approach? Do I need to learn a new scripting or programming language to use your product?
- How are new policies added to an Elemental ESP installation?
- How are policies targeted and deployed?
- Why is change in the network environment an important consideration in managing policies?
- What automation is enabled by ESP?
- What is Dynamic Grouping?
- How is inventory classification used in managing policies?
- Can the Elemental system provide security for hosts not running the ESP agent?
- Does the ESP Agent work when the host is not connected to the local network?
- How can ESP help protect sensitive information?
- How does ESP remediate policy compliance violations?
- What kinds of reports are provided?
- How does ESP control access to key systems?
- Is an inline appliance required to control how a host communicates with other hosts on my network?
- Is ESP compatible with Cisco NAC?
- Why should I deploy an agent-based solution versus an agent-less solution?
- What performance impact will your product have on my hosts?
- How much network traffic does your system generate?
What does the Elemental Security Platform do?
The Elemental Security Platform (ESP) helps you identify and resolve security and compliance problems in dynamic enterprise networks. ESP allows you to easily specify custom security policies, then it will automatically apply them as and where they're needed. ESP closely aligns security policy management with business objectives by providing deep visibility into the security posture and activity of individual computers. ESP provides unified monitoring and remediation capabilities, to ensure compliance with your security policies, to mitigate risk, and to measurably improve the security of computing resources.
What is unique about the Elemental solution?
ESP uniquely combines policies which address host configuration, inventory, and network access control into a single unified policy framework. ESP provides more than 2000 rules and an extensive array of policy templates which you can combine and extend to express your own custom security policies. Dynamic grouping of hosts according to shared attributes, powered by continuous monitoring of hosts on the network, enables organizations to reduce the effort and minimize errors of manual policy provisioning. The unified policy framework provides comprehensive and continuous monitoring for compliance, and provides a means of controlling the security posture of machines on the network.
Why is visibility into the network environment important?
In addition to gathering extensive information about the configuration, inventory, and network activity of machines running the ESP agent, ESP also discovers and passively profiles any unmanaged machines that may be observed on the network. This deep visibility enables ESP to dynamically group machines based on business roles and common characteristics of users and computers. By continuously updating this information and dynamically rebuilding host group memberships, ESP always provides you with an accurate map of the ever-changing network environment. This layer of automation enables organizations to efficiently manage security policies by quickly identifying changes or anomalies in the network. ESP enables precise targeting and automatic updating of security policies.
What is the role of access control in the Elemental ESP?
Host level access controls are a key part of the ESP solution. The ESP agent can block or permit traffic to restrict communications between hosts on the network in accordance with your security policies. For example, you can deny access to critical resources if a requesting system does not meet certain compliance requirements, and you can have different access control policies for different resources. By leveraging its deep visibility into the roles and security posture of computers and users, ESP enables simple implementation of role based access controls that automatically adapt to changes in the network environment.
What security problems does ESP address?
Some key uses of the ESP system include the following:
- Provides centralized, in-depth visibility into the state of individual computers
- Automates compliance with SOX, PCI or HIPAA requirements
- Reduces frequency of SOX audits via automation
- Protects sensitive resources from unmanaged, unknown or non-compliant systems
- Provides a consistent security solution for distributed, cross platform enterprises
- Monitors and enforces policies on end users' computers on an ongoing basis
- Automates the ops team's system hardening manual
- Establishes baselines and metrics for managing and improving the current state of security
- Restricts access to network resources based on host configuration or policy compliance
- Prevents the unauthorized copying of files to writeable and external storage devices
What are the key benefits offered by ESP?
- Reduces time and cost for audits
- Decreases the time and effort to monitor and enforce policies
- Prevents security incidents and their associated costs
- Detects anomalies and identifies high-risk assets
- Provides metrics to measure the security and compliance posture of systems
- Mitigates risks associated with unknown and non-compliant systems
How does Elemental Security's ESP help in meeting internal and regulatory audit requirements?
The Elemental Security Platform (ESP) can perform quick, standardized evaluations of compliance with complicated regulatory laws and standards. Moreover, you can customize those evaluations to your own organization's needs, including where and when the security policies apply. You can tailor the content and target the deployment of policies to support the business objectives of the organization.
What factors should I consider when evaluating policy management products?
Enterprise security infrastructure and requirements are continually evolving. Some key questions to consider when evaluating policy management products include:
- Will the solution adapt to my changing needs? Is it flexible enough to solve not just the problems I know I have now, but also those I will face in the future?
- Can I use the solution across much of my infrastructure? Can the solution give me visibility into all my network assets, even those I don't already know about?
- Do I need to put an agent on every machine, or can I achieve my policy objectives through partial deployments?
- Does the solution reduce the effort required to manage policies across the organization?
- Are there cost savings that result from its implementation?
What is a Rule?
An ESP Rule is the most basic element of a policy within the Elemental Security Platform. Rules address specific host configuration settings and/or network access control security requirements.
What is a Policy?
A Policy is a collection of rules and other policies.
What kinds of policies are supported?
ESP provides pre-configured policies for both Regulatory Compliance (SOX, HIPAA, PCI) and Third Party best practices (CIS, NAS, NIST, DISA, Microsoft, and Oracle).
Can I create custom policies?
Yes - the ESP management interface provides a visual policy editor that makes it simple to customize policies to meet your specific requirements.
Can exceptions be granted to policies?
Exceptions can be granted on an individual basis for any rule. Granted exceptions will not skew compliance metrics.
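The three answers above describe a policy as a tree (rules and nested policies) whose compliance metric excludes rules with a granted exception. The following Python is an added illustration of that model, not Elemental code and not FUEL; the rule ids, setting names and host values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Union

# A host's configuration state as observed by an agent: setting name -> value.
HostState = Dict[str, object]


@dataclass
class Rule:
    """The most basic element of a policy: one named check against host state."""
    rule_id: str
    check: Callable[[HostState], bool]


@dataclass
class Policy:
    """A policy is a collection of rules and other policies."""
    name: str
    members: List[Union[Rule, "Policy"]] = field(default_factory=list)

    def rules(self) -> List[Rule]:
        """Flatten the tree so nested policies contribute their rules."""
        out: List[Rule] = []
        for m in self.members:
            out.extend([m] if isinstance(m, Rule) else m.rules())
        return out


def evaluate(policy: Policy, host: HostState,
             exceptions: FrozenSet[str] = frozenset()):
    """Evaluate every rule in the tree against one host.

    Returns (compliance_percent, failed_rule_ids, excepted_rule_ids).
    A rule with a granted exception is recorded but left out of the
    metric's denominator, so exceptions do not skew the percentage.
    """
    failed: List[str] = []
    excepted: List[str] = []
    scored = 0
    for r in policy.rules():
        if r.rule_id in exceptions:
            excepted.append(r.rule_id)
            continue
        scored += 1
        if not r.check(host):
            failed.append(r.rule_id)
    passed = scored - len(failed)
    pct = 100.0 if scored == 0 else round(100.0 * passed / scored, 1)
    return pct, failed, excepted


# Constructed sample rules (hypothetical ids and settings, not product content).
SSH_POLICY = Policy("ssh-hardening", [
    Rule("ssh-no-root-login", lambda h: h.get("ssh_permit_root_login") == "no"),
    Rule("ssh-protocol-2", lambda h: h.get("ssh_protocol") == 2),
])
HARDENING_POLICY = Policy("server-hardening", [
    Rule("pw-min-length-12", lambda h: int(h.get("password_min_length", 0)) >= 12),
    Rule("no-telnet-server", lambda h: not h.get("telnet_server_installed", False)),
    SSH_POLICY,  # a policy nested inside another policy
])

# Constructed host state: two of the four rules fail.
SAMPLE_HOST: HostState = {
    "password_min_length": 8,
    "telnet_server_installed": True,
    "ssh_permit_root_login": "no",
    "ssh_protocol": 2,
}


def compliance_without_exception():
    return evaluate(HARDENING_POLICY, SAMPLE_HOST)


def compliance_with_exception():
    # Exception granted for the telnet rule only (e.g. a legacy console host).
    return evaluate(HARDENING_POLICY, SAMPLE_HOST, frozenset({"no-telnet-server"}))


if __name__ == "__main__":
    print(compliance_without_exception())  # (50.0, ['pw-min-length-12', 'no-telnet-server'], [])
    print(compliance_with_exception())     # (66.7, ['pw-min-length-12'], ['no-telnet-server'])
```

Note that the excepted rule still appears in the result, so an auditor can see which rules were waived, while the percentage only counts the rules that were actually scored.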
What is your policy language? What are the advantages of a language-based approach? Do I need to learn a new scripting or programming language to use your product?
The Elemental policy language is called FUEL™ - it is based on Python and is easily portable across platforms. However, you do not need to know the FUEL language in order to use the ESP rules and policies. Only the rules are implemented in FUEL; you define policies using the interactive user interface to select rules that have been implemented by Elemental. The language enables highly efficient agent/server communications, provides a very tight coupling between the monitoring and automated enforcement of policy rules, and enables policies to be easily expressed in a manner consistent with how they are written down in enterprise policy manuals.
How are new policies added to an Elemental ESP installation?
Elemental provides policy content updates on a periodic basis for all customers with current maintenance and support contracts. Content is delivered in the form of XML files and is easily imported into the ESP system through the management interface. A Test Space enables users to stage and test new and updated policies before moving them into the Production Space for general use.
How are policies targeted and deployed?
Policies are deployed to sets of hosts that are defined using the ESP Dynamic Grouping feature. The system ships with an extensive collection of host groups which can be used immediately. Users can also define custom groups based on the roles of users and machines, the security posture and inventory of computers, and the activity of machines on the network.
Why is change in the network environment an important consideration in managing policies?
Policies are typically static in nature. Applying and measuring compliance with stated policy is a simple exercise in a non-changing environment. Practically speaking, however, modern networks have an alarmingly high monthly turnover rate (systems being retired, re-tasked, and/or new machines and applications coming on the network). Managing and accurately measuring host configuration and network access in this dynamic environment is nearly impossible without automation.
What automation is enabled by ESP?
The Dynamic Grouping of hosts enabled by the ESP system automates the targeting, provisioning, and updating of policies. As group memberships change, policies are automatically updated. Both host configuration and Network Access Control policies benefit from this automation.
What is Dynamic Grouping?
Dynamic Grouping is the process by which ESP manages membership of host groups (sets of systems) based on specific attributes. An example would be, "all Dell Laptops that are wireless and have writeable USB media, that are running Windows XP, and on which a member of the Finance AD user group is currently logged in." The ESP Dynamic Grouping mechanism allows you to define groups of systems based on these (and many other) criteria, with group membership dynamically updated as machine configurations and logged-in users change. Based on the information continually gathered by the ESP agents, the membership of these groups is refreshed every few minutes.
Dynamic groups provide three basic functions:
- Targeting and automated provisioning of policies
- Simple expression of policies to limit network communications between groups of systems
- Targeted reporting
How is inventory classification used in managing policies?
The ESP Agent collects a comprehensive hardware and software inventory from the host on which it resides. This data can be used to define host groups (based on the presence, or absence, of specific applications, files, patches, CPU type, hardware devices, etc.). The host groups can then be used as targets for policy deployment. Change in inventory can also be used to automatically trigger access control requirements. For example, a policy might be deployed to prohibit the installation of an instant messaging application. If the policy is violated, the ESP agent will deny access to certain specific resources that you have defined.
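The two answers above (Dynamic Grouping, and inventory classification) describe the same mechanism: a group is a predicate over host attributes, membership is recomputed from each inventory refresh, and policies are targeted at groups rather than at individual hosts. This added Python sketch is an illustration of that mechanism, not Elemental's implementation; the attribute names, group names, policy names and the two inventory snapshots are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

# One host's inventory/state as reported by an agent: a flat attribute map.
Host = Dict[str, object]
Inventory = Dict[str, Host]            # host id -> attributes
Membership = Dict[str, Set[str]]       # group name -> member host ids


@dataclass(frozen=True)
class DynamicGroup:
    name: str
    predicate: Callable[[Host], bool]


def refresh_memberships(groups, inventory: Inventory) -> Membership:
    """Recompute every group from the latest inventory snapshot."""
    return {g.name: {hid for hid, h in inventory.items() if g.predicate(h)}
            for g in groups}


def membership_changes(before: Membership, after: Membership) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per group: (hosts that joined, hosts that left) between two refreshes."""
    return {name: (after[name] - before.get(name, set()),
                   before.get(name, set()) - after[name])
            for name in after}


def targeted_policies(host_id: str, membership: Membership,
                      assignments: Dict[str, Set[str]]) -> Set[str]:
    """Policies a host receives: the union of policies assigned to its groups."""
    return {p for grp, members in membership.items() if host_id in members
            for p in assignments.get(grp, set())}


GROUPS = [
    # The FAQ's own example, written as a predicate over constructed attribute names.
    DynamicGroup("finance-xp-wireless-laptops", lambda h:
                 h.get("manufacturer") == "Dell" and h.get("form_factor") == "laptop"
                 and h.get("os") == "Windows XP" and h.get("wireless") is True
                 and h.get("writeable_usb") is True
                 and "Finance" in h.get("logged_in_user_groups", ())),
    # Inventory classification: presence of a prohibited application (constructed names).
    DynamicGroup("im-client-installed", lambda h:
                 bool({"aim.exe", "msnmsgr.exe"} & set(h.get("installed_apps", ())))),
]

# Policies assigned per group (constructed policy names).
ASSIGNMENTS = {
    "finance-xp-wireless-laptops": {"finance-laptop-hardening", "usb-write-block"},
    "im-client-installed": {"deny-access-to-erp"},
}

SNAPSHOT_1: Inventory = {
    "lt-101": {"manufacturer": "Dell", "form_factor": "laptop", "os": "Windows XP",
               "wireless": True, "writeable_usb": True,
               "logged_in_user_groups": ("Finance",), "installed_apps": ("excel.exe",)},
    "lt-102": {"manufacturer": "Dell", "form_factor": "laptop", "os": "Windows XP",
               "wireless": True, "writeable_usb": True,
               "logged_in_user_groups": ("Engineering",), "installed_apps": ("excel.exe",)},
}

# A few minutes later: the Finance user logged off lt-101, and lt-102 gained an IM client.
SNAPSHOT_2: Inventory = {
    "lt-101": {**SNAPSHOT_1["lt-101"], "logged_in_user_groups": ()},
    "lt-102": {**SNAPSHOT_1["lt-102"], "installed_apps": ("excel.exe", "aim.exe")},
}


def run_two_refreshes():
    """Two consecutive refreshes plus the resulting membership deltas."""
    m1 = refresh_memberships(GROUPS, SNAPSHOT_1)
    m2 = refresh_memberships(GROUPS, SNAPSHOT_2)
    return m1, m2, membership_changes(m1, m2)


if __name__ == "__main__":
    m1, m2, delta = run_two_refreshes()
    for name, (joined, left) in delta.items():
        print(name, "joined:", sorted(joined), "left:", sorted(left))
    print("lt-102 now targeted by:", targeted_policies("lt-102", m2, ASSIGNMENTS))
```

The membership delta is what drives automatic re-provisioning: a host that leaves a group stops receiving that group's policies at the next refresh, and a host whose inventory change puts it into a group such as the IM-client group picks up that group's access-control policy without anyone editing a target list.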
Can the Elemental system provide security for hosts not running the ESP agent?
Yes. The ESP Agent serves three general purposes:
- Host configuration management
- Network Access Control (packet filtering)
- Passive network listening
The third feature enables the ESP Agent to passively detect unmanaged machines on the network and classify them to identify network behavior and host details. Based on this classification, the ESP system can dynamically group these unmanaged machines along with managed machines. By deploying network access control policies to the machines that are running the agent, ESP can control what these unmanaged systems are able to do on the network. This is possible because the Elemental access controls are implemented at the host level, meaning that communications with managed hosts can be restricted by controlling just one side of the communication.
Does the ESP Agent work when the host is not connected to the local network?
Yes. The Agent will continue to monitor/enforce the last policy data it received from the server. ESP allows you to apply policies to systems based on their location when connecting to the network, as well as the type of interface being used.
How can ESP help protect sensitive information?
ESP offers a broad spectrum of policies to protect sensitive information. Some examples include:
- Limit network connections to key systems
- Prevent the use of writeable media on end user machines
- Restrict traffic from end user machines going to outside destinations (IM, P2P, ftp, external mail servers, etc.)
- Control file and directory permissions
- Verify file integrity and contents
How does ESP remediate policy compliance violations?
ESP can enforce policy rules. For example, a rule states that file x should have permissions y. If a (privileged) user changes the permissions on the designated file, ESP will first report the non-compliance and then automatically set the permissions back to what the policy originally dictated.
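The report-then-restore loop described above, as an added Python illustration on a POSIX file system (not Elemental's agent code): the check compares the file's permission bits to the value the rule dictates, records the drift, and, when enforcement is on, restores the dictated mode and verifies that the restore took effect. The demo uses a temporary file it creates itself; the expected mode 0600 is a constructed example.

```python
import os
import stat
import tempfile
from typing import Dict


def check_and_remediate(path: str, expected_mode: int, enforce: bool = True) -> Dict[str, object]:
    """Compare a file's permission bits to the policy value; report, then optionally restore.

    Only the permission bits are compared (S_IMODE strips the file-type bits).
    The returned record is what would be reported to the server in both the
    compliant and the non-compliant case.
    """
    actual = stat.S_IMODE(os.stat(path).st_mode)
    record = {
        "path": path,
        "expected": oct(expected_mode),
        "actual": oct(actual),
        "compliant": actual == expected_mode,
        "remediated": False,
    }
    if not record["compliant"] and enforce:
        os.chmod(path, expected_mode)
        # Re-read rather than assume: confirm the restore actually took effect.
        record["remediated"] = stat.S_IMODE(os.stat(path).st_mode) == expected_mode
    return record


def demo(expected_mode: int = 0o600):
    """Create a file, let it drift to world-writeable, and run the check twice."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, expected_mode)
        first = check_and_remediate(path, expected_mode)     # already compliant
        os.chmod(path, 0o666)                                 # simulated privileged change
        second = check_and_remediate(path, expected_mode)    # reported and restored
        final_mode = stat.S_IMODE(os.stat(path).st_mode)
        return first, second, final_mode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    first, second, final_mode = demo()
    print(first)
    print(second)
    print("final mode:", oct(final_mode))
```

A monitor-only deployment would call the check with `enforce=False`: the drift is still reported, which is the behaviour you want while a rule is being staged before automatic remediation is switched on.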
What kinds of reports are provided?
All data is stored in a full-featured relational database. There are extensive predefined reports that can be run directly or scheduled to be run on a periodic basis. Reports can be viewed directly in the UI, exported to CSV or XML format, rendered to printable format, or optionally emailed to specific recipients.
How does ESP control access to key systems?
The ESP system implements access control policies at the host level. The ESP Agent runs at the kernel level and monitors all packets in and out of managed machines to assure they conform to policy. Non-compliant traffic is detected and reported, and, optionally, can be blocked. The access control policies can be expressed using the ESP Dynamic Groups, e.g. "Only Finance users can connect to SAP ERP servers." This enables adaptation of access control policies according to changes in the environment as host group memberships are updated.
Is an inline appliance required to control how a host communicates with other hosts on my network?
No, access controls are monitored and enforced at the host level. The access controls implemented on a protected system are independent of the path a machine may take in attempting communications. Similarly, attempts to send traffic from a managed machine to an unapproved destination are terminated at the source, and your ability to stop such traffic does not depend on the traffic traversing a security appliance.
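The two answers above ("How does ESP control access to key systems?" and the appliance question) describe access rules expressed in terms of host groups and evaluated independently at whichever endpoint runs the agent. This added Python model shows that evaluation; it is an illustration, not Elemental's packet filter. The group memberships are given as precomputed sets (the output a dynamic-grouping engine would supply), and the host names, rule set and port number are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AccessRule:
    src_group: str
    dst_group: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int


def decide(rules: List[AccessRule], groups: Dict[str, Set[str]],
           flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; default-deny when nothing matches."""
    for r in rules:
        if (flow.src in groups.get(r.src_group, set())
                and flow.dst in groups.get(r.dst_group, set())
                and (r.dst_port is None or r.dst_port == flow.dst_port)):
            return r.action
    return default


def enforcement_points(flow: Flow, managed: Set[str]) -> List[str]:
    """Hosts that can act on this flow: every endpoint that runs the agent."""
    return [h for h in (flow.src, flow.dst) if h in managed]


def filter_flow(rules, groups, managed, flow: Flow, enforce: bool = True) -> Dict[str, object]:
    """Evaluate a flow the way each managed endpoint would, and report the outcome."""
    verdict = decide(rules, groups, flow)
    points = enforcement_points(flow, managed)
    return {
        "flow": flow,
        "verdict": verdict,
        "enforced_on": points,                         # empty => no agent on either side
        "blocked": enforce and verdict == "deny" and bool(points),
        "reported": verdict == "deny" and bool(points),
    }


# Constructed memberships; "finance-user-hosts" is the group of hosts where a
# Finance user is currently logged in, as in the FAQ's ERP example.
GROUPS = {
    "finance-user-hosts": {"lt-101"},
    "erp-servers": {"erp-01"},
    "any": {"lt-101", "lt-102", "erp-01", "printer-07"},
}
MANAGED = {"lt-101", "lt-102", "erp-01"}   # printer-07 is unmanaged, seen only passively
ERP_PORT = 3200                             # constructed example port

RULES = [
    AccessRule("finance-user-hosts", "erp-servers", ERP_PORT, "allow"),
    AccessRule("any", "erp-servers", None, "deny"),   # everyone else, any port
    AccessRule("any", "any", None, "allow"),          # unrelated traffic unaffected
]

SAMPLE_FLOWS = [
    Flow("lt-101", "erp-01", ERP_PORT),      # Finance user -> ERP: allowed
    Flow("lt-102", "erp-01", ERP_PORT),      # other managed host -> ERP: stopped at source
    Flow("printer-07", "erp-01", ERP_PORT),  # unmanaged -> ERP: stopped at destination
    Flow("lt-102", "printer-07", 9100),      # unrelated traffic: allowed
]


def run_samples():
    return [filter_flow(RULES, GROUPS, MANAGED, f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for r in run_samples():
        print(r["flow"], r["verdict"], "enforced on", r["enforced_on"])
```

The third sample flow is the case the FAQ makes for host-level control: the printer runs no agent, yet the connection is still denied because the managed ERP server applies the same rule on its own side. Because group membership, not addresses, appears in the rules, a Finance user logging off lt-101 changes the verdict for that host at the next refresh without any rule edit.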
Is ESP compatible with Cisco NAC?
Yes, ESP works with Cisco NAC. The ESP agent integrates with the Cisco Trust Agent to provide security posture information to the CNAC infrastructure. Additionally, the ESP solution provides a layered defense complementing the CNAC controls by making sure machines stay compliant once they are granted access to the network. If hosts become non-compliant or host-configuration changes are observed, ESP can automatically respond and restrict their ability to communicate over your network. ESP supports access control rules that can be implemented at any level of granularity, from restricting access to a few key systems to quarantining a host.
Why should I deploy an agent-based solution versus an agent-less solution?
'Agentless' solutions can typically be more accurately described as 'transient agent' solutions. That is, they are in fact executables that have all the characteristics of an agent (e.g. they require privileges to run, consume system resources, and support communications protocols for communicating with a server). Some key advantages of the ESP persistent agent system architecture include the following:
- In order to see, block or allow network traffic, a persistent presence on the host is required. All packet filters, including the ESP Agent, require this presence. Agentless approaches must rely on other devices to detect rogue machines and to regulate traffic on the network.
- Using an agent allows Elemental to run the policy engine locally on each managed host. This allows Elemental to leverage the power of a language-based approach to deliver highly efficient agent/server communications, and it allows the Elemental approach to scale to a very large number of managed systems. Agentless approaches do not scale well: the process of pushing down mini-programs in the form of transient agents to do the monitoring and enforcement of policies is inherently inefficient.
- ESP Agents provide persistent compliance monitoring. ESP policies remain in effect whether or not the machine is connected to the local network. Agents run independently. Agentless approaches require continuous communications with a central server.
- ESP Agents provide a very tight coupling between the monitoring and enforcement of policy rules. This enables automated remediation of non-compliance. Non-compliance can be directly remediated if desired without requiring additional administrative action.
- The ESP architecture provides a scalable infrastructure for running credentialed checks on managed machines.
What performance impact will your product have on my hosts?
The ESP agent is designed to be non-intrusive. On average the agent will consume 2-4% of dynamic memory and will have a negligible impact on CPU usage. As with other common desktop security products, there may be intermittent spikes in CPU usage depending on the types of policies deployed, but the majority of ESP rules require very little resources to run.
How much network traffic does your system generate?
Communications between the ESP agent and server are highly efficient. The underlying policy language has been developed to enable policies to be communicated to the agents while consuming minimal bandwidth. While many site-specific implementation details, such as the number of host groups and the number and type of policies deployed, will be determining factors, the typical network bandwidth consumption is on the order of 300 Kbs per 1000 agents.