1.4.1. Visibility
On this page we will introduce the Visibility use case, going through its explanation, benefits, steps, and sources.
1.4.1.1. What is visibility?
Visibility is the module of OpenNAC Enterprise that discovers, quantifies, and qualifies the assets connected to the corporate network.
It guarantees a starting point to establish security controls, the basis for managing the risk associated with the devices.
Allows to know the communication flows in the network, in this way it helps to determine and manage the attack surface in networks.
1.4.1.2. Visibility Benefits
Automates the discovery and inventory of 100% of the devices connected to the corporate network (Quantification of network assets).
Automatically profiles and classifies all the devices connected to the network (Asset Qualification), assigning typology to each connection (mobile, computer, camera, etc.), basis for establishing access policies for devices.
Tagging and grouping the devices connected to the network (criticality of devices, typology, risk profile). 100% customizable according to the business requirement.
Shows network behavior, communication flows, network protocols used, and behavior statistics in real-time.
Facilitates the adoption of standards and frameworks such as ISO2700x, NIST, ENS etc.
1.4.1.3. Visibility in 6 Steps
Our Visibility proposal plans establish visibility in 4 steps:
Discovery: we have to discover and quantify the devices.
Profiling: profile and qualify defining assets profiling groups
Business Profiles: create groups of devices from the characteristics that we know of each one, the most common is grouping by typology.
Enrich with external sources: Add metadata such as associated CVEs, compromised identities, etc.
Share with a third party: Third-party platforms, such as SoC integration.
Output Review: to visualize results we have predefined visibility dashboards with very specific and easy-to-read information.
1.4.1.4. Visibility Sources
We have three ways to generate Visibility:
Network devices mode
Sensor mode
Agent mode
Note
The modes of visibility are not mutually exclusive, they are complementary. We can have all three, the more sources we have, the greater context and more details of each device associated with each connection are achieved.
Network Devices Mode: Works through the protocols currently transiting the network and by enabling some other protocol.
Sensor Mode: performs a deep packet inspection to learn network protocols used in information flows.
Agent Mode: deploying software on user devices to extract complete software and hardware information from the device.
OpenNAC Enterprise discovers the devices and launches plugins to get information about each connection made on the network. The responses of the devices provide the detail of each device associated with the connection.
Any mode that is used will try to establish the IP and MAC (Basic Information) pair and from that launch queries through a plugin such as discover or profiling the devices themselves:
Discover plugin: Launches instructions to get information on each connection on the corporate network, the result depends on the device.
Profiling plugin: Analyzes the information collected from each asset to determine its type.
Once OpenNAC collects all the characteristics of the connections and stores them in the form of Tags in the CMDB. These tags pass through the OpenNAC engine and analyzing the collected data determines their typology, risk value, criticality, etc.
Lastly it quantifies (how many are there) and qualifies (what type are they).
As the main deliverable, after all the data analysis, an updated inventory is generated in real-time with all the connections made in the network. Each connection has its associated details.
Some of the relevant information shown is: MAC, IP, IP Switch, AP, switch port, VLAN, hostname, user, last access, tags, device typology, etc.