Gap Analysis at Scale — Total Network Visibility in 8 Days
Clockspring developed an integrated asset management comparison capability which identified discrepancies between the assets protected by EDR and those receiving periodic vulnerability scans. The resulting report was delivered within 8 days of project initiation and showed a 20% gap in the inventories of these two tools: blind spots in the organization's ability to identify and react to threats.
By comparing the differences in the asset inventory of these tools and overlaying the results on the network topology, Clockspring was able to deliver gap reports down to individual subnets, VLANs, and physical locations which enabled the prioritization of remediation and assignment to the correct team to execute the remediation.
About the Organization
Clockspring was tasked to help a client understand their asset inventory and by extension the security controls surrounding end user computing. Spanning nearly two thousand sites across the US, 300,000 employees, and several hundred thousand endpoints, it is one of the largest organizations in the world. As a result of COVID-19 and the seismic shift in work patterns for all employees, the organization needed to validate that the end user computer protections that were configured for a mostly 'in-house' staff were working as intended to protect the suddenly remote workforce.
Challenges
Given the size and scope of this organization, world-class cybersecurity must be achieved. The second- and third-order consequences of ineffective risk management, or of a vulnerability giving access to critical components of the enterprise, are unacceptable — they can result in the exposure of sensitive client information or the disruption of services which millions of people rely on daily.
Despite an IT staff of over 1,000 employees and contractors and a several-million-dollar IT budget, securing the massive operations and effectively managing enterprise risk comes with two key challenges: silos and scale. Divided into dozens of departments and subdepartments spanning function, geography, and hierarchy, each department has its own culture, tooling, data management, and devices. Additionally, the sheer volume of endpoints and of the data they produce is substantial and constantly changing.
Journey to Visibility
Clockspring was brought on by the Director of Infrastructure Operations to achieve a specific outcome: accurate and total visibility across the enterprise network. Given the scale and the silos, Security and IT leadership were unable to get clear and complete visibility of all the endpoints in the organization. In order to give leadership real-time visibility into where problems exist, and the ability to make remediation decisions, the organization needed a full view of the network.
"Clockspring is the best tool in the world at finding holes in all our other tools"
To achieve this visibility Clockspring looked at the existing protection mechanisms. Two disparate endpoint management tools were in active use. The first was Forescout, an endpoint detection and response (EDR) tool which watches live traffic on the wire and builds an inventory in real time. The second was Nessus, which scans the network for vulnerabilities on a periodic schedule. Finally, the inventories of each system were combined with the network topology data from RedSeal to provide network context.
The hypothesis was that there would be only a small gap between the results of the two tools, because the network is so large and dynamic and the coverage numbers looked similar at a glance. Given the hundreds of thousands of employees and contractors, standard hiring, onboarding, and turnover would mean thousands of devices coming on and off the network weekly. Since Nessus scans periodically while Forescout operates continuously, a small difference between the resulting data sets of the two tools was expected.
Solution
Clockspring is a fast and flexible tool designed to move data and correlate different data sets in an automated way. For this problem Clockspring took the asset inventories from Forescout and Nessus and overlaid them on top of the network topology from RedSeal. The resulting report was broken down by physical site, subnet, and VLAN, which mapped out exactly where gaps were present.
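As an added illustration (not Clockspring's code and not the client's data), the following Python reproduces the comparison described above on constructed inventories: the set difference between an EDR inventory and a scanner inventory, bucketed by subnet from a topology export, with unmapped addresses reported separately and subnets ranked by gap rate for remediation.

```python
import ipaddress

# Constructed sample data: addresses each tool knows about (placeholders, not real assets).
EDR_INVENTORY = {"10.1.0.5", "10.1.0.9", "10.1.0.12", "10.2.0.7", "10.2.0.8", "10.3.0.3"}
SCAN_INVENTORY = {"10.1.0.5", "10.1.0.9", "10.2.0.7", "10.2.0.20", "10.3.0.3",
                  "10.3.0.4", "192.168.50.2"}

# Constructed topology export: subnet -> (physical site, VLAN).
TOPOLOGY = {
    "10.1.0.0/24": ("Site-A", "VLAN 10"),
    "10.2.0.0/24": ("Site-A", "VLAN 20"),
    "10.3.0.0/24": ("Site-B", "VLAN 30"),
}


def locate(ip, topology):
    """Return (subnet, site, vlan) for an address, or None if no known subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for cidr, (site, vlan) in topology.items():
        if addr in ipaddress.ip_network(cidr):
            return cidr, site, vlan
    return None


def gap_report(edr, scanner, topology):
    """Per subnet: all assets either tool saw, those each tool missed, and the gap rate.

    Addresses outside the topology are returned separately: they are a gap in the
    topology data itself and need a different owner than a per-subnet coverage gap.
    """
    report, unmapped = {}, set()
    for ip in edr | scanner:                      # union: everything anybody saw
        loc = locate(ip, topology)
        if loc is None:
            unmapped.add(ip)
            continue
        cidr, site, vlan = loc
        entry = report.setdefault(cidr, {"site": site, "vlan": vlan, "all": set(),
                                         "edr_only": set(), "scan_only": set()})
        entry["all"].add(ip)
        if ip not in scanner:
            entry["edr_only"].add(ip)             # the scanner never assessed it
        if ip not in edr:
            entry["scan_only"].add(ip)            # the EDR never protected it
    for entry in report.values():
        gaps = len(entry["edr_only"]) + len(entry["scan_only"])
        entry["gap_rate"] = gaps / len(entry["all"])
    return report, unmapped


def prioritize(report):
    """Subnets ordered worst-first, so the right team gets the biggest blind spot first."""
    return sorted(((c, e["site"], e["vlan"], e["gap_rate"]) for c, e in report.items()),
                  key=lambda row: row[3], reverse=True)
```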
The results were surprising — both technologies were missing significantly more endpoints than expected with a gap rate of 20%.
What did this mean? These endpoints were invisible to the security tools tasked with managing them and, as a result, were not part of the enterprise risk dashboard. The client was missing real-time visibility into the activities occurring on these endpoints as well as insight into their exposed vulnerabilities. Each gap was a compliance issue in its own right, and any one of them could harbor an unidentified exploit. What's more, this state had been present since the inception of these tools — none of the teams had been able to see it before.
Impact
Within 8 days, Clockspring was able to reach total network visibility and "see" thousands of previously invisible and unmanaged endpoints. The endpoints are being remediated, and with each device the security posture of one of the largest networks in the world improves while compliance risk in a highly regulated environment decreases.
In tangible terms, the organization has discovered and removed a large blind spot that could have resulted in damages and/or regulatory action if exploited. Security leadership now has an accurate hardware asset inventory, total clarity and visibility into a massive and dynamic network, and a flexible automation utility that allows them to make smarter, faster decisions at scale.