What is IdentityGraph™?
IdentityGraph™ is Elisity's asset identity engine developed to address the challenges faced by modern network administrators in managing and understanding asset identities. IdentityGraph™ has been engineered to process, refine, and present identity data in a manner that provides a holistic and clear view of all network assets.
In contemporary network infrastructures, organizations are often using a variety of identity tools to assist in discovering and identifying assets on their network. These assets may be managed by different departments, with varying levels of data maintained that is often fragmented or even conflicting across different identity sources.
For instance, one source might identify a device based on its MAC address and vendor type, while another provides data regarding its operating system or its last known user. Combining these disparate pieces of data into a single source of truth is crucial when it comes time to enforce identity-based policy for assets dispersed throughout your network. The problem is, creating this single source of truth isn't just tedious; it's often not feasible given the dynamic nature of modern networks where new assets are connecting to the network and new data is available every hour.
IdentityGraph™ provides value to network administrators by automating the process of data reconciliation and providing a single, reliable source of truth for asset identities. This reliability ensures that when policies are enforced or assets are tracked, decisions are based on accurate, consolidated data. As a result, organizations can be confident in knowing that their assets are classified correctly, and therefore the correct network policy is being applied.
How IdentityGraph™ Works
Device Discovery and Data Collection
The initial step for IdentityGraph™ is device discovery. As assets connect to the network, various data sources are used to glean identifying data about these devices, such as DHCP, IPDT, RADIUS, and CDP/LLDP, to name a few. This data is collected via carefully filtered ERSPAN and API integration with onboarded switches. IdentityGraph™ then uses this data to query all available connectors and identity sources, harnessing data from Elisity's Native Identity Database, Active Directory, Claroty, Medigate, and your CMDB, among many others. The goal here is to cast a wide net, ensuring that no relevant data is overlooked.
Data Prioritization and Core Effective Attributes
Once the raw data is collated, the challenge becomes one of resolution and refinement. Given that different sources can offer varying (and sometimes conflicting) data about a single asset, IdentityGraph™ employs algorithms to categorize and rank this information based on its reliability and relevance. This ranking mechanism ensures that the most accurate data is given precedence, culminating in the formation of "Core Effective Attributes."
Core Effective Attributes serve as the primary match criteria when creating Policy Groups, offering a consolidated, accurate identity for each device or endpoint. This does not mean, however, that you MUST match on Core Effective Attributes. As seen in the image above, administrators in Cloud Control Center have complete visibility into all attributes that have been gleaned for any given device.
Each attribute that Elisity has collected will be categorized, and shown on the asset details view for any device.
The main categories within IdentityGraph™ are the following:
Core Effective Attributes: These are the primary, consolidated attributes that the IdentityGraph™ determines as most relevant for an asset. They represent the essence of the device, giving a clear and immediate understanding of its nature and function.
- Examples: Hostname, Genre, Class, Vendor, Type, Model, Operating System, Risk Score, Label, Purdue Level.
Trust Attributes: These attributes indicate the reliability and credibility of a device's identity based on its association with various platforms or systems. It provides a measure of how well-known and verifiable the device's identity is within the network and linked systems.
- Examples: Known in AD, Known in Claroty, Known in ServiceNow, Known in Tenable, Manually Verified, Unverified.
Elisity Native: Attributes in this category are derived directly from Elisity's native detection and identification mechanisms. They represent information that Elisity has been able to ascertain on its own, without relying on external platforms or manual input.
- Examples: Genre, Class, Vendor, Discovered By, Last Seen, Last Update, Interface.
Manually Configured: These are attributes that have been manually set or adjusted by administrators or users. They represent a level of customization and might override or augment the data gathered through automated processes.
- Examples: Hostname, Genre, Class, Model, Operating System, Last Update, Label.
Additional Connector-Based Tiles: Alongside the core categories, any connector from which data has been derived will also appear as a distinct subsection within the IdentityGraph™. These connector-specific subsections represent specialized sources of information and display the attributes specific to that connector. By examining these subsections, users can see which data sources contribute to an asset's identity, ensuring a multi-faceted understanding of its profile. Each connector-based subsection serves as a testament to the integrative capabilities of the system, seamlessly pulling and centralizing data from a variety of platforms and systems.
- Examples: Active Directory (AD), Claroty, ServiceNow, Tenable, Medigate, Palo Alto IoT Security.
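The prioritization described above (rank conflicting per-source data, let the most reliable value win, and keep every source visible in its own tile) can be illustrated with a small reconciliation routine. This is an added example, not Elisity's own code or the algorithm IdentityGraph™ actually uses; the source precedence order, the attribute names and the sample observations are all constructed. The only ordering the page itself supports is that manually configured values may override automated data, so "manual" ranks first; the rest of the order is an assumption.

```python
"""Illustrative reconciliation of per-source asset attributes into
Core Effective Attributes (added example; not Elisity's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed precedence, highest first. "manual" first follows the page's note
# that manually configured attributes may override automated data; the
# ordering of the connectors below it is a constructed assumption.
SOURCE_PRECEDENCE = ["manual", "claroty", "active_directory", "servicenow", "elisity_native"]


@dataclass
class Observation:
    """What one source (connector, native detection, or an operator) reports."""
    source: str
    attributes: Dict[str, Optional[str]]


@dataclass
class AssetIdentity:
    mac: str
    core: Dict[str, str] = field(default_factory=dict)          # Core Effective Attributes
    provenance: Dict[str, str] = field(default_factory=dict)    # attribute -> winning source
    tiles: Dict[str, Dict[str, str]] = field(default_factory=dict)  # per-source tile view
    trust: Dict[str, bool] = field(default_factory=dict)        # "Known in ..." style flags
    conflicts: List[str] = field(default_factory=list)          # overridden disagreements


def reconcile(mac: str, observations: List[Observation],
              precedence: List[str] = SOURCE_PRECEDENCE) -> AssetIdentity:
    """Merge observations by source precedence. The first source in precedence
    order that supplies a non-empty value for an attribute wins; lower-ranked
    disagreements are recorded rather than silently dropped, so an operator
    can see why a value was chosen."""
    rank = {src: i for i, src in enumerate(precedence)}
    # Unknown sources sort after every ranked one.
    ordered = sorted(observations, key=lambda o: rank.get(o.source, len(precedence)))
    identity = AssetIdentity(mac)
    for obs in ordered:
        # Empty strings / None carry no information and must never override anything.
        tile = {k: v for k, v in obs.attributes.items() if v not in (None, "")}
        identity.tiles[obs.source] = tile
        for attr, value in tile.items():
            if attr not in identity.core:
                identity.core[attr] = value
                identity.provenance[attr] = obs.source
            elif identity.core[attr] != value:
                identity.conflicts.append(
                    f"{attr}: {obs.source}={value!r} overridden by "
                    f"{identity.provenance[attr]}={identity.core[attr]!r}")
    # Trust attributes: which systems know this asset at all.
    for src in precedence:
        if src != "manual":
            identity.trust[f"known_in_{src}"] = src in identity.tiles
    identity.trust["manually_verified"] = "manual" in identity.tiles
    return identity


def sample_identity(precedence: List[str] = SOURCE_PRECEDENCE) -> AssetIdentity:
    """Constructed sample: four sources describing one imaging device, with a
    deliberate disagreement on the operating system string."""
    observations = [
        Observation("elisity_native", {"vendor": "Philips", "class": "Medical Device",
                                       "last_seen": "2024-01-01T08:00:00Z", "hostname": ""}),
        Observation("active_directory", {"hostname": "CT-SCAN-01",
                                         "operating_system": "Windows 10 Enterprise"}),
        Observation("claroty", {"vendor": "Philips", "operating_system": "Windows 10",
                                "risk_score": "72"}),
        Observation("manual", {"label": "Radiology"}),
    ]
    return reconcile("00:11:22:33:44:01", observations, precedence)


if __name__ == "__main__":
    ident = sample_identity()
    for attr, value in sorted(ident.core.items()):
        print(f"{attr:17} = {value!r:28} (from {ident.provenance[attr]})")
    for line in ident.conflicts:
        print("conflict:", line)
```

Passing a different precedence list to `reconcile` changes which value becomes the core attribute without losing the others: the losing value stays in its source tile and in `conflicts`, which is the detail an operator wants when a device is classified unexpectedly.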
Once these attributes are defined, they can be seamlessly integrated into Policy Groups. By doing so, organizations can enforce network policies based on the refined data offered by IdentityGraph™, ensuring that policies are both precise and effective.
IdentityGraph data enriched by connectors is refreshed periodically. If the operator wishes to refresh the data immediately, simply click the refresh button next to each connector tile.
Ongoing Reconciliation and Updates
IdentityGraph™ serves as a continuous, dynamic identity engine. As assets evolve and network dynamics change, the service continually updates its data repository. This ensures that the identity information remains current, and any changes or anomalies are rapidly identified and reconciled. Whether it's a software update on a device, a change in its operational status, or a new device entering the network, IdentityGraph™ ensures that its data remains a reflection of the network's current state.
Attributes learned from IdentityGraph™ are immediately usable in Policy Group definitions. To use any attribute, create a new Policy Group and scroll down to the attribute type. They will be categorized according to how they appear in IdentityGraph™. As you can see, you can select attributes from "Core Effective Attributes" or "Active Directory Attributes." Scrolling down will reveal any additional categories and their associated attributes.
Benefits of IdentityGraph™
Streamline Asset Management for Efficiency and Savings
Leverage the consolidated view of IdentityGraph™ to effortlessly overcome the hurdles posed by decentralized asset databases. By centralizing asset management, you're not only simplifying the process but also driving down operational costs. Dive into the structured methods of updating, categorizing, and managing with IdentityGraph™, ensuring that your network assets remain a strategic advantage rather than an operational challenge.
Fortify Your Security with Precise Asset Identification
A robust security posture begins with knowing exactly what's on your network. With the IdentityGraph™, you can elevate your security protocols through high-fidelity identification. The 'core effective attributes' feature works tirelessly behind the scenes, gathering and consolidating data from various layers. This results in a comprehensive, accurate representation of each asset. The outcome? A fortified security shield, ready to tackle sophisticated threats.
Ensure Accurate Policy Enforcement Across Your Network
The efficacy of your network policies hinges on the clarity of your asset identification. By utilizing these meticulous identification methods, you're creating an environment where policies are crafted with precision. More importantly, you can move forward with the confidence that these policies, once enacted, target the right assets, ensuring that your network's integrity is not compromised.
Sources and Fields for Core Effective Attributes
Our agent for Microsoft Active Directory enables customers to use user identity data in policy, as well as real-time monitoring of events such as login, user identity changes, and device attachments. The agent can be run on multiple servers for redundancy in the case of issues with an Active Directory server. Users can quickly onboard their Active Directory servers using our connector, sync data about all users and computers, and begin using that data to build Policy Groups in a matter of hours.
Below is an example of the user data we add to IdentityGraph.
Here you can see a list of Active Directory match criteria for Policy Group definition.
Devices in Active Directory can also help enrich the IdentityGraph database and a multitude of attributes can be leveraged for Policy Group definition.
In certain scenarios, customers may want to ignore Active Directory login events for a specific device. Generally, when a user logs in to a device, we will see this login event and associate a user identity to said device. This is often the desired behavior as this allows for identity-based policies for these assets based on user identities. For example, you may want to define network segmentation based on user groups. Radiologists and Pediatricians may work at the same hospital, but they don't need access to the same systems.
Clicking "Shared Services" on any asset will disable user-based identity for the asset. Elisity will ignore AD User login events for the device, causing the asset to be classified purely based on device data in IdentityGraph. This is ideal for applications where user login is required to use a machine, but user identity is not relevant to the segmentation strategy.
To enable "Shared Services", go to the device and click Edit. Check the box next to "Shared Service" and click Save Changes.
Risk Score Level
In the intricate ecosystem of network security and device management, it's imperative to differentiate and understand the varying risk levels associated with each device. To address this need, we introduce the Risk Score Level.
What is the Risk Score Level?
The Risk Score Level is a Core Effective Attribute designed to provide clarity regarding the security posture of a device, by classifying it into categories based on its perceived risk. This classification can be:
- Very Low
This score is dynamically sourced from integrations with external platforms such as Medigate and Claroty xDome. And what's remarkable is its adaptive nature: if, for instance, Medigate introduces a new classification like 'Extreme' in the future, our system will automatically recognize and integrate this without needing any manual updates.
Why is it Significant?
Manual Configuration & Bulk Actions: When adding or editing a device, the Risk Score Level is available as a Manual Configuration item, ensuring that you have full control and visibility. Additionally, when adding multiple devices, it can be included as a Bulk Add/Edit field in the CSV.
Device Overview Enhancement: For a comprehensive understanding, the Risk Score Level is a default column on the Device Overview page. This makes sorting and filtering devices based on risk scores straightforward.
Policy Evaluation & Creation: The Risk Score Level is essential when creating policies, especially when dealing with policy groups (PG). It's now an option under Core Effective Attributes when establishing a PG, ensuring your policy creations are as accurate as they are effective.
The Risk Score is a Core Effective Attribute designed to provide clarity regarding the security posture of a device based on its perceived risk. Risk Score is an integer between 0 and 100 and can be leveraged as match criteria in Policy Group definition.
Risk Score data is provided on a per device basis through integrations with solutions such as Claroty xDome, Medigate or Palo Alto IoT Security. The following match logic is supported:
- Not Equal
- Greater Than
- Greater Than or Equals
- Less Than
- Less Than or Equals
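To tie together the Risk Score match operators listed above with the "Shared Services" behaviour described earlier (AD user login events ignored for a flagged device), here is an added example of evaluating Policy Group criteria against an asset's IdentityGraph attributes. It is not Elisity's code and does not reflect how Cloud Control Center stores or evaluates Policy Groups; the asset records, the `category`/`attribute`/`operator` criterion shape, and the plain equality operator used for non-numeric attributes are all constructed assumptions. The comparison operators themselves are the ones the page lists.

```python
"""Evaluate Policy Group match criteria against IdentityGraph-style asset
records (added example; not Elisity's code)."""
import operator
from typing import Any, Dict, List, Optional

# The integer comparisons are the match logic the page lists for Risk Score.
# "equals" is an assumption added here for matching string attributes.
OPERATORS = {
    "equals": operator.eq,
    "not_equal": operator.ne,
    "greater_than": operator.gt,
    "greater_than_or_equals": operator.ge,
    "less_than": operator.lt,
    "less_than_or_equals": operator.le,
}


def attribute_value(asset: Dict[str, Any], category: str, name: str) -> Optional[str]:
    """Look up an attribute inside one category tile ("core", "active_directory", ...).
    When the asset is flagged as a Shared Service, user-derived AD attributes are
    treated as absent so the asset is classified purely on device data."""
    if category == "active_directory" and asset.get("shared_service") and name.startswith("user_"):
        return None
    return asset.get(category, {}).get(name)


def criterion_matches(asset: Dict[str, Any], crit: Dict[str, Any]) -> bool:
    value = attribute_value(asset, crit["category"], crit["attribute"])
    if value is None:
        return False  # an attribute IdentityGraph never learned cannot match anything
    expected = crit["value"]
    if isinstance(expected, int):
        # Risk Score arrives as text from connectors; a non-numeric or
        # missing score must never satisfy a numeric comparison.
        try:
            value = int(value)
        except (TypeError, ValueError):
            return False
    return OPERATORS[crit["operator"]](value, expected)


def policy_group_members(assets: List[Dict[str, Any]], criteria: List[Dict[str, Any]]) -> List[str]:
    """An asset joins the Policy Group only when every criterion matches (logical AND)."""
    return [a["mac"] for a in assets if all(criterion_matches(a, c) for c in criteria)]


def sample_assets() -> List[Dict[str, Any]]:
    """Constructed sample inventory; MACs and values are illustrative only."""
    return [
        {"mac": "00:11:22:33:44:01", "shared_service": False,
         "core": {"class": "Medical Device", "risk_score": "72"},
         "active_directory": {"hostname": "CT-SCAN-01", "user_group": "Radiologists"}},
        {"mac": "00:11:22:33:44:02", "shared_service": False,
         "core": {"class": "Medical Device", "risk_score": "35"}},
        {"mac": "00:11:22:33:44:03", "shared_service": True,   # shared nursing-station PC
         "core": {"class": "Workstation", "risk_score": "20"},
         "active_directory": {"hostname": "WS-SHARED-03", "user_group": "Radiologists"}},
        {"mac": "00:11:22:33:44:04", "shared_service": False,
         "core": {"class": "Workstation", "risk_score": "10"},
         "active_directory": {"hostname": "LT-PEDS-04", "user_group": "Pediatricians"}},
        {"mac": "00:11:22:33:44:05", "shared_service": False,
         "core": {"class": "Printer"}},                        # no risk score reported
    ]


# Constructed Policy Group definitions.
HIGH_RISK_MEDICAL = [
    {"category": "core", "attribute": "class", "operator": "equals", "value": "Medical Device"},
    {"category": "core", "attribute": "risk_score", "operator": "greater_than_or_equals", "value": 70},
]
RADIOLOGIST_DEVICES = [
    {"category": "active_directory", "attribute": "user_group", "operator": "equals", "value": "Radiologists"},
]
LOW_RISK = [
    {"category": "core", "attribute": "risk_score", "operator": "less_than", "value": 30},
]

if __name__ == "__main__":
    inventory = sample_assets()
    for name, crit in [("HIGH_RISK_MEDICAL", HIGH_RISK_MEDICAL),
                       ("RADIOLOGIST_DEVICES", RADIOLOGIST_DEVICES), ("LOW_RISK", LOW_RISK)]:
        print(name, "->", policy_group_members(inventory, crit))
```

Two details are worth noting. The shared workstation carries a Radiologists user group in its AD tile but is excluded from `RADIOLOGIST_DEVICES` because the Shared Service flag suppresses user-derived attributes, which is the outcome the page describes. The printer with no reported Risk Score matches neither the low-risk nor the high-risk group: a missing score is not the same as a low score, so a policy that should only reach scored devices does not silently pick up unscored ones.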