Axonius and “The Source of Truth” (How many assets do I have?)
A question I posed when I first started at Axonius as a Technical Account Manager was “How do I get the core number of assets where Agent X can be installed with the Axonius platform?” It is a great question: you need to know what you have before you can determine coverage. Without knowing what you have, how can you ensure Agent X is installed everywhere it should be?
Much is made of the power of the Axonius platform in identifying all your assets. In this article I am going to explain how this can be achieved and how to maximize the return on your investment. The best way to visualize this is via a story, with some comparisons that may make the concepts easier to digest. Let’s dive in.
My organization needs to ensure deployment of Carbon Black to all Windows machines.
So, let us move on and get my source of truth for Windows machines (i.e. how many do I have), because, as already mentioned, we need to know what we have in terms of Windows devices (assets) before looking at Carbon Black coverage on those assets.
I run the following query.
I receive a result of 500 assets. So, is this an accurate figure of all my Windows Machines?
No. Why?
Let us think back to the data Axonius has. Axonius ingests from multiple data sources. Perhaps we ingest from McAfee ePO, which has been embedded in the organization for a few years. It still contains information on assets that were decommissioned and shipped off to a local charity last year. So I need to add in another factor: stale data.
By adding a "last seen" condition to the query (for example, seen within the last 30 days), I have now excluded machines that are no longer in use.
I now have 400 Windows machines. Is this now the source of truth? Possibly.
Let us again think back to the data Axonius has. Axonius ingests from multiple data sources via what it calls Adapters.
As great as Axonius is, it can only ever be as accurate as the data it is fed. Nothing and nobody can know what it does not know, right?
The more data the Axonius platform is fed, the greater the degree of accuracy it obtains. Let us look at an asset with information from more than 8 adapters. That means more than 8 sources of information are saying that this asset is Windows.
This is where I start to think of the Axonius platform with an analogy: Axonius becomes a court room with an active case being tried. You are the Judge, and we have multiple witnesses to testify regarding the question we are asking. Think of the adapters as the witnesses in my court case. In this example, you have 8 witnesses telling you that this is an asset running a Windows operating system.
What if we spin that round and ask "what if the asset has only been seen by one adapter?" In that case, you don't believe it quite so much, as it is not the same as 8 witnesses telling you the same thing.
Here is a one-adapter (one-witness) example.
But then you factor in something else: the reliability of that witness. A vulnerability scanner is usually less reliable than an agent when it comes to operating system type, because the scanner infers the OS from network fingerprinting, whereas the agent reports it from inside the operating system itself.
Axonius can actually take some of the heavy lifting away from you here. Preferred fields are the equivalent of the quality of the witness. We trust Adapter A more than Adapter B for information such as OS type; therefore, if the two disagree, we believe A over B. (See this post for more information on how this is weighted.)
If our CSV says that the OS type is Linux and this is the only adapter we obtain information from, the Axonius preferred field will present just that information. It may be accurate, and it may not be. The preferred field has nothing else to go on, so it reports as such. It is the best we can get from the one adapter (witness) we have.
Should we ignore this adapter then?
No, because what if that adapter is the only witness to that machine and it is right? This could be highlighting an asset with no security protection whatsoever, and a real security risk. Alternatively, it could be an asset that was simply entered incorrectly in the CSV that Axonius ingested. Investigation is the key here. Does it really exist? If not, update the CSV; if it does, bring it into line with your company's standard requirements. More adapters then start to see it in Axonius, and we have improved our security posture already.
Can Axonius ever be wrong in saying a Windows machine exists?
Yes, if the data it is fed is incorrect.
If it is wrong, how can I trust it?
By reviewing the data: the number of adapters (witnesses) that all say the asset is X, the preferred field, and the investigation you carry out based on the information provided. That is how you arrive at the source of truth.
How can I improve accuracy and reduce the chance of the result being wrong?
More adapters are the answer. You increase the knowledge of the platform and therefore the power that aggregation and correlation bring (information from the adapters (witnesses) is combined and presented as the single asset it is). The more witnesses you add into the mix, the more likely you are to identify everything and arrive at the greater source of truth.
So, my formula for obtaining the source of truth for the Windows machines my organization has is as follows:
OS type = Windows, AND last seen within the last (number) of days.
Do I trust all these results?
Yes, until you see otherwise. A single witness is not necessarily wrong, and the same applies to an asset that has only been seen by one adapter. We need to determine whether they are wrong and keep a healthy degree of skepticism, but until proven otherwise, they are believed.
What do you do if you prove that the information from a particular source, which states that the device is a Windows machine, is wrong, and the device is in fact a printer?
Tagging and custom data can be used here, so we can start to filter these devices out of our queries and obtain a greater source of truth. This could possibly even be automated with the Enforcement Center module add-on.
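The whole methodology above (correlate each adapter's records into one asset, resolve OS type by adapter preference, drop stale devices, count the witnesses, and exclude tagged devices such as the misidentified printer) can be sketched in code. The following Python is an added illustration written for this article; it is not Axonius code, nor its query language, and the adapter names, the trust ordering, the hostname-only correlation key and the sample records are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed trust order for the OS-type field, most trusted first (the
# "quality of the witness"). Agents rank above scanners, and a CSV upload
# ranks last. In the product this is configured per field, not hard-coded.
OS_PREFERENCE = ["carbon_black", "mcafee_epo", "active_directory", "vuln_scanner", "csv"]

NOW = datetime(2024, 1, 31)  # fixed clock so the example is reproducible


@dataclass(frozen=True)
class Record:
    """One adapter's view ('testimony') of one device."""
    adapter: str
    hostname: str
    os_type: Optional[str]
    last_seen: datetime


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample inventory, not real data.
RECORDS = [
    Record("carbon_black", "WS-001", "Windows", days_ago(1)),
    Record("mcafee_epo", "ws-001", "Windows", days_ago(1)),
    Record("vuln_scanner", "ws-001", "Windows", days_ago(3)),
    # Decommissioned last year, still sitting in the ePO database.
    Record("mcafee_epo", "ws-002", "Windows", days_ago(400)),
    # Scanner and agent disagree; the agent is the more reliable witness.
    Record("vuln_scanner", "ws-004", "Windows", days_ago(2)),
    Record("carbon_black", "ws-004", "Linux", days_ago(1)),
    # Known only from a CSV upload: one witness, no agent visible.
    Record("csv", "ws-005", "Windows", days_ago(0)),
    # A printer that a scanner fingerprinted as Windows.
    Record("vuln_scanner", "prn-001", "Windows", days_ago(2)),
]


def correlate(records):
    """Aggregate records into assets. Case-insensitive hostname is the only
    correlation key here; a real platform also uses MAC, serial, cloud id."""
    assets = defaultdict(list)
    for rec in records:
        assets[rec.hostname.lower()].append(rec)
    return dict(assets)


def preferred_os(records):
    """Preferred-field resolution: the most trusted adapter that actually
    reports a value wins, however many less trusted adapters disagree."""
    def rank(rec):
        return OS_PREFERENCE.index(rec.adapter) if rec.adapter in OS_PREFERENCE else len(OS_PREFERENCE)
    ranked = sorted((r for r in records if r.os_type), key=rank)
    return ranked[0].os_type if ranked else None


def source_of_truth(records, os_type="Windows", max_age_days=None, tags=None):
    """Return the assets that resolve to `os_type`, were seen within
    max_age_days (None = no staleness filter) and carry no exclusion tag.
    Each result records its witness count so single-witness assets can be
    queued for investigation rather than silently trusted or dropped."""
    tags = tags or {}
    result = []
    for host, recs in correlate(records).items():
        if preferred_os(recs) != os_type:
            continue
        last_seen = max(r.last_seen for r in recs)  # newest testimony wins
        if max_age_days is not None and last_seen < NOW - timedelta(days=max_age_days):
            continue
        if tags.get(host):  # e.g. {"prn-001": {"not-a-workstation"}}
            continue
        adapters = sorted({r.adapter for r in recs})
        result.append({
            "hostname": host,
            "last_seen": last_seen,
            "witnesses": len(adapters),
            "adapters": adapters,
            "needs_review": len(adapters) == 1,
        })
    return sorted(result, key=lambda a: a["hostname"])


if __name__ == "__main__":
    scenarios = [
        ("OS type = Windows", {}),
        ("... AND seen in last 30 days", {"max_age_days": 30}),
        ("... AND not tagged", {"max_age_days": 30, "tags": {"prn-001": {"not-a-workstation"}}}),
    ]
    for label, kwargs in scenarios:
        assets = source_of_truth(RECORDS, **kwargs)
        print(f"{label}: {len(assets)} assets")
        for a in assets:
            flag = "  <- one witness, investigate" if a["needs_review"] else ""
            print(f"  {a['hostname']} witnesses={a['witnesses']} {a['adapters']}{flag}")
```

Run stand-alone, the three scenarios shrink the count from 4 to 3 to 2: the stale ePO record drops out with the last-seen window, the printer drops out once it is tagged, ws-004 never counts because the agent outranks the scanner, and ws-005 stays in the count but is flagged as a single-witness asset to investigate rather than discarded.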
By following this methodology to arrive at the source of truth, it is a win-win. I understand my assets better, and I improve general security by highlighting assets that do not have the correct security configuration as defined by my organization. I can establish the source of truth for all my Windows OS devices and then focus on Carbon Black agent coverage.