Harnessing the Power of the Armis Standard Query (ASQ) Tool, Part 1

Tools of the Trade

Carpenters have hammers. Chefs have cookware. Artists have paint brushes.

Information technology and security operations teams have their tools as well. Unlike the aforementioned tools of the trade however, these tend to be more dynamic and improve rapidly as new methods are employed to help with their day-to-day operations. These new ways to look at old problems, as well as the sheer necessity due to increased volume of events, have improved things vastly since the days of mostly the single-use, create-your-own tools approach.

Each of these professionals has their own favorites and rely on them to retrieve whatever piece of data, access control, monitoring/alerting, or comprehensive report that is needed. Of course, our aspiration is that Armis is that favorite ‘go-to’ tool.

In this four-part blog series, we will walk through some operational usage examples that will illustrate how Armis customers get the most out of the Armis platform. Our hope is that they spark further ideas about how to leverage Armis to  wield this powerful tool to answer your most pressing security questions

Talk the Talk

The Armis Standard Query tool (ASQ) is central to almost every activity you can perform. Much like any popular SIEM, the language is powerful, but is simple to comprehend and has a nominal learning curve. Fear not! Once you understand it, it is a very robust ally in finding and presenting the activities and devices that may be hiding within your network.

Using ASQ, you will be able to search for devices, vulnerabilities, services, traffic, connections, users, policies and more -- the combinations are virtually endless.

In this blog, we’ll start by walking through two example use cases:

  • Finding devices by model
  • Associating users with a device

Devices by Model

Can you quickly get a list of devices, by model, that reside in your environment? If you answered yes, let me further ask how confident are you that your asset management data is truly accurate and up-to-date?

There are times when understanding your devices by model becomes a necessity. Let’s take, for example, the difficulty the US government has had trying to get a handle on hardware manufacturers that have been banned by FAR 889 within their environment.

With the ever-changing nature of networks, your current solution may be, plainly speaking, inadequate. These solutions typically range anywhere from inventory monitoring applications like a CMDB to highly-manual processes such as keeping a spreadsheet. Historically, these solutions are at-best highly labor-intensive, and at-worst, out-of-date or incomplete. Let’s face it, monitoring and tracking your assets is difficult and no one is immune to this necessity.

This is an area where Armis really shines. We have the ability to show you what may have previously been hidden on your network and continuously track and monitor those devices for changes. Armis doesn’t rely on agents, so it’s not bound by a need to tether your previously acknowledged assets while missing your unknown pool. Armis can immediately begin its discovery and tracking process automatically, without needing to understand what is already on your network.

How easy is it to get this information? Let’s look…

Below is a view of the Armis Standard Query tool. Using this, you will simply choose the values you are looking for. In this example, we are looking for devices with the model of Hikvision or Zhejiang, that reside on the corporate boundary, and were seen in the last 7 days.

 Armis Simple  Query View
When the query is complete, the following results will be presented in the results pane:

Armis Results View

User to Device Association

Knowing what devices are present in your environment is half the battle. Understanding the user-to-device associations takes it one step further, and can be very useful in exposing potential issues residing on those devices. Some examples where user information might highlight problems include the discovery of certificate theft, improper user-to-device associations, or unauthorized certificate export. It’s good to be able to understand when a user-to-device association is just not right.

Let’s take a scenario where an 802.1x certificate is exported to a user's personal phone and improperly allows a connection to your corporate environment.  To be sure, a machine-based certificate is the preferred method, but with that said, most of us do not have the luxury of living in a perfectly configured world. In fact, you might not have even known that a user could do that in your environment - but did.

Monitoring this type of activity is difficult with traditional methods. Applications that are used to manage certificates are not typically able to provide the complete context of certain types of 802.1x certificates and their associated devices. This is especially true in cases where the certificate is only associated with a user. It may take several tools to aggregate that data, let alone bubble up improper usage.

Such an association may look like the below screenshot, as seen from the Armis Standard Query tool. In this query, we are taking the knowledge that no device should be able to connect to our corporate network without a certificate, and specifically, a mobile phone. While at first glance, this may look slightly complicated, it’s actually quite easy to create. We are looking for an activity type of connection started and defining the connection as being from a mobile phone to the corporate network, occurring in the last 7 days.

Armis Standard Query View - Phone on Corporate
Once the results of the query are returned, you can drill further into the device itself, such as in the example below. In it, you can see the fictitious user of ‘roi’ at the fictitious ‘somecorp’ domain.

Armis Standard Query View - Phone on Corporate

Conclusion

These are two simple examples that highlight the interesting things that Armis can be used for and to illustrate the power of the tool. Join us for our next blog where we look at vulnerability and IP mischief through the eyes of Armis, as well as other future blogs in this series to help you wield the power of the Armis Standard Query tool.

For a full demonstration of Armis, please visit www.armis.com/demo.

Have our blog posts sent to your inbox.