At its core, JupiterOne is a robust data platform dedicated to managing and securing customer data. Ensuring the security of this data is critical to earning and maintaining the trust we have established with our customers. Our commitment to data security is the foundation of all our efforts, reflecting our dedication to protecting the integrity and confidentiality of our customers' information. Although we call Raleigh, NC home, we have a significant number of employees who are remote, myself included. As the Deputy CISO, I see managing and securing devices and endpoints as critical in today's dynamic threat landscape. One of the ways we do this is by leveraging open source solutions like Fleet to enhance and strengthen our endpoint management and compliance capabilities. Here's how Fleet integrates with JupiterOne to gain comprehensive insights and enhance the security of our environment.
Tracking Endpoints and Codifying Policies
One of the core features of Fleet is the ability to codify policies and track endpoints' compliance with them. For example, we might set a policy checking that laptops are encrypted, password protected, or running a browser at or above a specific version. With the power of Fleet policies and the extensive osquery schema, there are close to 300 tables whose data can be used in policies, so the main limit is your imagination.
Integrating Fleet with JupiterOne adds more depth and insight to your security program. Fleet shows which user is using which device and which device is violating a policy; JupiterOne enhances that insight by mapping how those users and devices relate to the rest of your environment.
At JupiterOne, we set up an alert in the platform that notifies us when an employee is running an outdated browser in violation of our security policy. JupiterOne contextualizes this information for our security analyst by quickly visualizing that the employee's device connects to a critical and sensitive company database. This unified view speeds up identifying and addressing policy violations for our security team and provides a broader view of security risk within our environment.
- All Fleet alerts are centralized in JupiterOne providing a unified view. We can see policy violations from Fleet and other tools, and correlate with other alerts for a better understanding of our security posture.
- Get a deeper understanding of the importance of violations. For example, you can find all devices violating a policy, with the desired level of detail, using this query:
FIND fleetdm_policy AS p
THAT VIOLATES<< user_endpoint AS ue
THAT HAS<< fleetdm_instance AS f
RETURN
p.displayName AS Policy,
f.displayName AS FleetDMInstance,
ue.displayName AS Device,
ue.macAddress AS MacAddress,
ue.osVersion AS OSVersion
Once you have the results, you can then use the graph to identify which ones lead to a critical asset. It’s one thing for a device to not be encrypted, but it’s more critical if that same device is used by a doctor with access to medical data!
In this example, we see a single host violating a single policy, and that this policy is tied to a JupiterOne alert. We're in good shape! This lets you easily visualize all of your policies, which machines they are assigned to and whether they are failing those checks.
Since Fleet is equally useful on servers and workstations, you can also identify Fleet violations that affect sensitive data stores and handle those first.
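As an added example (not a query from the original post), here is the query above extended one hop so that it returns only the violating endpoints that reach a critical data store, which is the triage step described in the paragraphs before. The CONNECTS relationship class, the (Database|DataStore) class pair and the classification = 'critical' property value are assumptions about how the environment is modeled; substitute the relationship and classification your own graph uses.

```j1ql
FIND fleetdm_policy AS p
  THAT VIOLATES << user_endpoint AS ue
  THAT CONNECTS >> (Database|DataStore) WITH classification = 'critical' AS ds
RETURN
  p.displayName AS Policy,
  ue.displayName AS Device,
  ue.osVersion AS OSVersion,
  ds.displayName AS CriticalAsset
```

The fleetdm_instance hop from the original query is left out because each THAT continues the traversal from the entity immediately before it, so the hop to the data store has to follow the endpoint directly. Replace the RETURN clause with RETURN TREE to see the policy-to-device-to-asset path in the graph view rather than as a table. If the relationship class between devices and data stores in your graph is not CONNECTS, THAT RELATES TO (Database|DataStore) matches any relationship class and is a safe first pass before tightening the query.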
Software Inventory
Fleet has powerful software inventory capabilities. This data is ingested by JupiterOne, then normalized, allowing you to query and search for applications, no matter what data source informs the graph.
As you can see, looking for an Application returns software detected by Fleet, categorized as fleetdm_software. This is particularly helpful when building policies for allow listing, or for looking for a known vulnerable piece of software in your organization. In the case of user endpoints, MDM tools provide much less granular information than Fleet with osquery, so it is a great addition.
And again, since it’s part of the graph, all of these applications can be easily tied to the devices they’re installed on, as well as what those devices can access, allowing you to prioritize remediation to get the best coverage and efficiency when knocking down those vulnerabilities.
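An added example, not part of the original post, of the search described in the two paragraphs above: it starts from the normalized Application class, narrows to the Fleet-sourced entries for one product, then walks to the devices the software is installed on and the critical data stores those devices reach. The _type filter is the standard JupiterOne property for the integration-specific type; the product name, the version property, the '124.' prefix (standing in for a known-vulnerable release line in this constructed scenario), the CONNECTS relationship and the classification value are assumptions.

```j1ql
FIND Application WITH _type = 'fleetdm_software' AND name ~= 'Chrome' AND version ^= '124.' AS s
  THAT RELATES TO user_endpoint AS ue
  THAT CONNECTS >> (Database|DataStore) WITH classification = 'critical' AS ds
RETURN
  s.name AS Software,
  s.version AS Version,
  ue.displayName AS Device,
  ds.displayName AS CriticalAsset
```

The ^= (starts with) operator is used instead of a < comparison on purpose: version is a string, and string ordering does not follow semantic versioning ('9.0' sorts after '124.0'), so matching a known-bad release prefix avoids false negatives. RELATES TO matches whatever relationship class the integration created between device and software; once you have confirmed the class in your graph, use it explicitly for a more specific query.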
Details on the JupiterOne integration with Fleet can be found on JupiterOne Docs.
Cyber Defense Matrix (CDM) and Fleet
It comes as no surprise that there is a large overlap between people interested in osquery, Fleet, and JupiterOne. Those who understand the power of data value easy access to it and leverage it to better understand their security environment.
JupiterOne published the Cyber Defense Matrix book with Sounil Yu and continues to use CDM as a framework to navigate the cybersecurity landscape. We were excited to see Fleet add Mobile Device Management (MDM) functionality, which means they now address both Identify and Protect functions within the Cyber Defense Matrix.
1. Identify: Comprehensive Endpoint Information
With Fleet we can collect extensive data on each endpoint, including software and hardware inventories. We have a complete view of the software running across all devices, including software versions and unauthorized applications, and the ability to ensure compliance with software policies. Fleet also identifies vulnerabilities in installed software packages and OSes. That's right: endpoint instrumentation, MDM and vulnerability identification in the same open source package, with great data you can bring into your security data to empower your security program.
2. Protect: Centralized Device Management
Security administrators can now centrally and remotely apply security profiles to each device, ensuring they comply with JupiterOne's security policy, including password, encryption and networking settings.
We’re great fans of osquery and Fleet, as well as open-source security tools in general. Integrating Fleet with JupiterOne empowers you to gain comprehensive insights and enhance the security of your environment.