Create Compensating Controls
Create compensating controls to indicate steps taken to mitigate risks and lower device risk scores.
Where Can I Use This?
  • IoT Security (Managed by IoT Security)
What Do I Need?
  • IoT Security subscription for an advanced IoT Security product (Enterprise Plus, Industrial OT, or Medical)
Add compensating controls when you’ve taken steps to mitigate risk for your assets. Compensating controls can include factors such as Active Directory join status or endpoint protection. Configuring compensating controls adjusts device risk scores by reducing the risk score of a vulnerability or risk factor to more accurately represent the potential security risk of devices in your network.
IoT Security provides some system-default compensating control types, which you can adjust and apply to devices in your network. You can also create your own compensating control types to account for additional mitigations.
View and manage compensating controls from Settings > Risk Score Configuration or from the Device Details page. On the Risk Score Configuration page, you can create new compensating control types, configure new compensating controls, and edit existing compensating controls. On the Device Details page, you can create new compensating controls for the device, view all compensating controls for the device, and adjust the compensating control factor for existing compensating controls.

Risk Score Configuration

Customize device risk scores by creating compensating controls from the Risk Score Configuration page.
Under Settings > Risk Score Configuration, you can view, add, and edit compensating controls from the compensating control section. Select the Compensating Control Type tab to view all configured compensating control types and edit user-defined ones. Switch to the Compensating Control Matching tab to see which devices and which risk (vulnerability or other risk factor) each compensating control matches, and to customize the compensating control factor for each matching criterion.

Create a New Compensating Control Type

Define a compensating control type when you want to create a broad category for related compensating controls. While compensating control types have a matching rule, you don't directly apply the compensating control type to all devices that match the rule. You need to create a compensating control with that compensating control type to apply the compensating control to matching devices. More commonly, you would narrow the scope of devices that the compensating control applies to by defining an asset scope.
For example, a system-defined compensating control type is Endpoint Security, and the matching rule is that a device protected with endpoint protection can have a compensating control with type Endpoint Security. There can be multiple compensating control asset scopes that use the Endpoint Security type. You can only create new compensating control types from the Risk Score Configuration page.
  1. Navigate to Settings > Risk Score Configuration and select the Compensating Control Type tab from the compensating controls section.
  2. Click Add Compensating Control Type to bring up the Add Compensating Control Type pop-up.
  3. Configure the following fields.
    • Type: Enter the type of compensating control.
    • Matching Rule: Choose the attributes, operators, and attribute values that identify the compensating control type.
  4. Apply the new compensating control type.
  5. Verify that the new compensating control type appears in the Compensating Control Type table.
    You can now use this compensating control type when applying compensating controls to assets.

Apply a New Compensating Control

You can create a new compensating control to apply to multiple matching assets. When defining a new compensating control, you can choose a system-defined type or a user-defined type. After choosing the type of compensating control, you match that type to a specific asset scope and risk (vulnerability or other risk factor).
For example, you can define an Endpoint Protection compensating control for all devices with internet access. The asset scope for the compensating control would be all assets that have the risk of internet access. Because the compensating control type is Endpoint Protection, the matching criteria would only apply to those assets with internet access that also have endpoint protection. For all assets in scope that match the matching criteria, the compensating control offsets the risk caused by internet access. The compensating control does not offset other risks that those devices might be exposed to.
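The matching logic described above (the type's matching rule, the asset scope and one specific risk must all agree, and only that risk is offset) as an added Python model; this is illustrative code, not IoT Security's own implementation. The device inventory, the per-risk scores and the treatment of the compensating control factor as a 0 to 1 fraction of the risk removed are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample inventory (not real devices): the risks detected on each
# device, with an illustrative score per risk; real IoT Security weights differ.
DEVICES = {
    "aa:bb:cc:00:00:01": {"profile": "Infusion Pump", "endpoint_protection": True,
                          "risks": {"internet_access": 30, "CVE-EXAMPLE-0001": 40}},
    "aa:bb:cc:00:00:02": {"profile": "Infusion Pump", "endpoint_protection": False,
                          "risks": {"internet_access": 30}},
    "aa:bb:cc:00:00:03": {"profile": "IP Camera", "endpoint_protection": True,
                          "risks": {"internet_access": 30}},
}

@dataclass
class CompensatingControl:
    name: str
    # Matching rule from the control type: does the device actually have the mitigation?
    type_rule: Callable[[dict], bool]
    # Asset scope: the set of devices the control is meant to cover.
    asset_scope: Callable[[dict], bool]
    risk: str      # the single vulnerability or risk factor this control offsets
    factor: float  # compensating control factor, modelled here as the 0..1 fraction removed

def matching_devices(control: CompensatingControl) -> List[str]:
    """Asset-scope preview like View Matching Devices: scope only, type rule not applied."""
    return [mac for mac, dev in DEVICES.items() if control.asset_scope(dev)]

def exposure(dev: dict, controls: List[CompensatingControl]) -> Dict[str, float]:
    """Per-risk contribution after applying every control that matches this device and risk."""
    adjusted = {}
    for risk, score in dev["risks"].items():
        for c in controls:
            # All three must hold: same risk, device in asset scope, device has the mitigation.
            if c.risk == risk and c.asset_scope(dev) and c.type_rule(dev):
                score *= 1.0 - c.factor
        adjusted[risk] = round(score, 2)  # other risks pass through unchanged
    return adjusted

def risk_score(mac: str, controls: List[CompensatingControl]) -> float:
    return round(sum(exposure(DEVICES[mac], controls).values()), 2)

# The page's example: Endpoint Protection control scoped to every asset with internet access.
EP_FOR_INTERNET = CompensatingControl(
    name="Endpoint Protection - internet access",
    type_rule=lambda d: d["endpoint_protection"],
    asset_scope=lambda d: "internet_access" in d["risks"],
    risk="internet_access",
    factor=0.5,
)
```

Running `risk_score(mac, [EP_FOR_INTERNET])` over `DEVICES` shows the pump without endpoint protection keeping its full internet-access risk while the other two devices have it halved, and the first pump's CVE contribution untouched.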
  1. Navigate to Settings > Risk Score Configuration, and select the Compensating Control Matching tab from the compensating controls section.
  2. Click Apply Compensating Control to bring up the Add Compensating Control pop-up.
  3. Configure the compensating control.
    When you add or edit a compensating control, the Matching Rule field automatically fills in based on the compensating control type that matches the risk that you chose to add the compensating control to.
    • Type: Select the compensating control type. The selected type will also populate the Matching Rule field.
    • Name: Enter a name for the compensating control.
    • Optional Description: Enter a short description.
  4. Define the assets and risks the compensating control applies to.
    1. Configure the following fields:
      • Asset Scope: Enter the criteria for all assets that you want to apply the compensating control to.
      • Risk: Select the risk that the compensating control applies to. You can select either Vulnerability or Other Risk Criteria.
      • Vulnerability Risk Criteria (when Risk is Vulnerability): Define the risk criteria that the compensating control applies to.
      • Other Risk Criteria (when Risk is Other Risk Factors): Select the appropriate risk criteria from the drop-down list.
    2. View Matching Devices to verify the devices included in the asset scope.
      The Match Results section displays the count of all devices that match the defined asset scope. You can click the count to open the asset inventory in a new tab or window, filtered to show all devices that match your asset scope.
  5. Enter a Compensating Control Factor, which is how much the compensating control offsets the risk.
  6. Apply the compensating control.
    Compensating controls can take up to 24 hours to take effect, so you might not see an immediate change in the device’s risk score.
  7. Verify that your new compensating control appears in the Compensating Control Matching table.

Device Details

Create and manage compensating controls from the Device Details page.
On the Device Details page, you can add compensating controls when viewing the device's risk score. For existing compensating controls, you can adjust the compensating control factor from the Device Details page. To make other changes to an existing compensating control, edit the compensating control under Settings > Risk Score Configuration.
  1. Navigate to Assets > Devices and select the device that you want to add a compensating control for.
  2. On the Device Details page, find the device's risk score under the device's thumbnail, and click See Details.
    This brings up the Risk Score Details side panel for the device.
  3. In the Exposure Score table, review the list of identified risks, and see which risks you can apply a compensating control for.
    Compensating controls apply only to vulnerabilities and other risk factors. When you can add a compensating control, you will see an Edit (pencil) icon in the Compensating Control Name field for that risk.
  4. Select the Edit (pencil) icon in the Compensating Control Name field for the risk that you want to apply a compensating control to.
  5. On the Risk Score Details > Edit Compensating Controls pop-up page, select + Add New to bring up the Add Compensating Control pop-up.
  6. Configure the compensating control.
    When you add or edit a compensating control, the Matching Rule field automatically fills in based on the compensating control type that matches the risk that you chose to add the compensating control to.
    • Type: Select the compensating control type. The selected type will also populate the Matching Rule field.
    • Name: Enter a name for the compensating control.
    • Optional Description: Enter a short description.
  7. Define the assets and risks the compensating control applies to.
    1. Configure the following fields:
      • Asset Scope: Enter the criteria for all assets that you want to apply the compensating control to. By default, the MAC address of the device you're modifying is part of the Asset Scope.
        The current device must always be within the asset scope, since you're applying the compensating control to the device. If you change the asset scope and it no longer includes the current device, then you won't be able to apply the compensating control.
      • Risk: Select the risk that the compensating control applies to. You can select either Vulnerability or Other Risk Criteria.
      • Vulnerability Risk Criteria (when Risk is Vulnerability): Define the risk criteria that the compensating control applies to.
      • Other Risk Criteria (when Risk is Other Risk Factors): Select the appropriate risk criteria from the drop-down list.
    2. View Matching Devices to verify that the current device falls in the asset scope.
      The Match Results section displays the count of all devices that match the defined asset scope. You can click the count to open the asset inventory in a new tab or window, filtered to show all devices that match your asset scope.
  8. Enter a Compensating Control Factor, which is how much the compensating control offsets the risk.
  9. Apply the compensating control.
    Compensating controls can take up to 24 hours to take effect, so you might not see an immediate change in the device’s risk score.
  10. Verify that your new compensating control appears in the Compensating Control Name field for the risk that you added it to.