
Creating an Asset Question

Search for assets in the network that violate a defined policy or assets that introduced risk.

Policy Monitor questions are evaluated in a top-down manner. The order of Policy Monitor questions impacts the results.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. From the Actions menu, select New Asset Question.
  4. In the What do you want to name this question field, type a name for the question.
  5. From the Evaluate On list, select one of the following options:

    Option                    Description

    Actual Communication      Includes any assets on which communications were detected, based on recorded connections.

    Possible Communication    Includes any assets on which communications are allowed through your network topology, such as firewalls. Use these questions to investigate whether specific communications are possible, regardless of whether a communication was detected.

  6. From the Importance Factor list, select the level of importance you want to associate with this question. The Importance Factor is used to calculate the Risk Score and define the number of results returned for a question.
  7. Specify the time range for the question.
  8. From the Which tests do you want to include in your question field, select the add (+) icon beside the tests you want to include.
  9. Configure the parameters for your tests in the Find Assets that field.

    Configurable parameters are bold and underlined. Click each parameter to view the available options for your question.

  10. In the groups area, click the relevant check boxes to assign group membership to this question.
  11. Click Save Question.

Investigating External Communications That Use Untrusted Protocols

You can use a policy monitor question that is based on the known list of trusted protocols to monitor traffic in your DMZ. In most organizations, network traffic that crosses the DMZ is restricted to known and trusted protocols, such as HTTP or HTTPS on specified ports.

From a risk perspective, it is important to continuously monitor traffic in the DMZ to ensure that only trusted protocols are present. Use JSA Risk Manager to accomplish this task by creating a policy monitor question based on an asset test for actual communications.

Complete the following steps to create a policy monitor question based on the known list of trusted protocols for the DMZ.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. From the Actions menu, select New Asset Question.
  4. In the What do you want to name this question field, type a name for the question.
  5. In the What type of data do you want to return drop-down list, select Assets.
  6. In the Evaluate On menu, select Actual Communication.
  7. From the Importance Factor menu, specify a level of importance to associate with your question.
  8. In the Time Range section, specify a time range for the question.
  9. In the Which tests do you want to include in your question panel, select have accepted communication to destination networks.
  10. In the Find Assets that... panel, click destination networks to further configure this test and specify your DMZ as the destination network.
  11. Select the and include the following inbound ports test.
  12. In the Find Assets that... panel, click include only so that it changes to exclude.
  13. Click ports.
  14. Add port 80 and 443, and then click OK.
  15. Click Save Question.
  16. Select the policy monitor DMZ question that you created.
  17. Click Submit Question.
  18. Review the results to see whether any protocols other than port 80 and port 443 are communicating on the network.
  19. Monitor your DMZ question by putting the question into monitoring mode when the results are tuned.

Finding Assets That Allow Communication from the Internet

Use JSA Risk Manager policy monitor questions to find assets that allow communication from the Internet. JSA Risk Manager evaluates the question and displays the results of any internal assets that allow inbound connections from the Internet.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. From the Group list, select PCI 10.
  4. Select the test question Assess any inbound connections from the Internet to anywhere on the internal network.
  5. Click Submit Question.

Assessing Devices That Allow Risky Protocols

Use JSA Risk Manager policy monitor questions to assess devices that allow risky protocols.

JSA Risk Manager evaluates a question and displays the results of any assets, in your topology, that match the test question. Security professionals, administrators, or auditors in your network can approve communications that are not risky to specific assets. They can also create an offense for the behavior.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. From the Group list, select PCI 1.
  4. Select the test question Assess any devices (i.e. firewalls) that allow risky protocols (i.e. telnet and FTP traffic - port 21 & 23 respectively) from the Internet to the DMZ.
  5. Click Submit Question.

Investigating Possible Communication with Protected Assets

You can create a policy monitor question based on IP addresses that detects possible communication with protected assets. From a risk perspective, it is important to know which users within your organization can communicate with critical network assets.

You accomplish this task in JSA Risk Manager by creating a policy monitor question based on an asset test for possible communications.

You might look at all the connections to the critical server over time, but you might be more concerned with ensuring that regional employees cannot access these critical servers. To accomplish this objective, you can create a policy monitor question that evaluates the topology of the network by IP address.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. From the Actions menu, select New.
  4. In the What do you want to name this question field, type a name for the question.
  5. In the What type of data do you want to return drop-down list, select Assets.
  6. From the Evaluate On drop-down list, select Possible Communication.
  7. From the Importance Factor drop-down list, specify a level of importance to associate with your question.
  8. In the Time Range section, specify a time range for the question.
  9. In the Which tests do you want to include in your question section, double-click to select have accepted communication to destination asset building blocks.
  10. In the Find Assets that... section, click asset building blocks to further configure this test and specify Protected Assets.

    Note: To reference your remote network assets in a question, the remote assets building block must already be defined.

  11. In the Which tests do you want to include in your question section, double-click to select the restrictive test and include only the following IP addresses.
  12. In the Find Assets that... section, click IP Addresses.
  13. Specify the IP address range or CIDR address of your remote network.
  14. Click Save Question.
  15. Select the policy monitor question that you created for protected assets.
  16. Click Submit Question.
  17. Review the results to see whether any protected asset accepts communication from an unknown IP address or CIDR range.
  18. Monitor your protected assets by putting the question into monitoring mode. If an unrecognized IP address connects to a protected asset, then JSA Risk Manager can generate an alert.
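The following added example (not JSA Risk Manager code) models the logic of the two questions above, the DMZ untrusted-protocols question and the protected-assets question, as plain functions run over constructed connection records. The record format, function names and sample addresses are assumptions; for simplicity both questions are evaluated over recorded connections here, whereas the real Possible Communication question uses the topology model.

```python
"""Model of two Policy Monitor asset questions over constructed connection records.
Added illustration only; not JSA Risk Manager code. Record format is assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src: str    # source IP address
    dst: str    # destination IP address (the asset being evaluated)
    dport: int  # destination port


def in_networks(ip, cidrs):
    """True if ip falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def dmz_untrusted_protocols(conns, dmz_cidrs, trusted_ports=(80, 443)):
    """Question 1: DMZ assets that accepted inbound communication on any port
    EXCEPT the trusted ports (the 'include only' toggle switched to 'exclude'
    for ports 80 and 443). Returns {asset: {offending ports}}."""
    hits = {}
    for c in conns:
        if in_networks(c.dst, dmz_cidrs) and c.dport not in trusted_ports:
            hits.setdefault(c.dst, set()).add(c.dport)
    return hits


def protected_from_remote(conns, protected, remote_cidrs):
    """Question 2: protected assets that accept communication from the remote
    network ('include only the following IP addresses' restricts sources to the
    remote CIDR). Returns {asset: {remote source IPs}}."""
    hits = {}
    for c in conns:
        if c.dst in protected and in_networks(c.src, remote_cidrs):
            hits.setdefault(c.dst, set()).add(c.src)
    return hits


# Constructed sample connections (documentation ranges, not real traffic)
SAMPLE = [
    Connection("203.0.113.5", "192.0.2.10", 443),  # DMZ web server, trusted port
    Connection("203.0.113.7", "192.0.2.10", 22),   # DMZ web server, SSH: violation
    Connection("203.0.113.9", "192.0.2.11", 21),   # DMZ host, FTP: violation
    Connection("10.20.0.15", "10.0.0.5", 1433),    # regional office -> protected DB
    Connection("10.0.1.8", "10.0.0.5", 1433),      # head office -> protected DB, allowed
]
DMZ = ["192.0.2.0/24"]
PROTECTED = {"10.0.0.5"}
REMOTE = ["10.20.0.0/16"]

if __name__ == "__main__":
    print(dmz_untrusted_protocols(SAMPLE, DMZ))
    print(protected_from_remote(SAMPLE, PROTECTED, REMOTE))
```

Tuning the question means adjusting the trusted ports or the remote CIDR until only genuine violations remain, which is the state in which the real question is put into monitoring mode.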

View Question Information

You can view information about policy monitor questions and parameters on the Policy Monitor page.

If you want to view more information about any question, select the question to view the description.

If a question is in monitor mode when you select it, then you can view any events and offenses that are generated from the selected question.