Investigating Possible Communication with Protected Assets

SUMMARY You can create a Policy Monitor question, based on IP addresses, that detects possible communication with protected assets. From a risk perspective, it is important to know which users within your organization can communicate with critical network assets.

JSA Risk Manager accomplishes this task by creating a Policy Monitor question based on an asset test for possible communications.

You might look at all the connections to the critical server over time, but you might be more concerned with confirming that regional employees are not accessing these critical servers. To accomplish this goal, create a Policy Monitor question that looks at the topology of the network by IP address.

  1. Click the Risks tab.
  2. On the navigation menu, click Policy Monitor.
  3. From the Actions menu, select New.
  4. In the What do you want to name this question field, type a name for the question.
  5. In the What type of data do you want to return drop-down list, select Assets.
  6. From the Evaluate On drop-down list, select Possible Communication.
  7. From the Importance Factor drop-down list, specify a level of importance to associate with your question.
  8. In the Time Range section, specify a time range for the question.
  9. In the Which tests do you want to include in your question section, double-click to select have accepted communication to destination asset building blocks.
  10. In the Find Assets that section, click asset building blocks to further configure this test and specify Protected Assets.
    Note: To define your network remote assets, your remote assets building block must be defined.
  11. In the Which tests do you want to include in your question section, double-click to select the restrictive test and include only the following IP addresses.
  12. In the Find Assets that section, click IP Addresses.
  13. Specify the IP address range or CIDR address of your remote network.
  14. Click Save Question.
  15. Select the Policy Monitor question that you created for protected assets.
  16. Click Submit Question.
  17. Review the results to see whether any protected asset accepts communication from an unknown IP address or CIDR range.
  18. Monitor your protected assets by putting the question into monitoring mode. If an unrecognized IP address connects to a protected asset, then JSA Risk Manager can generate an alert.
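To cross-check the question's results outside the product, the same "possible communication" idea can be evaluated against an exported rule set. The following is an added example, not Juniper code and not a description of how JSA Risk Manager computes its results; the rule list, asset addresses, and function names are constructed for illustration and assume ordered, first-match rules with an implicit deny.

```python
import ipaddress

# Constructed sample data, not exported from JSA: ordered first-match rules
# as (action, source CIDR, destination CIDR, destination port).
RULES = [
    ("deny",  "10.20.5.0/24",  "192.168.10.0/24", 1433),
    ("allow", "10.20.0.0/16",  "192.168.10.5/32", 1433),
    ("allow", "10.0.0.0/8",    "192.168.10.6/32", 443),
    ("allow", "172.16.0.0/12", "192.168.10.5/32", 22),
]
PROTECTED = {"db01": "192.168.10.5", "web01": "192.168.10.6"}  # constructed

def subtract(nets, blocked):
    """Return nets with the address space of `blocked` removed."""
    out = []
    for n in nets:
        if not n.overlaps(blocked):
            out.append(n)
        elif not n.subnet_of(blocked):  # blocked lies strictly inside n
            out.extend(n.address_exclude(blocked))
    return out

def possible_sources(remote_cidr, asset_ip, port, rules):
    """Parts of remote_cidr that first-match evaluation lets reach asset_ip:port."""
    remaining = [ipaddress.ip_network(remote_cidr)]  # not yet matched by a rule
    allowed, dst = [], ipaddress.ip_address(asset_ip)
    for action, src, dest, rule_port in rules:
        if rule_port != port or dst not in ipaddress.ip_network(dest):
            continue
        src_net = ipaddress.ip_network(src)
        # CIDR blocks nest or are disjoint, so an overlap is the smaller block.
        hit = [n if n.subnet_of(src_net) else src_net
               for n in remaining if n.overlaps(src_net)]
        if action == "allow":
            allowed.extend(hit)
        remaining = subtract(remaining, src_net)  # later rules never see these
    return sorted(allowed)  # whatever is left in `remaining` hits implicit deny

def question(remote_cidr, rules=RULES, assets=PROTECTED):
    """Map (asset, port) to the remote sources that could reach it."""
    results = {}
    for name, ip in assets.items():
        for port in sorted({r[3] for r in rules}):
            srcs = possible_sources(remote_cidr, ip, port, rules)
            if srcs:
                results[(name, port)] = [str(s) for s in srcs]
    return results

if __name__ == "__main__":
    for key, srcs in question("10.20.0.0/16").items():
        print(key, srcs)
```

In the sample data the earlier deny rule carves 10.20.5.0/24 out of the remote range for db01, so the broader allow rule behind it exposes the rest of the /16 but not that subnet.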