Lumeta Spectre Asset Manager is a powerful solution that indexes a prodigious volume of data. Yet too much of a good thing—including information---can overwhelm. For this reason, Lumeta Spectre Asset Manager is designed to be configured incrementally.
Once the settings have been satisfactorily tuned and baselined for one zone of your network, that zone is explored using additional protocols, with additional discovery types, and with other options enabled, yielding a network that is increasingly known, analyzed, and understood by your organization. This approach brings Lumeta Spectre Asset Manager online in your environment deliberately , and uses it to generate result sets that are reasonably sized, digestible, and actionable.
Customer after customer has found that Lumeta Spectre Asset Manager tends to amplify the capabilities of other security systems running in their network. Ultimately, Lumeta Spectre Asset Manager helps customers first to first achieve and then maintain the state of continuous network situational awareness.
| Anchor | ||||
|---|---|---|---|---|
|
Lumeta Spectreis Asset Manager is designed to be deployed incrementally, with a constrained discovery area gradually expanded in scope to encompass the whole of your network. This caps the volume of information generated to an amount that can be addressed reasonably by your troubleshooting teams. It also minimizes the amount of information you need to input to into the system to get started.
Toward that end, the first deployment exercise is to identify critical core infrastructure. Consider selecting the your OSPF network's backbone area (i.e., Area 0) of your OSPF network as as the starting area for discovery.
Identify Critical Core Infrastructure
Your PSO technical consultant will ask you a series of questions to better understand your network better. This preliminary information informs decisions to come regarding how and where you set up Lumeta Spectre Asset Manager components. It also helps in defining define network zones and developing develop conceptual models that visually convey salient information to those in various roles visually.
A retailer, for example, stores its customers' credit card information in a protected enclave. That enclave would be an ideal candidate location from which to start. It's a best practice to limit your initial scope to one or two enclaves.
Identify What's Known: Zone & Collector List TypesAnchor IWK IWK
The final preparatory step is to answer the question, "What do you already know about your network's critical core?" Your technical consultant will work with you to identify and embed this information and embed it in SpectreAsset Manager. This process entails associating IPs and CIDRs with particular network zones and within that zone, labeling them as Internal (aka "owned") or Known (aka "familiar").
Here's a preview of what to gather and the field requirements for entering data to Lumeta SpectreAsset Manager:
...
- Internal is used in Spectre Asset Manager to define the perimeter of your network--the edges where you might leave your internal network space to enter unmanaged outside space such as the Internet. Defining and refining the perimeter of your network's perimeter helps you to better understand your ingress and egress points points (i.e., usually firewall devices) to control and manage them. Internal subnets are those your organization has under management.
Known - The Known list is all of the "networks you know about." It's the address space (i.e., CIDR blocks and IP addresses) about which you are aware.
Eligible - The Eligible list signals to collectors, "It's okay to go here." ItIt's the address space (i.e., CIDR blocks, IPs) Spectre Asset Manager is permitted to investigate. If an IP is found during Host Discovery or on contact with a routing table and it is also on the Eligible list, then Spectre Asset Manager interrogates that route or IP.
To make Spectre Asset Manager perform Path Discovery and Host Discovery on all SpectreAsset Manager-discovered routes and devices, enter 0.0.0.0/0 on your Eligible list.
In preparation for discovery, you'll also need to associate collectors with areas to monitor and areas to avoid. Collectors go to their Targets, drop further interrogation after Avoids, and halt at Stops. The IP/CIDR list defines the coordinates within which discovery activities take place. At the collector level, scope coordinates are located in the Discovery Spaces tab. The Spectre The Asset Manager system appends discovered routes and IPs to its internally managed Target list. The Discovery Spaces Target List illustrated here, however, shows only those Targets input manually or imported by system users like you.
- Target
The target list governs where collectors send packets during active and targeted discovery.Avoid - The Avoid list itemizes those areas of a network that should not be probed during monitoring such as an affiliated company’s subnet. Spectre Asset Manager drops further interrogation of discovered devices and routes that are in the Avoid list.
- Stop List
This list contains address points at which path discovery will halt. Probes beyond that address space cease. The Stop list serves as another way to prevent access to off-limit areas of a network.
Other information you'll need to provide includes:
- OSPF Information
: Your local domain’s OSPF Area ID, typically Area 0, the backbone. - Network Information for the Command Center and Scouts
The following additional information, which you may choose to auto-configure via DHCP.- IP Address
- Network Mask
- Default Gateway
- SNMP Information
: A list of community strings and/or v3 credentials that Lumeta Spectre Asset Manager uses during Path Discovery and Device and Device Profiling Discovery.
At the conclusion of this process, you'll have a clear definition of where you want to send discovery packets and where you don't. You'll know the network segments to which you'll connect your Lumeta SpectreAsset Manager, and you'll have enough information to set up a zone and configure Collectors. In brief, you'll have devised a vantage point from which to start observing a segment of your network.
| Anchor | ||||
|---|---|---|---|---|
|
Your preliminary discovery configuration will allow you to exercise Lumeta Spectre Asset Manager in a small target area of your network to see if it returns the results you expected.
To configure discovery, browse to any location in Lumeta Spectre Asset Manager, select Admin Settings from the top navigation bar and use the following procedures to configure users, roles, a zone, and one or more collectors.
- See Users & Roles to configure Spectre Asset Manager system users and roles.
- See Adding & Managing Zones to configure a zone.
Verify Spectre Verify Asset Manager Results
- Discover your devices
- Profile your devices
- Access data via SNMP
- Discover specific ports
Verify Lumeta SpectreAsset Manager's view of these devices, profiles, and ports against what you know and expect to find about them, and assess the results.
...
- Some kind of security blocking such as a firewall that won't let discovery probes through
- Insufficient or incorrect community strings or credentials that limit the amount of information returned about routing tables and SysNames
- Insufficient or incorrect target lists (CIDRs)
- Unchecked options in the Path Discovery pane. If Trace-to-Hosts is not selected, Lumeta Spectre Asset Manager will discovery hosts via broadcast and OSPF protocol, but would not try to find the path to those hosts.
- If Trace-to-Discovered-Routes is not selected or discovered routes are not on the Eligible list, and Lumeta Spectre Asset Manager gets routes/IPs from a routing device via SNMP, it does not pursue those addresses. This also can be controlled (i.e, limited, fine-tuned) by the Stop or Avoid lists in Discovery Spaces, and the Eligible list in the Zone configuration.
Can you see what you want to see and what you anticipated seeing? That's excellent!
Your successfully configured zone is now running and will continue to run. Spectre Asset Manager will provide your enterprise with continual awareness (i.e., network situational awareness) about the core infrastructure segment you just successfully configured. That awareness is conveyed in the form of analyses, reports, notifications, and topology maps.
| Anchor | ||||
|---|---|---|---|---|
|
Continue to add zones that represent other enclaves and other uni-purposed aspects of your infrastructure such as Credit Card Zone, Classified Data Zone, Finance Zone, WiFi Zone, Guest Zone.
...