Device Posture
In Lacework Edge, device posture can be used to determine the risk of a given device, which in turn can control user access to Applications and Networks. By this measure, you can ensure your users are accessing resources using managed and healthy devices.
The Device Posture menu is found under the Settings menu, under the Setup column.
Attributes
Device Posture Attributes are the individual considerations you compile into a Device Posture Profile to indicate the posture level of a device. Lacework Edge considers the following as attributes of Device Posture:
- Activation Lock enabled - MacOS only
- Disk Encryption enabled - MacOS & Windows
- Location Tracking enabled - MacOS & Windows
- Processes running - Linux, MacOS & Windows
Lacework Edge automatically tracks the status of Activation Lock, Disk Encryption and Location Tracking for all devices, so you can use those Attributes in a Profile without any changes. Checking for running processes requires a new Process Check Attribute.
Adding Process Check Attributes
To track processes, create a new Attribute by clicking + Attribute. This will bring up the Add Process Check dialog.
- In this dialog, assign your process check a descriptive name, choose the platform to which it applies, and optionally provide a description.
- Add a Process Regex for each process you want to track in this Attribute.
  - In the Process Regex, you can either match on just the executable name, or the whole path and executable name. For example, if searching for Microsoft Defender Antimalware Service, which is MsMpEng.exe, you can enter MsMpEng\.exe as its Process Regex.
  - You can add up to 20 Process Regex conditions. If ANY of these conditions are met, this Process Check is considered successful. For example, different devices run different antivirus or firewall software at your company, but all are considered valid, and so you may want to search for any such process.
- Once you've added the Process Regexes as part of this Attribute, click Save. Once saved, your new Attribute will appear in the list. You can click on its name to view details and edit.
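The Process Regex rules above, modelled in Python as an added example (not Lacework Edge code): it shows the ANY semantics across conditions and how the escaped dot and a whole-path pattern are stricter than a loosely written name. It assumes each pattern is applied as an unanchored, case-sensitive search over the full process path, which this page does not specify; the process lists and the exampleavd.exe product are constructed.

```python
import re

MAX_CONDITIONS = 20  # limit stated on this page

def process_check(patterns, running):
    """True if ANY Process Regex matches ANY running process path.

    Assumption: each pattern is an unanchored, case-sensitive search over
    the full path; the page does not state the product's matching mode.
    """
    if not 1 <= len(patterns) <= MAX_CONDITIONS:
        raise ValueError("expected 1 to 20 Process Regex conditions")
    compiled = [re.compile(p) for p in patterns]
    return any(rx.search(path) for rx in compiled for path in running)

# Constructed process lists (not captured from real devices).
DEFENDER_HOST = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
]
OTHER_AV_HOST = [r"C:\Program Files\ExampleAV\exampleavd.exe"]  # hypothetical product
NO_AV_HOST = [r"C:\Windows\System32\svchost.exe", r"C:\Temp\MsMpEngXexe"]

NAME_ONLY = r"MsMpEng\.exe"   # form given on this page: literal dot
UNESCAPED = r"MsMpEng.exe"    # '.' matches any character, so this is looser
FULL_PATH = r"^C:\\ProgramData\\Microsoft\\Windows Defender\\.*\\MsMpEng\.exe$"
ANY_VALID_AV = [NAME_ONLY, r"exampleavd\.exe"]  # several accepted products

if __name__ == "__main__":
    for label, pats, host in [
        ("name only / Defender host", [NAME_ONLY], DEFENDER_HOST),
        ("name only / no AV host", [NAME_ONLY], NO_AV_HOST),
        ("unescaped dot / no AV host", [UNESCAPED], NO_AV_HOST),
        ("full path / Defender host", [FULL_PATH], DEFENDER_HOST),
        ("any valid AV / other AV host", ANY_VALID_AV, OTHER_AV_HOST),
    ]:
        print(f"{label}: {process_check(pats, host)}")
```
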
Profiles
Device Posture Profiles pull together the monitoring of different Attributes of a device's posture to set a single tag, posture, which can be applied to access decisions.
- Profiles may contain one or more Attributes.
- For a device to match a Profile, it must match ALL Attributes in that profile.
- Attributes can be used across multiple Profiles and Posture Levels. For example, you may want a Low Profile to only match on Disk Encryption, and a Medium one to match on Disk Encryption AND Location Tracking.
- Device Profiles are OS-specific, so it makes sense to have multiple Profiles to match each OS you are monitoring for Posture.
- Lacework Edge offers 3 Posture Levels under which you can create Profiles - High, Medium and Low.
- Edge will check each device against all of the profiles in descending order from High to Low. In turn, the device will get the Posture Level of the first profile it matches, and hence the highest possible level for that device.
- If a device matches no profiles, it will be given a Posture Level of None.
Creating Profiles
- To create a Device Posture Profile in Lacework Edge, click the Posture Level for which you want to add a Profile, and click the + Profile button. You will be asked which platform (OS) this Profile will apply to. Once you choose your OS, you will be presented with the New Profile dialog.
- In this dialog, assign your Profile a descriptive name and optionally provide a description.
- Select the Attributes you want to be considered as part of this Profile by checking the boxes next to those Attributes.
- Once you are finished, click Save. Your Profile will appear in the list for that Posture Level. You can click on its name to view its details or edit.
Using Device Posture
Posture Tags In Security Policies
Once you have Device Posture Profiles defined to your liking, you can use the following posture-related tags as Session Tags in your Security Policies:
- posture:none|low|medium|high - Matches on exact Posture Level.
  - Example: using posture:none, you could deny access to all apps to all devices without any posture.
  - Example: using posture:high, you could permit access to all apps to high-posture devices.
- posture_ge:none|low|medium|high - Matches Posture Levels greater than or equal to the value entered.
  - Example: using posture_ge:medium, you could permit access to certain applications to devices that have posture:high or posture:medium.
- posture_le:none|low|medium|high - Matches Posture Levels less than or equal to the value entered.
  - Example: using posture_le:low, you could run devices with posture:low or posture:none through a workflow before granting access to certain applications.
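The evaluation rules from the Profiles section and the three tag forms above, modelled in Python as an added example (not Lacework Edge code or its API): a device gets the level of the first Profile it fully matches, checked High to Low, and tags are then compared against that level. The dictionary layout, attribute key names, profiles and devices are all constructed for illustration.

```python
LEVELS = ["none", "low", "medium", "high"]  # ascending, as posture_ge / posture_le compare

def posture_level(device, profiles):
    """Level of the first matching Profile, checked High to Low; else 'none'."""
    for level in ("high", "medium", "low"):
        for prof in profiles:
            if (prof["level"] == level
                    and prof["os"] == device["os"]  # Profiles are OS-specific
                    and set(prof["attributes"]) <= device["attributes"]):  # ALL match
                return level
    return "none"

def tag_matches(tag, level):
    """Evaluate a posture:, posture_ge: or posture_le: tag against a level."""
    name, _, value = tag.partition(":")
    if value not in LEVELS:
        raise ValueError(f"unknown posture level in tag: {tag!r}")
    have, want = LEVELS.index(level), LEVELS.index(value)
    if name == "posture":
        return have == want
    if name == "posture_ge":
        return have >= want
    if name == "posture_le":
        return have <= want
    raise ValueError(f"not a posture tag: {tag!r}")

# Hypothetical Profiles mirroring the Low / Medium example in the Profiles section.
PROFILES = [
    {"level": "medium", "os": "macos",
     "attributes": ["disk_encryption", "location_tracking"]},
    {"level": "low", "os": "macos", "attributes": ["disk_encryption"]},
    {"level": "low", "os": "windows", "attributes": ["disk_encryption"]},
]
# Constructed devices; attribute names are placeholders, not product identifiers.
MAC_FULL = {"os": "macos", "attributes": {"disk_encryption", "location_tracking"}}
MAC_ENC = {"os": "macos", "attributes": {"disk_encryption"}}
LINUX_BOX = {"os": "linux", "attributes": {"disk_encryption"}}

if __name__ == "__main__":
    for name, dev in [("MAC_FULL", MAC_FULL), ("MAC_ENC", MAC_ENC), ("LINUX_BOX", LINUX_BOX)]:
        lvl = posture_level(dev, PROFILES)
        print(name, lvl, "posture_ge:medium ->", tag_matches("posture_ge:medium", lvl))
```

LINUX_BOX resolves to none because no Profile exists for its OS, so a policy keyed on posture:none applies to it even though its disk is encrypted.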
Viewing Device Posture Levels
The posture level for all devices can be seen in the Devices list, under the Posture Level column.
In addition, you can click into the details of a device to see its Posture Level and which of the Lacework Edge-defined attributes it currently matches.