Tetration - Dynamic Policies and Vulnerability Detection

One of the awesome things that Tetration can do is create dynamic policies based on changing conditions and detect vulnerable software in workloads. In this blog post, I will briefly go over both of these features.

With a dynamic policy, we can change the level of access a workload has based on a condition on the workload itself, and Tetration adjusts that access as the condition changes. For example, if we wanted a policy that tells Tetration to look for any server running Docker and make sure it can’t access the campus networks, we can easily do so.

The policy pictured above states that if a workload is running the Docker process, it is prevented from communicating with campus laptops and desktops. The rule only takes effect while the Docker process is running. If Docker is not running, the policy on that workload does not deny access to those campus desktops and laptops.

If we next wanted to drill down and see exactly which servers are running the Docker service, we could click on Docker_Process in the policy above, and every server running the Docker process is listed in the right-hand pane.

One great use case for the dynamic policy above is to couple it with Tetration’s ability to detect vulnerable software packages installed on the servers. Since Tetration takes an inventory of every software package installed on each endpoint and compares it against known CVEs, it can alert on any high-risk CVEs it finds. If we want to do more than just be alerted on those CVEs, we can take it a step further with a dynamic policy that limits exposure while those high-risk CVEs are present.

In the example policy above, servers with critical CVEs are denied access to the internet. The server and its users can still communicate while the CVE is present, so business is not disrupted, but none of the servers with the vulnerability can communicate directly with the internet for as long as Tetration detects the CVE. As the picture shows, one can also click on Critical_CVE in the policy and see in the right-hand pane the number of endpoints where those critical CVEs are detected. Because the policy is dynamic, as soon as the CVE is remediated and no longer detected on the server, the policy automatically reverts and the server returns to its normal operation.
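To make the behaviour of both policies concrete, here is an added toy model of the evaluation logic described above. It is example code written for this post, not Tetration's API or any of its own code: the workload inventory shape, the filter names (Docker_Process, Critical_CVE), the CVE feed with placeholder IDs, and the "critical means CVSS v3 base score 9.0 or higher" threshold are all assumptions. The point it demonstrates is that a deny rule exists only while the filter condition holds, and disappears on re-evaluation once the process stops or the vulnerable package is patched.

```python
from dataclasses import dataclass

CRITICAL_CVSS = 9.0  # assumption: "critical" means CVSS v3 base score >= 9.0

# Constructed CVE feed (package-version -> [(cve_id, cvss)]). IDs are placeholders, not real CVEs.
CVE_FEED = {
    "examplelib-1.0": [("CVE-PLACEHOLDER-0001", 9.8)],
    "otherlib-2.3": [("CVE-PLACEHOLDER-0002", 5.3)],
}


@dataclass
class Workload:
    """Inventory reported for one server (hypothetical shape, not the sensor's real schema)."""
    name: str
    processes: frozenset
    packages: frozenset


def docker_process(w: Workload) -> bool:
    """Docker_Process filter: membership depends on a currently running process."""
    return "dockerd" in w.processes


def critical_cve(w: Workload) -> bool:
    """Critical_CVE filter: membership depends on an installed package matching a critical CVE."""
    return any(cvss >= CRITICAL_CVSS
               for pkg in w.packages for _, cvss in CVE_FEED.get(pkg, []))


# Each policy: (filter name, membership predicate, destination scope that members are denied).
POLICIES = [
    ("Docker_Process", docker_process, "Campus_Laptops_Desktops"),
    ("Critical_CVE", critical_cve, "Internet"),
]


def filter_members(workloads, filter_name):
    """What the right-hand pane shows: the current members of a dynamic filter."""
    predicate = next(p for n, p, _ in POLICIES if n == filter_name)
    return sorted(w.name for w in workloads if predicate(w))


def effective_deny_rules(workloads):
    """Re-evaluate every policy against current inventory; a rule exists only while its condition holds."""
    return sorted((w.name, dest) for _, predicate, dest in POLICIES
                  for w in workloads if predicate(w))


if __name__ == "__main__":
    web = Workload("web01", frozenset({"nginx", "dockerd"}), frozenset({"otherlib-2.3"}))
    db = Workload("db01", frozenset({"postgres"}), frozenset({"examplelib-1.0"}))
    print(effective_deny_rules([web, db]))  # [('db01', 'Internet'), ('web01', 'Campus_Laptops_Desktops')]
    patched = Workload(db.name, db.processes, frozenset({"examplelib-1.1"}))  # vulnerable package upgraded
    print(effective_deny_rules([web, patched]))  # [('web01', 'Campus_Laptops_Desktops')]
```

Running the script shows the Internet deny rule for db01 vanish on the second evaluation, which is the automatic reversion the post describes once the CVE is no longer detected.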