Using Epiphany: A Quickstart Guide
This page describes a simple Epiphany workflow. It defines a few concepts and explains how to set up your data sources so Epiphany can access their data, and also describes setting up your users.
Simple Workflow
Epiphany is a decision intelligence tool: it provides highly correlated data in minutes, where obtaining the same data otherwise would take days or weeks, after which you would still need to work out how and where to take action. This workflow is one example of how Epiphany can be put to use. Organizations vary in how they use information, so your usage may not completely match the workflow described here.
Initial setup. You must first identify your organization's data sources and obtain credentials for them. Epiphany uses these credentials to ingest data from the data sources. The data sources are generally API-driven, and the lowest level of privilege that allows the data to be read is all that is required; read-only access is typically sufficient.
Data acquisition. Epiphany's tools for analyzing and presenting data are cloud-based, meaning that siloed tenants need to be created and secured as part of the activation process. Epiphany can also work with on-premises data sources (data sources that aren't cloud-based). A basic workflow looks like this:
You log into Epiphany and add credentials for your organization's data sources. See Source Management in this guide for information about setting up data sources.
Some data sources are local to your organization's physical environment (such as Microsoft Active Directory) and require a local data collector. You will set those up as well. The local data collector must connect securely to the cloud-based platform, which means Epiphany requires access to the local collector and the cloud-based portal at the same time. See Site Collectors Setup in this guide for instructions on setting up Epiphany to collect local data.
Data collection is scheduled and occurs.
Analyzed data is presented in various areas of the Epiphany console. Some data takes longer to appear in the console than others.
If a supported data source isn't available for selection in Epiphany, talk to your support person.
Add users. You add additional users to the system.
Each user then configures their own dashboards. See User Management in this guide for information about setting up users.
Refine the workflow. You can build or modify processes to determine how to make Epiphany's data actionable. Generally, the data from Epiphany provides the capability to do the following:
Identify the required work effort to install or reconfigure agents for recommended solutions.
Find and decommission rogue devices not known to be in use (this can include non-computer devices such as PBXs and network tools).
Identify the required work effort to manage and harden Active Directory, such as planned domain controller upgrades (as well as domain functional levels), audits and revisions of group memberships, removal or deactivation of stale accounts, and changes to service account credentials and operational practices (for example, unsafe practices such as domain admins accessing non-domain-controller accounts).
Identify and audit environmental changes (such as system or account additions or reconfigurations) that have introduced new risks to the environment.
Strategize and work on best methods to remove the top 25 risks from the environment by audit, analysis of the recommended solutions, and execution. As the top 25 risks are resolved by internal processes, the next 25 then become the top 25, providing a continuous working cycle based on risk priority.
Identify the required work effort to patch in a manner prioritized on the risk to the business.
Identify and validate security controls at defined “chokepoints,” adding or increasing the level of auditing, alerting, or reconfiguring controls.
The tool can serve various other objectives and workflows; however, its data outputs often go to the following consumers:
A team that leverages data to configure or tune security information and event management (SIEM).
A security operations center (SOC) team to execute on specific actions.
A governance, risk, and compliance (GRC) group to audit, enforce, or modify policies and practices.
An executive team to identify trends, provide metrics of effectiveness, or to expound on risk.
Getting Started
Here is a quick checklist of what you need to do to get started with Epiphany:
But first, take a few minutes to learn about the Epiphany Tools.