Epiphany Intelligence Platform (EIP)

Approach and Resource Investment:

Epiphany was designed to easily integrate into your environment and provide results in hours as opposed to months using other tools and methods. We employ a simple methodology to integrate into environments that consists of planning the connected data sources, communicating with the data source owners, setting up connections, and finally providing decision intelligence.With the required data inputs, the solution can provide attack paths and mitigation steps in minutes, which is useful for incident response. In less emergent scenarios, a staggered integration approach is often used dedicating time to each of the system owners. Even in the latter scenario, there is generally less than 8 hours needed to fully integrate the solution.

Data Requirements:

Epiphany leverages data from Identity providers, such as Microsoft Active Directory, vulnerability platforms such as Qualys, endpoint protection such as Crowdstrike, and multiple network management systems to generate optimized attack paths. Other data sources are supported to extend the capabilities of the platform into disconnected environments as well. Furthermore, Epiphany has a structured process for integrating other data sources in weeks, as opposed to months with other tools that perform aggregation.

Customer Considerations:

Q: I'm concerned about the level of access the platform needs to perform analysis.

A: The Epiphany Intelligence platform leverages read only access in most cases, which is achieved via APIs developed and maintained by the manufacturer of the data sources. We operate on the principle of least privilege, which effectively minimizes risk of privilege abuse by the platform.

Q: I'm concerned the platform can see more of the environment than I wish to provide access to, especially since it leverages API connectivity for data.

A: In most cases, APIs developed by data source manufacturers can be limited to a subset or a scope of data. It is not uncommon for users of the Epiphany Intelligence platform to limit the scope of data integration to Microsoft Active Directory Organizational Units, leveraging service accounts or service principal names for APIs that are only able to leverage limited datasets.

Q: What are the minimum data requirements to get usable data from the platform?

A: Providing more data sources enriches the results from the analysis. For example, if you only integrate an identity data source such as Active Directory, the solution creates attack paths based on a concept referred to as "assumed breach". More data enriches the analysis of risk and therefore the existence and prioritization of attack paths and remediation guidance.

At a minimum, it is recommended that identity, vulnerability, and endpoint protection data sources are provided.

Q: What do you do with the data?

A: The data collected and utilized by the Epiphany Intelligence Platform is for the creation of attack paths and highlighting of risks within your environment. Epiphany will only store data that is relevant for providing context to risks Epiphany identifies. In most cases this is a very small subset of data that is contained in the original data source.

Q: What about false positives?

A: The Epiphany Intelligence Platform operates by showing the current state of the environment and as such only shows the output of deterministic systems. What this means is that Epiphany will only show something if it exists such as users being associated to devices, devices being attached to networks, or a vulnerability reported on a device by vulnerability scanner.

Q: How do you protect my data?

A: Epiphany employs security focused architecture which supports resilient protection against data loss even after multiple system failure or compromise. This architecture, coupled with our operational practices and controls make it incredibly difficult to access data in a form that can be tracked back to a customer.