Sevco Overview

The problems Sevco solves and the Sevco components

Sevco is a cloud-native asset intelligence platform that delivers converged asset inventory and generates real-time asset telemetry, then publishes both for use by other IT systems.

Sevco Enhances Security

Sevco exists to fix a decades-old problem: attackers know the networks they target better than the network owners. To solve this, we built an asset intelligence platform that delivers converged asset inventory, helping you get more from existing investments and improve security.

While organizations often own the right tools to secure their businesses, they have little insight into how these investments are deployed across their environments. This lack of visibility upends the foundation of every major security framework and presents a challenge to security teams: they can't protect what they can't see.

Challenges of Asset Inventory

The asset inventory challenge boils down to two critical pain points:

  • The first is siloed systems. Many tools report inventory but are limited to their perspective of the environment. Agent-based tools are only aware of where they are installed. Network tools only see what’s connected, which misses remote employees accessing cloud applications. Directory services (e.g., Active Directory) are only aware of registered accounts. No single system provides a comprehensive view of all assets, diluting the confidence in the security program’s efficacy.

    Critically, the teams responsible for managing corporate assets do not have an accurate inventory to work from, and without one it is impossible to have confidence that security controls extend appropriately across the environment.

  • The second is maintaining accuracy in a dynamic environment. Current approaches to asset inventory rely on periodic snapshots but miss critical details of the changes between them. As an example, if total inventory changes from 4,902 to 5,112, we may incorrectly infer 210 new devices. Without continuous monitoring, we miss the reality: 150 devices have not been seen in 24 hours, and there are 360 new devices. Working with snapshots is like trying to understand a movie by looking at a series of static images and attempting to “fill in the blanks”.

Components of the Sevco Solution

Our solution has six key components, described below:

Data Collection

Sevco integrates with existing sources via their native APIs to pull each source's view of asset inventory. The Sevco platform does not require any installed agents, deployed scanners, or remote access to be enabled to an on-premises installation. Our cloud-native platform integrates with existing tools in seconds via their native APIs to capture asset metadata. Sevco captures the inventory reported by all sources every hour.

Cloud-Native Platform

We are cloud-native. We do not require any installed agents, deployed network scanners, or remote access to be enabled for an on-premises installation. We enable simple, easy deployments that take seconds to configure, with converged inventory results appearing moments later. The platform is fully elastic: it scales to support the largest global organizations and responds automatically to changes in scale in real time. We run a single-instance, multi-tenant platform, enabling us to serve both the smallest customers and the largest, while also allowing large customers and MSSPs to segment their data and permissions in a way that reflects their organization. Underpinning it all is an API-first design principle that allows us to integrate cleanly into even the most complex IT ecosystems.

Correlation and Converged Inventory

Using identifying attributes from reported assets, Sevco’s Correlation Engine joins the otherwise disparate inventory reports to build the converged inventory. We maintain source and source attributes, enabling users to not only get their first-ever comprehensive inventory, but also to query the assets via arbitrarily complex conditions of the sources, such as “Show me all machines on my enterprise network in Active Directory but not running my patch management agent.”

Telemetry Generation

With each source’s inventory report, Sevco compares the currently reported state to the previously reported state and generates change events describing the difference. Events are either Inventory Change Events (asset added, asset removed, asset became stale) or Attribute Change Events (IP changed, hostname changed, OS changed, MAC address changed). Events are generated both per source device and for the consolidated device. Telemetry provides detailed records of key attributes that are critical to investigations, as well as traceability for global inventory changes.
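As an added illustration of the per-source diffing described here (and of the 4,902 to 5,112 snapshot example under Challenges of Asset Inventory), the following Python is not Sevco's code; the event names, the 24-hour staleness window, the report format and the sample reports are all assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

TRACKED_ATTRS = ("ip", "hostname", "os", "mac")  # changes here become Attribute Change Events
STALE_AFTER = timedelta(hours=24)                # assumed staleness window

def generate_events(previous, prev_time, current, cur_time):
    """Diff two consecutive reports (asset_id -> attribute dict) into (type, asset_id, detail) events."""
    events = []
    for asset_id in sorted(current.keys() - previous.keys()):
        events.append(("asset_added", asset_id, None))
    for asset_id in sorted(previous.keys() - current.keys()):
        events.append(("asset_removed", asset_id, None))
    for asset_id in sorted(previous.keys() & current.keys()):
        old, new = previous[asset_id], current[asset_id]
        for attr in TRACKED_ATTRS:
            if old[attr] != new[attr]:
                events.append((attr + "_changed", asset_id, (old[attr], new[attr])))
        # Still reported, but not observed within the window: emit once, on the transition
        was_stale = prev_time - old["last_seen"] > STALE_AFTER
        if cur_time - new["last_seen"] > STALE_AFTER and not was_stale:
            events.append(("asset_stale", asset_id, new["last_seen"]))
    return events

def summarize(events):
    """Count events by type: the detail that a bare inventory total hides."""
    return dict(Counter(event_type for event_type, _, _ in events))
def asset(ip, hostname, os, mac, last_seen):
    return {"ip": ip, "hostname": hostname, "os": os, "mac": mac, "last_seen": last_seen}
# Constructed sample: two hourly reports from one source (not real data)
T0 = datetime(2023, 1, 1, 12, 0)
T1 = T0 + timedelta(hours=1)
OLD_SEEN = T0 - timedelta(hours=23, minutes=30)  # 23.5 h old at T0, 24.5 h old at T1
PREVIOUS = {
    "ws-01": asset("10.0.0.5", "ws-01", "Windows 10", "00:11:22:33:44:01", T0),
    "ws-02": asset("10.0.0.6", "ws-02", "Windows 10", "00:11:22:33:44:02", OLD_SEEN),
    "ws-03": asset("10.0.0.7", "ws-03", "Ubuntu 22.04", "00:11:22:33:44:03", T0),
}
CURRENT = {
    "ws-01": asset("10.0.0.9", "ws-01", "Windows 10", "00:11:22:33:44:01", T1),       # new DHCP lease
    "ws-02": asset("10.0.0.6", "ws-02", "Windows 10", "00:11:22:33:44:02", OLD_SEEN),  # crosses 24 h
    "ws-04": asset("10.0.0.8", "ws-04", "macOS 13", "00:11:22:33:44:04", T1),          # ws-03 dropped out
}

def net_change_example():
    """The page's case: 4,902 -> 5,112 is not 210 new devices but 360 added and 150 no longer reported."""
    base = {f"d{i}": asset(None, f"d{i}", None, None, T0) for i in range(4902)}
    nxt = {k: dict(v, last_seen=T1) for k, v in base.items() if int(k[1:]) >= 150}
    nxt.update({f"d{i}": asset(None, f"d{i}", None, None, T1) for i in range(4902, 5262)})
    return len(base), len(nxt), summarize(generate_events(base, T0, nxt, T1))
```

Running `generate_events(PREVIOUS, T0, CURRENT, T1)` yields one added, one removed, one IP change and one stale transition; `net_change_example()` shows the +210 net figure decomposed into its 360 additions and 150 disappearances.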

User Interface

We present both the converged asset inventory and asset telemetry events in our UI with rich, expressive queries. Our interactive Venn Diagram uniquely shows the “well managed” assets (devices seen across all key sources), devices that are missing specific controls, and known or “expected gaps” (for example, Windows devices are not expected to show up in JAMF).
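To make the correlation step and the Venn-style classification concrete, here is an added Python sketch that is not Sevco's code: it joins per-source records that share an identifying attribute, answers a cross-source query like the Active Directory versus patch-agent question above, and buckets each converged device as well managed, an expected gap, or missing a control. The join keys, source names and sample reports are assumptions constructed for the example.

```python
from collections import defaultdict
IDENTIFYING = ("mac", "hostname")  # assumed join keys; the page does not name Sevco's

def correlate(reports):
    """Join records (from {source: [record, ...]}) that share any identifying value, transitively,
    into converged devices: [{"sources": set, "records": {source: record}}]."""
    parent = {}
    def find(i):
        while parent.setdefault(i, i) != i:
            i = parent[i]
        return i
    records, owner = [], {}
    for source, items in reports.items():
        for rec in items:
            idx = len(records)
            records.append((source, rec))
            for attr in IDENTIFYING:
                key = (attr, str(rec.get(attr, "")).lower())
                if not key[1]:
                    continue
                if key in owner:
                    parent[find(idx)] = find(owner[key])  # same device as an earlier record
                else:
                    owner[key] = idx
    groups = defaultdict(list)
    for idx, (source, rec) in enumerate(records):
        groups[find(idx)].append((source, rec))
    return [{"sources": {s for s, _ in g}, "records": dict(g)} for g in groups.values()]

def query(devices, present=(), absent=()):
    """Converged-inventory query: in every `present` source and in no `absent` source."""
    return [d for d in devices if set(present) <= d["sources"] and not set(absent) & d["sources"]]

def classify(device, key_sources, expected_gaps):
    """Venn-style bucket. expected_gaps maps source -> predicate(device) true when absence is expected."""
    missing = set(key_sources) - device["sources"]
    if not missing:
        return "well_managed"
    if all(src in expected_gaps and expected_gaps[src](device) for src in missing):
        return "expected_gap"
    return "missing_control"

def is_windows(device):
    return any(str(r.get("os", "")).startswith("Windows") for r in device["records"].values())
# Constructed sample reports from three sources (not real data); hostname case differs on purpose
REPORTS = {
    "active_directory": [{"hostname": "WS-01", "os": "Windows 10"}, {"hostname": "WS-02", "os": "Windows 10"}],
    "patch_agent": [{"hostname": "ws-01", "mac": "00:11:22:33:44:01"}, {"hostname": "mbp-07", "mac": "00:11:22:33:44:07"}],
    "jamf": [{"mac": "00:11:22:33:44:07", "os": "macOS 13"}],
}
```

With `classify(d, ("active_directory", "patch_agent", "jamf"), {"jamf": is_windows})`, WS-01 is an expected gap (Windows, absent from JAMF only), while WS-02 and the Mac each lack a control that should be present.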

Publication to Other IT Systems

Finally, and most importantly, the data is published from Sevco back into the systems the IT teams use in their existing processes and procedures.

The asset telemetry events are generally published into SIEMs and log management platforms. The telemetry gives security and IT operations teams easy access to key data such as “who had what IP at what time?” or “which host has this MAC address?” right alongside security or operational alerts. We currently support four methods of telemetry integration:

  • publishing telemetry as events into Splunk/SIEMs like any other alert source
  • enriching existing log data in real-time through in-line pipelines such as a Logstash transform plugin
  • in-browser cross-product correlation with a Chrome extension-based Sevco overlay
  • custom integrations using the query API

Converged asset inventory is published into the CMDBs used by the service desk or infrastructure teams. The converged inventory allows IT operations teams to keep their existing procedures with little or no change, but, by leveraging better data, they are immediately more effective and enterprise resiliency is improved. The converged inventory allows those teams to remediate common, previously hard-to-find issues such as “the security agent isn’t installed,” “these machines aren’t joined to the domain,” or “the vulnerability scanner is misconfigured.” This gives IT Operations teams a much-needed (and previously unavailable) feedback loop to validate the efficacy of their people, products and processes.

We currently support three methods of inventory publication:

  • third-party integrations to publish into CMDBs such as ServiceNow
  • manual CSV exports
  • custom integrations using the export API