Emergynt Instinct Engine™ 1.2
The Emergynt Instinct Engine™ identifies where organizations are the most exposed to future hacks and other digital incidents, prioritizing how badly these could impact the business bottom line (e.g., capital risk, strategic risk, market risk, etc.) so they can prioritize action and reduce the impact of an incident before it occurs. This intelligence can be used by an organization’s “second line of defense”—Chief Security or Risk Officers, the Executive Board, etc.—to support enterprise strategy decisions and mitigation investments.
The Emergynt Instinct Engine™ also gives security practitioners of digital organizations the ability to tell a multidimensional story of their cyber and digital risk exposures through the lens of future loss scenarios, including the projected business losses of those scenarios. The platform uses an organization’s existing data sources to gather enterprise telemetry, which is then used to assess hundreds of thousands of potential scenarios in real time.
Last updated: May 2018
Solution summary
The integration between the Emergynt Instinct Engine and Archer allows the user to build risk metrics from Archer reports, leveraging them for Second Line of Defense (Chief Risk Officer, Chief Executive Officer, Executive Board, etc.) risk reporting.
- Easily create KPIs from Archer reports using
  - Compliance and risk data;
  - Policy data;
  - Security incident data;
  - Trends in assessment findings, etc.
- Uplifts Archer data, combined with other enterprise telemetry, to dynamically report digital risk
- Instinct Engine risk projections are updated as new data arrives in Archer
Partner Integration Overview | |
---|---|
Archer Solution | This integration could apply to many or all of the Archer solution areas.* |
Archer Use Case | This integration could apply to many or all of the Archer use cases.* |
Archer Applications | This integration could apply to many or all of the Archer applications.* |
Uses Custom Application | No |
Requires On-Demand License | No |
*The example provided in this guide is Regulatory and Corporate Compliance - Issues Management - Exception Requests
Archer configuration
Before you begin
This section provides instructions for configuring The Instinct Engine™ with the Archer Platform. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
All Emergynt components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.
Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.
Creating a Data Source and Metric for the Emergynt Instinct Engine™
Data Source functionality
An Archer Data Source retrieves, processes and aggregates search results from Archer. The query part of the metric using this data source can be one of the following:
- The name of a Report defining a search query - a string.
- The ID of a Report defining a search query - an integer.
- The GUID of a Report defining a search query - a string formatted as Report GUID.
- The search query itself - a string containing XML describing the search query directly.

The extract using this data source has the format aggregation-function(xpath-query), where aggregation-function is one of the aggregation functions available in Instinct Engine, and xpath-query is an xpath expression that selects the values to be aggregated from the search results XML returned by Archer.
The aggregation-function can be one of the following:
Function | Description |
---|---|
avg | Returns the average of the list of numbers returned from Archer |
sum | Returns the sum of the list of numbers returned from Archer |
min | Returns the minimum of the list of numbers returned from Archer |
max | Returns the maximum of the list of numbers returned from Archer |
count | Returns the count of the list of items returned from Archer |
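The extract format described above, as an added example (not code from Emergynt or Archer): a small Python evaluator that validates an aggregation-function(xpath-query) string against the five functions listed and applies it to search-result XML. The sample XML, its element and attribute names, and the function names are constructed for illustration; XPath support is limited to the ElementTree subset, with paths relative to the root element.

```python
import re
import xml.etree.ElementTree as ET

# Aggregation functions named on this page, applied to the selected values.
AGGREGATIONS = {
    "avg": lambda xs: sum(xs) / len(xs),
    "sum": sum,
    "min": min,
    "max": max,
}
# Only the listed functions are accepted; the debugging-only "test"
# function is not a valid metric extract, so it is rejected here too.
EXTRACT_RE = re.compile(r"^\s*(avg|sum|min|max|count)\((.+)\)\s*$", re.S)

# Constructed search result; element and attribute names are hypothetical
# and do not reproduce Archer's real response schema.
SAMPLE_RESULT = """<Records>
  <Record id="101"><Field name="Severity">3</Field></Record>
  <Record id="102"><Field name="Severity">5</Field></Record>
  <Record id="103"><Field name="Severity">1</Field></Record>
</Records>"""


def parse_extract(extract):
    """Split 'aggregation-function(xpath-query)' into its two parts."""
    m = EXTRACT_RE.match(extract)
    if not m:
        raise ValueError(f"not a valid extract: {extract!r}")
    return m.group(1), m.group(2).strip()


def evaluate_extract(extract, result_xml):
    """Apply the extract to search-result XML and return the raw value."""
    func, xpath = parse_extract(extract)
    # Refuse DTDs so a hostile or corrupted response cannot expand entities.
    if "<!DOCTYPE" in result_xml:
        raise ValueError("DTD not allowed in search results")
    nodes = ET.fromstring(result_xml).findall(xpath)
    if func == "count":
        return len(nodes)
    values = [float(n.text or "") for n in nodes]  # ValueError if non-numeric
    if not values:
        raise ValueError("xpath selected no values to aggregate")
    return AGGREGATIONS[func](values)
```

Failing closed on an empty selection or a non-numeric value keeps a broken query from silently reporting a reassuring number.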
Example Data Source usage
The example provided below will show how to go from search results in Archer to a metric in Instinct Engine™. The simplest way to achieve this goal is to save an Archer search query as a report, and then later use the data source's ability to fetch results from a saved report, given its name.
Note: The Instinct Engine™ does not use cached data for Archer reports, (neither on the Archer nor the Instinct Engine™ side). The report is only used to retrieve its associated advanced search query. Therefore, the data returned to the Instinct Engine™ is always the most recent available.
To do this, perform the following steps:
- Perform a basic search query on Archer. You can use the basic search functionality in Archer to start designing a report. This functionality is accessed through the magnifier icon on Archer's top bar.
  In this example, we're searching for policy Exception Requests.
- Configure a search query. The search UI allows users to configure what data (fields) will be queried and to specify additional constraints and operations, like filtering results based on data in fields, as well as sorting the final results.
  The default configuration available upon entering this screen specifies a query for all data in the Exception Requests Application. Adding an Exception Description field to the Selected list is useful if you want to preview the current set of results by pressing the Search button.
  For this example, we want to restrict our results to Exception Requests pertaining to a particular Control Standard. In order to do that, expand the Filters section and add Control Standards in the Field to Evaluate. Then select an appropriate value from the selection box provided by the Value(s) field.
  After configuring your search query, execute it with the Search button.
- Review the performed search query and prepare to save it. On the results screen of the search, take the opportunity to verify that the expected data has returned. In case of errors, we can always go back to the previous step by pressing the "Modify" button.
  After the results are verified, we continue on by pressing the "Save" button, which will allow us to save the search query we configured as a report.
- Save the search as a report, noting its name. The Save Report screen allows us to configure properties of the report in Archer. For integration with Instinct Engine, only two controls on the screen are important.
  - First, we need to give a name to the report. This name will be used by Instinct Engine to find and execute the report's underlying search query.
  - Second, the report needs to be accessible by the Instinct Engine. This is controlled by the Permissions control. Personal Report should be selected if and only if the Archer Data Source in Instinct Engine is configured to use the credentials of the user creating the report. Otherwise, if Instinct Engine is using a separate set of credentials, select Global Report.

  After the report is properly configured, press the Save button. The report will now be available for Instinct Engine to access.
- Configure a data source in Instinct Engine.
  In order to create a metric, we need to configure a Data Source through the Add Data Source feature of Instinct Engine. The Data Source configuration should contain the URL of the base of the Archer application. Login, Instance, and Password are the credentials for an existing user that will be used to access the Archer WS API.
  Note: It is a good idea to create a separate user for API access from Instinct Engine, if possible. The Instinct Engine will create its own session for communicating with Archer, and Archer may terminate all other active sessions of that user.
- Create a new metric in Instinct Engine.
  We follow the standard process of creating a metric in Instinct Engine (described in the product documentation). Of note here are the Query field—which contains the name of the report we created earlier in Archer—and the Extract measure from response using field—which defines an aggregation function and xpath query for the results coming from Archer. In this case, we opt to count the number of records (individual results) found.
  Note: We're using the count aggregation function in the Extract measure from response using field. In addition to all the standard aggregation functions used by Instinct Engine, the Archer Data Source supports an additional test function that returns the XML subtree selected by the xpath query. The return result can be copied from the clipboard if you need to look at the details of the response. A metric using the test function as an extract method is not considered valid in Instinct Engine, but this feature is useful to verify the exact data being aggregated.
  In order to be able to test and use the metric, we also need to select at least one business unit. After selecting it, we use the Back button to access the Test button on the previous screen.
- Test the metric. We now have a configured metric.
  Pressing Test should display, after a brief moment, a result of testing the metric. Actual API calls will be issued to Archer, and the number of exceptions of the type specified should be found under the raw-value field in the result.
  Note: The Instinct Engine normalizes all metrics to nervousness using a number of functions. In general, this is used to answer the question "should this number make us nervous?" See the product documentation for more detail. In the example below, we are using a Min-Max function with a threshold of 5, where the metric becomes more nervous as the number of policy exceptions approaches 5. This nervousness is contributed to the objects in the system and combined into scenarios to assess.
After completing additional configuration steps standard for all metrics in Instinct Engine (described in the product documentation), the Archer-based metric will be ready to use.
Additional note
In this example, we've created a new report from a search query in order to feed data from Archer to Instinct Engine. However, any existing report (accessible through credentials used by Instinct Engine) can be used for that purpose.
You can go back to Archer's Application selection screen and press the Reports button. This will produce the list of all reports defined for that Application. Beyond the report we've created in this example, it also shows other existing reports that could be suitable for use as a data source for Instinct Engine.
Certification environment
Date tested: May 2018
Product Name | Version Information | Operating System |
---|---|---|
Archer | 6.3 | Virtual Appliance |
Instinct Engine™ | 1.2.1 | RedHat Enterprise Linux |