L1
CISO / CIO Questions
Overview
The CISO/CIO needs executive-level visibility into security posture, compliance status, and strategic technology planning. Questions focus on risk management, policy enforcement, and strategic decision-making.
Primary Components: Knowledge Graph, Experience Center, Copilot
Questions
Navigation
Q1: "What unapproved software is being used?"
Why it matters: Shadow IT represents unmanaged security risks, compliance violations, and potential data exfiltration vectors. Unapproved software bypasses security controls, lacks proper vetting, and creates blind spots in the security posture. Early detection enables proactive risk mitigation before incidents occur.
Telemetry Sources
Primary Sources:
- CASB (Cloud Access Security Broker): Cloud application usage, SaaS discovery, OAuth grants, data flows
- UEM/MDM: Installed applications inventory, mobile app usage, sideloaded apps
- Network Traffic Analysis: DNS queries, HTTP/HTTPS traffic patterns, unknown destinations
- Endpoint Detection: Process execution logs, application launches, DLL loads
Secondary Sources:
- Firewall Logs: Outbound connections to unapproved services
- Proxy Logs: Web traffic to SaaS applications
- IDP/SSO: Authentication attempts to non-sanctioned services
- Expense Reports: Software subscriptions purchased outside IT
Data Schema (Bronze):
casb_app_usage (
timestamp, user_id, app_name, app_category,
risk_score, sanctioned_status, data_volume,
oauth_permissions, device_id
)
uem_installed_apps (
device_id, app_name, app_version, publisher,
install_date, install_source, package_hash
)
network_traffic (
timestamp, source_ip, destination, protocol,
bytes_transferred, dns_query, user_agent
)
L1 Analytics (Bronze→Silver)
Normalization and Enrichment:
-- Unified software inventory with approval status
CREATE VIEW silver.software_inventory AS
SELECT
COALESCE(casb.app_name, uem.app_name, net.app_identified) AS software_name,
COALESCE(casb.user_id, device.user_id) AS user_id,
CASE
WHEN approved.software_id IS NOT NULL THEN 'APPROVED'
WHEN casb.sanctioned_status = 'unsanctioned' THEN 'UNAPPROVED'
WHEN uem.install_source NOT IN ('company_portal', 'managed_deployment') THEN 'UNAPPROVED'
ELSE 'UNKNOWN'
END AS approval_status,
casb.risk_score AS casb_risk_score,
uem.device_id,
net.destination AS network_destination,
MAX(COALESCE(casb.timestamp, uem.install_date, net.timestamp)) AS last_seen
FROM bronze.casb_app_usage casb
FULL OUTER JOIN bronze.uem_installed_apps uem
ON casb.app_name = uem.app_name AND casb.device_id = uem.device_id
FULL OUTER JOIN bronze.network_traffic net
ON casb.timestamp BETWEEN net.timestamp - INTERVAL 5 MINUTES
AND net.timestamp + INTERVAL 5 MINUTES
LEFT JOIN gold.approved_software_catalog approved
ON LOWER(software_name) = LOWER(approved.software_name)
WHERE approval_status = 'UNAPPROVED'
GROUP BY 1,2,3,4,5,6;
Deduplication Logic:
- Consolidate same software across CASB, UEM, and network sources
- Normalize software names (remove version numbers, standardize naming)
- Link user sessions across devices and platforms
L2 Analytics (Silver→Gold)
Risk Scoring and Classification:
-- Unapproved software with risk assessment
CREATE VIEW gold.unapproved_software_risks AS
SELECT
si.software_name,
si.user_id,
u.department,
u.role,
COUNT(DISTINCT si.device_id) AS device_count,
COUNT(DISTINCT si.user_id) AS user_count,
-- Risk scoring
CASE
WHEN si.casb_risk_score >= 8 THEN 'CRITICAL'
WHEN si.casb_risk_score >= 6 THEN 'HIGH'
WHEN si.casb_risk_score >= 4 THEN 'MEDIUM'
ELSE 'LOW'
END AS risk_level,
-- Risk factors
CASE WHEN casb.oauth_permissions LIKE '%read_email%' THEN 1 ELSE 0 END AS email_access,
CASE WHEN casb.oauth_permissions LIKE '%read_files%' THEN 1 ELSE 0 END AS file_access,
CASE WHEN casb.data_volume > 1000000000 THEN 1 ELSE 0 END AS high_data_volume,
CASE WHEN threat.software_name IS NOT NULL THEN 1 ELSE 0 END AS known_threat,
-- Business impact
SUM(casb.data_volume) AS total_data_transferred,
MAX(si.last_seen) AS most_recent_use,
MIN(si.last_seen) AS first_detected,
-- Categorization
casb.app_category,
CASE
WHEN casb.app_category IN ('File Sharing', 'Cloud Storage') THEN 'Data Exfiltration Risk'
WHEN casb.app_category IN ('Communication', 'Collaboration') THEN 'Information Leakage Risk'
WHEN casb.app_category IN ('Remote Access', 'VPN') THEN 'Access Control Risk'
ELSE 'General Security Risk'
END AS threat_category
FROM silver.software_inventory si
JOIN gold.user_directory u ON si.user_id = u.user_id
LEFT JOIN bronze.casb_app_usage casb ON si.software_name = casb.app_name
LEFT JOIN gold.threat_intelligence threat ON si.software_name = threat.software_name
WHERE si.approval_status = 'UNAPPROVED'
GROUP BY 1,2,3,4,7,8,9,10,11,15,16
ORDER BY risk_level DESC, device_count DESC;
Trend Analysis:
-- Shadow IT growth trends
CREATE VIEW gold.shadow_it_trends AS
SELECT
DATE_TRUNC('week', first_detected) AS week,
risk_level,
threat_category,
COUNT(DISTINCT software_name) AS new_unapproved_apps,
SUM(user_count) AS affected_users,
SUM(total_data_transferred) AS data_at_risk
FROM gold.unapproved_software_risks
GROUP BY 1,2,3
ORDER BY week DESC;
Cerebro Enhancement
Memory:
- Approved Software Catalog: Centralized registry of sanctioned applications with approval workflows
- Software Fingerprints: Hash signatures, network patterns, behavioral signatures for identification
- Historical Shadow IT Incidents: Past discoveries, remediation outcomes, recurrence patterns
- Risk Profiles by Category: Industry-specific risk assessments for software categories
- User Behavior Baselines: Normal software usage patterns per role/department
Intelligence:
- Shadow IT Detection Patterns: ML models identifying unapproved software through behavioral anomalies
- Risk Correlation: Cross-reference with CVE databases, threat feeds, dark web mentions
- Peer Comparison: Industry benchmarks for shadow IT prevalence and risk levels
- OAuth Permission Analysis: Risk scoring based on data access permissions granted
- Data Flow Mapping: Track data movement from corporate systems to unapproved apps
Reasoning:
- Prioritization Logic: "Critical risk unapproved software used by 50+ users in Finance department with email access permissions"
- Remediation Recommendations: "Block at firewall, revoke OAuth tokens, offer approved alternative (Slack vs. Discord)"
- Root Cause Analysis: "Users adopting file-sharing tools due to slow VPN performance - infrastructure issue identified"
- Policy Gap Detection: "80% of shadow IT in Marketing - policy awareness campaign needed"
- Proactive Alerts: "New OAuth grant detected for unapproved CRM - 3 users, Finance department - investigate immediately"
UI Representation
Component: Security Dashboard - Shadow IT Detection Module
Visualization:
┌─────────────────────────────────────────────────────────────────────┐
│ UNAPPROVED SOFTWARE - SHADOW IT DETECTION 🔴 42 │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Risk Heatmap (by Category & Volume) │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ File Sharing ████████████ CRITICAL (156 users) │ │
│ │ Communication ██████ HIGH (89 users) │ │
│ │ Cloud Storage ████ HIGH (67 users) │ │
│ │ Remote Access ███ MEDIUM (34 users) │ │
│ │ Development ██ LOW (12 users) │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Top Risks Requiring Immediate Action │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ 🔴 WeTransfer Pro │ │
│ │ Risk: CRITICAL | Users: 156 | Data: 2.3 TB transferred │ │
│ │ OAuth: File access granted | Dept: Marketing, Sales │ │
│ │ [Block Now] [Investigate] [View Users] [Approved Alt?] │ │
│ │ │ │
│ │ 🟠 Discord (Desktop) │ │
│ │ Risk: HIGH | Users: 89 | Last 7 days: 340 GB │ │
│ │ Concern: Unencrypted comms | Dept: Engineering │ │
│ │ [Block] [Investigate] [View Channels] [Migrate to Teams] │ │
│ │ │ │
│ │ 🟠 Dropbox Personal │ │
│ │ Risk: HIGH | Users: 67 | Files: 12,450 │ │
│ │ OAuth: Read/Write company OneDrive | Dept: Finance, HR │ │
│ │ [Revoke OAuth] [Investigate] [Data Recovery] [Policy] │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Trends (Last 90 Days) │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ New Unapproved Apps: ↑ 12 │ Affected Users: ↑ 234 │ │
│ │ Data Transferred: 8.7 TB │ OAuth Grants: ↑ 45 │ │
│ │ Incidents Blocked: 23 │ False Positives: 3 │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ [View All Unapproved Software] [Configure CASB Rules] [Reports] │
└─────────────────────────────────────────────────────────��────────────┘
Interactions:
- Block Now: Immediately block at firewall/proxy, revoke OAuth tokens, push UEM removal policy
- Investigate: Drill into user list, data accessed, timelines, communication patterns
- View Users: List all users with device details, usage frequency, data volumes
- Approved Alternative: Suggest sanctioned replacement with migration path
- Revoke OAuth: Bulk revoke API access grants for cloud apps
- Policy: Generate policy violation notices, schedule training
Copilot Query Example:
"Show me all unapproved file-sharing apps used by Finance in the last 30 days with more than 100 MB transferred"
Answer: "I found 3 unapproved file-sharing applications used by Finance department in the past 30 days:
- WeTransfer Pro - CRITICAL RISK
- 23 users in Finance
- 1.2 TB transferred (invoices, budget files detected)
- OAuth permissions: Read company email, file access
- Recommendation: Immediate investigation - sensitive financial data at risk
- Dropbox Personal - HIGH RISK
- 12 users
- 450 GB transferred
- Detected: Tax documents, payroll files
- Recommendation: Revoke OAuth, migrate to company OneDrive, compliance review
- Firefox Send - MEDIUM RISK
- 4 users
- 120 MB transferred
- End-to-end encrypted - cannot inspect content
- Recommendation: Policy reminder, monitor for escalation
Immediate Actions: Block WeTransfer Pro at firewall, initiate incident response for data exfiltration review, schedule Finance team security training."
Q2: "Who specifically is using that unapproved software?"
Why it matters: Attribution is critical for incident response, policy enforcement, and targeted remediation. Understanding user identity, role, department, and access level enables risk-based prioritization - a CFO using unapproved software has different implications than an intern. User-level visibility supports accountability, training needs assessment, and pattern detection (e.g., entire departments bypassing controls).
Telemetry Sources
Primary Sources:
- IDP/SSO (Okta, Azure AD): User authentication logs, OAuth consents, identity attributes
- CASB: User-to-application mappings, session details, activity logs
- UEM/MDM: Device-to-user assignments, primary user, shared device usage
- HR System: User roles, departments, reporting structure, sensitivity level
Secondary Sources:
- VPN Logs: User IP associations for network traffic correlation
- Email Gateway: Email-based software invitations, sharing notifications
- Endpoint Agents: Logged-in user sessions, process ownership
- Active Directory: Group memberships, OU structure, privilege levels
L1 Analytics (Bronze→Silver)
-- Unified user view with unapproved software usage
CREATE VIEW silver.user_unapproved_software AS
SELECT
u.user_id, u.username, u.email, u.full_name,
u.department, u.title, u.role, u.manager_id,
u.security_clearance_level,
si.software_name, si.approval_status, si.risk_level,
MAX(casb.timestamp) AS last_activity,
COUNT(DISTINCT casb.timestamp) AS activity_count,
CASE
WHEN u.department IN ('Finance', 'Legal', 'Executive', 'HR') THEN 'HIGH_IMPACT'
WHEN u.security_clearance_level IN ('CONFIDENTIAL', 'SECRET') THEN 'HIGH_IMPACT'
ELSE 'STANDARD'
END AS user_impact_level
FROM gold.hr_user_directory u
JOIN silver.software_inventory si ON u.user_id = si.user_id
JOIN bronze.casb_user_activity casb ON u.user_id = casb.user_id
WHERE si.approval_status = 'UNAPPROVED'
GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,15;
L2 Analytics (Silver→Gold)
-- Detailed user attribution with remediation priorities
CREATE VIEW gold.unapproved_software_user_attribution AS
SELECT
uus.user_id, uus.full_name, uus.email,
uus.department, uus.title,
mgr.full_name AS manager_name,
uus.software_name, uus.risk_level,
uus.activity_count, uus.last_activity,
uus.user_impact_level,
CASE
WHEN uus.user_impact_level = 'HIGH_IMPACT' AND uus.risk_level = 'CRITICAL' THEN 100
WHEN uus.user_impact_level = 'HIGH_IMPACT' AND uus.risk_level IN ('CRITICAL', 'HIGH') THEN 85
WHEN uus.risk_level = 'CRITICAL' THEN 75
ELSE 50
END AS composite_risk_score,
CASE
WHEN composite_risk_score >= 85 THEN 'P0 - Immediate Action'
WHEN composite_risk_score >= 60 THEN 'P1 - Within 24 Hours'
ELSE 'P2 - Within 1 Week'
END AS remediation_priority
FROM silver.user_unapproved_software uus
LEFT JOIN gold.hr_user_directory mgr ON uus.manager_id = mgr.user_id
ORDER BY composite_risk_score DESC;
Cerebro Enhancement
Memory:
- User Behavior Profiles: Historical software usage patterns, typical work hours
- Violation History: Past policy violations, remediation outcomes, repeat offenders
- Training Records: Security awareness completion, policy acknowledgment dates
- Organizational Context: Reporting structure, project assignments, data access rights
Intelligence:
- User Risk Scoring: ML models predicting likelihood of policy violations based on role, behavior
- Anomaly Detection: Unusual software adoption patterns, sudden data volume spikes
- Intent Analysis: Distinguish between malicious intent vs. productivity workarounds
Reasoning:
- Attribution Logic: "CFO used WeTransfer to share Q4 earnings 24 hours before announcement - potential insider threat"
- Contextual Prioritization: "Engineering team using unapproved Slack due to Teams outage - low priority, policy reminder"
- Pattern Recognition: "5 new hires in Marketing all adopted same unapproved tool - onboarding gap identified"
UI Representation
Component: Security Dashboard - User Attribution Module
Visualization:
┌─────────────────────────────────────────────────────────────────────┐
│ USER ATTRIBUTION - UNAPPROVED SOFTWARE │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ High-Priority Users (P0/P1 Remediation Required) │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ 🔴 P0 - Jane Doe ([email protected]) │ │
│ │ CFO │ Finance │ Risk Score: 100 │ │
│ │ Apps: WeTransfer Pro, Dropbox Personal │ │
│ │ Data: 1.2 TB │ Last Activity: 2 hours ago │ │
│ │ [Investigate] [Block Access] [Notify CISO] [Call User] │ │
│ │ │ │
│ │ 🟠 P1 - John Smith ([email protected]) │ │
│ │ Engineering Manager │ Engineering │ Risk Score: 85 │ │
│ │ Apps: Discord, GitHub Personal │ │
│ │ Data: 340 GB │ Last Activity: 15 mins ago │ │
│ │ [Investigate] [Block] [Notify Manager] [Schedule Meeting] │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Department Breakdown │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Finance (23 users) ████████ 1.8 TB │ P0: 3 │ P1: 12 │ │
│ │ Engineering (89 users) ██████ 890 GB │ P0: 1 │ P1: 8 │ │
│ │ Marketing (45 users) ████ 450 GB │ P0: 0 │ P1: 5 │ │
│ └──────────────────────────────────────────�───────────────────────┘ │
│ │
│ [View All Users] [Filter by Department] [Export for Review] │
└─────────────────────────────────────────────────────────────────────┘
Copilot Query Example:
"Show me all executives who used unapproved software in the last 7 days"
Answer: "I found 4 executives using unapproved software in the past 7 days:
- Jane Doe - CFO (CRITICAL)
- Apps: WeTransfer Pro, Dropbox Personal
- Data: 1.2 TB transferred (financial statements, board materials)
- Risk: Insider threat potential - earnings data shared before announcement
- Recommendation: Immediate CISO notification, forensic investigation
- Michael Chen - CTO (HIGH)
- Apps: Personal GitHub, AWS Personal Account
- Data: 450 MB (code repositories, architecture diagrams)
- Recommendation: Policy reminder, migrate to company GitHub Enterprise"
Q3: "Where is this software running?"
Why it matters: Location context is critical for incident response, compliance (data residency), and attack surface management. Understanding geographic distribution helps identify unauthorized access from high-risk regions, compliance violations (GDPR/CCPA data crossing borders), and infrastructure vulnerabilities.
Telemetry Sources
Primary Sources:
- UEM/MDM: Device GPS coordinates, network location, last check-in location
- Network Infrastructure: Switch/AP locations, IP geolocation, VPN endpoints
- CASB: Login locations from SaaS access logs, IP address geolocation
- VPN Logs: Connection origins, exit points, tunnel endpoints
Secondary Sources:
- Firewall Logs: Source IP geolocation for outbound connections
- Cloud Provider Logs: AWS/Azure/GCP region where workloads execute
L1 Analytics (Bronze→Silver)
-- Unified location view for unapproved software usage
CREATE VIEW silver.software_location_mapping AS
SELECT
si.software_name, si.user_id, si.device_id,
uem.city AS device_city, uem.country AS device_country,
site.site_name, site.site_type,
casb.city AS access_city, casb.country AS access_country,
CASE
WHEN uem.country IN ('US', 'CA', 'UK', 'DE', 'FR') THEN 'LOW_RISK_GEO'
WHEN uem.country IN ('CN', 'RU', 'KP', 'IR') THEN 'HIGH_RISK_GEO'
ELSE 'MEDIUM_RISK_GEO'
END AS geo_risk_level,
CASE
WHEN site.site_type = 'Corporate Office' THEN 'TRUSTED'
WHEN casb.vpn_detected = TRUE THEN 'VPN'
ELSE 'UNTRUSTED'
END AS network_trust_level
FROM silver.software_inventory si
LEFT JOIN bronze.uem_device_location uem ON si.device_id = uem.device_id
LEFT JOIN gold.site_registry site ON uem.site_id = site.site_id
LEFT JOIN bronze.casb_login_locations casb ON si.user_id = casb.user_id
WHERE si.approval_status = 'UNAPPROVED';
L2 Analytics (Silver→Gold)
-- Unapproved software location intelligence
CREATE VIEW gold.unapproved_software_locations AS
SELECT
slm.software_name, slm.risk_level,
u.full_name, u.department,
slm.device_city, slm.device_country,
slm.site_name, slm.network_trust_level,
slm.geo_risk_level,
CASE
WHEN slm.geo_risk_level = 'HIGH_RISK_GEO' AND slm.network_trust_level = 'UNTRUSTED' THEN 100
WHEN slm.geo_risk_level = 'HIGH_RISK_GEO' THEN 90
WHEN slm.network_trust_level = 'UNTRUSTED' THEN 60
ELSE 30
END AS location_risk_score,
CASE
WHEN slm.device_country IN ('EU', 'UK') THEN 'GDPR_RISK'
WHEN u.department = 'Finance' AND slm.device_country NOT IN ('US', 'CA') THEN 'SOX_RISK'
ELSE 'NO_COMPLIANCE_RISK'
END AS compliance_flag
FROM silver.software_location_mapping slm
JOIN gold.hr_user_directory u ON slm.user_id = u.user_id
WHERE slm.approval_status = 'UNAPPROVED'
ORDER BY location_risk_score DESC;
Cerebro Enhancement
Memory:
- Site Registry: Comprehensive database of corporate locations with trust levels
- Geo-Risk Intelligence: Country-specific threat intelligence, adversarial nations
- Travel Itineraries: Known business travel from calendar/expense systems
- Network Topology: Complete network map with trust boundaries
Intelligence:
- Anomalous Location Detection: "Device typically in NYC office now accessing from Moscow coffee shop"
- Compliance Mapping: Automatic GDPR/CCPA/SOX violation detection based on data flow geography
- Threat Correlation: Cross-reference locations with known threat actor infrastructure
Reasoning:
- Location Context: "User in Tokyo office (trusted) but accessing via ISP IP (not corporate VPN) - possible VPN bypass"
- Compliance Logic: "PII data accessed in EU via unapproved Dropbox - GDPR Article 44 cross-border transfer violation"
- Incident Prioritization: "Critical app accessed from high-risk country on untrusted network - immediate block"
UI Representation
Component: Security Dashboard - Location Intelligence Module
Visualization:
┌─────────────────────────────────────────────────────────────────────┐
│ LOCATION INTELLIGENCE - UNAPPROVED SOFTWARE │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Global Threat Map │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ [Interactive World Map] │ │
│ │ │ │
│ │ 🔴 Moscow, RU (12 devices) - WeTransfer, Discord │ │
│ │ 🔴 Beijing, CN (8 devices) - Dropbox Personal, GitHub │ │
│ │ 🟠 Mumbai, IN (45 devices) - WhatsApp Web, Telegram │ │
│ │ 🟡 London, UK (23 devices) - Slack Personal │ │
│ │ 🟢 New York, US (156 devices) - Various low-risk │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Critical Location Alerts │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ 🔴 HIGH-RISK GEO + CRITICAL APP │ │
│ │ John Smith accessing WeTransfer from Moscow, Russia │ │
│ │ Device: iPhone 14 Pro │ Network: Untrusted WiFi │ │
│ │ Risk: State-sponsored interception possible │ │
│ │ [Block Immediately] [Force VPN] [Notify User] [Investigate] │ │
│ │ │ │
│ │ 🟠 GDPR COMPLIANCE VIOLATION │ │
│ │ Sarah Johnson (HR) - Dropbox Personal in Frankfurt, Germany │ │
│ │ Data: PII detected (employee records) │ 180 GB │ │
│ │ Violation: Cross-border data transfer without safeguards │ │
│ │ [Revoke Access] [DLP Review] [Compliance Report] [Legal] │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Location Breakdown │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Corporate Office (Trusted) 234 devices │ 45 unique apps │ │
│ │ Remote Office (Trusted) 89 devices │ 28 unique apps │ │
│ │ VPN (Corporate) 156 devices │ 67 unique apps │ │
│ │ Public WiFi (Untrusted) 78 devices │ 34 unique apps 🔴 │ │
│ │ High-Risk Countries 20 devices │ 12 unique apps 🔴 │ │
│ └──────────────────────────────�───────────────────────────────────┘ │
│ │
│ [View Map Details] [Filter by Risk Level] [Geo-Block Countries] │
└─────────────────────────────────────────────────────────────────────┘
Copilot Query Example:
"Show me unapproved software running in high-risk countries"
Answer: "I found unapproved software actively running in 3 high-risk countries:
Russia (CRITICAL RISK)
- 12 devices in Moscow
- Apps: WeTransfer Pro (8 devices), Discord (4 devices)
- Users: John Smith (Engineering Manager) - WeTransfer, 340 MB transferred
- Network: Public WiFi at Sheraton Hotel (untrusted)
- Risk: State-sponsored interception, FISA 702 compliance risk
- Recommendation: Immediate geo-block, force VPN, investigate data accessed
China (CRITICAL RISK)
- 8 devices in Beijing
- Apps: Dropbox Personal (5 devices), GitHub Personal (3 devices)
- Users: Engineering team attending conference
- Risk: IP theft, source code exfiltration
- Recommendation: Block Dropbox/GitHub access from China, mandatory VPN"
Q4: "If there's a vulnerability, where is it and how is it configured?"
Why it matters: Vulnerability management requires precise asset inventory, configuration awareness, and environmental context. Knowing which vulnerable software versions exist, where they're deployed, and how they're configured enables risk-based patching priorities and compensating controls. Misconfigurations often amplify vulnerability impact.
Telemetry Sources
Primary Sources:
- Vulnerability Scanners (Qualys, Tenable): CVE detections, CVSS scores, exploitability metrics
- UEM/MDM: Software versions, patch levels, configuration profiles
- CMDB: Asset inventory, software-to-server mappings, dependencies
- SIEM: Exploitation attempts, attack patterns, IOCs
Secondary Sources:
- CVE Databases (NVD, MITRE): Vulnerability descriptions, patches, workarounds
- Threat Intelligence Feeds: Actively exploited CVEs, weaponized exploits
- Configuration Management (Ansible, Puppet): System configurations, security baselines
- Cloud Provider APIs: Cloud resource configurations, security group rules
L1 Analytics (Bronze→Silver)
-- Vulnerability inventory with location and configuration
CREATE VIEW silver.vulnerability_inventory AS
SELECT
vuln.cve_id, vuln.cvss_score, vuln.severity,
vuln.software_name, vuln.affected_version,
dev.device_id, dev.device_name, dev.device_type,
dev.os_version, dev.ip_address,
loc.site_name, loc.building, loc.country,
config.configuration_profile,
config.firewall_enabled, config.antivirus_status,
config.admin_privileges_enabled,
CASE
WHEN vuln.cvss_score >= 9.0 THEN 'CRITICAL'
WHEN vuln.cvss_score >= 7.0 THEN 'HIGH'
WHEN vuln.cvss_score >= 4.0 THEN 'MEDIUM'
ELSE 'LOW'
END AS vulnerability_severity,
CASE
WHEN threat.actively_exploited = TRUE THEN 'ACTIVE_EXPLOIT'
WHEN threat.exploit_available = TRUE THEN 'EXPLOIT_AVAILABLE'
ELSE 'NO_KNOWN_EXPLOIT'
END AS exploit_status,
vuln.first_detected, vuln.last_scanned
FROM bronze.vulnerability_scan_results vuln
JOIN gold.device_inventory dev ON vuln.device_id = dev.device_id
LEFT JOIN silver.software_location_mapping loc ON dev.device_id = loc.device_id
LEFT JOIN bronze.device_configuration config ON dev.device_id = config.device_id
LEFT JOIN gold.threat_intelligence threat ON vuln.cve_id = threat.cve_id;
L2 Analytics (Silver→Gold)
-- Vulnerability risk analysis with configuration impact
CREATE VIEW gold.vulnerability_risk_assessment AS
SELECT
vi.cve_id, vi.software_name, vi.affected_version,
vi.cvss_score, vi.vulnerability_severity,
vi.exploit_status,
-- Asset details
vi.device_name, vi.device_type, vi.os_version,
vi.site_name, vi.country,
-- Configuration posture
vi.configuration_profile,
vi.firewall_enabled,
vi.antivirus_status,
vi.admin_privileges_enabled,
-- Risk amplification from configuration
CASE
WHEN vi.admin_privileges_enabled = TRUE THEN 1 ELSE 0 END AS privilege_risk,
CASE
WHEN vi.firewall_enabled = FALSE THEN 1 ELSE 0 END AS firewall_risk,
CASE
WHEN vi.antivirus_status != 'ACTIVE' THEN 1 ELSE 0 END AS av_risk,
-- Composite risk score
CASE
WHEN vi.exploit_status = 'ACTIVE_EXPLOIT'
AND vi.cvss_score >= 9.0
AND vi.admin_privileges_enabled = TRUE THEN 100
WHEN vi.exploit_status = 'ACTIVE_EXPLOIT'
AND vi.cvss_score >= 7.0 THEN 90
WHEN vi.cvss_score >= 9.0 THEN 80
WHEN vi.exploit_status = 'ACTIVE_EXPLOIT' THEN 75
WHEN vi.cvss_score >= 7.0 THEN 60
ELSE 40
END AS composite_vulnerability_score,
-- Remediation priority
CASE
WHEN composite_vulnerability_score >= 90 THEN 'EMERGENCY - Patch Immediately'
WHEN composite_vulnerability_score >= 75 THEN 'CRITICAL - Patch Within 24 Hours'
WHEN composite_vulnerability_score >= 60 THEN 'HIGH - Patch Within 7 Days'
ELSE 'MEDIUM - Patch Within 30 Days'
END AS remediation_priority,
-- Compensating controls available
CASE
WHEN vi.firewall_enabled = TRUE AND vi.antivirus_status = 'ACTIVE' THEN 'YES'
ELSE 'NO'
END AS compensating_controls,
vi.first_detected,
DATEDIFF(CURRENT_DATE, DATE(vi.first_detected)) AS days_vulnerable
FROM silver.vulnerability_inventory vi
ORDER BY composite_vulnerability_score DESC, days_vulnerable DESC;
Configuration Risk Analysis:
-- Vulnerable software grouped by configuration risk
CREATE VIEW gold.configuration_vulnerability_matrix AS
SELECT
software_name,
affected_version,
COUNT(DISTINCT device_id) AS affected_devices,
AVG(cvss_score) AS avg_cvss_score,
-- Configuration breakdown
SUM(CASE WHEN admin_privileges_enabled = TRUE THEN 1 ELSE 0 END) AS privileged_devices,
SUM(CASE WHEN firewall_enabled = FALSE THEN 1 ELSE 0 END) AS no_firewall_devices,
SUM(CASE WHEN antivirus_status != 'ACTIVE' THEN 1 ELSE 0 END) AS no_av_devices,
-- Geographic distribution
ARRAY_AGG(DISTINCT site_name ORDER BY site_name) AS affected_sites,
ARRAY_AGG(DISTINCT country ORDER BY country) AS affected_countries,
-- Exploit risk
MAX(CASE WHEN exploit_status = 'ACTIVE_EXPLOIT' THEN 1 ELSE 0 END) AS actively_exploited,
-- Remediation status
SUM(CASE WHEN days_vulnerable > 90 THEN 1 ELSE 0 END) AS overdue_90_days,
SUM(CASE WHEN days_vulnerable > 30 THEN 1 ELSE 0 END) AS overdue_30_days
FROM gold.vulnerability_risk_assessment
GROUP BY 1,2
ORDER BY actively_exploited DESC, avg_cvss_score DESC, affected_devices DESC;
Cerebro Enhancement
Memory:
- CVE Knowledge Base: Complete vulnerability database with descriptions, patches, workarounds
- Configuration Baselines: Approved security configurations, hardening standards (CIS benchmarks)
- Patch History: Historical patching timelines, success rates, rollback events
- Vulnerability Lifecycle: Time-to-patch metrics, SLA compliance tracking
- Asset Dependencies: Software dependency trees, critical system identification
Intelligence:
- Exploitability Prediction: ML models predicting likelihood of exploitation based on CVSS, threat actor TTPs
- Configuration Risk Scoring: Assess vulnerability severity amplification from misconfigurations
- Patch Compatibility Analysis: Predict patch success/failure based on environment characteristics
- Attack Path Modeling: Map how vulnerabilities could be chained for lateral movement
- Threat Actor Targeting: Identify CVEs actively targeted by specific threat groups
Reasoning:
- Prioritization Logic: "CVE-2024-1234 (CVSS 9.8) in Log4j on 45 internet-facing servers with admin privileges - Emergency patch required"
- Configuration Context: "Vulnerable Apache version BUT WAF rules block exploit vector - lower priority, monitor WAF logs"
- Remediation Recommendations: "Patch available for Windows 10 21H2, upgrade path to 22H2 required first - staged rollout plan"
- Compensating Controls: "Critical SQL vulnerability but network segmentation isolates DB - temporary mitigation until patch window"
- Business Impact Assessment: "Vulnerable software on POS terminals in 200 retail stores - schedule overnight maintenance window"
UI Representation
Component: Security Dashboard - Vulnerability Management Module
Visualization:
┌─────────────────────────────────────────────────────────────────────┐
│ VULNERABILITY INTELLIGENCE - CONFIGURATION RISK 🔴 89 │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Critical Vulnerabilities Requiring Immediate Action │
│ ┌───────────────────────────────────────────────────────────────��──┐ │
│ │ 🔴 EMERGENCY - CVE-2024-1234 (Log4j RCE) │ │
│ │ CVSS: 9.8 │ Exploit: ACTIVE IN THE WILD │ │
│ │ Affected: 45 internet-facing web servers │ │
│ │ Location: AWS US-East-1, Azure West-Europe │ │
│ │ Config Risk: Admin privileges enabled, no WAF │ │
│ │ Days Vulnerable: 3 │ SLA: BREACH IMMINENT │ │
│ │ [Emergency Patch] [Isolate Servers] [Deploy WAF] [IOC Scan]│ │
│ │ │ │
│ │ 🔴 CRITICAL - CVE-2024-5678 (Windows PrintNightmare) │ │
│ │ CVSS: 8.8 │ Exploit: Public PoC Available │ │
│ │ Affected: 234 workstations (Finance, HR departments) │ │
│ │ Location: NYC HQ, Chicago Office │ │
│ │ Config Risk: Print spooler enabled, local admin rights │ │
│ │ Days Vulnerable: 45 │ SLA: Overdue by 15 days │ │
│ │ [Patch Now] [Disable Spooler] [Restrict Admin] [Monitor] │ │
│ │ │ │
│ │ 🟠 HIGH - CVE-2024-9012 (OpenSSL TLS Vuln) │ │
│ │ CVSS: 7.5 │ Exploit: None known │ │
│ │ Affected: 89 Linux servers (databases, app servers) │ │
│ │ Location: On-prem data center │ │
│ │ Config Risk: TLS 1.1 enabled (deprecated), weak ciphers │ │
│ │ Compensating Control: Network segmentation, IDS monitoring │ │
│ │ [Schedule Patch] [Update TLS Config] [Review IDS Logs] │ │
│ └───────────────────��──────────────────────────────────────────────┘ │
│ │
│ Vulnerability Heatmap (by Severity & Exploit Status) │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Active Exploit + Critical ████████ 12 CVEs │ 145 devices │ │
│ │ Active Exploit + High ████ 8 CVEs │ 67 devices │ │
│ │ Exploit Available + Critical███ 5 CVEs │ 89 devices │ │
│ │ Critical (No Exploit) ██ 15 CVEs │ 234 devices │ │
│ │ High (No Exploit) ██ 34 CVEs │ 456 devices │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Configuration Risk Amplifiers │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Vulnerable + Admin Privileges 🔴 45 devices │ │
│ │ Vulnerable + No Firewall 🔴 23 devices │ │
│ │ Vulnerable + Inactive AV 🟠 12 devices │ │
│ │ Vulnerable + Internet-Facing 🔴 67 devices │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Patch Compliance Dashboard │
│ ┌─────────────�────────────────────────────────────────────────────┐ │
│ │ Emergency SLA (24 hrs): ⚠️ 3 overdue │ 9 in progress │ │
│ │ Critical SLA (7 days): ⚠️ 15 overdue │ 23 in progress │ │
│ │ High SLA (30 days): ✅ On track │ 45 in progress │ │
│ │ Avg Time-to-Patch: 12.5 days │ Target: 10 days │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ [View All Vulnerabilities] [Patch Schedule] [Compensating Controls] │
│ [Configuration Hardening] [Threat Intelligence] [Compliance Report] │
└─────────────────────────────────────────────────────────────────────┘
Interactions:
- Emergency Patch: Initiate immediate patching workflow, notification to change management, rollback plan
- Isolate Servers: Network segmentation, VLAN isolation, firewall rule updates
- Deploy WAF: Push web application firewall rules to block exploit vectors
- IOC Scan: Search SIEM for indicators of compromise, check exploitation attempts
- Disable Spooler: Push UEM policy to disable vulnerable services
- Restrict Admin: Revoke local admin rights via GPO/MDM policy
- Monitor: Enhanced logging, IDS/IPS alerting for exploitation attempts
- Schedule Patch: Add to patch management queue with priority and maintenance window
- Update TLS Config: Push secure TLS configuration profile
- Configuration Hardening: Apply CIS benchmarks, security baselines
- Threat Intelligence: View threat actor campaigns targeting these CVEs
- Compliance Report: Generate audit report for SOC 2, ISO 27001 requirements
Copilot Query Example:
"Show me all critical vulnerabilities on internet-facing systems with active exploits"
Answer: "I found 3 critical vulnerabilities on internet-facing systems with active exploitation:
CVE-2024-1234 - Log4j Remote Code Execution (EMERGENCY)
- CVSS Score: 9.8 (Critical)
- Exploit Status: ACTIVE IN THE WILD (ransomware campaigns detected)
- Affected Assets: 45 web servers
- 23 in AWS US-East-1 (public subnet)
- 22 in Azure West-Europe (DMZ)
- Software: Apache Tomcat 9.0.45 with Log4j 2.14.1
- Configuration Risks:
- Admin privileges enabled on 18 servers
- No WAF protection on 12 servers
- Logging level set to DEBUG (increases attack surface)
- Days Vulnerable: 3 days (SLA breach imminent - 24hr emergency window)
- Business Impact: Customer-facing e-commerce platform (HIGH)
- Recommendation: EMERGENCY PATCH REQUIRED
- Immediate: Deploy WAF rules to block JNDI lookup patterns
- Within 1 hour: Apply Log4j 2.17.1 patch to all servers
- Scan SIEM logs for past 72 hours for exploitation attempts
- Consider temporary service suspension if patch deployment delayed
CVE-2024-3456 - Microsoft Exchange ProxyShell (CRITICAL)
- CVSS Score: 9.0 (Critical)
- Exploit Status: ACTIVE (APT groups targeting)
- Affected Assets: 8 Exchange servers (internet-facing OWA/ECP)
- Location: On-prem data center (DMZ)
- Software: Exchange Server 2019 CU11
- Configuration Risks:
- External Client Access enabled
- No MFA on OWA (bypasses authentication controls)
- Unified Messaging service running (deprecated, vulnerable component)
- Days Vulnerable: 12 days (SLA BREACH - critical patch window is 7 days)
- Business Impact: Email infrastructure, potential lateral movement
- Recommendation: CRITICAL PATCH OVERDUE
- Apply Microsoft Security Update KB5012345 immediately
- Enable MFA on all OWA/ECP endpoints
- Disable Unified Messaging service (not business-critical)
- Review Exchange logs for web shell uploads (IOC: *.aspx in unusual locations)
- Incident response: Forensic analysis for compromise indicators
CVE-2024-7890 - Apache HTTP Server Path Traversal (CRITICAL)
- CVSS Score: 8.6 (High/Critical)
- Exploit Status: Public exploit code available (Metasploit module)
- Affected Assets: 12 Apache web servers (reverse proxies)
- Location: AWS US-West-2, GCP US-Central
- Software: Apache HTTP Server 2.4.48
- Configuration Risks:
- Directory listing enabled (exposes file structure)
- Vulnerable CGI scripts accessible
- Running as root user (privilege escalation risk)
- Days Vulnerable: 8 days
- Business Impact: API gateways, potential backend system access
- Recommendation: PATCH WITHIN 24 HOURS
- Upgrade to Apache 2.4.51 or apply vendor patch
- Disable directory listing (update httpd.conf)
- Run Apache as non-privileged user (www-data)
- Review access logs for path traversal attempts (IOC: ../ sequences in URLs)
Overall Risk Assessment:
- Total internet-facing critical vulnerabilities: 65 devices
- Combined risk score: 95/100 (EXTREME RISK)
- Estimated blast radius: 2,500+ internal systems via lateral movement
- Regulatory impact: SOC 2, PCI-DSS compliance violations likely
Immediate Action Plan:
- Activate emergency change control process
- Deploy temporary mitigations (WAF rules, service isolation) within 1 hour
- Begin emergency patching starting with Log4j (highest risk)
- Initiate incident response procedures (forensic log analysis)
- Notify CISO, CTO, and Legal teams
- Prepare board communication if compromise evidence found
Shall I initiate emergency patching workflow and deploy WAF mitigations now?"
Q5: "Are we using software with known vulnerabilities?"
Why it matters: Proactive vulnerability identification prevents exploitation. Knowing which software versions contain known CVEs enables preemptive patching, risk acceptance decisions, and compliance demonstration. This question addresses strategic vulnerability posture, not just individual CVE incidents.
Telemetry Sources
Primary Sources:
- Software Inventory: Complete catalog of installed software with versions
- CVE Databases (NVD, MITRE): Vulnerability intelligence, CVSS scores, exploitability
- Vulnerability Scanners: Authenticated scans, network scans, agent-based detection
- SCA (Software Composition Analysis): Third-party library vulnerabilities, dependency trees
Secondary Sources:
- Vendor Security Bulletins: Oracle, Microsoft, Adobe security advisories
- Threat Intelligence Platforms: Exploit availability, active targeting campaigns
- Package Managers: npm, pip, Maven vulnerability reports
- SBOM (Software Bill of Materials): Component-level vulnerability tracking
L1 Analytics (Bronze→Silver)
-- Software inventory with vulnerability matching
CREATE VIEW silver.software_vulnerability_mapping AS
SELECT
inv.software_name,
inv.software_version,
inv.publisher,
cve.cve_id,
cve.cvss_score,
cve.severity,
cve.description,
cve.published_date,
-- Device/user context
inv.device_id,
inv.user_id,
u.department,
-- Patch availability
patch.patch_available,
patch.patch_version,
patch.release_date AS patch_release_date,
-- Exploit intelligence
threat.exploit_available,
threat.actively_exploited,
threat.exploit_maturity, -- Unproven, Proof of Concept, Functional, High
-- Asset count
COUNT(DISTINCT inv.device_id) OVER (PARTITION BY inv.software_name, inv.software_version) AS devices_affected
FROM gold.software_inventory inv
JOIN bronze.cve_database cve
ON inv.software_name = cve.software_name
AND inv.software_version BETWEEN cve.affected_version_start AND cve.affected_version_end
LEFT JOIN bronze.patch_catalog patch
ON cve.cve_id = patch.cve_id
LEFT JOIN gold.threat_intelligence threat
ON cve.cve_id = threat.cve_id
LEFT JOIN gold.hr_user_directory u ON inv.user_id = u.user_id
WHERE cve.cve_id IS NOT NULL;
L2 Analytics (Silver→Gold)
-- Strategic vulnerability posture analysis
CREATE VIEW gold.vulnerable_software_portfolio AS
SELECT
software_name,
software_version,
publisher,
-- Vulnerability summary
COUNT(DISTINCT cve_id) AS total_vulnerabilities,
SUM(CASE WHEN severity = 'CRITICAL' THEN 1 ELSE 0 END) AS critical_vulnerabilities,
SUM(CASE WHEN severity = 'HIGH' THEN 1 ELSE 0 END) AS high_vulnerabilities,
AVG(cvss_score) AS avg_cvss_score,
MAX(cvss_score) AS max_cvss_score,
-- Exploit risk
SUM(CASE WHEN actively_exploited = TRUE THEN 1 ELSE 0 END) AS actively_exploited_cves,
SUM(CASE WHEN exploit_available = TRUE THEN 1 ELSE 0 END) AS exploitable_cves,
-- Exposure
COUNT(DISTINCT device_id) AS total_devices_affected,
COUNT(DISTINCT department) AS departments_affected,
-- Remediation status
SUM(CASE WHEN patch_available = TRUE THEN 1 ELSE 0 END) AS patchable_cves,
SUM(CASE WHEN patch_available = FALSE THEN 1 ELSE 0 END) AS unpatchable_cves,
-- Age analysis
MIN(published_date) AS oldest_cve_date,
MAX(published_date) AS newest_cve_date,
AVG(DATEDIFF(CURRENT_DATE, published_date)) AS avg_cve_age_days,
-- Risk score
CASE
WHEN SUM(actively_exploited) > 0 AND SUM(critical_vulnerabilities) > 0 THEN 100
WHEN SUM(actively_exploited) > 0 THEN 90
WHEN SUM(critical_vulnerabilities) > 5 THEN 85
WHEN SUM(critical_vulnerabilities) > 0 OR MAX(cvss_score) >= 9.0 THEN 75
WHEN SUM(high_vulnerabilities) > 10 THEN 60
ELSE 40
END AS software_risk_score
FROM silver.software_vulnerability_mapping
GROUP BY 1,2,3
ORDER BY software_risk_score DESC, total_devices_affected DESC;
Portfolio Trends:
-- Vulnerability posture over time
CREATE VIEW gold.vulnerability_posture_trends AS
SELECT
DATE_TRUNC('month', published_date) AS month,
COUNT(DISTINCT cve_id) AS new_cves_published,
SUM(CASE WHEN patch_available = TRUE THEN 1 ELSE 0 END) AS cves_patched,
SUM(CASE WHEN patch_available = FALSE THEN 1 ELSE 0 END) AS cves_unpatched,
AVG(cvss_score) AS avg_severity,
COUNT(DISTINCT software_name) AS vulnerable_software_count,
SUM(devices_affected) AS total_exposure
FROM silver.software_vulnerability_mapping
GROUP BY 1
ORDER BY month DESC;
Cerebro Enhancement
Memory:
- Historical Vulnerability Trends: CVE publication rates, patch cycles, industry benchmarks
- Software Lifecycle Knowledge: EOL dates, vendor support timelines, upgrade paths
- Risk Tolerance Policies: Acceptable vulnerability age, CVSS thresholds, risk acceptance criteria
- Industry-Specific Vulnerabilities: Healthcare (HIPAA), Finance (PCI-DSS), Government (FedRAMP) specific risks
Intelligence:
- Predictive Vulnerability Analysis: "This software version historically receives 2-3 critical CVEs per quarter - upgrade recommended"
- Portfolio Optimization: "Consolidating 5 PDF readers to 1 approved vendor reduces vulnerability surface by 60%"
- Vendor Risk Scoring: "Adobe averages 45 days to patch, Microsoft averages 12 days - prioritize Microsoft stack"
- Dependency Chain Analysis: "Vulnerable Log4j version embedded in 23 different applications - systematic remediation required"
Reasoning:
- Strategic Recommendations: "15 applications running EOL Java 8 with 47 unpatched CVEs - Java 17 migration project justified"
- Risk Acceptance Logic: "CVE-2024-1234 affects offline lab equipment, network isolated - accept risk, document compensating controls"
- Prioritization: "Windows 10 has 12 critical CVEs but patch available; Oracle DB has 3 critical CVEs but no patch - prioritize Oracle workarounds"
- Compliance Mapping: "PCI-DSS requirement 6.2: patch critical vulnerabilities within 30 days - 8 systems non-compliant"
UI Representation
Component: Security Dashboard - Vulnerability Portfolio Overview
Visualization:
┌─────────────────────────────────────────────────────────────────────┐
│ VULNERABLE SOFTWARE PORTFOLIO 🔴 247│
├──────────────────────────────────────────────────────────────────��───┤
│ │
│ Risk Summary │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Critical Risk Software: 23 applications │ 456 devices │ │
│ │ High Risk Software: 67 applications │ 1,234 devices │ │
│ │ Actively Exploited CVEs: 12 CVEs │ 189 devices │ │
│ │ Unpatched Critical CVEs: 45 CVEs │ 890 devices │ │
│ │ EOL Software: 8 applications │ 123 devices │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Highest Risk Software (Immediate Attention Required) │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ 🔴 Oracle WebLogic Server 12.2.1.3 │ │
│ │ Risk Score: 100 │ Devices: 45 │ Departments: IT, Finance │ │
│ │ CVEs: 8 (5 Critical, 3 High) │ Actively Exploited: 2 │ │
│ │ Top CVE: CVE-2024-1234 (CVSS 9.8) - RCE, exploit in wild │ │
│ │ Patch: Available (12.2.1.4) │ Released: 15 days ago │ │
│ │ [Schedule Patch] [View CVEs] [Exploit Intel] [Mitigate] │ │
│ │ │ │
│ │ 🔴 Adobe Acrobat Reader DC 20.005 │ │
│ │ Risk Score: 90 │ Devices: 1,234 │ Company-wide │ │
│ │ CVEs: 23 (12 Critical, 11 High) │ │
│ │ Top CVE: CVE-2024-5678 (CVSS 9.3) - Arbitrary code exec │ │
│ │ Patch: Available (21.007.20091) │ Released: 3 days ago │ │
│ │ [Mass Deploy Patch] [View CVEs] [Usage Analytics] │ │
│ │ │ │
│ │ 🔴 Java Runtime Environment 8u291 (EOL) │ │
│ │ Risk Score: 85 │ Devices: 234 │ Departments: Engineering │ │
│ │ CVEs: 47 (8 Critical, 23 High, 16 Medium) │ │
│ │ Status: END OF LIFE - No security updates available │ │
│ │ Recommendation: Migrate to Java 17 LTS │ │
│ │ [Migration Plan] [View CVEs] [Risk Acceptance] [Isolate] │ │
│ └───────────────────────────────────────────────────�──────────────┘ │
│ │
│ Vulnerability Trend (Last 6 Months) │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ New CVEs Patched Unpatched Avg CVSS │ │
│ │ Jan │ 45 │ 38 │ 7 │ 6.8 │ │
│ │ Feb │ 52 │ 44 │ 8 │ 7.2 │ │
│ │ Mar │ 67 │ 51 │ 16 │ 7.5 ⚠️ Trend worsening │ │
│ │ Apr │ 89 │ 62 │ 27 │ 8.1 ⚠️ │ │
│ │ May │ 103 │ 71 │ 32 │ 8.4 🔴 Action required │ │
│ │ Jun │ 127 │ 82 │ 45 │ 8.7 🔴 Critical │ │
│ └─��────────────────────────────────────────────────────────────────┘ │
│ │
│ Software Rationalization Opportunities │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ PDF Readers: 5 different applications (Adobe, Foxit, PDF-XChange)│ │
│ │ - Total CVEs: 67 across all versions │ │
│ │ - Recommendation: Standardize on Adobe Acrobat Pro DC │ │
│ │ - Risk Reduction: 60% fewer CVEs to manage │ │
│ │ [Start Rationalization Project] │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ [View All Vulnerable Software] [Patch Roadmap] [Compliance Report] │
│ [EOL Software Inventory] [Vendor Risk Analysis] [Portfolio Cleanup] │
└─────────────────────────────────────────────────────────────────────┘
Copilot Query Example:
"What software do we have with critical vulnerabilities that are actively being exploited?"
Answer: "I found 5 software applications with critical vulnerabilities being actively exploited in the wild:
1. Oracle WebLogic Server 12.2.1.3 (EXTREME RISK)
- Affected Devices: 45 servers (production app servers)
- Departments: IT Infrastructure (23), Finance ERP (22)
- Critical CVEs with Active Exploits:
- CVE-2024-1234 (CVSS 9.8): Remote Code Execution via deserialization flaw
- Exploit: Ransomware groups targeting (REvil, LockBit variants)
- First exploited: 5 days ago
- IOCs: Unusual Java processes, outbound connections to known C2 servers
- CVE-2024-2345 (CVSS 9.1): Authentication bypass
- Exploit: APT groups (China-linked threat actors)
- First exploited: 12 days ago
- Patch Status: Available (Oracle WebLogic 12.2.1.4, released 15 days ago)
- Business Impact: Finance ERP system, payroll processing, customer data
- Recommendation: EMERGENCY PATCHING REQUIRED
- Immediate: Isolate affected servers, review access logs for IOC matching
- Within 4 hours: Deploy patch to DEV/TEST environments
- Within 24 hours: Emergency change control, production patching
- Forensics: Engage IR team if exploitation evidence found
2. Microsoft Exchange Server 2019 CU11 (CRITICAL RISK)
- Affected Devices: 8 Exchange servers (email infrastructure)
- Critical CVEs with Active Exploits:
- CVE-2024-3456 (CVSS 9.0): ProxyShell RCE chain
- Exploit: Multiple APT groups, ransomware operators
- Known attacks: 2,300+ organizations compromised globally
- CVE-2024-4567 (CVSS 8.8): Privilege escalation
- Patch Status: Available (Exchange 2019 CU12, released 8 days ago)
- Business Impact: Email infrastructure, potential lateral movement to domain controllers
- Recommendation: CRITICAL - PATCH WITHIN 24 HOURS
- Deploy Microsoft Security Update immediately
- Enable MFA on all OWA/ECP endpoints
- Review for web shell artifacts (*.aspx in unusual directories)
3. Apache Log4j 2.14.1 (CRITICAL RISK)
- Affected Devices: 67 servers across multiple applications
- Critical CVE with Active Exploit:
- CVE-2021-44228 (CVSS 10.0): Log4Shell RCE
- Exploit: Widespread exploitation, automated scanners, ransomware
- Still being targeted 2+ years after disclosure
- Applications Using Vulnerable Log4j:
- VMware vCenter (12 instances)
- Apache Tomcat web apps (34 instances)
- Elasticsearch (21 instances)
- Patch Status: Available (Log4j 2.17.1 - MUST upgrade)
- Recommendation: EMERGENCY - SYSTEMATIC REMEDIATION
- Immediate: Deploy WAF rules blocking JNDI injection patterns
- Within 48 hours: Patch/upgrade all affected applications
- Use SBOM tools to identify hidden Log4j dependencies
4. Fortinet FortiOS 6.4.8 (HIGH RISK)
- Affected Devices: 12 firewall appliances (network perimeter)
- Critical CVEs with Active Exploits:
- CVE-2024-6789 (CVSS 9.6): Pre-auth RCE in SSL VPN
- Exploit: Nation-state actors (suspected Chinese APT)
- First exploited: 3 weeks ago
- Patch Status: Available (FortiOS 6.4.12, released 10 days ago)
- Business Impact: Network perimeter compromise, VPN credentials at risk
- Recommendation: URGENT - PATCH NETWORK INFRASTRUCTURE
- Schedule emergency maintenance window (low-traffic period)
- Upgrade all firewalls to 6.4.12
- Review VPN logs for unauthorized access attempts
- Reset VPN credentials post-patch if exploitation suspected
5. Citrix ADC 13.0 (HIGH RISK)
- Affected Devices: 6 load balancers (internet-facing)
- Critical CVE with Active Exploit:
- CVE-2024-7890 (CVSS 9.4): Buffer overflow RCE
- Exploit: Exploit code publicly available, active scanning detected
- Patch Status: Available (Citrix ADC 13.1, released 5 days ago)
- Business Impact: Load balancers front customer portal, API gateway
- Recommendation: HIGH PRIORITY - PATCH WITHIN 72 HOURS
- Deploy patches to standby load balancers first
- Failover traffic, patch production units
- Monitor for exploitation attempts (check access logs)
Overall Risk Summary:
- Total devices at extreme risk: 138 assets
- Combined risk score: 98/100 (CRITICAL - Immediate action required)
- Estimated potential impact: Enterprise-wide compromise, ransomware deployment, data exfiltration
- Compliance: SOC 2, ISO 27001, PCI-DSS violations likely if not addressed
Immediate Action Plan:
- Activate incident response team (standby for potential compromise)
- Begin emergency patching - priority order: Oracle WebLogic (45 servers), Exchange (8 servers), FortiOS firewalls (12)
- Deploy temporary mitigations (WAF rules for Log4j, network segmentation)
- Scan SIEM for IOCs related to these CVEs (past 30 days)
- Notify executive team (CISO, CTO, CEO) of critical risk exposure
- Prepare incident communication plan if compromise detected
Shall I create emergency change requests and initiate patching workflows?"
Q6: "Are terminated employees properly deprovisioned?"
Why it matters: Improper deprovisioning creates insider threat risks, compliance violations, and unauthorized access to sensitive data. Terminated employees retaining system access can exfiltrate data, sabotage systems, or provide access to malicious actors. Automated deprovisioning verification ensures consistent offboarding and audit trail compliance.
Telemetry Sources
Primary Sources:
- HR System: Termination dates, last day worked, resignation vs. termination, exit interview status
- IDP/SSO (Okta, Azure AD): Account status, last authentication, MFA device registrations
- UEM/MDM: Device return status, remote wipe execution, enrollment status
- IAM Systems: Access rights, role assignments, privileged account status
Secondary Sources:
- VPN Logs: Post-termination VPN access attempts
- Badge Access Systems: Physical access attempts post-termination
- SaaS Applications: OAuth tokens, API keys, application-specific accounts
- Email/Collaboration: Mailbox access, Teams/Slack memberships, shared file access
L1 Analytics (Bronze→Silver)
-- Terminated employee access verification
CREATE VIEW silver.terminated_employee_access_status AS
SELECT
hr.user_id,
hr.username,
hr.email,
hr.full_name,
hr.department,
hr.termination_date,
hr.termination_type, -- Voluntary, Involuntary, Retirement, Transfer
hr.last_day_worked,
-- Account status
idp.account_status, -- Active, Disabled, Deleted
idp.last_login,
idp.mfa_devices_enrolled,
idp.password_last_changed,
-- Device status
uem.device_id,
uem.device_status, -- Enrolled, Wiped, Returned, Missing
uem.last_check_in,
uem.wipe_initiated,
uem.wipe_completed,
-- Access rights
iam.active_roles,
iam.active_permissions,
iam.privileged_access,
-- Application access
COUNT(DISTINCT saas.app_name) AS active_saas_apps,
-- Deprovisioning lag
DATEDIFF(CURRENT_DATE, hr.termination_date) AS days_since_termination,
-- Compliance flags
CASE
WHEN idp.account_status = 'Active' AND days_since_termination > 0 THEN 'ACCOUNT_NOT_DISABLED'
WHEN uem.device_status = 'Enrolled' AND days_since_termination > 7 THEN 'DEVICE_NOT_RETURNED'
WHEN idp.last_login > hr.termination_date THEN 'POST_TERMINATION_ACCESS'
WHEN iam.privileged_access = TRUE AND days_since_termination > 0 THEN 'PRIVILEGED_ACCESS_RETAINED'
ELSE 'COMPLIANT'
END AS deprovisioning_status
FROM bronze.hr_employee_directory hr
LEFT JOIN bronze.idp_user_accounts idp ON hr.user_id = idp.user_id
LEFT JOIN bronze.uem_devices uem ON hr.user_id = uem.primary_user_id
LEFT JOIN bronze.iam_access_rights iam ON hr.user_id = iam.user_id
LEFT JOIN bronze.saas_user_licenses saas ON hr.user_id = saas.user_id AND saas.license_status = 'Active'
WHERE hr.employment_status = 'TERMINATED'
AND hr.termination_date >= CURRENT_DATE - INTERVAL 90 DAYS
GROUP BY 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,23;
L2 Analytics (Silver→Gold)
-- Deprovisioning compliance and risk assessment
CREATE VIEW gold.deprovisioning_compliance_report AS
SELECT
user_id, username, email, full_name,
department, termination_date, termination_type,
-- Account status summary
account_status,
last_login,
days_since_termination,
-- Deprovisioning compliance
deprovisioning_status,
-- Risk factors
CASE WHEN last_login > termination_date THEN 1 ELSE 0 END AS post_term_access,
CASE WHEN account_status = 'Active' THEN 1 ELSE 0 END AS active_account,
CASE WHEN privileged_access = TRUE THEN 1 ELSE 0 END AS privileged_access_retained,
CASE WHEN device_status != 'Wiped' AND device_status != 'Returned' THEN 1 ELSE 0 END AS device_not_secured,
CASE WHEN active_saas_apps > 0 THEN 1 ELSE 0 END AS saas_access_retained,
-- Device details
device_id,
device_status,
wipe_completed,
-- Application access
active_saas_apps,
active_roles,
-- Risk scoring
CASE
WHEN post_term_access = 1 AND privileged_access_retained = 1 THEN 100
WHEN post_term_access = 1 THEN 90
WHEN privileged_access_retained = 1 AND days_since_termination > 1 THEN 85
WHEN active_account = 1 AND termination_type = 'Involuntary' AND days_since_termination > 0 THEN 80
WHEN active_account = 1 AND days_since_termination > 7 THEN 70
WHEN device_not_secured = 1 AND days_since_termination > 14 THEN 60
WHEN saas_access_retained = 1 AND days_since_termination > 7 THEN 50
ELSE 20
END AS deprovisioning_risk_score,
-- Remediation priority
CASE
WHEN deprovisioning_risk_score >= 85 THEN 'CRITICAL - Immediate Action'
WHEN deprovisioning_risk_score >= 70 THEN 'HIGH - Within 4 Hours'
WHEN deprovisioning_risk_score >= 50 THEN 'MEDIUM - Within 24 Hours'
ELSE 'LOW - Routine Follow-up'
END AS remediation_priority
FROM silver.terminated_employee_access_status
WHERE deprovisioning_status != 'COMPLIANT'
ORDER BY deprovisioning_risk_score DESC, days_since_termination DESC;
Deprovisioning Metrics:
-- Organizational deprovisioning effectiveness
CREATE VIEW gold.deprovisioning_effectiveness_metrics AS
SELECT
DATE_TRUNC('month', termination_date) AS month,
termination_type,
department,
COUNT(*) AS total_terminations,
SUM(CASE WHEN deprovisioning_status = 'COMPLIANT' THEN 1 ELSE 0 END) AS compliant_deprovisions,
SUM(CASE WHEN post_term_access = 1 THEN 1 ELSE 0 END) AS post_termination_access_incidents,
SUM(CASE WHEN days_since_termination > 7 AND active_account = 1 THEN 1 ELSE 0 END) AS overdue_7_days,
-- Effectiveness rate
ROUND(100.0 * compliant_deprovisions / total_terminations, 2) AS compliance_rate_pct,
-- Average time to deprovision
AVG(CASE WHEN account_status != 'Active'
THEN DATEDIFF(idp.account_disabled_date, termination_date)
ELSE NULL END) AS avg_deprovision_time_days,
-- Target SLA: Same day for involuntary terminations, within 7 days for voluntary
SUM(CASE
WHEN termination_type = 'Involuntary' AND days_since_termination = 0 AND account_status != 'Active' THEN 1
WHEN termination_type IN ('Voluntary', 'Retirement') AND days_since_termination <= 7 AND account_status != 'Active' THEN 1
ELSE 0
END) AS sla_compliant,
ROUND(100.0 * sla_compliant / total_terminations, 2) AS sla_compliance_rate_pct
FROM silver.terminated_employee_access_status
GROUP BY 1,2,3
ORDER BY month DESC, compliance_rate_pct ASC;
Cerebro Enhancement
Memory:
- Deprovisioning Playbooks: Role-specific offboarding checklists (developer vs. finance analyst)
- Historical Incidents: Past unauthorized access incidents post-termination
- Exit Risk Profiles: Behavioral indicators (disgruntled employees, litigation, competitor moves)
- Compliance Requirements: SOX, HIPAA, PCI-DSS deprovisioning timelines
- Asset Tracking: Company devices, access badges, VPN tokens issued per employee
Intelligence:
- Risk Prediction: "Employee resigned to join competitor - high data exfiltration risk in final 2 weeks"
- Anomaly Detection: "Unusual data download activity 48 hours before termination date"
- Pattern Recognition: "Engineering department has 40% deprovisioning delay rate - process improvement needed"
- Proactive Alerts: "Employee termination effective tomorrow - automated deprovisioning scheduled"
Reasoning:
- Priority Logic: "Involuntary termination with privileged access to financial systems - immediate deprovisioning required"
- Risk Assessment: "Voluntary resignation, 2-week notice period - monitor data access, standard offboarding timeline"
- Remediation Recommendations: "Account disabled but SaaS OAuth tokens still active - revoke tokens immediately"
- Process Gaps: "14 employees deprovisioned but devices not returned - escalate to HR/Legal for asset recovery"
- Compliance Validation: "SOX audit requirement: All financial system access removed within 24 hours of termination - 3 violations detected"
UI Representation
Component: Security Dashboard - Deprovisioning Compliance Module
Visualization:
┌────────────────────────────────────────────────────────�─────────────┐
│ EMPLOYEE DEPROVISIONING COMPLIANCE 🔴 12 │
├─────────────────────────────────────────────────────────────────────┤
│ │
│ Critical Deprovisioning Failures (Immediate Action Required) │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ 🔴 CRITICAL - John Doe ([email protected]) │ │
│ │ Department: Engineering │ Terminated: 5 days ago (Involuntary)│ │
│ │ Account Status: ACTIVE │ Last Login: 2 days ago ⚠️ │ │
│ │ Privileged Access: GitHub Admin, AWS Admin, Database SA │ │
│ │ Device: MacBook Pro 16" (Enrolled, Not Returned) │ │
│ │ SaaS Apps: 23 active licenses (Slack, Jira, GitHub, etc.) │ │
│ │ Risk: POST-TERMINATION ACCESS TO CRITICAL SYSTEMS │ │
│ │ [Disable Now] [Wipe Device] [Revoke All Access] [Investigate]│ │
│ │ │ │
│ │ 🔴 HIGH - Jane Smith ([email protected]) │ │
│ │ Department: Finance │ Terminated: 12 days ago (Involuntary) │ │
│ │ Account Status: Active │ Last Login: Before termination ✅ │ │
│ │ Privileged Access: Financial reports, payroll system │ │
│ │ Device: Dell Laptop (Not Returned) │ │
│ │ Risk: PRIVILEGED ACCESS RETAINED BEYOND SLA (7 days) │ │
│ │ [Disable Account] [Remote Wipe] [Revoke OAuth] [HR Notify] │ │
│ │ │ │
│ │ 🟠 MEDIUM - Mike Chen ([email protected]) │ │
│ │ Department: Sales │ Terminated: 21 days ago (Voluntary) │ │
│ │ Account Status: Disabled ✅ │ Last Login: Before term ✅ │ │
│ │ Device: iPhone 13 (Enrolled, Not Returned) │ │
│ │ Risk: Corporate device not returned (14-day SLA breach) │ │
│ │ [Remote Wipe] [Asset Recovery] [HR Escalation] │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Deprovisioning Compliance Dashboard │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Total Terminations (Last 90 Days): 47 │ │
│ │ Compliant Deprovisions: 35 (74.5%) ⚠️ Target: 95% │ │
│ │ Post-Termination Access Incidents: 3 🔴 (Investigation required)│ │
│ │ Overdue Deprovisions (>7 days): 8 🔴 │ │
│ │ Devices Not Returned: 14 🟠 │ │
│ │ Avg Deprovision Time: 3.2 days (Target: <1 day) │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Deprovisioning Breakdown by Department │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Engineering: 12 terms │ 8 compliant │ 4 overdue 🟠 │ │
│ │ Sales: 15 terms │ 13 compliant │ 2 overdue │ │
│ │ Finance: 8 terms │ 6 compliant │ 2 overdue 🔴 (SOX) │ │
│ │ Marketing: 7 terms │ 5 compliant │ 2 overdue │ │
│ │ HR: 3 terms │ 2 compliant │ 1 overdue 🔴 (PII) │ │
│ │ IT: 2 terms │ 1 compliant │ 1 overdue 🔴 (Admin) │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ Compliance Trend (Last 6 Months) │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ Month │ Terms │ Compliant │ Rate │ Post-Term Access │ │
│ │ Jan │ 8 │ 7 │ 87.5% │ 0 │ │
│ │ Feb │ 12 │ 10 │ 83.3% │ 1 │ │
│ │ Mar │ 15 │ 11 │ 73.3% │ 2 ⚠️ Declining trend │ │
│ │ Apr │ 18 │ 13 │ 72.2% │ 1 │ │
│ │ May │ 23 │ 16 │ 69.6% │ 3 🔴 Action needed │ │
│ │ Jun │ 19 │ 14 │ 73.7% │ 2 │ │
│ └─────────────────────────────────────────────────────────────────┘ │
│ │
│ [View All Terminated Users] [Audit Log] [SLA Report] [Process Review]│
│ [Automated Deprovisioning Rules] [HR Integration Health] │
└─────────────────────────────────────────────────────────────────────┘
Interactions:
- Disable Now: Immediately disable IDP account, terminate all active sessions
- Wipe Device: Initiate remote wipe command via UEM/MDM
- Revoke All Access: Bulk revoke OAuth tokens, API keys, VPN certificates, application-specific accounts
- Investigate: Forensic review of access logs, data downloads, email/file sharing activity post-termination
- HR Notify: Auto-generate escalation to HR for policy violation follow-up
- Asset Recovery: Generate equipment return reminder, escalate to legal if overdue
- HR Escalation: Notify HR manager and legal team for persistent non-compliance
- Audit Log: Complete audit trail of deprovisioning actions for compliance
- SLA Report: Generate compliance report for SOC 2, ISO 27001, internal audits
- Process Review: Analyze deprovisioning workflow for bottlenecks, automation gaps
- Automated Deprovisioning Rules: Configure IDP-HR integration for auto-disable on termination date
- HR Integration Health: Monitor API connectivity between HR system and IAM/IDP platforms
Copilot Query Example:
"Show me all terminated employees in the last 30 days who still have active accounts or devices"
Answer: "I found 5 terminated employees from the last 30 days with deprovisioning issues:
CRITICAL - Immediate Action Required:
1. John Doe ([email protected]) 🔴
- Department: Engineering (Senior DevOps Engineer)
- Terminated: 5 days ago (Involuntary termination)
- Account Status: ACTIVE ⚠️
- Last Login: 2 days ago (POST-TERMINATION ACCESS DETECTED)
- Privileged Access:
- GitHub Organization Admin
- AWS Root Account access (Production)
- Database Super Admin (PostgreSQL, MySQL)
- Kubernetes Cluster Admin
- Device: MacBook Pro 16" (Enrolled, Not Returned, contains source code)
- SaaS Applications: 23 active licenses
- Data Access Post-Termination:
- GitHub: 45 repository accesses (including proprietary code)
- AWS: 12 login sessions (EC2, S3, RDS activity)
- Slack: 156 messages sent/received
- Risk Assessment: EXTREME - Potential data exfiltration, sabotage, insider threat
- Compliance Violations: SOX (financial systems access), SOC 2 (access control)
- IMMEDIATE ACTIONS REQUIRED:
- Disable IDP account immediately (terminate all active sessions)
- Rotate all AWS root credentials, API keys, SSH keys
- Remote wipe device (initiate UEM wipe command)
- Revoke GitHub admin, audit repository access logs
- Initiate incident response investigation (CISO notification)
- Legal review for potential data theft, NDA breach
- HR escalation for involuntary termination protocol failure
HIGH - Within 4 Hours:
2. Jane Smith ([email protected]) 🔴
- Department: Finance (Financial Analyst)
- Terminated: 12 days ago (Involuntary termination)
- Account Status: Active (SLA BREACH - target: same day for involuntary)
- Last Login: 12 days ago (before termination) ✅
- Privileged Access:
- Financial reporting system (Hyperion)
- Payroll system (ADP)
- ERP system (Oracle Financials)
- Device: Dell Latitude 7420 (Enrolled, Not Returned)
- Risk: Financial data on unreturned device, potential SOX violation
- ACTIONS REQUIRED:
- Disable account immediately (overdue by 12 days)
- Revoke all financial system access
- Remote wipe device
- HR escalation for device return (legal asset recovery if not returned within 48 hours)
- SOX compliance report for audit (access control failure)
3. Mike Chen ([email protected]) 🟠
- Department: Sales (Account Executive)
- Terminated: 21 days ago (Voluntary resignation - joined competitor)
- Account Status: Disabled ✅ (3 days after termination)
- Last Login: 21 days ago (before termination) ✅
- Device: iPhone 13 Pro (Enrolled, NOT RETURNED - SLA breach 14 days)
- SaaS Applications: All licenses revoked ✅
- Data Concern: Salesforce data, customer contacts synced to personal device
- Risk: Customer data on unreturned device, potential competitive intelligence
- ACTIONS REQUIRED:
- Remote wipe device immediately (contains customer PII)
- HR/Legal escalation for asset recovery
- Review Salesforce data exports prior to termination (check for bulk downloads)
- Notify Sales leadership of potential customer poaching risk
MEDIUM - Within 24 Hours:
4. Sarah Johnson ([email protected]) 🟡
- Department: HR (HR Coordinator)
- Terminated: 18 days ago (Voluntary - Relocation)
- Account Status: Disabled ✅ (2 days after termination)
- Device: MacBook Air (Returned ✅, wiped ✅)
- Issue: Personal Gmail OAuth token still active (access to HR calendar, contacts)
- Risk: PII data accessible via OAuth grant to personal email
- ACTIONS REQUIRED:
- Revoke OAuth tokens for personal Gmail
- Review calendar/contact export activity (GDPR/HIPAA concern)
5. David Kumar ([email protected]) 🟡
- Department: Marketing (Marketing Manager)
- Terminated: 25 days ago (Voluntary)
- Account Status: Disabled ✅ (5 days after termination - SLA breach)
- Device: Returned ✅, wiped ✅
- Issue: Adobe Creative Cloud personal account still linked to corporate assets
- Risk: Brand assets, marketing materials accessible from personal Adobe account
- ACTIONS REQUIRED:
- Contact Adobe to transfer asset ownership from personal to corporate account
- Audit for other SaaS personal account linkages
Summary & Recommendations:
- Total Non-Compliant: 5 out of 47 terminations (10.6% failure rate)
- Critical Incidents: 1 (John Doe - post-termination access with privileged accounts)
- High Priority: 2 (overdue deprovisions with retained access/devices)
- SLA Compliance: 89.4% (Target: 95% - BELOW TARGET)
- Avg Deprovision Time: 3.8 days (Target: <1 day for involuntary, <7 days for voluntary)
Process Improvement Recommendations:
- Implement automated IDP-HR integration (auto-disable on termination date)
- Pre-termination access review (disable non-essential access 48hrs before last day)
- Enhanced monitoring for involuntary terminations (immediate disable + privileged access audit)
- Device return enforcement (hold final paycheck until equipment returned - Legal/HR policy)
- Weekly deprovisioning compliance review (proactive audit vs. reactive)
Shall I execute immediate remediation for John Doe (Critical) and Jane Smith (High), including account disablement, device wipe, and incident response initiation?"