The Environment: A Fragmented, Policy-Heavy Infrastructure
The organization in this case is a large national public-sector agency operating a highly distributed IT environment.
It consists of:
- A central headquarters
- Multiple regional and affiliated organizations
- Segmented internal and external networks
- A mix of permanent staff, contractors, and outsourced IT teams
Connectivity is provided through leased lines and secure gateways, creating a topology where trust boundaries shift constantly. In this environment, one problem dominated everything else:
Security policy existed, but identity and device reality were always in motion.
The Tool Paradox: High Security Density, Low Control
Like many mature government organizations, the agency had accumulated a dense security stack:
- Endpoint protection and anti-ransomware
- Media and USB control
- Patch and integrity validation
- Network firewalls
- Log collection and SIEM
Yet daily operations revealed a dangerous gap:
- IPs looked valid, but users were ambiguous
- Devices were registered, but their runtime behavior was unknown
- Multiple agents conflicted, generating false positives and instability
- Policy violations were detected but rarely enforced at the network level
Security existed, but it was disconnected from action.
Redefining Access: NAC as a Runtime Policy Engine
The agency’s first structural change was to redefine what “access” meant: it replaced static IP-based control with Network Access Control (NAC) acting as a real-time policy execution layer. Each connection was evaluated on:
- Device identity: Hardware fingerprint, OS, and agent presence
- User authentication: Who is behind the keyboard
- Compliance posture: Patch level, mandatory security software, integrity state
- Session state: Continuous tracking of the connection
Access was no longer binary. It became a live calculation of eligibility.
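To make the “live calculation of eligibility” concrete, here is an added example (not the agency’s NAC policy and not any vendor’s API) of a policy function that evaluates the four inputs listed above and returns a graded decision instead of a yes/no. The agent names, the 30-day patch window, the 8-hour re-authentication interval, the device records and the decision labels are all constructed for the illustration.

```python
"""Runtime NAC eligibility evaluation, added here as an illustration; it is
not the agency's NAC policy or any vendor's API. All policy thresholds,
device records and decision labels are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical policy baseline (constructed values).
REQUIRED_AGENTS: Set[str] = {"epp", "usb-control", "integrity"}
MAX_PATCH_AGE = timedelta(days=30)
REAUTH_INTERVAL = timedelta(hours=8)
NOW = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed clock


@dataclass
class Device:
    hw_fingerprint: str            # e.g. hash of TPM EK cert or serial+MAC
    registered: bool               # present in the asset inventory
    os_name: str
    agents_present: Set[str] = field(default_factory=set)


@dataclass
class Posture:
    last_patch: datetime
    integrity_ok: bool             # boot/file integrity validation passed


@dataclass
class Session:
    device: Device
    user: Optional[str]            # None when no authenticated principal
    authenticated_at: Optional[datetime]
    posture: Posture


def evaluate_access(s: Session, now: datetime) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'remediation-vlan'
    or 'deny'. Called on connect and again on every re-evaluation tick, so
    a session that was eligible an hour ago can stop being eligible."""
    reasons: List[str] = []
    # 1. Device identity: an unregistered device is never eligible.
    if not s.device.registered:
        return "deny", ["device not in inventory"]
    # 2. User authentication: no principal, or an expired one, denies.
    if s.user is None or s.authenticated_at is None:
        return "deny", ["no authenticated user"]
    if now - s.authenticated_at > REAUTH_INTERVAL:
        return "deny", ["authentication expired; re-authentication required"]
    # 3. Compliance posture: a missing control or stale patch level is
    #    recoverable by the user, so it routes to remediation, not denial.
    missing = REQUIRED_AGENTS - s.device.agents_present
    if missing:
        reasons.append("missing agents: " + ", ".join(sorted(missing)))
    if now - s.posture.last_patch > MAX_PATCH_AGE:
        reasons.append("patch level older than %d days" % MAX_PATCH_AGE.days)
    # A failed integrity check is not user-recoverable: deny outright.
    if not s.posture.integrity_ok:
        return "deny", reasons + ["integrity validation failed"]
    if reasons:
        return "remediation-vlan", reasons
    return "allow", []


def sample_sessions() -> Dict[str, Session]:
    """Constructed sessions covering each branch of the policy."""
    h, d = timedelta(hours=1), timedelta(days=1)
    good = Device("fp-a1", True, "Windows 11", set(REQUIRED_AGENTS))
    return {
        "compliant": Session(good, "alice", NOW - 1 * h, Posture(NOW - 5 * d, True)),
        "stale-patch": Session(good, "alice", NOW - 1 * h, Posture(NOW - 45 * d, True)),
        "missing-usb-control": Session(
            Device("fp-b2", True, "Windows 10", {"epp", "integrity"}),
            "bob", NOW - 1 * h, Posture(NOW - 3 * d, True)),
        "unregistered": Session(
            Device("fp-zz", False, "Windows 11", set(REQUIRED_AGENTS)),
            "carol", NOW - 1 * h, Posture(NOW - 1 * d, True)),
        "no-user": Session(good, None, None, Posture(NOW - 1 * d, True)),
        "integrity-failed": Session(good, "dave", NOW - 1 * h, Posture(NOW - 2 * d, False)),
    }


def sample_decisions(now: datetime = NOW) -> Dict[str, str]:
    """Decision label per sample session at the given clock."""
    return {name: evaluate_access(s, now)[0] for name, s in sample_sessions().items()}


def decision_after(name: str, hours: int) -> str:
    """Re-evaluate one sample session `hours` after NOW (session-state check)."""
    return evaluate_access(sample_sessions()[name], NOW + timedelta(hours=hours))[0]


if __name__ == "__main__":
    for name, s in sample_sessions().items():
        print(name, evaluate_access(s, NOW))
    # The same compliant session nine hours later: the authentication has
    # aged out, so continuous re-evaluation turns an 'allow' into a 'deny'.
    print("compliant@+9h", decision_after("compliant", 9))
```

The split between `deny` and `remediation-vlan` is the practical point: a missing agent or an old patch level is something the user can fix from a restricted network, whereas an unknown device, an absent principal or a failed integrity check is not, so those never get a remediation path. Calling `evaluate_access` again with a later clock is what “session state” means in practice; a decision is only ever valid until the next tick.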
The Residual Blind Spot: The Endpoint Black Box
NAC solved one problem: who is allowed in. But another remained. Once a compliant user on a trusted device connected, NAC could no longer see what happened inside the operating system’s execution layer.
NAC had no visibility into:
- Living-off-the-land activity (PowerShell, WMI, and other native system tools) at the process and memory level
- Memory-resident malware that never touched the disk
- Process-level lateral movement across systems
- Runtime circumvention of media and device controls
The network was controlled. The endpoint was opaque.
Moving Beyond EDR: Deploying an Endpoint Execution Platform
To close this gap, the agency deployed Insights E, not as a traditional EDR, but as an endpoint execution and behavior platform. Its purpose was simple: Observe and govern what actually runs on every device.
The platform delivered:
- Advanced threat detection: IOC, machine learning, and YARA-based identification of known, unknown, and fileless threats
- Behavior analytics (XBA): full process lineage showing which script launched which binary, what it touched, and where it connected
- Execution-level control: Process blocking, file and registry protection, device and USB control, and agent self-protection
This transformed endpoints from black boxes into observable execution environments.
The Breakthrough: NAC + Insights E = Closed-Loop Control
The turning point came when endpoint behavior was wired directly into network control. The logic became simple:
- NAC governs who and where
- Insights E observes what is executed
When Insights E detects:
- a malicious process
- a policy violation
- a suspicious execution chain
it signals NAC. NAC then, based on policy:
- isolates the device
- moves it to a quarantine network
- or cuts access entirely
Detection became enforcement. Containment happened before human escalation.
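The two halves of the loop, the process-lineage analysis described under behavior analytics (XBA) above and the signal-to-NAC mapping described in this section, are shown together in the following added example. It is not Insights E or NAC product code: the telemetry, the detection rules, the severity thresholds and the action labels are all invented for the illustration, and the encoded PowerShell payload is a placeholder.

```python
"""Closed-loop control, added here as an illustration; it is not the Insights E
or NAC product's code, and the event fields, rule names, thresholds and action
labels are invented. The endpoint side walks process lineage from constructed
telemetry and scores suspicious execution chains; the network side maps the
resulting severity to a NAC action."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]        # None for the root of the tree
    image: str                 # executable name, lower-case
    cmdline: str
    host: str


# Constructed telemetry: on ws-017 a macro-enabled document spawns hidden,
# encoded PowerShell, which uses wmic to create a process on another host.
# ws-042 runs a benign scheduled script. The -enc payload is a placeholder.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(400, None, "explorer.exe", "explorer.exe", "ws-017"),
    ProcEvent(812, 400, "winword.exe", "winword.exe /n report.docm", "ws-017"),
    ProcEvent(913, 812, "powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgA...", "ws-017"),
    ProcEvent(970, 913, "wmic.exe",
              "wmic /node:srv-02 process call create cmd.exe", "ws-017"),
    ProcEvent(1001, 400, "notepad.exe", "notepad.exe notes.txt", "ws-017"),
    ProcEvent(200, None, "explorer.exe", "explorer.exe", "ws-042"),
    ProcEvent(233, 200, "powershell.exe",
              "powershell.exe -File C:\\scripts\\inventory.ps1", "ws-042"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "wmic.exe", "rundll32.exe", "mshta.exe",
           "regsvr32.exe", "certutil.exe"}

# Severity -> NAC action. A single weak signal only alerts; the enforcement
# tiers mirror the isolate / quarantine options in the text. Labels are invented.
NAC_ACTIONS = {0: "none", 1: "alert-only", 2: "quarantine-vlan", 3: "isolate"}


def lineage(events: List[ProcEvent], host: str, pid: int) -> List[ProcEvent]:
    """Ancestor chain [root, ..., pid] on one host. PIDs collide across hosts,
    so the index is keyed by (host, pid); a seen-set tolerates cyclic telemetry."""
    by_key = {(e.host, e.pid): e for e in events}
    chain, seen = [], set()
    cur = by_key.get((host, pid))
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_key.get((cur.host, cur.ppid)) if cur.ppid is not None else None
    return chain[::-1]


def score_chain(chain: List[ProcEvent]) -> Tuple[int, List[str]]:
    """Severity 0..3 plus the findings that produced it (illustrative rules)."""
    score, findings = 0, []
    # Office application directly parenting a living-off-the-land binary.
    for parent, child in zip(chain, chain[1:]):
        if parent.image in OFFICE_APPS and child.image in LOLBINS:
            score += 1
            findings.append(f"{parent.image} spawned {child.image}")
    for e in chain:
        cmd = e.cmdline.lower()
        # Hidden or encoded PowerShell: common fileless tradecraft.
        if e.image == "powershell.exe" and ("-enc" in cmd or "-w hidden" in cmd):
            score += 1
            findings.append("hidden or encoded powershell")
        # wmic /node: creating a process elsewhere is process-level lateral movement.
        if e.image == "wmic.exe" and "/node:" in cmd:
            score += 1
            findings.append("wmic remote process creation")
    return min(score, 3), findings


def close_loop(events: List[ProcEvent]) -> Dict[str, Dict[str, object]]:
    """Per host: the worst-scoring execution chain and the NAC action it maps to."""
    result: Dict[str, Dict[str, object]] = {}
    for e in events:
        score, findings = score_chain(lineage(events, e.host, e.pid))
        cur = result.get(e.host)
        if cur is None or score > cur["score"]:
            result[e.host] = {"score": score, "findings": findings,
                              "pid": e.pid, "action": NAC_ACTIONS[score]}
    return result


def nac_action(events: List[ProcEvent], host: str) -> str:
    """The action the network side would apply to `host` (the signal to NAC)."""
    return str(close_loop(events).get(host, {"action": "none"})["action"])


if __name__ == "__main__":
    for host, verdict in close_loop(SAMPLE_EVENTS).items():
        print(host, verdict)
```

Two design choices matter here. Scoring the whole lineage rather than a single process is what lets the chain `winword.exe → powershell.exe → wmic.exe` reach the isolate tier when none of its members is malicious on its own; the benign inventory script on the second host scores zero and is left alone. And the tiering is deliberate: automated enforcement inherits the detector’s false-positive rate (the page notes that conflicting agents had already produced false positives), so a single weak signal should raise an alert for a human rather than knock a device off the network, while only a corroborated chain triggers quarantine or isolation. In a real deployment the action is delivered through the NAC’s own integration interface (for 802.1X networks, commonly a RADIUS Change-of-Authorization that re-assigns the session’s VLAN); that transport is outside this example.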
Why This Matters for Government Networks
In the public sector, security failure means more than downtime. It means:
- legal exposure
- audit risk
- loss of public trust
By linking access to execution, this agency replaced a passive monitoring model with a real-time control system. Security became something that acts, not just reports.
Beyond the IP
This case demonstrates a fundamental truth of modern security: An IP address proves location. It proves nothing about trust.
Only when network access is tied to endpoint behavior does policy become real. This agency built a system in which visibility allowed isolation to occur exactly when policy required it.
That is what operational security looks like.