Advancing Endpoint Protection and Compliance with Promisec Endpoint Manager

A SANS Product Review
Written by Jake Williams
December 2015
Sponsored by Promisec
©2015 SANS Institute. Author retains full rights.

A review by SANS analyst and instructor Jake Williams of Promisec Endpoint Manager (PEM). It discusses PEM's effectiveness in detecting and remediating endpoint issues.

Introduction

Managing endpoints on a network of any size is a serious challenge. Organizations must worry about patch management, configuration management, software updates, new software installations and third-party application updates. Often, the tools and techniques meant to ensure these tasks are performed fail in their execution. Such a failure in endpoint management can have devastating impacts for organizations, including falling out of compliance with regulatory standards.

In today's operational environments, security and IT professionals need tools and techniques that let them detect deviations from configuration baselines, missing patches, unwanted applications and compromises in their environments. For too long, systems administrators have tried to do this with patchwork collections of scripts and tools that were not built for the job. However, with cyber attacks and regulatory fines increasing, organizations have little room for error when it comes to endpoint management. Simply stated, ensuring that endpoints run the latest patched software, closing vulnerabilities that could expose the organization to unwanted headlines and to losses from theft and fines, is paramount and a top priority for every executive.
Promisec Endpoint Manager (PEM) supports features for ensuring compliance, endpoint inventory management and the investigation of security incidents, all without deploying an agent. PEM has a depth of coverage for many use cases. Incident responders will appreciate PEM's ability to assist in endpoint compromise investigations. Auditors will likely be most impressed with PEM's ability to detect deviations from configuration baselines. IT staff will probably be amazed with PEM's endpoint inventories, which ensure that the organization pays only for the software licenses it uses, without risking an audit or unnecessary license costs.

We reviewed PEM to evaluate its effectiveness in detecting and remediating endpoint issues. PEM has a multitude of features, more than could be completely covered in a single product review, supporting the following core missions:

• Intrusion detection
• Incident response
• Remediation
• Endpoint inventory management
• Configuration management
• Configuration drift detection
• Security and compliance controls

SANS Analyst Program

Our evaluation focused on PEM's security compliance, cybersecurity and inventory management features, and we found PEM to be a capable tool in all areas tested. A walkthrough of the PEM interface makes it clear that analysts who use the product had influence in the design of PEM's features and functionality. Navigation is intuitive, and pivoting from one source of information to another is as easy as performing a single click. Reporting and configuration are also easy and intuitive, with a number of pre-defined reporting formats and templates available. These and other features are discussed in the following report.

Assessment and Discovery

The compliance features of PEM help organizations meet regulatory guidelines.
Being compliant isn't just a point-in-time operation; instead, it requires ongoing, continuous monitoring of endpoints and configurations. PEM's out-of-box assessment features include the following:

• Easy endpoint identification with cross-platform support
• Automated generation of baseline configuration data
• Automated updates of blacklisted software
• Flexible reporting
• Ad hoc auditing for specific endpoint data
• Prebuilt auditing templates for popular compliance frameworks
• Leveraging of Windows built-in management features
• Near-infinite extensibility using custom user-defined checks

Endpoint Identification

Many endpoint tools in the space today have limited ways to identify endpoints. Some only search by IP address range, while others accept only a list of hostnames. PEM solves that problem by accepting endpoint inputs with maximum flexibility. We were able to identify and group endpoints by IP address lists, by address ranges or using Classless Inter-Domain Routing (CIDR) notation. PEM also integrates with Microsoft Active Directory to allow input based on Organizational Units (OUs). Figure 1 shows PEM's Inventory Configuration Editor.

Figure 1. Inventory Configuration Editor

This is especially useful in cases where endpoint policies must be applied to logically identical but network-disparate groups.

Inventory Features

Hardware and software inventory are critical in an organization, so critical, in fact, that they are first and second among the CIS Critical Security Controls (CIS Controls 1 and 2).[1] Inventory is something many organizations do poorly, but it has significant security implications. Organizations with complete inventories typically also realize significant cost savings through reduced software licensing fees.
We evaluated PEM's ability to both collect and display inventory data. Collection couldn't have been any easier thanks to PEM's input options for identifying endpoints. Once inventory was completed, our options for analysis were abundant and well thought out. PEM's support for natural-language queries, instead of requiring SQL, means analysts should have an easier time using the tool. Figure 2 shows PEM's data inventory list and natural-language query screen.

Figure 2. Data Inventory with Natural-Language Query

If you can use a search engine, you can query the data with PEM without much new learning or training.

[1] "CIS Critical Security Controls for Effective Cyber Defense Version 6.0," Center for Internet Security, www.cisecurity.org/critical-controls.cfm

Supporting IR with Asset Inventory

Inventory of authorized and unauthorized devices (CIS Control 1) is critical to implementing proper incident response (IR). A common factor in remediation failure is the belief that all endpoints have been checked for indicators of compromise (IOCs). However, an incomplete inventory may lead incident responders to falsely believe they have checked all endpoints and that the endpoints are clean, when unchecked endpoints may in fact be spreading the attack.

TAKEAWAY: Without careful planning and the right endpoint management tools, organizations may pay licensing fees for software they do not use, or underpay and be subject to steep licensing audit fines.

If inventory is so critical, why do organizations routinely fail at this task? Admittedly, inventory, particularly of software (CIS Control 2), is difficult to get right on a small scale, much less a large one. Collecting installed programs, version and patch information from a single endpoint is one thing. Scaling that collection across hundreds or thousands of endpoints is slightly more difficult, but not daunting.
The problem comes when it's time to make sense of all of the data. PEM's support for IR capabilities is covered later in this paper.

Realizing Savings in Software Licensing

Organizations that audit their use of licensed software sometimes find they are paying for licenses they don't use. (Even if users aren't requesting special preference for unique tools, they might receive duplicate licenses when receiving a new machine.) Because PEM tracks the last execution time and execution frequency for applications, analysts can easily locate licensed software that is gathering dust, possibly realizing significant cost savings. This alone might be enough to justify the cost of using PEM in many environments.

Asset Reporting

We tested PEM's support for reporting discovered assets in a number of formats. We were able to feed queries into asset ownership databases or other tools to increase the value of the data discovered with PEM. Figure 3 shows a typical asset inquiry.

Figure 3. Querying the PEM Asset Database

Reports can be customized based on user-defined queries, which were also easy to use.

Configuration Auditing (Whitelisting)

Collecting all the information an auditing tool needs can be daunting, because that might include:

• All configured startup data
• Toolbars
• Running programs
• Services
• Installed (and allowed) applications
• Local administrator accounts
• Installed updates

Of course, as soon as the configuration is documented, it changes, creating an ever-losing battle of updating auditing tool configurations. With PEM, we pointed it at a system configured with the "golden image," and PEM's audit configurations read the settings from it.
This makes it easy to detect deviations from the golden image across all machines on the corporate network, which is usually a complicated proposition. With PEM, it was a matter of querying systems against the golden image to find deviations. Figure 4 shows such a query.

Figure 4. Golden Image Query to Locate Deviations

Of course, organizations may have multiple golden images, if only to account for differences between one model of approved hardware and others.

Detecting Configuration Changes

Configuration changes are especially important for Internet-facing servers, where a single configuration change can make a server vulnerable. Using PEM, we easily detected changes to critical files, including changes to the files that control the security of an IIS web server. Figure 5 shows the detection of one such change.

TAKEAWAY: Auditing changes to key website files using an endpoint management solution can detect adversaries who have bypassed detection by the web application firewall or a security information and event management (SIEM) tool, providing defense in depth.

Figure 5. Detecting Configuration Changes

Attackers also modify legitimate websites with active content (e.g., ASP.NET Web Forms or PHP scripts), planting backdoors and web shells.[2] Auditing for changes to these website files using the file integrity monitoring features of PEM can provide early warning to the organization that an attack is under way, potentially allowing it to respond before critical data is stolen.
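The golden-image comparison described above (including hash checks on critical IIS files such as web.config), together with the per-endpoint exceptions discussed later under Managing Exceptions, as an added Python example. This is not Promisec's or PEM's code; the golden image, host names, application, service and account names and file contents are all constructed for the illustration.

```python
"""Golden-image drift detection with per-endpoint exceptions.

Added example, not Promisec/PEM code. Each endpoint snapshot is a dict of the
audit inputs the review lists (installed applications, services, local
administrator accounts, startup entries) plus SHA-256 hashes of critical
web-server files, so that an edited web.config shows up as a deviation.
Every snapshot below is constructed for the example.
"""
import hashlib
from typing import Dict, List, Set

SET_KEYS = ("installed_apps", "services", "local_admins", "startup")  # compared as sets
FILE_KEY = "critical_files"  # compared as path -> SHA-256 hex digest


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed golden image (the approved build).
GOLDEN = {
    "installed_apps": {"Corp AV 5.2", "Office 2013", "IIS 8.5"},
    "services": {"CorpAVSvc", "W3SVC", "WinDefend"},
    "local_admins": {"Administrator", "CORP\\Desktop-Admins"},
    "startup": {"CorpAgent"},
    FILE_KEY: {
        r"C:\inetpub\wwwroot\web.config": sha256_hex(b"<configuration/>"),
        r"C:\inetpub\wwwroot\default.aspx": sha256_hex(b"<%@ Page %>"),
    },
}


def snapshot(**overrides) -> dict:
    """Constructed endpoint snapshot: the golden image with some fields replaced."""
    return {**GOLDEN, **overrides}


# Constructed fleet: WS01 is clean, WS02 lost its AV and gained two apps,
# WEB01 has an edited web.config.
ENDPOINTS = {
    "WS01": snapshot(),
    "WS02": snapshot(installed_apps={"Office 2013", "IIS 8.5", "Dev Tools", "Some Game"},
                     services={"W3SVC", "WinDefend"}),
    "WEB01": snapshot(critical_files={
        r"C:\inetpub\wwwroot\web.config": sha256_hex(b"<configuration><!-- edited --></configuration>"),
        r"C:\inetpub\wwwroot\default.aspx": sha256_hex(b"<%@ Page %>"),
    }),
}

# Acknowledged outliers: the exact deviation string is the exception, so the
# exception list doubles as the documentation an auditor will ask for.
EXCEPTIONS: Dict[str, Set[str]] = {"WS02": {"unexpected installed_apps:Dev Tools"}}


def diff_endpoint(golden: dict, endpoint: dict, exceptions: Set[str] = frozenset()) -> List[str]:
    """Return deviations of one endpoint from the golden image, minus acknowledged exceptions."""
    findings: List[str] = []
    for key in SET_KEYS:
        expected, actual = golden.get(key, set()), endpoint.get(key, set())
        findings += [f"missing {key}:{item}" for item in sorted(expected - actual)]
        findings += [f"unexpected {key}:{item}" for item in sorted(actual - expected)]
    actual_files = endpoint.get(FILE_KEY, {})
    for path, expected_hash in golden.get(FILE_KEY, {}).items():
        actual_hash = actual_files.get(path)
        if actual_hash is None:
            findings.append(f"missing file:{path}")
        elif actual_hash != expected_hash:
            findings.append(f"modified file:{path}")
    return [f for f in findings if f not in exceptions]


def audit_fleet(golden: dict, endpoints: Dict[str, dict],
                exceptions: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Audit every endpoint; only hosts with unacknowledged deviations appear in the report."""
    report: Dict[str, List[str]] = {}
    for host, snap in endpoints.items():
        deviations = diff_endpoint(golden, snap, exceptions.get(host, set()))
        if deviations:
            report[host] = deviations
    return report


if __name__ == "__main__":
    for host, deviations in audit_fleet(GOLDEN, ENDPOINTS, EXCEPTIONS).items():
        print(host)
        for d in deviations:
            print("  ", d)
```

Running the script lists WS02 (missing antivirus package and service, plus an unapproved application) and WEB01 (modified web.config); WS01 and the acknowledged "Dev Tools" exception do not appear. Because each deviation string is stable, an analyst can copy it straight into the exception list, which is the single-click acknowledgement the review describes, but kept as a reviewable record.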
[2] "Closing the Door on Web Shells," Anuj Soni, https://digital-forensics.sans.org/summit-archives/dfir14/Closing_the_Door_on_Web_Shells_Anuj_Soni.pdf

Ad Hoc Auditing for Specific Data

We evaluated PEM's ability to check endpoints for user-specified registry items, files, running processes and installed applications. Configuration was point-and-click. PEM's flexible reporting was also useful. For configuration use cases, we wanted to quickly see only those endpoints that were missing installed applications, such as antivirus, that are part of the gold build. Figure 6 shows the results of such an inquiry.

Figure 6. Auditing for Specific Information

The same capabilities are useful for cybersecurity. For instance, we also used it to locate all machines with a particular registry key known to be involved with malware.

Updating Software Blacklists

Promisec updates the blacklist monthly based on questionable-use applications (e.g., computer games) it sees proliferating in corporate environments. In this review, we configured PEM to include a custom blacklist for unwanted applications. When PEM queried our test machines, it discovered blacklisted software and gave us the option to uninstall it automatically or to remove it with a single click if we preferred to do so ourselves. Figure 7 shows the discovery of blacklisted software.

Figure 7. Discovering Blacklisted Software

Automatic removal of unauthorized software may be wise when the application isn't recognized whatsoever, while manual uninstallation (after appropriate inquiries) may be more appropriate in cases involving senior management or "skunk works" departments.
Infinite Extensibility with WMI

When evaluating products, we often try an operation that looks like it should be easy, but the product doesn't support it. This is especially frustrating when all the building blocks of the operation are already present in the software, but the application developer thought nobody would need these features and so didn't include them specifically.

PEM includes very extensible filtering to which we could add features. We were able to write filters and detection patterns using Windows Management Instrumentation (WMI), effectively a skeleton key for the Windows OS. Figure 8 shows a custom WMI filter.

Figure 8. Custom Filter for WMI

With WMI, you can unlock every conceivable bit of information from an endpoint and answer questions you never thought to ask, but its Achilles' heel is kludgy reporting. PEM's easy-to-navigate reporting interface that taps into WMI does away with this awkwardness and extends the scope of endpoint reporting even beyond native WMI capabilities.

Auditing Templates: Don't Build from Scratch

PEM supports imports of Active Directory Group Policy files for audits (though we didn't test this). PEM also supports auditing against the CIS CSC benchmarks and National Institute of Standards and Technology (NIST) audit and assessment standards out of the box. Figure 9 shows typical templates for auditing AD group policies.

Figure 9. Auditing Templates for AD Group Policy

If your organization must comply with NIST cybersecurity standards, PEM can audit endpoints for these standards right out of the box with no tedious configuration needed, just what you'd expect (but don't often get) from an endpoint management solution.
Cybersecurity Features

PEM has several features useful for supporting common cybersecurity functions, such as identifying missing security software, removing unwanted software, using filesystem analysis for deep investigations, retrieving network data automatically and remediating endpoint threats by killing malicious processes and/or uninstalling unwanted software packages.

Installing Missing Software Packages

When auditing an endpoint, PEM may identify software it should have but doesn't, possibly because the user uninstalled it. For example, we reviewed a case frequently seen in organizations where users with local admin privileges disable antivirus software. Sometimes this is the malicious act of an external threat, but more likely the user simply thinks the machine runs faster without antivirus software and removes it to get it out of the way. No matter the cause, PEM enabled us to quickly identify all endpoints that were missing a particular antivirus software package and install it remotely with a single click. Figure 10 shows this feature in action.

Figure 10. Detecting Disabled Antivirus Software

Remediation options appear in the lower right corner.

Removing Unwanted Software

Rogue software installations also present both security and compliance risks to an organization. Given that, we used PEM to identify unauthorized software on our sample endpoints. Although this is especially common in environments where users have local admin permissions, increasing numbers of applications enable users to install software in their own user directories without admin privileges. PEM can automatically uninstall unwanted applications without requiring administrator intervention, thereby supporting operations and compliance policies.
For example, peer-to-peer (P2P) file sharing software is a recognized threat to organizations, and PEM both detected and removed these applications automatically when we configured it to do so. We also used PEM to discover and remediate these unwanted software installs. Figure 11 shows PEM removing unauthorized applications.

Figure 11. Removing Unauthorized Applications

Other file sharing applications (e.g., Dropbox) are harder to detect on the network because they use standard web protocols, but they still pose data exfiltration, compliance and e-discovery risks when users install them without corporate oversight and security controls.

Managing Exceptions

Reporting can be difficult when many endpoints deviate from the baseline. There are many unusual cases where a software package may be authorized for one endpoint but not others. Such exceptions can clutter a report, making it more difficult to find reportable items of value. We evaluated PEM's ability to acknowledge outliers on the report and remove them from future reporting with a single click. A typical PEM exception listing appears in Figure 12.

Figure 12. Exception Listing

Naturally, analysts should document such exceptions when needed for audit purposes or future reference.

Investigating More Deeply

When endpoint scans show anomalous data, analysts often require more information to determine whether the endpoint has been compromised or whether the result can be explained by other data. We emulated this through PEM, which enabled us to easily pivot to the specific endpoint to obtain such data, including running processes and all installed applications. Figure 13 shows details of a typical endpoint.

Figure 13. Viewing Detailed Endpoint Information

Such under-the-hood views are invaluable when correlated with outside threat information, as discussed later under "Integrating Threat Intelligence Data."

Remote Visibility

We exercised one of the most useful support features of PEM for forensic investigations: the ability to acquire the contents of the master file table (MFT) from a remote endpoint with a single click. A typical MFT listing appears in Figure 14.

Figure 14. Typical MFT Listing

The MFT interface processed records for all files and directories on our targeted machine, including creation, modification and access times. Timeline analysis has long been a valuable technique for investigating compromises and following intrusions to their point of origin.[3] Time records are also critical for compliance.

[3] "Timeline Analysis – A One Page Guide," Forensic Focus, www.forensicfocus.com/timeline-analysis-one-page-guide

Cleaning Artifacts

By emulating an unwanted or malicious program installed on an endpoint, we were able to review PEM's ability to understand how it got there and to see whether any related artifacts remained that might need cleaning. Figure 15 shows unwanted artifacts.

Figure 15. Unwanted Artifacts

PEM acquires the MFT and parses it into "body file" format, a standard for forensic tools.[4]

Importing to Forensics Tools

Importing this data into other tools facilitates reconstruction of activity around the time of the compromise without asking forensics investigators to learn new products.
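To show what the body-file export described above gives an investigator once it is imported into a timeline tool, here is an added Python example (not PEM's or the Sleuth Kit's code). It parses body-file lines in the Sleuth Kit 3.x layout, builds a mactime-style timeline, slices out the events around an incident window, and lists files created under the web root in that window, which is the artifact hunt the Cleaning Artifacts section describes. The records, paths and timestamps are constructed for the example.

```python
"""Parsing a TSK body file into a mactime-style timeline.

Added example, not PEM code. The body file layout used here is the Sleuth Kit
3.x format, MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime,
with times in Unix epoch seconds and 0 meaning "not set". Names are assumed
not to contain '|'. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

SAMPLE_BODY = """\
0|C:/Windows/System32/cmd.exe|5123|r/rrwxrwxrwx|0|0|357376|1449000000|1440000000|1440000000|1440000000
0|C:/inetpub/wwwroot/web.config|8800|r/rrwxrwxrwx|0|0|4096|1449100000|1430000000|1430000000|1430000000
0|C:/inetpub/wwwroot/default.aspx|8801|r/rrwxrwxrwx|0|0|2048|1449100000|1449100000|1449100000|1430000000
0|C:/inetpub/wwwroot/images/view.aspx|8802|r/rrwxrwxrwx|0|0|1536|1449100200|1449100100|1449100100|1449100100
0|C:/Users/alice/Documents/report.docx|9911|r/rrwxrwxrwx|0|0|40960|1449300000|1448000000|1448000000|1447000000
this line is malformed and is skipped
"""


@dataclass(frozen=True)
class BodyRecord:
    md5: str
    name: str
    inode: str
    mode: str
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int


def parse_body_file(text: str) -> List[BodyRecord]:
    """Parse body-file lines; lines without exactly 11 fields or with non-numeric times are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 11:
            continue
        try:
            records.append(BodyRecord(fields[0], fields[1], fields[2], fields[3],
                                      *(int(f) for f in fields[4:])))
        except ValueError:
            continue
    return records


# mactime column order: m = modified, a = accessed, c = metadata changed, b = born (created)
MACB = "macb"


def build_timeline(records: List[BodyRecord]) -> List[Tuple[int, str, str]]:
    """Flatten records into (epoch, 'macb' flags, name) events, merging flags that share a timestamp."""
    flags = {}
    for r in records:
        for letter, ts in zip(MACB, (r.mtime, r.atime, r.ctime, r.crtime)):
            if ts == 0:  # unset timestamp, skipped as mactime does
                continue
            flags.setdefault((ts, r.name), set()).add(letter)
    return [(ts, "".join(l if l in s else "." for l in MACB), name)
            for (ts, name), s in sorted(flags.items())]


def events_in_window(timeline, start: int, end: int):
    """Events with start <= epoch <= end: the slice an investigator reviews around the compromise."""
    return [e for e in timeline if start <= e[0] <= end]


def new_files_under(records: List[BodyRecord], prefix: str, start: int, end: int) -> List[str]:
    """Files born under a directory during the window, i.e. artifacts that may need cleaning."""
    return sorted(r.name for r in records
                  if r.name.startswith(prefix) and r.crtime and start <= r.crtime <= end)


def fmt(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    recs = parse_body_file(SAMPLE_BODY)
    for ts, macb, name in events_in_window(build_timeline(recs), 1449100000, 1449100300):
        print(fmt(ts), macb, name)
    print("created in web root:", new_files_under(recs, "C:/inetpub/wwwroot/", 1449100000, 1449100300))
```

In the constructed data the window shows default.aspx being modified, web.config being read, and a new .aspx file appearing under the images directory with a "m.cb" entry (written, metadata changed and created at the same second), which is exactly the pattern a file integrity check on the web root should raise. The zero-timestamp and malformed-line handling matter in practice because MFT exports routinely contain both.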
[4] "Body file" (entry), SleuthKitWiki, http://wiki.sleuthkit.org/index.php?title=Body_file

Integrative Function

We also viewed multiple options to continue the investigation using other specialized endpoint investigation tools. Figure 16 shows the options for investigative tools. From there, we could open a remote desktop session to the endpoint, supporting further investigation on the machine. If the analyst needs even more information and prefers not to use a GUI (a real liability on low-bandwidth connections to remote offices), PEM enables users to open a command prompt on the workstation in question. Such features help PEM stand out as an analyst's best friend. Promisec offers analysts maximum flexibility to choose their investigative methods.

Figure 16. Investigative Tool Options

Working with the Network

As telling as endpoint data can be, analysts often need to confirm findings by analyzing network traffic. Network traffic can answer questions such as these:

• With which remote sites has the impacted host communicated?
• What data has the attacker transmitted out of the network?
• What communications took place between potentially compromised endpoints?

PEM supports easy integration with network monitoring tools. In our example, we connected to BlueCoat network monitoring software to obtain packet data sent from our target endpoint under investigation. This took only a single click. Figure 17 shows captured packet data.

TAKEAWAY: Seamlessly integrating endpoint and network data is key to quickly identifying and remediating cyberthreats.

Figure 17. Captured Packet Data

The BlueCoat network sensor also supports SSL decryption, allowing investigators to see full packet contents and detect the most common data exfiltration by matching it against malware intelligence.
Even if SSL decryption is not enabled, we can still use data from third-party network monitoring tools to quickly discover malware command and control servers and other IOCs in the network data. These IOCs feed other portions of the overall investigation, which begins when PEM identifies an anomaly (e.g., a deviation from the configuration baseline) on an endpoint.

Finding Other Compromised Hosts

Once we used PEM to identify file- or registry-based IOCs on our infected endpoint, we needed to see whether that malicious registry key resided on any other endpoints in our sample network. Right-clicking on the item and selecting "Quick filter by this object" enabled us to pivot quickly and identify all endpoints with that particular file or registry key. This allowed us to quickly determine whether a particular threat targeted a single endpoint or affected multiple endpoints on the network. Figure 18 shows endpoints with a malicious key.

Figure 18. Endpoints with a Malicious Key

Most important, PEM performs this function without any agents installed on the endpoints. This is helpful because in complex enterprises, endpoint agents may not be practical. In addition, relying solely on endpoint agents may create a false sense of security; malware wanting to hide itself, or a user who feels the agents impede his work, will typically remove or disable agents.

Integrating Threat Intelligence Data

More than half of organizations are devoting at least some resources to cyberthreat intelligence (CTI), according to the 2015 SANS survey on CTI.
Nevertheless, only 36 percent of these same organizations had integrated their threat intelligence feeds into their forensics platforms, and that was the largest category of integration respondents reported.[5]

TAKEAWAY: If your organization can't effectively leverage CTI feeds across all of your endpoint data, including file hashes and registry keys, you're not getting everything you're paying for.

Integrating threat data (often provided as lists of domains, IP addresses, file hashes, registry keys or registry values) on the network is relatively simple, but checking all hosts in the enterprise for the presence of files matching a particular hash is challenging for many organizations. Organizations should ensure they are receiving maximum value from their investments in CTI feeds by deploying tools that can easily search endpoint data, including file hashes and registry keys.

PEM helps to solve the challenge of integrating CTI feeds. We input a list of file hashes from a CTI feed and searched all the endpoints in our sample organization for the file. We also tested the automated form of this feature by configuring PEM to obtain the list of known bad hashes from a file on the filesystem. Figure 19 shows PEM's configuration for CTI feeds.

Figure 19. Configuring CTI Feeds

Once configured, we only needed to update the configuration file to add new hashes, and PEM automatically searched for them on our endpoints.

[5] "Who's Using Cyberthreat Intelligence and How?" Table 2, p. 15, www.sans.org/reading-room/whitepapers/analyst/who-039-s-cyberthreat-intelligence-how-35767

Remediating a Cyberthreat

If investigation into an anomaly reported on the endpoint confirms that a threat exists, PEM can be used to remediate the threat. SANS tested the ability to terminate processes running on the impacted endpoint with a single click.
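The hash sweep from a CTI feed and the "Quick filter by this object" pivot described under Finding Other Compromised Hosts and Integrating Threat Intelligence Data, as an added Python example (not PEM code). It also covers the blacklisted-application check from the Updating Software Blacklists section, since all three are the same operation: matching a set of indicators against agentless inventory snapshots. The inventories, hashes, host names, the "svc" autorun value and the one-hash-per-line feed format are constructed or assumed for the illustration.

```python
"""Sweeping endpoint inventories for CTI indicators and blacklisted software.

Added example, not PEM code. The inventory an agentless tool collects from each
host (file paths with SHA-256 hashes, autorun registry entries, installed
applications) is modelled as plain dicts constructed below. Indicators come
from a CTI feed in a one-hash-per-line text format assumed for this example,
from a registry value observed on the infected host, and from an application
blacklist. Hash values, host names and the 'svc' registry value are constructed.
"""
import re
from typing import Dict, List, Set

HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Constructed feed: one SHA-256 per line; '#' starts a comment. Case and junk lines are handled.
CTI_FEED = """\
# constructed sample feed - these are not real indicators
A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1
b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2   # trailing comment
not-a-hash
"""
BAD_HASH = "a1" * 32
GOOD_HASH = "c3" * 32
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svc"  # value name constructed
BLACKLIST = {"BitTorrent"}  # P2P file sharing client, the kind of software the review blacklists

# Constructed inventories: WS01 and WS03 carry the same dropped DLL and autorun; WS02 has P2P software.
ENDPOINTS = {
    "WS01": {"files": {r"C:\Users\alice\AppData\Local\Temp\svc.dll": BAD_HASH,
                       r"C:\Windows\explorer.exe": GOOD_HASH},
             "registry": {RUN_KEY}, "apps": {"Office 2013"}},
    "WS02": {"files": {r"C:\Windows\explorer.exe": GOOD_HASH},
             "registry": set(), "apps": {"Office 2013", "BitTorrent"}},
    "WS03": {"files": {r"C:\ProgramData\svc.dll": BAD_HASH,
                       r"C:\Windows\explorer.exe": GOOD_HASH},
             "registry": {RUN_KEY}, "apps": {"Office 2013"}},
}


def parse_hash_feed(text: str) -> Set[str]:
    """Normalise a hash feed: lower-case, strip comments, drop lines that are not 64 hex chars."""
    hashes = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line and HEX64.match(line):
            hashes.add(line)
    return hashes


def sweep(endpoints: Dict[str, dict], bad_hashes: Set[str],
          bad_registry: Set[str], blacklist: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Report, per host, which indicators of each kind were found. Clean hosts are omitted."""
    hits: Dict[str, Dict[str, List[str]]] = {}
    for host, inv in endpoints.items():
        found: Dict[str, List[str]] = {}
        paths = sorted(p for p, h in inv["files"].items() if h.lower() in bad_hashes)
        keys = sorted(k for k in inv["registry"] if k in bad_registry)
        apps = sorted(a for a in inv["apps"] if a in blacklist)
        for kind, items in (("hash", paths), ("registry", keys), ("app", apps)):
            if items:
                found[kind] = items
        if found:
            hits[host] = found
    return hits


def pivot(endpoints: Dict[str, dict], kind: str, indicator: str) -> List[str]:
    """The 'quick filter by this object' pivot: every host carrying one specific indicator."""
    matched = []
    for host, inv in endpoints.items():
        if kind == "hash":
            present = indicator.lower() in {h.lower() for h in inv["files"].values()}
        elif kind == "registry":
            present = indicator in inv["registry"]
        elif kind == "app":
            present = indicator in inv["apps"]
        else:
            raise ValueError(f"unknown indicator kind: {kind}")
        if present:
            matched.append(host)
    return sorted(matched)


def scope(hosts: List[str]) -> str:
    """Was this a single-endpoint event, or is the indicator spread across the fleet?"""
    if not hosts:
        return "none"
    return "single endpoint" if len(hosts) == 1 else "multiple endpoints"


if __name__ == "__main__":
    feed = parse_hash_feed(CTI_FEED)
    for host, found in sweep(ENDPOINTS, feed, {RUN_KEY}, BLACKLIST).items():
        print(host, found)
    hosts = pivot(ENDPOINTS, "registry", RUN_KEY)
    print("autorun indicator present on:", hosts, "->", scope(hosts))
```

The sweep matches on hash rather than path, so the same DLL dropped under a different name on WS03 is still found, and the pivot on the autorun value confirms the incident spans two endpoints. Normalising the feed (case, comments, malformed lines) before matching is the step most often skipped when hash lists are pasted straight from a vendor portal, and it silently produces zero matches when it is.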
Easy access to process termination from the endpoint management system can prove quite useful during an incident, particularly when combined with the ability to remotely uninstall unwanted applications, as discussed earlier. We further reviewed the remediation operations by opening a remote command prompt on the impacted machine. From this vantage point, we could easily perform virtually any action required to remediate the threat. Figure 20 shows the remediation options. This degree of remote access is all the more impressive given PEM's agentless design.

Figure 20. Remediation Options

Conclusion

Today's operational environment requires the ability to easily view and manage endpoints. Organizations that don't have this capability will find themselves struggling to remain compliant with increasingly strict compliance frameworks. Holistic endpoint management is about more than just compliance; it includes inventory management and the management of endpoint threats. It also needs to include robust support for forensics and remediation. Promisec Endpoint Manager supports all of these features without deploying any agents to the endpoints, helping organizations ensure a more secure and compliant environment, while also providing a range of customizable options for discovery, reporting and incident response and lowering operational management overhead.

One of the biggest benefits is its native support for incident response and intelligence, coupled with the ability to tie into most major IR vendor tools to complete actions at the endpoint. If that weren't enough, PEM also works directly with network tools, bypassing the need for agents on each endpoint to examine traffic, application calls, data and other indicators of compromise.
By automating many of the inventory and assessment processes that have plagued IT departments and linking them to incident response and remediation, Promisec helps organizations achieve the visibility they need to maintain security and remove threats in the enterprise.

About the Author

Jake Williams is a SANS analyst, certified SANS instructor, course author and designer of several NetWars challenges for use in SANS' popular, "gamified" information security training suite. Jake spent more than a decade in information security roles at several government agencies, developing specialties in offensive forensics, malware development and digital counterespionage. Jake is the founder of Rendition InfoSec, which provides penetration testing, digital forensics and incident response, expertise in cloud data exfiltration, and the tools and guidance to secure client data against sophisticated, persistent attack on-premises and in the cloud.

Sponsor

SANS would like to thank this paper's sponsor, Promisec.
Last Updated: October 1st, 2016