
Promisec endpoint manager using the cyber configurations cyber white-paper

Keeping Malware in check with Promisec Endpoint Manager using the Cyber Configurations. Find the best endpoint management software and get uninterrupted functioning for your system and electronic gadgets. These are more like a boon for those who have been facing major technical issues. Without the support and assistance of this software you will not be able to work properly on it. For more information visit: https://www.promisec.com/endpoint-management/

NoelSlane

Presentation Transcript


  1. Keeping Malware in check with Promisec Endpoint Manager using the Cyber Configurations WHITE PAPER

  2. » White Paper INTRODUCTION

     A known limitation of anti-virus products and their associated agents is that they often do not detect the entire malware chain running on a system. Polymorphic and mutating viruses, together with constantly changing and emerging threats, make it impossible for any AV vendor to detect all malware. Some vendors are better than others at detecting known threats, and some are updated more frequently than others. It is not possible to manage and run every AV program available on the market today in your network to make up for the gaps. However, you can leverage the Promisec PEM solution to help with this daunting task by simply utilizing the Cyber Configurations for validation of file integrity.

     The goal of this paper is to help organizations develop a defensive posture to protect their critical assets, infrastructure, and information through continuous, automated protection and monitoring of their IT infrastructure through the use of the Promisec Endpoint Manager with Cyber Configurations. The Cyber Configurations will enable customers to readily identify changes to their endpoint files and registry and to determine whether a change is consistent with an emerging or known threat. By implementing, auditing and measuring the changes to the endpoint files, organizations will be in a better position to reduce compromises, minimize the need for recovery efforts, and have lower associated costs.

     Two Guiding Principles: “Protection is nice but detection is a must” and “the boogie man is already inside”

  3. FILE INTEGRITY MONITORING WITH HASHING AND WHY IT IS IMPORTANT IN THE ENTERPRISE

     A “hash” of a file is a kind of checksum calculated over its contents. A real-world analog is a tamper-evident seal on a software package: you know it is the original contents if the seal is intact, and if you alter the contents of the package (i.e. change the file), the broken seal reveals this. Think of creating a checksum as putting a tamper-detection seal on all your files. It gives you a way to easily check the integrity of each file for compromise.

     Any time you move a computer file there is a chance it can be corrupted, with the result that you might not end up with the same file with which you started on your endpoint. This can happen for a variety of reasons, including bad storage media, download or upload transmission errors, errors while copying or moving files around, as well as the targeted malware attacks on endpoints that are so popular of late.

     Some professionals in the IT industry consider hash-based checksums similar to FIM, or file integrity management, solutions. Promisec bridges all IT “silos” to bring visibility to the enterprise with its “agentless” technology. File integrity monitoring has been available in the market for some time now, both as individualized endpoint solutions and as centrally managed solutions. Unfortunately, these solutions require an agent to work in the enterprise, and the centralized FIM solutions require consulting services to have their respective agent rolled out. With the Promisec solution, time to value is a matter of hours, not weeks or months, because no agent needs to be deployed.

     Promisec recently added new Cyber functionality to Promisec’s Endpoint Manager 4.10. This allows enterprises to inspect Windows EXE, DLL and MSI files specifically for MD5, SHA1 and SHA256 hashes. It also includes the ability to detect a specific file located anywhere on the endpoint without installing an agent. PEM also has the ability to validate whether a specific registry value has changed. Promisec provides clear visibility with zero “False Positives” if a file hash on the respective file or process has changed.

     Below is an overview of how this new feature works:

     1. PEM authenticates to the Windows operating system and does basic inspections that include compliance checks and then the cyber hash checks.
     2. PEM inspects all Windows EXE, DLL and MSI files and gathers the data into the PEM database.
     3. PEM can notify if any specific file or Windows process has been modified, indicating that more action is required.
     4. PEM can then take the gathered hashes and manually or automatically forward them to any reputation service that the enterprise utilizes. In parallel it can report, send to a SIEM for correlation and, if required, take action to remediate using the user-defined capabilities, which can be customized for any customer scenario.
     5. Review the results from a third-party reputation service that gives a validated perspective on the results.
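An added example, not part of the Promisec white paper and not PEM's own code: a minimal baseline-and-compare integrity check over EXE, DLL and MSI files using the three digests the paper names. The function names and the sample file tree are constructed for illustration; the comparison uses SHA-256 because MD5 and SHA-1 have known collision attacks.

```python
import hashlib
import os
import tempfile
from pathlib import Path

ALGOS = ("md5", "sha1", "sha256")   # the three digests named in the paper
EXTS = (".exe", ".dll", ".msi")     # the file types the paper says are inspected

def digest_file(path, chunk=1 << 20):
    """Return {algorithm: hexdigest} for one file, reading it once in chunks."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def snapshot(root):
    """Map relative path -> digests for every EXE/DLL/MSI under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTS):
                full = os.path.join(dirpath, name)
                snap[os.path.relpath(full, root)] = digest_file(full)
    return snap

def diff(baseline, current):
    """Compare on SHA-256 only; MD5 and SHA-1 have known collision attacks."""
    both = sorted(baseline.keys() & current.keys())
    return {  # modified maps path -> new SHA-256, the value a reputation lookup needs
        "modified": {p: current[p]["sha256"] for p in both
                     if baseline[p]["sha256"] != current[p]["sha256"]},
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys())}

def demo():
    """Constructed sample tree: take a baseline, then change, add and delete files."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("app.exe", b"MZ original"), ("lib.dll", b"MZ lib"),
                           ("notes.txt", b"ignored")):
            Path(root, name).write_bytes(data)
        baseline = snapshot(root)
        Path(root, "app.exe").write_bytes(b"MZ original patched")  # simulated change
        Path(root, "new.msi").write_bytes(b"dropped installer")
        Path(root, "lib.dll").unlink()
        return baseline, diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo()[1])
```

A changed hash only says the file differs from the baseline; legitimate patching produces the same signal, so the baseline has to be refreshed after approved updates.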

  4. PEM CYBER USE CASE – INSPECTING

     In this use case we have set up the Cyber Configurations user interface to collect the hashes of all the Windows DLLs and EXEs and of a specific file. We have selected the MD5 and SHA256 hash checks. We can choose to execute the queries from a local sentry on the network segment or on the local endpoint itself.

  5. PEM CYBER USE CASE – FILE INTEGRITY MONITORING

     Changes that have occurred on a specific file or process indicate to the enterprise that there could be an issue with these files and a potential malware infection bypassing the AV solution. With this indication, you can right-click on the selected event and choose to send it to a third-party reputation service for validation. In this use case we are forwarding to VirusTotal using a user-defined action specific to file integrity items. This action can also be automated using the Automation capabilities of PEM.

  6. PEM CYBER USE CASE – CLOSE THE LOOP USING VIRUS TOTAL

     Below is a report from VirusTotal based on the previous selection. The report indicates that the change was benign and is not a vulnerability that could affect the enterprise or, more importantly, its endpoints. Running the Promisec results against VirusTotal’s 55 independent A/V scanners gives the enterprise peace of mind.

  7. PULLING IT ALL TOGETHER

     Promisec’s PEM solution is not a replacement for AV software. Promisec only checks the hashes of the running processes and files at the time of the inspection. This new functionality in PEM adds the ability to check your systems’ running processes for file changes and, in the scenario outlined above, to check them against over 50 AV scan engines without having to run or maintain them all on your network and systems.

     Promisec complements existing management tools and processes and delivers certainty that they are all operational, ensuring 100% deployment and complete visibility. IT departments invest a large amount of resources to deploy critical systems, and full deployment is essential to ensuring full compliance. In today’s environment, having any IT asset not configured properly or missing updates is simply not acceptable. Our customers inform us that 15-25% of the machines in their organization are disabled or misconfigured. Promisec eliminates this unacceptable state.

     Promisec provides an independent framework for the most accurate, comprehensive, and reliable solution for monitoring and reporting of corporate policy deviations and configurations. Through its unique, agentless approach, Promisec provides complete visibility and control, giving IT and security executives the confidence that their organization is protected and secure.

     “Cyber attacks have more than doubled and the financial impact has increased by nearly 40% in a three year period.” HP Ponemon 2012 Cost of Cyber Crime Study

  8. Promisec Endpoint Manager Highlights

     • 100% visibility across all endpoints from a single console
     • Agentless: fast and efficient, minimal impact on bandwidth
     • Rapid deployment: deploy enterprise wide in a matter of hours, not weeks
     • Security monitoring & alerting: identifies policy deviations such as disabled anti-virus software
     • Remediation: automatic actions according to pre-defined rules, examples include deploying applications, removing software, maintaining registry settings, reverting service configuration, eliminating processes, etc.
     • Holistic aggregated view across disparate enterprise tools
     • Alerts and exception reports to enforce policy compliance
     • Allows for optimizing existing security and IT controls

     “In fact, in my opinion, it’s the greatest transfer of wealth in history,” Alexander said in a statement. “Symantec placed the cost of IP theft to the United States companies in $250 billion a year, global cybercrime at $114 billion annually ($388 billion when you factor in downtime), and McAfee estimates that $1 trillion was spent globally under remediation. And that’s our future disappearing in front of us. So, let me put this in context, if I could. We have this tremendous opportunity with the devices that we use. We’re going mobile, but they’re not secure. Tremendous vulnerabilities. Our companies use these, our kids use these, we use these devices, and they’re not secure.”

     US Army General Keith B. Alexander, Director, National Security Agency; Chief, Central Security Services

  9. About Promisec: Promisec is a pioneer in endpoint visibility and remediation, empowering organizations to avoid threats and disarm attacks that can lead to unwanted headlines and penalties. Our technology assures users that their endpoints are secure, audits are clean, regulations are met, and vulnerabilities are addressed proactively.

     » Come See What We See: Get Free Demo and Trial. sales@promisec.com | www.promisec.com/try-it
