How Promisec keeps endpoints in compliance

Reviews
Aug 17, 2017 | 7 min read
Endpoint Protection, Security

Promisec wrestles endpoints into compliance, automatically if desired, and keeps a watchful eye over them to ensure they don't stray.

[Image: wrestlers fighting. Credit: Thinkstock]

Most companies generally fall into one of two categories in terms of their cybersecurity posture. You have very large organizations, often with very robust, well-staffed defenses that are nonetheless having trouble maintaining security due to nearly constant attacks and the sheer volume of servers, clients and mobile devices that they need to protect. And then you have smaller organizations with fewer assets to guard, but also likely less budget, staff and expertise to secure their enterprise.

Both groups could do with a little help from products in the managed detection and response (MDR) category. A common misconception is that MDR needs to be deployed as a service, with an outside contractor managing cybersecurity. But that is not the case. The Promisec PEM (Promisec Endpoint Management) software can be installed completely on-premises, and gives visibility, advice, and even remediation help for all kinds of threats, unwanted programs and compliance issues that crop up within almost every network over time. Promisec can bring those endpoints into compliance, and keep them from wandering back off again.

Promisec PEM is deployed on a server that acts as the management hub for the system. You only need one, regardless of how large your network is, since it is only used to set up scans, whitelisting and blacklisting, and other management tasks. You do need to deploy smaller management programs called sentries, with one sitting within each logical group of endpoints within a network. So, you might have one sentry for Los Angeles and another for New York, or one for your Finance group and one for your Sales group. The sentries are tiny and simply report scan results back to the main management console.

There is no need to install agents of any type on the endpoints themselves. Simply having access to the registry is enough for full visibility. As such, deploying the management console and whatever sentries are needed to cover an enterprise can be accomplished in a couple of hours at most. There is also a cloud-based version of PEM, though our testing for this review used the on-premises solution.

Configuring PEM

Once installed, IT teams can begin configuring PEM, telling it what to look for in terms of compliance and security. Regulatory compliance statutes like HIPAA or PCI are included. Other more unique ones like specific state laws can be defined to the program and included in scanning too. Administrators can also very easily whitelist and blacklist programs that they need, or definitely don’t want, running on their network. PEM also accepts so-called golden baseline images for devices if an organization has them, setting up future scans to ensure that no endpoint has drifted away from its preferred, golden configuration.

[Image: Promisec PCI compliance report. Credit: John Breeden/IDG]

The Promisec program can scan against regulatory compliance statutes like HIPAA, searching for violations on endpoints. This report is the result of a PCI compliance scan.

The user interface to set all this up is extremely user-friendly. It’s designed so that organizations with less expertise in cybersecurity or compliance regulations can still configure scans to catch problems on endpoints. But mature cybersecurity organizations also get a lot out of the program, starting with the fact that it will discover every endpoint asset within an enterprise, and give information about what it is running and what is installed. And, although designed to function completely on its own, it also integrates into SIEM programs like Splunk or ArcSight.

[Image: Promisec PEM main interface. Credit: John Breeden/IDG]

The main interface for the Promisec PEM program shows not only any discovered vulnerabilities or regulatory lapses sitting on endpoints, but also the schedule and efficiency of all pending or active scans.

Once configured, triggering manual scans or scheduling them to run routinely is likewise very easy. Scans can also be broken down by group, so you can, for example, run an overall scan of the whole network once a day but have each endpoint in the finance group examined every few hours. Because PEM is agentless and only reads registries, scans are quick and did not add much load to our test network.

Testing PEM

For our first test, we blacklisted specific programs that we didn’t want to see within our network. One of those was TeamViewer, which is often used for technical support to give remote IT professionals visibility into a remote system they are fixing. But we didn’t want it on our network for security reasons. We also defined several programs that each system needed to have, such as an antivirus program. Our testbed was loaded with systems in all kinds of configurations, including some running the blacklisted programs.

The report that came back following our first scan found all instances where TeamViewer was running and also flagged each system without an antivirus program. Most regulatory compliance documents require some form of endpoint antivirus, so finding systems where there is none is important. But in terms of TeamViewer, it was just a program that could be used for nefarious purposes, so we wanted to find and eliminate it.

Once identified, we had the option of manually uninstalling TeamViewer from the PEM console. It only took a couple of clicks to eliminate it. Thereafter, a new scan confirmed that the unwanted program was eliminated. We also blacklisted the program, telling PEM that it was okay to automatically uninstall it any time it found a new instance. Of course, we reinstalled it and ran another scan. Sure enough, the report that came back from PEM not only stated that the program was present again, but that it had been automatically uninstalled as instructed.

[Image: Promisec automatic uninstall. Credit: John Breeden/IDG]

In addition to finding unwanted programs within the network, Promisec can automatically uninstall anything that has been blacklisted as unwanted or dangerous. Here, the program automatically kills a version of TeamViewer found on a protected endpoint.

PEM could also be helpful for very large organizations that need visibility into what is happening on their endpoints. For example, with the recent WannaCry ransomware, Microsoft had released a system patch that would have prevented it from activating, but not everyone installed the patch. We could use PEM to check every endpoint in our enterprise, alerting us about which had already been patched and which were still vulnerable. Either a very specific query like that or a general one about the health of endpoints is easy to trigger from the main console.
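The three checks exercised in the tests above (a blacklisted program present, a required antivirus product missing, a patch not installed) as an added PowerShell example; this is not Promisec's code, but it reproduces the agentless approach by reading an endpoint's Uninstall registry keys and hotfix list remotely. The program names in the lists and the KB number are placeholders to be replaced with your own policy.

```powershell
# Added example (not Promisec's code): agentless compliance check against one endpoint.
# Reads the remote HKLM Uninstall keys and the hotfix list; no agent is installed.
param([string]$ComputerName = $env:COMPUTERNAME)

$Blacklist      = @('TeamViewer')                         # must NOT be present (from the review's test)
$RequiredAV     = @('ExampleAV', 'AnotherAV')             # placeholders: at least one must be present
$RequiredHotfix = 'KB0000000'                             # placeholder: the patch every endpoint must have

# Both the 64-bit and the 32-bit (WOW6432Node) Uninstall keys must be read,
# otherwise 32-bit programs on a 64-bit host are silently missed.
$UninstallKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledPrograms {
    param([string]$Computer)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    foreach ($path in $UninstallKeys) {
        $key = $hive.OpenSubKey($path)
        if (-not $key) { continue }
        foreach ($name in $key.GetSubKeyNames()) {
            $sub = $key.OpenSubKey($name)
            $display = $sub.GetValue('DisplayName')
            if ($display) {
                [pscustomobject]@{ Name = $display; Version = $sub.GetValue('DisplayVersion') }
            }
        }
    }
}

$installed = Get-InstalledPrograms -Computer $ComputerName
$findings  = @()

# 1. Blacklisted software present?
foreach ($bad in $Blacklist) {
    foreach ($hit in ($installed | Where-Object { $_.Name -like "*$bad*" })) {
        $findings += "BLACKLISTED: $($hit.Name) $($hit.Version)"
    }
}

# 2. At least one required antivirus product present?
$avFound = $installed | Where-Object { $n = $_.Name; $RequiredAV | Where-Object { $n -like "*$_*" } }
if (-not $avFound) { $findings += "MISSING: no required antivirus product found" }

# 3. Required patch installed? Get-HotFix queries Win32_QuickFixEngineering remotely.
$fix = Get-HotFix -ComputerName $ComputerName -Id $RequiredHotfix -ErrorAction SilentlyContinue
if (-not $fix) { $findings += "UNPATCHED: $RequiredHotfix not installed" }

if ($findings.Count -eq 0) { "${ComputerName}: compliant" }
else { $findings | ForEach-Object { "${ComputerName}: $_" } }
```

Run it with the credentials of an account that has remote registry access to the target; the Remote Registry service must be running on the endpoint for the registry read to succeed.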

In addition to an easy-to-use interface for administrators, Promisec also provides an executive dashboard that shows, graphically, all information about the health of endpoints across the enterprise. It’s designed for C-level users, taking all the technical terms and breaking them down into plain language describing the various issues that could affect network health and security. It also updates with new scans, so if a CEO sees a troubling issue in the dashboard, they can also see when the problem has been fixed by their IT teams.

Every organization can use a little help managing detection of and response to threats, and the many issues that crop up every day within their enterprise. Promisec can provide that help, wrestling endpoints into compliance, automatically if desired, and keeping a watchful eye over them to ensure they stay that way. It can act as a force multiplier for large organizations with mature cybersecurity architectures, or as a perfect first step for small and medium-sized companies discovering that their size is no defense against threats and regulatory concerns. Every organization has endpoints, and Promisec can help properly protect and manage them.