Review: Promisec goes the extra step to secure PCs

Endpoint Manager 4.12 goes beyond discovery and detection to automate corrective action

At a Glance
  • Promisec Endpoint Manager 4.12

In the past year we've seen an influx of endpoint detection and response (EDR) tools that promise to bring order, through greater visibility, to the wild west of endpoints within a large organization. The scenario is all too common: IT security usually doesn't know all of the hardware and software assets that need to be protected, yet has to protect them. Even as we struggle to put security controls in place for prevention, we know that many of these endpoints are already compromised by active threats that need to be detected, assessed, quarantined, and remediated.

EDR tools are built for detection and response (hence the category name), and most leave it at that. Promisec adds sophisticated remediation to Promisec Endpoint Manager (PEM), which is precisely why I was interested in getting a close look at the product. Like other EDR products, PEM can scan endpoints on a schedule to detect anomalies and verify that security controls -- such as required applications, patches, settings, and so on -- are in place. Unlike other products in the category, PEM can also launch scripts on the endpoints to take corrective action.

My focus in this review was on finding abnormalities on endpoints indicative of malware, in which case PEM can push the suspect binaries to sandboxes (Blue Coat, Palo Alto Networks, FireEye) for analysis, correlate with SIEM tools for reporting, issue alerts, and orchestrate remediation. PEM is also useful for incident response, where it can help you build a complete understanding of the full scope of an infection and revert endpoints to their original, uninfected state.

PEM architecture

Promisec Endpoint Manager consists of the Promisec Endpoint Management Server, which manages communications; the Promisec Endpoint Management Analyzer, which analyzes incoming scans, comparing the objects found on endpoints to the database; a Microsoft SQL Server database, which stores object definitions and scan results (such as the objects discovered on endpoints); and the Promisec Endpoint Management Control Center, which is the administrative console through which you define the configuration policies for your endpoints and the actions to take when those policies are violated.

PEM Sentry is software that gets deployed through PEM Control Center to scan endpoints on a network segment. The Sentry software runs as a Windows service and does not require a dedicated machine. The Sentry interrogates endpoint operating systems (supporting Windows, MacOS, and Linux) using presupplied credentials, formats and encrypts the information it discovers, and forwards it to PEM Analyzer to be compared against policy and placed in the database.   

Finally, PEM is agentless. It performs not only scanning but also remediation remotely, pushing scripts to the command line of the target endpoints. Due to the agentless architecture, deployment is very fast, as all you need are domain (or endpoint) administrator credentials to allow the Sentry to scan everything. Note that those credentials give the Sentry administrative reach into every endpoint it scans, so the Sentry host and the account it runs under deserve the same protection as any other domain-admin-equivalent asset. Agentless operation also eases maintenance, as you don't need to keep updating an agent. On the downside, whenever an endpoint is off the network, PEM is unable to scan or remediate it. Also, there is no proactive, real-time protection against malware, since that would necessarily be agent-based.

I tested an all-in-one version of PEM supplied by Promisec to speed customers through proof of concept. The all-in-one version includes a simplified installer that loads all PEM components onto a single Windows Server. Detailed and easy-to-digest documentation was provided as a PDF.

[Screenshot: PEM Inventory Console]

Promisec Endpoint Manager runs as a native Windows application. The five major program components are accessible through a single interface. Here, the PEM Inventory Console presents scan information organized by asset rather than exception to provide an alternative interface for exploring endpoint hardware and software.

PEM Control Center

The PEM Control Center is packed with all the features needed to set, enforce, audit, and report configuration policy. The product is separated into five main areas, each accessible from the initial launch screen: Compliance, Automation, Power Manager, Inventory, and Management. Documentation and help are also available from the launch screen.

The first stop, Management, is used to deploy Sentries, set up scans, create and manage objects, build configurations, manage the database, and apply application updates. Objects include everything from registry settings and files to applications, processes, and services. PEM ships with many predefined objects, certainly more than any single organization would need. The first scan of an environment creates an inventory of the objects that PEM finds, and it was simply a matter of checking off new ones to add. I could easily create new user-defined objects by drawing on a list of items that can be customized, like applications, files, processes, and registry items. You type in the application path or process or the registry key and value.

Configurations are groups of objects used to build a policy. I created a new configuration based on a predefined template and began editing it. Objects are grouped together into self-explanatory categories such as Unauthorized Items, Unauthorized Hardware, Policy Compliance, White-List Monitors Baseline, and Repair Operations. Each category has subcategories. For example, Unauthorized Items include P2P Applications, Remote Control, Network Management, Hacking Tools, Files, and User Defined categories, each of which contains lists of applications further grouped together for easy management. I easily could decide whether to include all cloud file-sharing applications or only Dropbox in my scans.

Any item in a configuration can be used for a white list or a black list. Unauthorized hardware and software build a black list, while white lists can be built to verify that security software, patches, and other agents are installed and running. It was a matter of checking boxes to make configurations as simple or as complex as I wanted.
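As an added example, not Promisec's code and not the format in which PEM stores configurations, the following Python models how a configuration built from these categories can be evaluated against a single scan: black-list categories flag objects that are present but should not be, white-list categories flag required objects that are missing or not running, and every hit becomes an exception carrying a severity. The category names follow the review; the object names, the severity table, the KB number and the endpoint snapshot are constructed for illustration.

```python
"""Evaluate a PEM-style black-list / white-list configuration against a scan.

Added example modelled on the review's category names; the object names,
severities and the endpoint snapshot below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Black-list categories: finding the object on an endpoint is an exception.
# Names are stored without ".exe" so processes and applications match alike.
BLACK_LIST: Dict[str, Set[str]] = {
    "Unauthorized Items/P2P Applications": {"utorrent", "bittorrent"},
    "Unauthorized Items/Remote Control": {"teamviewer", "ammyy_admin"},
    "Unauthorized Items/Hacking Tools": {"mimikatz", "nc", "psexec"},
}
# White-list categories: the object must be present (services must be running).
WHITE_LIST: Dict[str, Dict[str, str]] = {
    "White-List Monitors Baseline/Security Agents": {
        "AVService": "service",       # hypothetical AV service name
        "patchagent.exe": "process",  # hypothetical patch-agent process
    },
    "Policy Compliance/Patches": {
        "KB1234567": "patch",         # placeholder KB identifier
    },
}
SEVERITY = {
    "Unauthorized Items/Hacking Tools": "critical",
    "Unauthorized Items/Remote Control": "high",
    "Unauthorized Items/P2P Applications": "medium",
    "White-List Monitors Baseline/Security Agents": "high",
    "Policy Compliance/Patches": "medium",
}


@dataclass(frozen=True)
class Violation:
    host: str
    category: str
    obj: str
    detail: str
    severity: str


def _norm(name: str) -> str:
    """Case-fold and drop a trailing .exe so 'TeamViewer.exe' == 'teamviewer'."""
    n = name.lower()
    return n[:-4] if n.endswith(".exe") else n


def evaluate(host: str, snapshot: dict) -> List[Violation]:
    """Compare one endpoint snapshot (what a Sentry would collect) to policy."""
    procs = {_norm(p) for p in snapshot["processes"]}
    apps = {_norm(a) for a in snapshot["applications"]}
    services = {k.lower(): v for k, v in snapshot["services"].items()}
    patches = set(snapshot["patches"])
    found: List[Violation] = []
    for cat, names in BLACK_LIST.items():          # presence is the exception
        for name in sorted(names):
            if name in procs:
                found.append(Violation(host, cat, name, "running process", SEVERITY[cat]))
            elif name in apps:
                found.append(Violation(host, cat, name, "installed application", SEVERITY[cat]))
    for cat, objs in WHITE_LIST.items():           # absence is the exception
        for name, kind in objs.items():
            if kind == "service" and services.get(name.lower()) != "running":
                state = services.get(name.lower(), "missing")
                found.append(Violation(host, cat, name, f"service {state}", SEVERITY[cat]))
            elif kind == "process" and _norm(name) not in procs:
                found.append(Violation(host, cat, name, "required process not running", SEVERITY[cat]))
            elif kind == "patch" and name not in patches:
                found.append(Violation(host, cat, name, "required patch missing", SEVERITY[cat]))
    return found


# Constructed snapshot of one workstation as a scan might report it.
SAMPLE_HOST = "WS-0417"
SAMPLE_SNAPSHOT = {
    "processes": ["explorer.exe", "TeamViewer.exe", "svchost.exe"],
    "applications": ["Microsoft Office 2016", "uTorrent"],
    "services": {"AVService": "stopped", "Spooler": "running"},
    "patches": ["KB1234567"],
}


def scan_sample() -> List[Violation]:
    return evaluate(SAMPLE_HOST, SAMPLE_SNAPSHOT)


if __name__ == "__main__":
    for v in scan_sample():
        print(f"{v.severity:8} {v.host} {v.category}: {v.obj} ({v.detail})")
```

On the sample snapshot this reports four exceptions: a P2P application installed, a remote-control tool running, the AV service stopped and the patch agent not running; the required patch is present and produces nothing. The same structure extends to registry values or file objects by adding a kind and a lookup against the snapshot.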

Security admins may not care about the latest UI bells and whistles, and they will certainly care more that PEM Control Center packs a lot of features, but the no-frills interface seems dated compared to the stylish, mobile-friendly GUIs offered by others in the EDR field. PEM Control Center is reminiscent of a 10-year-old Windows application.

PEM workflow

Once I built my configurations, I could set up scans by setting a schedule and selecting the hosts to be inspected, which can be done by host name, by IP address, through AD, or by IP range. PEM makes it easy to create configuration policies by letting you establish the results of a scan (file system, registry, processes) as the baseline. In essence, once that baseline is established, subsequent scans are compared against the configurations and any exceptions are flagged for remediation.

Clicking on Compliance from the launch screen opens up the Compliance Console. This is a sortable, filterable list of events discovered by comparing scans to configuration and discovering exceptions. Any exception can be used to build an action, which can be anything that is scriptable from the command line such as shutting down processes, quarantining files, and reinstalling security agents. A helpful wizard walked me through creating new actions.

In the Compliance Console list, I could right-click on any event, then choose from a variety of analysis and remediation actions. The most basic is to accept the change. I could explore by seeing where else this exception has occurred, which is useful for investigating a malware infection or an attack. I could launch an Nmap scan to see if an endpoint's network configuration has changed. I could retrieve a file hash to submit to VirusTotal or a malware analysis sandbox. All of my user-defined actions were also available from this menu.

[Screenshot: PEM Compliance Console]

PEM Compliance Console is a filterable, sortable list of exceptions to policy found through scans and color-coded by severity. Right-clicking on an exception brings up a list of analysis and remediation options.

Beyond detection 

I thought PEM was helpful enough when remediation was a right-click away from the Compliance Console, but where it gets really helpful is that remediation can be automated. Any remediation can quickly be turned into an automated task using the Automation Console. Remediation includes any configured action, software install/uninstall, or for more complex instances, running a script you create in PEM. (A GUI walks you through generating PEM scripts, which can be executed on endpoints directly or used to call Visual Basic scripts.) Remediation can be scheduled to run right after a scan or on an independent schedule. Users can be notified of remediation if so desired.

One use case that I enjoyed was establishing a white-listed file system (such as a baseline hierarchy of folders and files), then scanning for deviations. When deviations are found, I could get VirusTotal scoring on the hash from the Compliance Console. I could right-click to remove the suspected malware file, see a list of other hosts running this malware, or take any action I wanted, such as launch my endpoint protection product on that endpoint, run a scan, and clean up an infection. I could also build white lists for startup applications, processes, and services and apply the same methodology to them.
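The baseline-and-deviation workflow described here and under "PEM workflow" above, as an added Python example that is not part of the product: it hashes every file under a directory tree into a baseline, rescans, reports added, modified and removed files, builds the hash-based VirusTotal lookup for each new or changed file, and moves those files into a quarantine folder. The tree, the "compromise" and the quarantine location are constructed in a temporary directory so the example runs offline; the VirusTotal URL is the public v3 file-report path as I understand it and no request is actually sent.

```python
"""Baseline a directory tree, detect deviations, hash them and quarantine.

Added example, not Promisec's code. The directory contents are constructed
in a temp folder; nothing contacts VirusTotal.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Exception_ = Tuple[str, str, str]  # (kind, relative path, sha256 or "")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> List[Exception_]:
    """Exceptions relative to the baseline; sha256 is '' for removed files."""
    found: List[Exception_] = []
    for rel, digest in current.items():
        if rel not in baseline:
            found.append(("added", rel, digest))
        elif baseline[rel] != digest:
            found.append(("modified", rel, digest))
    for rel in baseline:
        if rel not in current:
            found.append(("removed", rel, ""))
    return sorted(found)


def virustotal_url(sha256: str) -> str:
    """Hash-keyed file-report URL (VirusTotal API v3, assumed path; no key here)."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"


def quarantine(root: Path, rel: str, qdir: Path) -> Path:
    """Move a flagged file out of place, preserving its relative path."""
    dest = qdir / rel
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(root / rel), str(dest))
    return dest


def demo() -> dict:
    """Constructed scenario: baseline, simulate an infection, detect, remediate."""
    tmp = Path(tempfile.mkdtemp(prefix="pem-demo-"))
    root, qdir = tmp / "ProgramData" / "App", tmp / "Quarantine"
    (root / "bin").mkdir(parents=True)
    (root / "bin" / "app.exe").write_bytes(b"MZ\x90\x00 original binary")
    (root / "config.ini").write_text("[app]\nupdate=on\n")
    baseline = snapshot(root)

    # Simulated compromise: dropped loader, patched binary, deleted config.
    (root / "bin" / "loader.dll").write_bytes(b"MZ\x90\x00 dropped payload")
    (root / "bin" / "app.exe").write_bytes(b"MZ\x90\x00 patched binary")
    (root / "config.ini").unlink()

    exceptions = diff(baseline, snapshot(root))
    lookups = {rel: virustotal_url(d) for _, rel, d in exceptions if d}
    quarantined = [quarantine(root, rel, qdir).relative_to(tmp).as_posix()
                   for kind, rel, _ in exceptions if kind in ("added", "modified")]
    # After quarantine only 'removed' entries remain; restoring them from a
    # known-good copy would be the next remediation step.
    remaining = diff(baseline, snapshot(root))
    shutil.rmtree(tmp)
    return {"exceptions": exceptions, "lookups": lookups,
            "quarantined": quarantined, "remaining": remaining}


if __name__ == "__main__":
    result = demo()
    for kind, rel, digest in result["exceptions"]:
        print(f"{kind:8} {rel} {digest[:16] if digest else '-'}")
    for rel, url in result["lookups"].items():
        print(f"lookup   {rel} -> {url}")
```

The quarantine step deliberately keeps the file's relative path so it can be restored if the VirusTotal verdict comes back clean; deleting on first sight of a deviation is the easier action but it destroys the evidence an investigation needs.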

PEM also comes with predefined configurations to enforce standards like NIST.

[Screenshot: PEM compliance actions]

Any exception PEM finds can be used to generate a user-defined action to be taken for remediation. A helpful wizard walks you through building scripts.

Auditing and reporting

PEM includes thorough reporting. The product ships with 67 customizable reports, including summary reports, detailed reports, and regulation-specific reports such as PCI. Reports can be filtered by date, configuration policy, hosts, and a variety of other factors. Reports are not fully customizable, but they are flexible enough for almost anything I could think of. PEM also includes a full audit trail of scans, exceptions, and actions.

Alerts can be issued via Syslog, SNMP, and email for almost any condition that PEM encounters in scans, as well as for errors PEM detects in itself, such as a down Sentry. I didn't see sophisticated routing for alerts. Alerts are either on or off, and they can't be sent to different people based on severity or error condition. This lack of granularity is found throughout PEM. There is no way to assign groups of hosts or applications to specific administrators, to limit the functions available to an administrator, or to apply any other role-based permissions within the console.

The Inventory Console uses the data gathered from interrogating the endpoints to build a dynamic report of hardware and software inventory. Inventory is tracked from scan to scan, and changes are flagged. Once flagged, changes can be accepted or rejected. I could drill down into hosts (broken out into servers and workstations or combined), hardware, or applications.

I could also search. Drilling down into a host showed me installed applications and version information and installed hardware. The inventory of applications included how many instances were discovered, licenses (entered manually), and the lowest and highest versions installed.

EDR with something extra

PEM does a great job of inspecting endpoints, flagging exceptions, and moving the administrator through an analysis and remediation workflow. It allows you to discover exactly what’s running on all of your endpoints; to create policies that allow some applications, processes, files, and settings, as well as forbid others; to detect when those policies are violated; and to remove or replace these objects to remediate endpoints that have strayed from policy.

The only real shortcomings are a general lack of polish, with an outdated Windows interface, and the absence of role-based administration. All of the information that can be obtained by querying an operating system is placed at the administrator's fingertips. While there are a number of predefined remediation actions, to really leverage the product's power you'll have to do a fair amount of scripting.

Nevertheless, the ability to detect an anomaly from the baseline and trigger a scripted response separates PEM from the usual EDR product. Instead of simply reporting the deviation from the baseline and providing forensics, PEM helps you take the next step -- and even automate the actions to take (like uploading binaries to VirusTotal and deleting files) to address the problem.

InfoWorld Scorecard: Promisec Endpoint Manager 4.12
  Policy configuration (20%): 8
  Policy enforcement (20%): 8
  Auditing/reporting (20%): 8
  Administration (20%): 7
  Ease of use (10%): 7
  Setup (10%): 8
  Overall Score (100%): 7.7
At a Glance
  • Promisec Endpoint Manager is an agentless solution that provides all of the information obtainable from an operating system for discovery, analysis, audit, and remediation through scripting.

    Pros

    • Puts all information available to every endpoint's operating system at the admin's fingertips
    • Exception-based console flags changes between scans in order to simplify workflow
    • Any task or remediation can be automated
    • Remediation actions are flexible and can be anything that you can script

    Cons

    • Dated Windows-only interface
    • Lacks role-based administration

Copyright © 2016 IDG Communications, Inc.