Promisec Endpoint Manager: So we gotta cope with BYOD... Help!

Don't shy away from grappling your users' wonky endpoints

Review: The explosion of internet-connected gadgets, sensors and other devices that underpins the "internet of things" concept makes my head hurt.

When combined with the completely new security model presented by IPv6, BYOD and cloud computing, automation of endpoint management is rapidly becoming non-optional.

I've started taking a look at some of the vendors in this space and Promisec Endpoint Manager (PEM) has jumped out at me as an interesting case.

Earlier this year I looked at over 100 endpoint management companies and then bashed together a quick overview of what the space looked like. There was not nearly enough space (or time) to report on them all, but the crux of the issue shone through: there's an endpoint management company for just about any combination or configuration of endpoints you could possibly want.

In my experience, most endpoint management companies are obsessed with getting as many different OSes as possible integrated into their application. Promisec differs in that it is not busy spamming OS support for everything under the sun - it supports Windows and Unix/Linux.

Promisec's approach to mobile devices is to identify them for you and say: "this widget is Android, this one is iOS." From there you can manage it with your preferred application for that device type. Promisec is content to take it a little slower and try to get everything right with one OS at a time before adding support for more.

How to judge this? On the one hand, Promisec comes out looking to some like a company that isn't keeping up with the rest of the industry. On the other, the majority of the endpoint management industry flails around like headless chickens spewing buzzwords but failing to inspire confidence.

Managing endpoints is big business, in no small part because your network is done for if you screw it up. Given this, I respect the company that chooses to do one thing well rather than try to be all things to all people.

How PEM works

To make the thing go, the system installs a "sentry" onto one of your sites. Sentries can be installed on any Windows system (including virtualized machines). The "sentry" gathers info and acts on what it discovers. This approach – called by various names such as agent, sentry or observer, depending on the company involved – is pretty typical of the endpoint management space, the biggest caveat being that you need one agent per subnet.

This means that there is nothing installed onto the endpoint you're going to manage. It scans your network using a variety of protocols in a manner that reminds me of LANguard sweeps, although Promisec is continuous and uses a different inspection methodology.

PEM manages more than just the OS; it also uses multiple APIs to scan for apps and it performs Network Access Protection (NAP)-like checks on the devices it uncovers. Is the OS joined to the domain? Is a given patch/app installed? Is a required service up? Make it so!

There is a white-list baseline service. Point the application at a "known good" system and pull a list of startup items, running processes, services, apps, etc. From there you can use that baseline to hunt non-compliant items on the network and kill them. Part of this is a Secunia-PSI-like update tracker that finds updates for third-party apps (such as Java) and gets them updated.
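The baseline comparison and the NAP-like checks described above can be sketched as follows. This is an added example, not Promisec's code or data model: the inventory format, the function names and every sample value (host domain, service names, patch ID) are constructed for illustration.

```python
# Added illustration: inventory format and all names below are constructed,
# not Promisec's data model or API.
CATEGORIES = ("startup", "processes", "services", "apps")

def norm(name):
    # Windows names are case-insensitive; normalise before comparing.
    return name.strip().lower()

def build_baseline(snapshot):
    """Turn a 'known good' inventory into per-category allow-sets."""
    return {c: {norm(n) for n in snapshot.get(c, [])} for c in CATEGORIES}

def audit(baseline, endpoint, policy):
    """Return sorted (kind, category, item) findings for one endpoint."""
    findings = []
    for cat in CATEGORIES:
        seen = {norm(n) for n in endpoint.get(cat, [])}
        # Anything present on the endpoint but absent from the baseline.
        for item in seen - baseline[cat]:
            findings.append(("not_in_baseline", cat, item))
    # Required-state checks: domain membership, service up, patch installed.
    if policy.get("domain") and norm(endpoint.get("domain", "")) != norm(policy["domain"]):
        findings.append(("not_domain_joined", "domain", policy["domain"]))
    running = {norm(n) for n in endpoint.get("services", [])}
    for svc in policy.get("required_services", []):
        if norm(svc) not in running:
            findings.append(("service_down", "services", norm(svc)))
    patches = {norm(p) for p in endpoint.get("patches", [])}
    for p in policy.get("required_patches", []):
        if norm(p) not in patches:
            findings.append(("patch_missing", "patches", norm(p)))
    return sorted(findings)

# Constructed sample data (placeholder names, not real indicators).
KNOWN_GOOD = {"startup": ["SecurityHealth"], "processes": ["lsass.exe", "svchost.exe"],
              "services": ["WinDefend", "EventLog"], "apps": ["ExampleApp 1.0"]}
POLICY = {"domain": "corp.example", "required_services": ["WinDefend"],
          "required_patches": ["KB0000001"]}  # placeholder patch ID
ENDPOINT = {"domain": "WORKGROUP", "startup": ["securityhealth", "updater_helper"],
            "processes": ["LSASS.EXE", "svchost.exe", "toolbar.exe"],
            "services": ["EventLog"], "apps": ["ExampleApp 1.0"], "patches": []}

if __name__ == "__main__":
    for finding in audit(build_baseline(KNOWN_GOOD), ENDPOINT, POLICY):
        print(finding)
```

Note that a baseline only flags what differs from the reference machine, so the "known good" system must itself be verified before its inventory is trusted.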

PEM has the ability to lock out unauthorized hardware (USB, CD-ROM, etc.) and otherwise carries the endpoint management items you would expect to see. I am intrigued about how Promisec has combined these abilities together into a policy compliance engine.

PEM has "policy scanners" that check for things like CIS, NIST, PCI compliance and so forth. It will scan GPOs, Active Directory, etc. to make sure it all complies. You simply select a policy that you need to comply with, run the scan and it tells you what you need to fix.

The rah-rah selling feature of the whole thing is "right click remediation." Install the patch, app, start service, and so on, all from a single context menu in the management application. Combine this with the policy scanner idea and I like what's on the table here.

There's a place for this

I use a combined manager for my own network, and my weapon of choice is Mmsoft's PC Monitor. This is good enough for the needs of my three-person company and – most importantly, given my recently validated privacy paranoia – Mmsoft is Irish, not American. Though my current choice of provider is different, I can see a place for Promisec's PEM in the larger networks I manage.

I find myself constantly running into the issue of ignoring the desktops and even my servers. They feel old and comfortable. I know those computers. The operating systems and the applications that run on them fit like an old glove. Comfort leads to contempt and in the IT industry that is very dangerous.

I may well know my operating systems, applications and systems inside and out. The problem is that so does everyone else. The threat model I have to defend against is constantly evolving. My network isn't.

I'm up to my ears in planning for the next generation of server upgrades or trying to figure out what to do about BYOD, mobiles, cloud computing and the rest. In this environment, something like Promisec's PEM is a good thing. It keeps an eye on the old guard for me while I try to figure out what to do about the rest of the stuff out there.

If nothing else, the sheer diversity of endpoint management products is worth debate. What is your take, dear Register readers? Leave your thoughts in the comments. ®
