Promisec Endpoint Manager: So we gotta cope with BYOD... Help!
Don't shy away from grappling your users' wonky endpoints
Review The explosion of internet-connected gadgets, sensors and other devices that underpins the "internet of things" concept makes my head hurt.
When combined with the completely new security model presented by IPv6, BYOD and cloud computing, automation of endpoint management is rapidly becoming non-optional.
I've started taking a look at some of the vendors in this space and Promisec Endpoint Manager (PEM) has jumped out at me as an interesting case.
Earlier this year I looked at over 100 endpoint management companies and then bashed together a quick overview of what the space looked like. There was not nearly enough space (or time) to report on them all, but the crux of the issue shone through: there's an endpoint management company for just about any combination or configuration of endpoints you could possibly want.
In my experience, most endpoint management companies are obsessed with getting as many different OSes as possible integrated into their application. Promisec differs in that it is not busy spamming OS support for everything under the sun - it supports Windows and Unix/Linux.
Promisec's approach to mobile devices is to identify them for you and say: "this widget is Android, this one is iOS." From there you can manage it with your preferred application for that device type. Promisec is content to take it a little slower and try to get everything right with one OS at a time before adding support for more.
How to judge this? On the one hand, Promisec comes out looking to some like a company that isn't keeping up with the rest of the industry. On the other, the majority of the endpoint management industry flails around like headless chickens spewing buzzwords but failing to inspire confidence.
Managing endpoints is big business, in no small part because your network is done for if you screw it up. Given this, I respect the company that chooses to do one thing well rather than try to be all things to all people.
How PEM works
To make the thing go the system installs a "sentry" onto one of your sites. They can be installed on any Windows system (including virtualized machines). The “sentry” gathers info and acts on what it discovers. This approach – called by various names such as agent, sentry or observer, depending on the company involved – is pretty typical of the endpoint management space; the biggest caveat being that you need one agent per subnet.
This means that there is nothing installed onto the endpoint you're going to manage. It scans your network using a variety of protocols in a manner that reminds me of LANguard sweeps, although Promisec is continuous and uses a different inspection methodology.
PEM manages more than just the OS; it also uses multiple APIs to scan for apps and it performs Network Access Protection (NAP)-like checks on the devices it uncovers. Is the OS joined to the domain? Is a given patch/app installed? Is a required service up? Make it so!
There is a white-list baseline service. Point the application at a "known good" system and pull a list of startup items, running processes, services, apps, etc. From there you can use that baseline to hunt non-compliant items on the network and kill them. Part of this is a Secunia-PSI-like update tracker that finds updates for third-party apps (such as Java) and gets them updated.
PEM has the ability to lock out unauthorized hardware (USB, CD-ROM, etc.) and otherwise carries the endpoint management items you would expect to see. I am intrigued about how Promisec has combined these abilities together into a policy compliance engine.
PEM has "policy scanners" that check for things like CIS, NIST, PCI compliance and so forth. It will scan GPOs, Active Directory, etc. to make sure it all complies. You simply select a policy that you need to comply with, run the scan and it tells you what you need to fix.
The rah-rah selling feature of the whole thing is "right click remediation." Install the patch, app, start service, and so on, all from a single context menu in the management application. Combine this with the policy scanner idea and I like what's on the table here.
There's a place for this
I use a combined manager for my own network, and my weapon of choice is Mmsoft's PC Monitor. This is good enough for the needs of my three-person company and – most importantly, given my recently validated privacy paranoia – Mmsoft is Irish, not American. Though my current choice of provider is different, I can see a place for Promisec's PEM in the larger networks I manage.
I find myself constantly running into the issue of ignoring the desktops and even my servers. They feel old and comfortable. I know those computers. The operating systems and the applications that run on them fit like an old glove. Comfort leads to contempt and in the IT industry that is very dangerous.
I may well know my operating systems, applications and systems inside and out. The problem is that so does everyone else. The threat model I have to defend against is constantly evolving. My network isn't.
I'm up to my ears in planning for the next generation of server upgrades or trying to figure out what to do about BYOD, mobiles, cloud computing and the rest. In this environment, something like Promisec's PEM is a good thing. It keeps an eye on the old guard for me while I try figure out what to do about the rest of the stuff out there.
If nothing else, the sheer diversity of endpoint management products is worth debate. What is your take, dear Register readers? Leave your thoughts in the comments. ®