Promisec PEM's updates are in step with the recent Cyber Threat Report issued by the Israel Cyber Threats Prevention Authority. As a courtesy, we are including that report in both long and short form. As you read it, please review the section comparing the report's findings with those of the NSA, NIST and ASD.
Should you need assistance implementing the solutions mentioned in the attached report, please do not hesitate to contact us at firstname.lastname@example.org. We can help you raise the level of endpoint security on your network, as we and our partners do on a regular basis.
| Recommended control | Control details | Promisec solution |
|---|---|---|
| 1. Enable operating-system mitigations | Enable EMET and DEP. | - |
| 2. Application whitelisting | Allow only authorized applications and processes to run, to prevent malware execution. | Promisec's baseline monitors let cyber-defense teams whitelist every running component on the endpoint: applications, processes, startup components, toolbars and more. When an unauthorized item is found, Promisec PEM can alert through several channels (email, on-screen alerts, scheduled reports, custom dashboards, SIEM integration and more) and remediate the affected endpoints with semi-automated or automated procedures. |
| 3. Use an updated antivirus suite (reputation, heuristics) | Run an up-to-date antivirus program that includes a signature-based engine, heuristics and reputation services. | Promisec PEM verifies that every endpoint runs the corporate antivirus program with all of its components (real-time protection, reputation services, DLP, etc.). It can alert cyber-defense teams (by email, on-screen alert or SIEM) and let them remediate when the antivirus program is not installed, its signatures or client are out of date, or the antivirus service (or one of its secondary services) is down. "Corporate antivirus compliance level" reports can be produced on a schedule (and emailed) or on demand, and standards gap reports (NIST, PCI and more) can be created if needed. |
| 4. Patch management: operating systems | Verify that the latest critical patches are installed on all endpoints. Windows XP should no longer be used, as Microsoft no longer supports it. | Promisec PEM lets system administrators scan endpoints for OS updates, verifying that each endpoint has the latest patches either by selecting the required updates from a list or by querying the endpoint's update source for the updates available to it. After the scan, Promisec PEM can remediate endpoints through an automatic procedure or let the administrator select which endpoints to remediate. As with all findings, the data can be shared with third-party products that remediate the endpoint, such as a SIEM or a patch-management product. |
| 5. Patch management: applications | Verify that all applications on the endpoint are updated to their latest versions, especially Java, PDF viewers, Flash, web browsers and Microsoft Office. | Promisec PEM inventories every application that runs or has run on the endpoint and records which version is installed on each endpoint. With the Promisec PEM BI module (or another BI product that can analyze its data), a system administrator can cross-reference the installed version against known vulnerabilities in that application (CVEs). When a vulnerable version is found, the administrator can update it with the Promisec PEM automation module or manually from the compliance console (two clicks). |
| 6. Disable local administrator accounts | Disable local administrator accounts on endpoints to prevent the installation and propagation of malware and other malicious files across the network. | With Promisec PEM's "Local administrators group" monitor, cyber-defense teams can verify all users and groups in the local Administrators group, flagging both unwanted members and missing ones (accounts that should be in the group). If required, Promisec PEM can remediate with the automation module or manually from the compliance console. |
| 7. Secure configuration: hardening (operating systems and applications) | Harden the OS and applications according to accepted hardening standards, including removal of unneeded or unwanted processes and services, disabling or renaming of default accounts (e.g. Guest, Administrator), device control and more. | Promisec PEM verifies that the hardening settings on servers and workstations are enforced to the required level, e.g. services and their state, connected USB devices (past and present), running processes and more. It can also scan endpoints and servers against known or requested standards, loaded from Promisec's built-in blacklist or added manually as an XML file listing the requirements. |
| 8. Limit workstation-to-workstation communication and direct internet access | Block communication between endpoints in the same network segment to prevent local-network attacks such as pass-the-hash (PtH), and block direct (non-proxied) internet access from endpoints and servers. | - |
| 9. Host intrusion prevention system (HIPS) | Detect and prevent abnormal activity in running applications and processes, including injection, keystroke logging, driver loading and persistence. | Promisec PEM's FIM (file integrity monitoring) module computes hashes of all running processes (EXE, DLL and MSI files; an "all file types" scan is also available). After the initial scan it keeps these hashes as a baseline and runs a reputation check through the VirusTotal API on any hash that changes. By doing so, Promisec PEM: Promisec PEM also helps detect persistence by monitoring all startup components on the endpoint and comparing them with the baseline. An unknown component is checked through FIM to determine whether it is a known file (malicious or not) or an unknown file that needs further investigation. Where possible, Promisec PEM can remediate the finding (e.g. kill the process, remove the startup component, or run a removal tool if one exists). Note that hash-based file integrity monitoring detects new or modified files on disk; it does not by itself observe in-memory injection or keystroke capture. |
| 10. Network segmentation and segregation | Segment and separate networks by function (e.g. servers, users, test) to prevent or contain the spread of malware. | - |
| 11. User training and awareness | Guidance and training for employees on basic information-security rules, including phishing, safe browsing, social engineering and more. | Promisec helps raise information-security awareness across the organization by disseminating awareness campaigns (e.g. messages in the screen saver or on screen). Campaigns can be delivered immediately, on a schedule, or as on-screen alerts when a user has done (or is doing) something that is not allowed. This adds another layer of user awareness that protects the organization. |
| 12. Logging, audit and monitoring | Continuous monitoring, log collection and correlation, reporting and alerting. | - |
| 13. Secure web gateway | Use a secure web gateway including: | - |
| 14. Securing email | Inbound mail scanning including: | - |
| 15. Recovery | Create recovery and backup plans for a malicious-file incident (e.g. ransomware such as CryptoLocker). | - |
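For control 5, the cross-reference between installed application versions and known vulnerabilities does not need a BI product. The following is an added Python example written for this page, not Promisec's own code: it takes a constructed inventory of (host, application, version) records and a constructed advisory feed whose IDs (EXAMPLE-ADV-*) are placeholders, not real CVEs, and flags every install whose version falls inside an affected branch. The branch lower bound is the detail that matters in practice: a fix released on the 8.x line must not flag a 7.x install.

```python
"""Cross-reference installed application versions against a vulnerability feed (control 5)."""
import re
from collections import defaultdict


def parse_version(text: str) -> tuple:
    """'11.0.07' -> (11, 0, 7); '7.0.51-b13' -> (7, 0, 51, 13). Only the digit runs matter."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(version: str, branch: str, fixed_in: str) -> bool:
    """Affected iff branch <= version < fixed_in, so a fix on the 8.x line never flags 7.x."""
    v = parse_version(version)
    return parse_version(branch) <= v < parse_version(fixed_in)


# Constructed endpoint inventory: (hostname, application, installed version).
INVENTORY = [
    ("WS-001", "Java Runtime", "7.0.51"),
    ("WS-001", "Adobe Reader", "11.0.10"),
    ("WS-002", "Java Runtime", "8.0.25"),
    ("WS-002", "Adobe Flash Player", "16.0.0.287"),
    ("SRV-010", "Java Runtime", "7.0.75"),
]

# Constructed advisory feed with placeholder IDs (not real CVEs). "branch" is the first
# version in the affected line, "fixed_in" the first version that carries the fix.
FEED = [
    {"id": "EXAMPLE-ADV-1", "app": "Java Runtime", "branch": "7.0", "fixed_in": "7.0.72"},
    {"id": "EXAMPLE-ADV-2", "app": "Java Runtime", "branch": "8.0", "fixed_in": "8.0.31"},
    {"id": "EXAMPLE-ADV-3", "app": "Adobe Flash Player", "branch": "16.0", "fixed_in": "16.0.0.296"},
]


def find_vulnerable(inventory, feed):
    """Return one finding per (host, app, advisory) where the installed version is affected."""
    findings = []
    for host, app, version in inventory:
        for adv in feed:
            if adv["app"] == app and is_affected(version, adv["branch"], adv["fixed_in"]):
                findings.append({
                    "host": host, "app": app, "version": version,
                    "advisory": adv["id"], "update_to": adv["fixed_in"],
                })
    return findings


def by_host(findings):
    """Group findings per host so each endpoint gets one remediation work item."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["host"]].append((f["app"], f["advisory"]))
    return dict(grouped)


if __name__ == "__main__":
    for host, items in by_host(find_vulnerable(INVENTORY, FEED)).items():
        print(host, items)
```

With a real feed the records would carry CVE IDs and affected-version ranges taken from NVD or the vendor's advisories; the comparison logic is unchanged. Version strings that are not purely numeric (letters, build tags) are reduced to their digit runs, which is adequate for the products listed in control 5 but should be checked per product.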
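For control 6, the "unwanted or missing member" check on the local Administrators group can be reproduced with nothing more than the output of `net localgroup Administrators`. The following is an added Python example written for this page, not Promisec's own code. The two command outputs, the hostnames and the per-host policy are all constructed; the parser relies only on the real layout of that command's output (members listed after the dashed rule, terminated by "The command completed successfully.").

```python
"""Audit local Administrators group membership against a per-host policy (control 6)."""

# Constructed `net localgroup Administrators` output captured from two hosts.
SAMPLE_OUTPUT = {
    "WS-001": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
The command completed successfully.
""",
    "SRV-010": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Server Admins
The command completed successfully.
""",
}

# Constructed policy: "required" must be present, "allowed" may be present, anything else is unwanted.
POLICY = {
    "WS-001": {"required": {"administrator", "corp\\domain admins"}, "allowed": set()},
    "SRV-010": {"required": {"administrator", "corp\\domain admins", "corp\\server admins"}, "allowed": set()},
}


def parse_net_localgroup(text: str) -> set:
    """Extract member names from `net localgroup <group>` output, case-folded for comparison."""
    members, in_list = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True          # member list begins after the dashed rule
            continue
        if line.startswith("The command completed"):
            break                   # trailer line, end of list
        if in_list and line:
            members.add(line.casefold())
    return members


def check_host(members: set, required: set, allowed: set):
    """Return (unwanted, missing). A member that is neither required nor allowed is unwanted."""
    permitted = required | allowed
    return sorted(members - permitted), sorted(required - members)


def audit(outputs: dict, policy: dict) -> dict:
    """Run the check for every host and return findings keyed by hostname."""
    findings = {}
    for host, text in outputs.items():
        pol = policy[host]
        unwanted, missing = check_host(parse_net_localgroup(text), pol["required"], pol["allowed"])
        findings[host] = {"unwanted": unwanted, "missing": missing}
    return findings


if __name__ == "__main__":
    for host, result in audit(SAMPLE_OUTPUT, POLICY).items():
        print(host, result)
```

The sample deliberately shows both failure modes the monitor is described as catching: WS-001 carries an extra user (CORP\jsmith) and SRV-010 lacks a required group (CORP\Domain Admins). Names are compared case-insensitively because Windows account names are.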
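Controls 2 and 9 both rest on the same mechanism: hash the executable components on an endpoint, keep the result as a baseline, and on the next scan treat anything new or changed as something to triage. The following is an added Python example written for this page, not Promisec's FIM module: it hashes a constructed directory tree, simulates a patched DLL and a dropped binary, and classifies the resulting differences against constructed known-good and known-bad hash sets. Those two sets stand in for the reputation lookup (for example the VirusTotal API) described for control 9, so the example runs offline.

```python
"""Hash-baseline integrity check for executable files (controls 2 and 9)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path, suffixes=(".exe", ".dll", ".msi")) -> dict:
    """Map each monitored file (path relative to root) to its SHA-256."""
    hashes = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            hashes[p.relative_to(root).as_posix()] = sha256_file(p)
    return hashes


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Split the current scan into files added, removed, or changed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def reputation(digest: str, known_good: set, known_bad: set) -> str:
    """Stand-in for a hash-reputation service; here two constructed in-memory sets."""
    if digest in known_bad:
        return "known-bad"
    if digest in known_good:
        return "known-good"
    return "unknown"


def triage(baseline: dict, current: dict, known_good: set, known_bad: set):
    """Look up only what deviates from the baseline; unchanged files were approved when baselined."""
    delta = diff_baseline(baseline, current)
    verdicts = {path: reputation(current[path], known_good, known_bad)
                for path in delta["added"] + delta["changed"]}
    return delta, verdicts


def demo():
    """Constructed scenario: baseline, then one legitimate update and one dropped binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "svc.exe").write_bytes(b"MZ original service")
        (root / "app" / "helper.dll").write_bytes(b"MZ helper")
        (root / "notes.txt").write_bytes(b"not an executable, not monitored")
        baseline = hash_tree(root)

        (root / "app" / "helper.dll").write_bytes(b"MZ helper v2")   # vendor patch
        (root / "app" / "dropper.exe").write_bytes(b"MZ dropper")    # new, unapproved binary
        known_good = {hashlib.sha256(b"MZ helper v2").hexdigest()}
        known_bad = {hashlib.sha256(b"MZ dropper").hexdigest()}

        return triage(baseline, hash_tree(root), known_good, known_bad)


if __name__ == "__main__":
    delta, verdicts = demo()
    print(delta)
    print(verdicts)
```

A verdict of "unknown" is the case that needs an analyst: the file is neither in the baseline nor known to the reputation source, which is the "should be checked for more information" outcome in control 9. A real deployment would also record which process or startup entry referenced each path, and would treat a hash-only check as covering on-disk changes, not in-memory injection.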