Continuous Posture Anomaly Management Essentials

The start of every cyberattack is reconnaissance, during which cybercriminals study the target IT environment and build a map of possible attack vectors. Attackers always look for the easiest tactic first, and more often than not they succeed with it. Using a good vulnerability management tool is recommended to avoid such attacks.

In a diverse IT environment, IT security admins struggle to analyze the cluttered data and to understand the organization’s IT environment deeply. Inadequate insight into the IT environment opens the door for cybercriminals to enter through the narrow lanes of your IT infrastructure. IT security admins also miss out on an important piece of the puzzle: cyber hygiene measures. These measures can be followed by using a patch management solution.

Ask these simple questions to validate that you have enough insights into your IT infrastructure:

  • Do you understand your IT environment deeply enough to know what is in it and what is not?
  • Is there unnecessary IT? Unwanted installations and configurations?
  • Are there outlier systems, and outlier configurations?
  • Are basic security controls deployed and functioning well?
  • How are these systems interacting with each other?

SecPod SanerNow introduces a Continuous Posture Anomaly Management platform to discover the risk exposures that are fundamental to the cyber-attack prevention journey, so that maximum protection can be implemented.

What are Posture Anomalies?

Posture Anomalies (PA) are outliers and deviations present in devices against known-good when the system’s security postures are evaluated collectively. The anomalies are either statistically determined, machine learning computed, or deviations derived out of security best practices.

Statistical anomalies:

Organizations have hundreds of systems in their IT environment. It is no surprise that IT security teams become blindsided, not knowing whether all the systems are configured a certain way and whether all the systems are behaving a certain way.

Every security tool, like a vulnerability management tool, whether prevention or detection based, always looks at security from an individual system point of view. They never look at the entire IT system collectively as one entity and analyze the deviations.

In every organization, there will be commonalities across the devices: common security policies, common security controls, application policies, device control policies, common security products and protocols, and common behavioural traits. The problem arises when IT security admins have no visibility into deviations from these acceptable commonalities. Such outliers help us understand the IT infrastructure holistically and act against anomalies when they expose a device to a potential threat.

Security control anomalies:

It is important to ensure that only authorized or approved security controls and hygiene measures are implemented throughout the organization’s IT systems. Across all the systems, getting visibility into what is running on them, how the security controls are configured, and whether they remain as they were configured is a critical need for maintaining an accepted baseline. Any deviation from the standard measures is to be marked as an anomaly. Further, appropriate action must be taken to remove the anomaly for a safe and secure IT infrastructure.

Posture Anomalies: What to Look Out For?

SanerNow Continuous Posture Anomaly Management looks at hundreds of device artifacts collectively across devices to uncover posture anomalies that are helpful to know about and to ensure that particular cyber hygiene is maintained across all devices. It identifies devices whose postures are configured noticeably differently from the rest, and flags them as a potential risk that must be dealt with.

  • Vulnerable process making outbound network connection
  • Unique software applications determined in select few systems
  • Irregular Host IP to MAC address maps found across devices in ARP table
  • Anomalous events found in Windows Event log
  • Applications are found to make outbound connections to unusual ports
  • Irregular Domain to IP address maps found across devices in ARP table
  • Unique processes are running in select few systems
  • Unusual software license keys determined
  • Unusual command execution found in Windows Run Command history
  • Atypical Desktop Firewall configuration
  • Unusual tasks are scheduled in Task Scheduler
  • Unique services are running in select few systems
  • MAC Addresses are found to be changed
  • IP Addresses are found to be changed
  • Hostnames are found to be changed
  • Unusual entries in Autorun
  • Increasing Critical vulnerability count
  • Increasing High vulnerability count
  • Increasing Medium vulnerability count
  • Trending Low Vulnerabilities Anomaly
  • Anomaly was found in users with elevated privilege
  • Anomaly detected in IP Forwarding status
  • Unusual entries determined in Environment Variables
  • Fewer Users (UID) are mapped to Groups (GID)
  • Atypical Kernel version found
  • Unusual Run level entries determined
  • Unique RPC services are running in select few systems
  • Increasing trend of CCEs observed
  • Unique BIOS Manufacturer determined
  • Unknown disk type or Mass Storage devices connected
  • Anomaly detected in Service counts
  • Anomaly detected in Process count
  • Anomaly detected in Application count
  • Unusual Kernel modules are loaded
  • Unusual Kernel parameters are found
  • Unwanted Network Ports are configured
  • Unwanted Services
  • Unwanted Processes
  • Unwanted Startup Applications
  • Unwanted Environment Variables
  • Unwanted Devices
  • Antivirus application is either not running, not enabled or signatures not up to date
  • Firewall disabled
  • User Account Control (UAC) policy is not configured properly
  • SELinux disabled
  • Address Space Layout Randomization (ASLR) is disabled
  • System Data Execution Prevention (DEP) Policy is disabled
  • BitLocker is disabled
  • Keychain policy is not configured
  • Gatekeeper is disabled
  • Unified Extensible Firmware Interface (UEFI) is not enabled
  • High RAM or CPU utilization detected
  • Available Disk Space is less than 100MB
  • Wi-Fi Security is disabled
  • Wi-Fi encryption is disabled
  • Wi-Fi authentication algorithm is not set
  • Empty Password is set for user
  • Inactive user found
  • Autologin is enabled
  • Outdated software applications are installed
  • Blacklisted software applications are installed
  • Outdated Operating System found
  • Outdated Operating System Service Packs found
  • Cloud applications are installed
  • Web Conferencing applications are installed
  • Instant Messaging applications are installed
  • VPN Software is installed
  • P2P Apps are installed
  • Gaming applications are installed
  • File Transfer Apps are installed
  • Applications with unknown publisher found
  • Unsigned Apps are allowed
  • Guest users are enabled
  • Time Synchronization is not enabled
  • Device Share is enabled
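To make the "statistical anomaly" and "security control anomaly" ideas above concrete, here is an added example (not SanerNow code, and not from SecPod) that applies the same collective analysis to a constructed five-device inventory: it flags services running on only a few devices, an atypical kernel version, drift from an assumed known-good firewall baseline, and a critical-vulnerability count that rises on every scan. The device names, service names, kernel strings, and the 25% rarity threshold are all assumptions.

```python
from collections import Counter

# Constructed sample posture inventory for five devices (not real telemetry).
# "crit_vulns" holds the critical-vulnerability count from three successive scans.
FLEET = {
    "ws-01": {"services": {"sshd", "cron", "rsyslog"}, "kernel": "5.15.0-91",
              "firewall": True, "crit_vulns": [2, 2, 3]},
    "ws-02": {"services": {"sshd", "cron", "rsyslog"}, "kernel": "5.15.0-91",
              "firewall": True, "crit_vulns": [1, 1, 1]},
    "ws-03": {"services": {"sshd", "cron", "rsyslog", "vsftpd"}, "kernel": "5.15.0-91",
              "firewall": False, "crit_vulns": [0, 3, 7]},
    "ws-04": {"services": {"sshd", "cron", "rsyslog"}, "kernel": "4.19.0-26",
              "firewall": True, "crit_vulns": [2, 2, 2]},
    "ws-05": {"services": {"sshd", "cron", "rsyslog"}, "kernel": "5.15.0-91",
              "firewall": True, "crit_vulns": [2, 1, 1]},
}

# Assumed known-good baseline for security controls (a policy choice, not from the page).
BASELINE = {"firewall": True}

def rare_items(fleet, attr, max_share=0.25):
    """Statistical anomaly: an item present on at most max_share of the fleet is an
    outlier ("unique services running in a select few systems")."""
    counts = Counter(item for dev in fleet.values() for item in dev[attr])
    rare = {item for item, c in counts.items() if c / len(fleet) <= max_share}
    return {name: sorted(dev[attr] & rare) for name, dev in fleet.items() if dev[attr] & rare}

def atypical_values(fleet, attr):
    """Statistical anomaly: a single-valued attribute that differs from the fleet's
    most common value ("atypical kernel version found")."""
    mode = Counter(dev[attr] for dev in fleet.values()).most_common(1)[0][0]
    return {name: dev[attr] for name, dev in fleet.items() if dev[attr] != mode}

def control_deviations(fleet, baseline):
    """Security control anomaly: a control whose state differs from the known-good
    baseline ("firewall disabled")."""
    report = {}
    for name, dev in fleet.items():
        drift = [ctl for ctl, want in baseline.items() if dev.get(ctl) != want]
        if drift:
            report[name] = drift
    return report

def rising_trend(fleet, attr):
    """Trend anomaly: the count grew on every successive scan
    ("increasing critical vulnerability count")."""
    return [name for name, dev in fleet.items()
            if len(dev[attr]) > 1 and all(b > a for a, b in zip(dev[attr], dev[attr][1:]))]
```

Run each function over the same inventory and ws-03 shows up in three of the four reports, which is the kind of cross-artifact correlation a per-device scanner would not surface.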

What is Continuous Posture Anomaly Management?

Continuous Posture Anomaly Management (CPAM) helps IT security admins discover the risk exposures that are fundamental to the cyber-attack prevention journey and, once addressed, give maximum protection. It detects the aberrations, deviations, and outliers in your IT by holistically assessing your devices and monitoring hundreds of parameters across them.

Benefits of Continuous Posture Anomaly Management

  • Discover hidden risks and achieve perfect security posture:

Due to the rapid growth of complex cyberattacks, having visibility over all the network devices in your IT infrastructure is not enough. To deal with the sophisticated attacks that adversaries are launching, you need real visibility into your network.

Continuous Posture Anomaly Management helps in discovering any deviations or aberrations that are present in your network that would lead to potential cyberattacks.

A few hidden risks that could threaten the security of your organization include abnormal services, processes, unsigned applications, unusual commands, abnormalities in your event logs, multiple login attempts, critical vulnerabilities and much more.

  • Improve Operational Efficiency:

By detecting the hidden risks and deviations present in your organizational network, you will be able to improve efficiency. Continuous Posture Anomaly Management provides intelligent insights that help in discovering and remediating these unnoticed security loopholes before other security measures are implemented.

  • Gain Control of your IT infrastructure:

With Continuous Posture Anomaly Management, you will have a comprehensive view of the IT infrastructure and be more aware of the security risks that were once hidden. You can implement more effective security measures that will reduce risk exposure significantly.

Along with managing vulnerabilities (using a vulnerability management tool), misconfigurations, and other security risks, you will also have control over the security posture anomalies that could otherwise have unleashed massive attacks.

Top Use Cases of Continuous Posture Anomaly Management:

Continuous Posture Anomaly Management redefines the way you look at your IT environment. From helpful insights about your infrastructure to posture anomalies plaguing them, CPAM can help you with a number of use cases.

  • Binocular View of your IT:

    A bird’s-eye view of your IT infrastructure can shed light on things you might have missed before, and you could be surprised by what you find. Continuous Posture Anomaly Management provides this bird’s-eye view of your network devices by collecting data over several days and computing patterns from it, revealing things a single snapshot would miss.

  • Machine learn your IT:

    Basic information about your IT assets, even when collected every day, isn’t sufficient to take action. Continuous Posture Anomaly Management instead looks at your IT collectively, applies artificial intelligence over the data to machine learn your IT, and detects outliers through statistical anomaly computation. This allows you to detect and assess outliers in your apps, services, and various other workstation properties.

  • Known-Good your IT:

    Your IT infrastructure consists of thousands of assets, both hardware and software. But do you need all of them to function without any hiccups? Only by looking at your IT collectively can you detect and declutter the unnecessary.

    By eliminating unnecessary software that can affect productivity and introduce risk, Continuous Posture Anomaly Management helps you known-good your IT network. Further, you can take control of your Software Bill of Materials and cut costs while improving your organization’s security posture.

  • Monitor Security Controls deviation:

    Security controls are a critical layer of defense in your network devices, but are they functioning correctly? Security control deviations can be an easy way for an attacker to get access to your network and wreak havoc.

    With Continuous Posture Anomaly Management, you can monitor security controls, detect deviations that could put your IT infrastructure at risk, and fix them immediately. CPAM helps you significantly reduce the attack surface arising from security posture anomalies and deviations.

  • Normalize and Organize your IT from Chaos:

    Abnormalities, anomalies, deviations, and unnecessary assets in your IT cause chaos and disorder. Further, these security risks can often become the easiest way for an attacker to enter your network.

    With Continuous Posture Anomaly Management, you can normalize your IT by fixing the issues plaguing it and eliminating the chaos.
