What would it be like if an Endpoint and Saner communicated?
Endpoint: Someone entered?
Saner: Hello Endpoint! I am Saner Version 2.1, Family Supported- Linux, Mac and Windows.
Endpoint: Welcome Saner. I am Endpoint (hostname), alias 192.168.1.X (IP address), A2:B1:C4:A3:B2:C1 (Mac address), Processor X, RAM 8GB and Storage 500GB
Endpoint: Welcome to my world Saner. What is the purpose of your visit to my world?
Saner: Will answer that! But before that I will report my arrival to your organization’s administrator.
Endpoint: Organization’s administrator? Why do you want to report?
Saner– Organization’s administrator is the one who is maintaining all the systems in this network. Organization’s administrator has sent me here to protect/monitor you.
Endpoint: Protect/Monitor me? LOL!
Endpoint: Did you see my configuration?
Saner: Yes. You’re amazing, but are you able to perform as much?
Endpoint – You got me!! This user is trying to install so many applications and not maintaining it and the integrity of my data is at stake. There are applications that can rip my RAM apart.
Saner: That’s why I have been sent here. Let me update my intelligence and scan you entirely.
Saner: It seems like you have many vulnerabilities and most of the configuration settings are improper.
Endpoint: Vulnerability? Improper configuration?
Saner: Let me explain. Vulnerability is a weakness that allows an attacker to reduce a system’s information assurance. Misconfiguration is any incorrect or inappropriate setting applied to you.
Endpoint: Oh God! What should we do now?
Saner: I have already sent your report to organization’s administrator.
Meanwhile, system shutting down…
Endpoint: Hey Saner! I am going down. Will meet later.
Saner: Goodbye Endpoint.
System Coming up…
Endpoint: Hello Saner.
Saner: Hello Endpoint!
Endpoint: What’s up?
Saner: Activating current status with organization’s administrator.
Endpoint: Activating?
Saner: Every time when I come up, will update my presence to organization’s administrator.
Endpoint: Good. Any news?
Saner: I haven’t received any ‘Job’ or ‘Rule’ to perform.
Endpoint: Job? Rule?
Saner: Job -This allows setting remediation for currently installed vulnerable application. Rule – This ensures that all software application currently present or installed henceforward will be automatically remediated. This feature minimizes the need for constant monitoring.
Mean while time is 11.00 AM…
Saner: Let me perform my daily intelligence update.
Endpoint: Do you have to update everyday?
Saner: Not only intelligence update but will also scan everyday. But by default at 11.00 AM will get any updates and at 12.00 PM same day will rescan, and upload latest report to organization’s administrator.
Endpoint: But?
Saner: What?
Endpoint: What if I am down at that time?
Saner: No worries. Whenever I come up, I will automatically detect and perform the task.
Endpoint: Cool!
Saner: It looks like our administrator has set a Job to perform.
Endpoint: What will happen now?
Saner: I will remediate all harmful applications and correct your configuration settings.
Endpoint: Let’s start.
Saner: Organization’s administrator sets to perform task after next-scan. It seems your user is performing some important work.
Endpoint: Next scan?
Saner: Everyday at 12.00 PM I will perform scan. Do you remember?
Endpoint: Yes. But the time is 11:00:05.
Saner: Yeah, in the meanwhile I will continue to monitor you.
Endpoint: Monitor?
Saner: Organization’s administrator has enabled monitoring. Now I can look at everything happening in you.
Endpoint: What do you monitor?
Saner: Files- any change in files for example, add, delete and modify
Device- adding new device, removing device
Network- all network activities
Processes- any new process that is started or stopped
I am here to report changes to the organization’s administrator.
Endpoint: Wow! If you’re doing so much then you will be killing me as well.
Saner: I am a background process. I need less CPU and consume less memory. While monitoring, I queried all your running process and sent performance report to organization’s administrator. Luckily, there were no malware.
Based on the report, I received multiple incident response tasks- terminated unwanted processes, cleaned up junk files, started patch management service, also installed an anti-virus application.
Did you notice that?
Endpoint : 🙂 🙂
Time 12.00 PM…
Saner: I have started scanning with new intelligence.
Endpoint: Yeah!!
After 10 minutes…
Saner: I have remediated 25 vulnerable applications and more than 1000 misconfigurations.
Endpoint: Thank you. Since you are here to secure me, my organization can concentrate on other important tasks.
Endpoint: Actually, what all can you do?
Saner: To know more about me, contact me at [email protected] for a demonstration.
– Arvindh Varadarajan (aravindhv{[at]}secpod.com), works as Software Developer at SecPod Technologies