Review: Promisec goes the extra step to secure PCs

Endpoint Manager 4.12 goes beyond discovery and detection to automate corrective action

At a Glance
  • Promisec Endpoint Manager 4.12

In the past year we've seen an influx of endpoint detection and response (EDR) tools that promise to bring order, through greater visibility, to the wild west of endpoints within a large organization. The scenario is all too common: IT security usually doesn't know all of the hardware and software assets that need to be protected, yet has to protect them. Even as we struggle to put security controls in place for prevention, we know that many of these endpoints are already compromised by active threats that need to be detected, assessed, quarantined, and remediated.

EDR tools are built for detection and response (hence the category name), and most leave it at that. Promisec adds sophisticated remediation to Promisec Endpoint Manager (PEM), which is precisely why I was interested in getting a close look at the product. Like other EDR products, PEM can scan endpoints on a schedule to detect anomalies or abnormalities and verify that security controls -- such as required applications, patches, settings, and so on -- are in place. Unlike other products in the category, PEM can also launch scripts on the endpoints to take corrective action.

My focus in this review was on finding abnormalities on endpoints indicative of malware, in which case PEM can push the suspect binaries to sandboxes (Blue Coat, Palo Alto Networks, FireEye) for analysis, correlate with SEIM tools for reporting, issue alerts, and orchestrate remediation. PEM is also useful for incident response, where it can help you build a complete understanding of the full scope of the infection and revert endpoints back to their original uninfected state.

PEM architecture

Promisec Endpoint Manager consists of the Promisec Endpoint Management Server, which manages communications; the Promisec Endpoint Management Analyzer, which analyzes incoming scans, comparing the objects found on endpoints to the database; a Microsoft SQL Server database, which stores object definitions and scan results (such as the objects discovered on endpoints); and the Promisec Endpoint Management Control Center, which is the administrative console through which you define the configuration policies for your endpoints and the actions to take when those policies are violated.

PEM Sentry is software that gets deployed through PEM Control Center to scan endpoints on a network segment. The Sentry software runs as a Windows service and does not require a dedicated machine. The Sentry interrogates endpoint operating systems (supporting Windows, MacOS, and Linux) using presupplied credentials, formats and encrypts the information it discovers, and forwards it to PEM Analyzer to be compared against policy and placed in the database.   

To continue reading this article register now

How to choose a low-code development platform