“So… What does ANAMO CDM do?”
1st, let’s break down CDM:
- Continuous: always on, always comparing, always reporting and always updating
- Diagnostics: learn what’s changed, added, deleted, modified, etc. & guard forensics
- & Mitigation: launch investigations and locally update software w/ live validation…
Software Package Vulnerabilities
Anamo is an integrated vulnerability detection and management platform. As software names, versions, and vendor revisions are sent by client servers, Anamo checks each instance against the national vulnerability database and other trusted data sources. That yields rapid visibility into the state of your software vulnerabilities across your entire enterprise.
Servers may be grouped by department or by tag. For many (if not most) businesses, looking up all vulnerabilities for a particular unit can take dozens of hours. With Anamo, this knowledge is gleaned in seconds.
Anamo shows you all vulnerabilities on your server found in the National Vulnerability Database. This includes displaying the associated CVE number, exploitability risk, attack vector, and determined severity of the risk.
Anamo provides technical details for every vulnerable package found on any of your servers, ranked by its severity score so you know what to prioritize for remediation. In addition, Anamo displays the exploitability likelihood, a measure of how simple or complex a known vulnerability is to actually use against a server manifesting that vulnerability.
You can also look back at your server at various points in time to see how many vulnerabilities existed then to see your progress towards securing your enterprise environment.
Anamo’s trend analysis makes quantifying risk over time easy.
Anamo also lets you drill down into an individual package to see all associated risks, as one version of software can of course have multiple vulnerabilities. Package data (especially lower-level dependencies) are described so you know what you’re dealing with. This is all part of Anamo’s mission to bring useful data to the surface and collect it in one place so that you can make informed information security decisions.
A particularly unique feature of Anamo is knowing why a vulnerability was fixed. With Anamo’s vulnerability timeline, you can see what specific version of software (typically a more up-to-date one) actually ended up remediating a vulnerability. This also helps quantify trends and how effective the response was, because it shows how long a vulnerability existed before it was remediated by another version.
Software Packages: Version History
Anamo tracks when new software packages are added, when the version of an existing software package changes (whether the version is upgraded or downgraded), and when software packages are removed.
Anamo is all about getting the right data to the surface quickly. Its software version history capabilities let you pick a package on a server and review its entire version history. This can show if any versions were vulnerable at any point in time.
Currently supported packages include: rpm, pip, deb, and Ruby gem. Windows support, including OS and individual software packages, is coming later in 2018.
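The two ideas above (diffing a server's package inventory between two reports, and checking each installed version against a vulnerability feed so you can see which version change actually remediated a finding) can be shown with a short script. This is an added example, not Anamo's code: the two inventories and the `VULN_FEED` entries (including the `CVE-XXXX-…` ids and the fixed-in versions) are constructed placeholders standing in for an agent report and an NVD lookup, and `parse_version` is a deliberately simple comparator.

```python
import re

# Constructed package inventories as a CDM agent might report them (name -> version).
# Both snapshots are made up for this example.
SNAPSHOT_BEFORE = {"openssl": "1.1.1a", "bash": "5.0", "curl": "7.60.0", "sudo": "1.8.20"}
SNAPSHOT_AFTER = {"openssl": "1.1.1k", "bash": "4.4", "curl": "7.60.0", "python3": "3.8.2"}

# Constructed stand-in for a vulnerability feed. A real lookup would query the NVD for
# the CVE id, CVSS score and attack vector; these ids and version ranges are placeholders.
VULN_FEED = [
    {"id": "CVE-XXXX-0001", "package": "openssl", "fixed_in": "1.1.1d", "severity": 7.5, "vector": "NETWORK"},
    {"id": "CVE-XXXX-0002", "package": "bash", "fixed_in": "5.0", "severity": 9.8, "vector": "NETWORK"},
    {"id": "CVE-XXXX-0003", "package": "sudo", "fixed_in": "1.8.31", "severity": 7.8, "vector": "LOCAL"},
]


def parse_version(version):
    """Split a dotted version into comparable (number, suffix) parts, e.g. "1.1.1a" ->
    ((1,''),(1,''),(1,'a')). Good enough for upstream-style versions; rpm and deb
    versions carry epoch and release fields that need the distribution's own comparator."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        match = re.match(r"(\d*)(.*)", piece)
        number, suffix = match.group(1), match.group(2)
        parts.append((int(number) if number else 0, suffix))
    return tuple(parts)


def diff_inventory(before, after):
    """Classify every package as added, removed, upgraded or downgraded between two snapshots."""
    events = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            events.append((name, "added", None, new))
        elif new is None:
            events.append((name, "removed", old, None))
        elif parse_version(new) > parse_version(old):
            events.append((name, "upgraded", old, new))
        elif parse_version(new) < parse_version(old):
            events.append((name, "downgraded", old, new))
    return events


def find_vulnerabilities(inventory, feed=VULN_FEED):
    """Return feed entries whose package is installed below the fixed version, highest severity first."""
    hits = []
    for entry in feed:
        installed = inventory.get(entry["package"])
        if installed is not None and parse_version(installed) < parse_version(entry["fixed_in"]):
            hits.append(dict(entry, installed=installed))
    return sorted(hits, key=lambda hit: hit["severity"], reverse=True)


def remediation_report(before, after, feed=VULN_FEED):
    """Explain which version change fixed, or introduced, each vulnerability between two snapshots."""
    old_hits = {hit["id"]: hit for hit in find_vulnerabilities(before, feed)}
    new_hits = {hit["id"]: hit for hit in find_vulnerabilities(after, feed)}
    fixed, introduced = [], []
    for cve, hit in old_hits.items():
        if cve not in new_hits:
            fixed.append(f"{cve}: {hit['package']} {hit['installed']} -> {after.get(hit['package'], 'removed')}")
    for cve, hit in new_hits.items():
        if cve not in old_hits:
            introduced.append(f"{cve}: {hit['package']} {before.get(hit['package'], 'absent')} -> {hit['installed']}")
    return {"fixed": fixed, "introduced": introduced}


if __name__ == "__main__":
    for event in diff_inventory(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(event)
    for hit in find_vulnerabilities(SNAPSHOT_AFTER):
        print(hit["id"], hit["package"], hit["installed"], hit["severity"], hit["vector"])
    print(remediation_report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

The constructed data deliberately includes a downgrade (`bash` 5.0 to 4.4), which is why the report shows a vulnerability being introduced as well as two being fixed; a version history that only looks for upgrades misses exactly that case.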
Ports are like openings on a server that allow data to flow in and out. From an information security perspective, knowing what ports should be open is kind of like knowing who has keys to your house: if that changes, you would certainly want to know.
Anamo’s Port Events functionality tracks when new ports open, existing ports close, and when ports are updated.
Anamo also shows port definitions, even the weird ones. Often, IT administrators have to look up what a port does or what program it is associated with. Anamo saves time by showing you what services or functions are associated with a particular port.
Open, Closed, and Updated Ports
Open ports could be caused by a malicious actor opening a port to exfiltrate data from your system or by a program running locally that opens a port as part of its functionality. Whether or not the intent is malicious, knowing when ports open is crucial. An open port can let systems outside your server or network talk to your server, or let your server communicate with the outside world.
Closed ports may similarly indicate a security risk. The team at US ProTech has seen ports close when a malicious actor seeks to block information from reaching security monitoring tools. Similarly, a closed port can cause services that depend on those ports to cease functioning normally.
Changed port rules can be innocuous or indicative of a malicious move. For example, suppose a firewall rule is configured to only allow port 3306 to talk to an IP address of 127.0.0.1. If that rule is updated such that port 3306 is now allowed to communicate with both 10.20.30.40 and 127.0.0.1, that change event could indicate an overly-permissive set of rules that an attacker could take advantage of.
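The three port events described in this section (a listener opening, a listener closing, and a rule being updated so that a port previously reachable only from 127.0.0.1 is now reachable from another address) can be detected by comparing two snapshots. This is an added example rather than Anamo's own code: the listener sets, rule tables, `SERVICE_NAMES` lookup and the program names in them are constructed for illustration, and the 3306 rule change mirrors the one described above.

```python
# Listening sockets as a CDM agent might report them: (protocol, port, owning program).
# Both snapshots are constructed for this example.
LISTENERS_BEFORE = {("tcp", 22, "sshd"), ("tcp", 3306, "mysqld"), ("tcp", 8080, "java")}
LISTENERS_AFTER = {("tcp", 22, "sshd"), ("tcp", 3306, "mysqld"), ("tcp", 4444, "unexpected-bin")}

# Firewall rules reduced to port -> set of source addresses allowed to reach it (constructed).
RULES_BEFORE = {22: {"10.0.0.0/8"}, 3306: {"127.0.0.1"}}
RULES_AFTER = {22: {"10.0.0.0/8"}, 3306: {"127.0.0.1", "10.20.30.40"}}

# Tiny service directory; a real tool would read /etc/services or a curated list.
SERVICE_NAMES = {22: "ssh", 3306: "mysql", 8080: "http-alt"}
LOOPBACK = {"127.0.0.1", "::1"}


def describe_port(port):
    """Name the service conventionally behind a port, or say it is unknown."""
    return SERVICE_NAMES.get(port, "unknown: check the owning program")


def port_events(before, after):
    """Report listeners that appeared (opened) or disappeared (closed) between snapshots."""
    events = []
    for proto, port, program in sorted(after - before):
        events.append({"event": "opened", "proto": proto, "port": port,
                       "program": program, "service": describe_port(port)})
    for proto, port, program in sorted(before - after):
        events.append({"event": "closed", "proto": proto, "port": port,
                       "program": program, "service": describe_port(port)})
    return events


def rule_events(before, after):
    """Report updated rules; flag any that widen a loopback-only port to remote sources."""
    events = []
    for port in sorted(set(before) | set(after)):
        old, new = before.get(port, set()), after.get(port, set())
        if old == new:
            continue
        was_local_only = bool(old) and old <= LOOPBACK
        now_remote = bool(new - LOOPBACK)
        events.append({"event": "updated", "port": port, "service": describe_port(port),
                       "added_sources": sorted(new - old), "removed_sources": sorted(old - new),
                       "review": was_local_only and now_remote})
    return events


if __name__ == "__main__":
    for event in port_events(LISTENERS_BEFORE, LISTENERS_AFTER) + rule_events(RULES_BEFORE, RULES_AFTER):
        print(event)
```

Reporting the owning program alongside the port is what turns "port 4444 opened" into something an administrator can act on; the `review` flag on rule updates singles out the loopback-to-remote widening case so it is not lost among routine rule edits.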
Automated Record Keeping
One of the most frustrating challenges when it comes to cybersecurity is keeping track of subtle changes. Server filesystems possess thousands of files, directories, and other resources. Keeping track of when changes to them occur is both overwhelming and incredibly important.
What if, though, software that ran 24/7 did it for you, keeping an eye on the entire state of your filesystem at different dates and times? That would allow you to know what users and groups owned which resources and what permissions were set.
Anamo is an incredible search engine and alerting tool for keeping track of the vast tree of a Linux or Windows (later in 2018) server system.
Global Permissions Search
Octal permissions define what users, groups, and others can do in terms of reading, writing, and executing resources on your servers. Figuring out where excessively liberal permissions exist across all of your servers is, for many companies, a serious undertaking.
Anamo, however, is wicked fast. It can search and compare what octal permissions currently exist and how they were set in the past. If you’d like to find where permissions of 777 exist across your systems, simply enter it and go. Anamo pulls the latest transaction date and time, searches against that, and presents the file name, type, and path for you to easily find and fix it.
Before and After
Anamo tracks when permissions change in two ways: when ownership changes or when octal permissions change. Both are incredibly important security metrics.
When a new owner, whether a user or group, gets associated with a particular file or directory, that could be evidence of a slip-up by an IT staff member or a malicious attempt to escalate privileges.
Anamo also tracks octal permissions for files and directories. When certain users or groups are given more or less access to files or directories, this can certainly be indicative of anomalous activity.
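The global permissions search (find every path set to 777) and the before/after comparison of ownership and octal permissions both rest on the same building block: a snapshot of the filesystem tree recording owner, group and mode per path. The following added example (not Anamo's code) walks a throwaway directory created with `tempfile`, searches one snapshot for a requested mode, and diffs two snapshots. The tree, file names and modes are constructed, and because changing ownership requires root, the ownership change is simulated by editing the recorded uid in the "after" snapshot.

```python
import os
import stat
import tempfile


def snapshot(root):
    """Record owner uid, group gid and octal mode for every directory and file under root,
    keyed by path relative to root (the root itself is recorded as ".")."""
    records = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            records[os.path.relpath(path, root)] = {
                "type": "dir" if stat.S_ISDIR(st.st_mode) else "file",
                "uid": st.st_uid, "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode),
            }
    return records


def search_mode(snap, octal_mode):
    """Global permissions search: every path whose mode equals the requested octal value."""
    return sorted(path for path, rec in snap.items() if rec["mode"] == octal_mode)


def world_writable(snap):
    """Broader check than an exact 777 match: anything that others may write to."""
    return sorted(path for path, rec in snap.items() if rec["mode"] & stat.S_IWOTH)


def diff_snapshots(before, after):
    """Before/after comparison: added and removed paths, ownership changes, mode changes."""
    events = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old is None:
            events.append((path, "added", None, f"{new['mode']:04o}"))
        elif new is None:
            events.append((path, "removed", f"{old['mode']:04o}", None))
        else:
            if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
                events.append((path, "owner", f"{old['uid']}:{old['gid']}", f"{new['uid']}:{new['gid']}"))
            if old["mode"] != new["mode"]:
                events.append((path, "mode", f"{old['mode']:04o}", f"{new['mode']:04o}"))
    return events


def demo():
    """Build a throwaway tree, loosen one file to 777, drop one file, and run search + diff."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        os.chmod(app, 0o750)  # explicit mode so the result does not depend on the umask
        for rel, mode in (("app/config.ini", 0o640), ("app/run.sh", 0o750), ("app/old.log", 0o644)):
            full = os.path.join(root, rel)
            open(full, "w").close()
            os.chmod(full, mode)
        before = snapshot(root)
        os.chmod(os.path.join(root, "app/config.ini"), 0o777)  # the slip-up to catch
        os.remove(os.path.join(root, "app/old.log"))
        after = snapshot(root)
        # A real chown needs root, so simulate the ownership change in the recorded state.
        after["app/run.sh"]["uid"] = before["app/run.sh"]["uid"] + 1
        return {"hits_777": search_mode(after, 0o777),
                "world_writable": world_writable(after),
                "events": diff_snapshots(before, after)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keeping each snapshot keyed by path and timestamped is what makes the "time machine" view possible: any two snapshots, not just consecutive ones, can be handed to `diff_snapshots`.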
Searchable Filesystem Tree
One of Anamo’s unique features is that it acts like a forensics time machine for your filesystem. Simply pick a transaction date and time and Anamo quickly loads key security information about your filesystem at that point, including file and directory ownership, resource names, and permissions. Coming in March 2018 will be the last modified time of the file or directory and its size.
Users and Groups
Anamo keeps an investigative eye on your server’s permissions per user and group, what users and groups exist, and their relationships to one another. In terms of securing your data, these categories are intimately connected because users and groups have permissions to perform certain functions. These are among the most overlooked aspects of information security because these specific changes are rarely noticed by most IT staff or other security applications.
Anamo keeps track of user and group data on all Linux servers; Windows servers are being added with our next update. In our team’s collective security experience, any modification to a user, group, or group membership is significant. It could be an errant, negligent employee making a mistake, a vengeful employee or contractor looking to cause insider harm, or evidence of an external, malicious attacker seeking to elevate their privileges.
Anamo also acts as a time capsule into the existence of past users, groups, and group memberships, providing deep forensic capabilities. Anamo’s ability to track user and group activities provides invaluable data for investigations. For example, if you needed to prove that a departing employee went on a vengeance streak, this data would be essential.
Anamo can provide strong evidence to rebut claims of negligence or individuals who might pursue monetary damages (this feature of Anamo was inspired by a contract to help a law firm prove such a suspicion after an internal investigation). In the event of a breach, Anamo also provides the ability to see the attack vector; for example, a privilege escalation that allowed an unauthorized user to join a group that had the permissions he or she desired.
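The user and group tracking described above comes down to diffing the account database between two points in time and flagging the changes that matter most: a new account, a membership added to a privileged group, or an account that acquired uid 0. This added example (not Anamo's code) does that for Linux by parsing `/etc/passwd`- and `/etc/group`-format text; the account names, ids and group memberships are constructed, and the `PRIVILEGED_GROUPS` list is an assumption you would adjust for your own environment.

```python
# Constructed /etc/passwd and /etc/group contents for two points in time. Names and ids are made up.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
PASSWD_AFTER = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:1002:Backup service:/var/backup:/bin/sh
"""
GROUP_BEFORE = """root:x:0:
sudo:x:27:alice
developers:x:1003:alice,bob
"""
GROUP_AFTER = """root:x:0:
sudo:x:27:alice,svc-backup
developers:x:1003:alice
"""

# Assumed set of groups whose membership grants elevated access; tune per environment.
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm", "docker"}


def parse_passwd(text):
    """name -> {uid, gid, shell} from passwd-format lines (blank and comment lines ignored)."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """name -> {gid, members} from group-format lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": set(filter(None, members.split(",")))}
    return groups


def user_events(before, after):
    """Added/removed users and uid changes; a non-root account with uid 0 is flagged for review."""
    events = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            events.append({"event": "user_added", "user": name, "uid": new["uid"],
                           "review": new["uid"] == 0 and name != "root"})
        elif new is None:
            events.append({"event": "user_removed", "user": name, "uid": old["uid"], "review": False})
        elif old["uid"] != new["uid"]:
            events.append({"event": "uid_changed", "user": name, "from": old["uid"],
                           "to": new["uid"], "review": new["uid"] == 0})
    return events


def group_events(before, after):
    """Membership joins and leaves per group; joins to privileged groups are flagged for review."""
    events = []
    for name in sorted(set(before) | set(after)):
        old = before.get(name, {"members": set()})["members"]
        new = after.get(name, {"members": set()})["members"]
        for member in sorted(new - old):
            events.append({"event": "joined", "group": name, "user": member,
                           "review": name in PRIVILEGED_GROUPS})
        for member in sorted(old - new):
            events.append({"event": "left", "group": name, "user": member, "review": False})
    return events


def audit(passwd_before, passwd_after, group_before, group_after):
    """Run both comparisons and return only the items an investigator should look at first."""
    events = user_events(parse_passwd(passwd_before), parse_passwd(passwd_after))
    events += group_events(parse_group(group_before), parse_group(group_after))
    return [event for event in events if event["review"]]


if __name__ == "__main__":
    for event in audit(PASSWD_BEFORE, PASSWD_AFTER, GROUP_BEFORE, GROUP_AFTER):
        print(event)
```

In the constructed data, `bob` leaving `developers` and being removed is ordinary offboarding and is recorded but not flagged, whereas the new `svc-backup` account carries uid 0 and is simultaneously added to `sudo`; those two events are exactly the privilege-escalation trail the text describes, and they are the only ones `audit` returns.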
Organize Your Server Data Around Your IT Practices
Anamo allows you to categorize servers into a department. This helps limit visibility from members of your organization who do not need to see what’s happening in other groups while giving CISO, legal, and risk/compliance/governance professionals the information insights they need to provide proper oversight.