This article can also be found in the Premium Editorial Download "Information Security magazine: Security Readers' Choice Awards 2008."
Price: Starts at $20,000 for 500 clients
Endpoint security is today's hot-button information security issue, and the marketplace is flooded with solutions ranging from costly appliances to distributed software agents. Promisec's Spectator offers a reasonable compromise: a flexible, centrally managed tool that doesn't require installing agents on client systems. Instead, it uses a combination of remote registry access and remote procedure calls to collect data from, and perform administrative actions on, endpoints. Agentless does not mean credential-less, however: the Spectator server needs administrative rights on each endpoint, and each endpoint must accept those remote connections.
Spectator allows you to inspect host systems for an impressive variety of items. You can inspect hardware, checking, for example, whether the system has a modem, multiple NICs, removable media, or synchronization software that indicates a portable device. Spectator also checks compliance with your organization's security policies by verifying the presence of antivirus software from 18 manufacturers and of the most recent Microsoft service pack for the relevant operating system.
Spectator's real strength lies in Promisec's monthly updates to its signature database of peer-to-peer, instant messaging and remote control applications. At the time of our review, Spectator could detect 342 P2P file-sharing applications, 455 instant messaging applications and 146 remote control packages. The Spectator management interface allows you to scroll through the listings of applications and specify those whose presence or absence you would like Spectator to alert on. You may specify alerts based on the application (AIM, PC Anywhere, etc.) or the category (e.g., P2P, remote control). For example, we instructed Spectator to alert on the presence of any P2P application and on the absence of antivirus software.
In addition to the built-in policy items, Spectator allows you to create user-defined policies based on specific Microsoft hotfixes, applications, registry entries, file names/types, and processes/services running on the endpoint. You specify a user-defined hotfix policy by providing the Microsoft hotfix ID; user-defined policies for applications, processes and services require the relevant object's name. For registry checks, you provide the name of a registry key and the value or data element of that key to inspect. You may also provide a replacement value and have Spectator set registry entries on managed clients.
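The checks described above can be reproduced with the same plumbing an agentless scanner relies on: the Remote Registry service over SMB for registry reads and writes, and RPC/WMI for hotfix, service and process enumeration. The script below is an added illustration, not Promisec's code. It assumes the account running it is a local administrator on the target, that Remote Registry is running there, and that TCP 445 and 135 are reachable. The policy table is made up for the example (KB958644, the MS08-067 fix, is used only as a recognisable hotfix ID; the process, service and firewall-policy entries are placeholders).

```powershell
# Added example (illustrative, not Promisec's code): agentless policy checks
# against one Windows host, plus an optional registry "replacement value" fix.
# Assumes a local-admin credential, Remote Registry running on the target and
# TCP 445/135 reachable. Policy items below are placeholders for illustration.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [switch]$Remediate   # rewrite registry values that differ from policy
)

function Test-RemoteHotfix {
    param([string]$Computer, [string]$KB)
    # Get-HotFix queries Win32_QuickFixEngineering on the remote host over DCOM/RPC.
    $hf = Get-HotFix -ComputerName $Computer -ErrorAction SilentlyContinue |
          Where-Object { $_.HotFixID -eq $KB }
    return ($null -ne $hf)
}

function Test-RemoteService {
    param([string]$Computer, [string]$Name)
    # "Present" means installed AND running: an installed-but-stopped antivirus
    # service is the case an endpoint compliance tool has to catch.
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $Computer -Filter "Name='$Name'"
    return ($null -ne $svc -and $svc.State -eq 'Running')
}

function Test-RemoteProcess {
    param([string]$Computer, [string]$Image)
    $p = Get-WmiObject -Class Win32_Process -ComputerName $Computer -Filter "Name='$Image'"
    return ($null -ne $p)
}

function Get-RemoteRegistryValue {
    param([string]$Computer, [string]$SubKey, [string]$Value)
    # OpenRemoteBaseKey talks to the Remote Registry service (winreg pipe over SMB).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hklm.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($Value) } finally { $key.Close() }
    } finally { $hklm.Close() }
}

function Set-RemoteRegistryValue {
    param([string]$Computer, [string]$SubKey, [string]$Value, [int]$Data)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $key = $hklm.OpenSubKey($SubKey, $true)   # writable handle
        if ($null -eq $key) { throw "HKLM\$SubKey not found on $Computer" }
        try { $key.SetValue($Value, $Data, [Microsoft.Win32.RegistryValueKind]::DWord) }
        finally { $key.Close() }
    } finally { $hklm.Close() }
}

# Policy table (placeholders). ExpectPresent = $false turns an item into an
# "alert on presence" rule, the way P2P clients are handled in the review.
$policy = @(
    @{ Type = 'Hotfix';   Name = 'KB958644';       ExpectPresent = $true  },
    @{ Type = 'Service';  Name = 'wuauserv';       ExpectPresent = $true  },
    @{ Type = 'Process';  Name = 'utorrent.exe';   ExpectPresent = $false },
    @{ Type = 'Registry'; Name = 'EnableFirewall'; ExpectPresent = $true; Expected = 1;
       Key  = 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile' }
)

foreach ($item in $policy) {
    $found = switch ($item.Type) {
        'Hotfix'   { Test-RemoteHotfix  -Computer $ComputerName -KB   $item.Name }
        'Service'  { Test-RemoteService -Computer $ComputerName -Name $item.Name }
        'Process'  { Test-RemoteProcess -Computer $ComputerName -Image $item.Name }
        'Registry' {
            $actual = Get-RemoteRegistryValue -Computer $ComputerName -SubKey $item.Key -Value $item.Name
            if (($actual -ne $item.Expected) -and $Remediate) {
                Set-RemoteRegistryValue -Computer $ComputerName -SubKey $item.Key -Value $item.Name -Data $item.Expected
                $actual = $item.Expected
            }
            $actual -eq $item.Expected
        }
    }
    [pscustomobject]@{
        Host      = $ComputerName
        Check     = "$($item.Type):$($item.Name)"
        Found     = [bool]$found
        Compliant = ([bool]$found -eq [bool]$item.ExpectPresent)
    }
}
```

Every one of these channels (remote registry, WMI over DCOM, the admin shares behind SMB) is also what an attacker holding a local-admin credential uses for lateral movement, so the account an agentless scanner runs under is a high-value target: give it its own dedicated identity, restrict where it can log on from, and treat the scanner host as a tier-0 asset.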
We ran into a few glitches configuring our first client in the management interface. Specifically, we had to reconfigure the security settings on the client operating system to allow inbound file sharing access and remote registry access from the Promisec server. We ironed out those issues with assistance from Promisec's technical support group, and the addition of subsequent workstations went smoothly.
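The client-side prerequisites that tripped up our first host are the usual ones for any agentless scanner: the Remote Registry service must be running, and the firewall must admit SMB and RPC from the management server. The script below is an added example of applying them narrowly, scoped to the scanner's address rather than opened to the whole subnet; it is not Promisec's documented procedure. 10.0.0.5 is a placeholder scanner address, and the netsh advfirewall context is Windows Vista/Server 2008 and later (the XP hosts in this review would need the older netsh firewall context).

```powershell
# Added example (not from Promisec's documentation): enable what an agentless
# scanner needs on a managed endpoint, restricted to the scanner's IP.
# 10.0.0.5 is a placeholder. Requires an elevated PowerShell session on Vista+.
$Scanner = '10.0.0.5'

# 1. Remote Registry is stopped on workstations by default; remote HKLM reads
#    and writes fail without it.
Set-Service  -Name RemoteRegistry -StartupType Automatic
Start-Service -Name RemoteRegistry

# 2. SMB (TCP 445) carries the winreg named pipe, admin shares and share
#    enumeration. Allow it from the scanner only.
netsh advfirewall firewall add rule name="Endpoint scanner: SMB" dir=in action=allow `
    protocol=TCP localport=445 remoteip=$Scanner

# 3. RPC endpoint mapper (TCP 135) plus the WMI service for DCOM/WMI queries
#    (hotfix, process and service enumeration). The WMI rule is program- and
#    service-scoped so the dynamic RPC port range is not opened wholesale.
netsh advfirewall firewall add rule name="Endpoint scanner: RPC endpoint mapper" dir=in action=allow `
    protocol=TCP localport=135 remoteip=$Scanner
netsh advfirewall firewall add rule name="Endpoint scanner: WMI" dir=in action=allow `
    program="%SystemRoot%\system32\svchost.exe" service=winmgmt protocol=TCP remoteip=$Scanner

# 4. Confirm each rule lists only the scanner as its remote address.
netsh advfirewall firewall show rule name=all |
    Select-String -Pattern 'Endpoint scanner' -Context 0, 12
```

The point of the remoteip scoping is that "allow inbound file sharing and remote registry" applied without a source restriction makes every workstation reachable over SMB and RPC from any other host, which is exactly the surface worms and credential-reuse attacks of that era relied on.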
Spectator offers a number of options for selecting the hosts you wish to scan. In addition to specifying individual hosts by name or IP address, you may import a list of hosts from a text file, specify a network range or select Active Directory OUs. The AD integration, for both the endpoint enumeration and authentication, leverages your existing OU structure, eliminating the need to update your Spectator configuration when systems join or leave the network.
If you work with OUs, you may either perform a one-time import or a dynamic update that changes the hosts to scan based on current OU membership. Scans may be run on demand and/or on a schedule.
The Spectator console provides a dashboard-style view of scan results, including the name of the client, the last logged-on user and the details of policy violation(s). Administrators may remediate violations by right-clicking on the vulnerability to invoke the relevant Windows management interface. For example, during our testing, we were able to remotely close open file shares on managed endpoints.
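The share remediation described above, right-clicking a finding to invoke the Windows management interface and stopping the share, goes over the same WMI/RPC path as the scan. The script below is an added example of the same action done from the command line, not Promisec's code: it enumerates a remote host's non-administrative disk shares, reports any not on an approved list, and, only with -Remediate, closes them. It assumes a local-administrator credential and reachable RPC on the target; the approved share name is a placeholder.

```powershell
# Added example (illustrative, not Promisec's code): find and close unauthorized
# file shares on a remote host via Win32_Share. Assumes local-admin rights and
# reachable RPC/WMI; 'SoftwareDist' is a placeholder approved share name.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [string[]]$ApprovedShares = @('SoftwareDist'),
    [switch]$Remediate   # without this switch the script only reports
)

function Get-UnauthorizedShare {
    param([string]$Computer, [string[]]$Approved)
    # Win32_Share.Type: 0 = plain disk share. Administrative shares (C$, ADMIN$)
    # carry the 0x80000000 flag and IPC$ is type 3, so they are excluded and left
    # alone: removing them breaks the remote management this tool depends on.
    Get-WmiObject -Class Win32_Share -ComputerName $Computer |
        Where-Object { $_.Type -eq 0 -and ($Approved -notcontains $_.Name) } |
        Select-Object @{ n = 'Host'; e = { $Computer } }, Name, Path, Description
}

function Remove-RemoteShare {
    param([string]$Computer, [string]$Name)
    $share = Get-WmiObject -Class Win32_Share -ComputerName $Computer -Filter "Name='$Name'"
    if ($null -eq $share) { return $false }
    # Delete() is the operation behind "Stop Sharing" in Computer Management;
    # ReturnValue 0 means success.
    $rc = $share.Delete().ReturnValue
    return ($rc -eq 0)
}

$findings = Get-UnauthorizedShare -Computer $ComputerName -Approved $ApprovedShares
foreach ($f in $findings) {
    Write-Warning ("{0}: unauthorized share '{1}' exposes {2}" -f $f.Host, $f.Name, $f.Path)
    if ($Remediate) {
        $ok = Remove-RemoteShare -Computer $ComputerName -Name $f.Name
        $f | Add-Member -MemberType NoteProperty -Name Closed -Value $ok -PassThru
    } else {
        $f
    }
}
```

Run it once without -Remediate and review the list: a share that is not in the approved set may still be something the business depends on, and a script that stops it silently is as disruptive as the tool failing to remove a package.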
To evaluate Spectator, we intentionally created several policy violations on managed systems. We installed software that conflicted with our "alert on presence" policy, opened unauthorized file shares, and installed software that differed from the authorized baseline. Spectator successfully identified every policy violation.
When we tested its ability to perform remote remediation of policy violations, it successfully closed file shares on managed endpoints. However, Spectator didn't perform as well when we asked it to uninstall three software packages that weren't included in our established application baseline, failing to remove one of them, a VPN client. We subsequently removed the client manually.
Spectator offers several remediation options. You may force the automatic uninstallation of software, enable alert notifications, and start antivirus software that is installed but not running. Additionally, Spectator integrates with two third-party products. If you are running a Check Point Firewall-1, you may automatically block non-compliant systems either permanently or for a specified time period. Spectator can also provide monitoring reports to a Tivoli Monitoring Server.
Spectator can produce an HTML executive summary report that includes scan statistics, details on problematic hosts and policy objects, and summary graphs suitable for management reports, as well as a detailed report exported as a comma-delimited (CSV) file. You can filter report results and create differential reports to compare with previous findings.
You cannot, however, create customized reports within Spectator; any customization requires importing the CSV export into third-party software.
Overall, Spectator is a solid product for monitoring endpoint policy compliance. It's especially useful for organizations that do not wish to incur the overhead of installing, maintaining and running software agents on each endpoint.
Promisec says its latest version, announced in March but unavailable when this evaluation was conducted, offers enhanced reporting, UNIX platform support and audit-trail tracking for forensics and in-depth analysis.
Testing methodology: We tested Spectator in a Windows XP environment running under VMware Workstation.
This was first published in April 2008