BeyondTrust
I honestly believe we have the best pre-sales, post sales, and technical support departments in the security industry. They are responsive, technical, and can customize BeyondTrust solutions to match individual business requirements, even when they are pretty comprehensive outside-of-the-box. Based on their work, we have an internal process and external knowledge base to document these configurations and make them available to any prospect or client that wants to do even more with the solution. Recently, we did a review of these installations and found that there are some very simple tips and tricks to using Retina CS (and Retina Insight) that can go along way for any business. I have documented the Top 5 below and want to give a big shout out to my teams for their excellent work and making these available to everyone. So, here it goes, the Top 5 Tips and Tricks for Retina CS: #1 – Creating a Smart Rule for Assets with No Operating System Identified This tip helps administrators document which assets are not being properly identified by their operating system during a Retina scan. This could be due to firewalls, anti-virus solutions, and IDS/IPS security solutions preventing (as they should) what the operating system is for a device. First, create a Smart Rule and specify the following regular expression: To show only assets with OS unidentified use "does not match" --> ^[a-zA-Z0-9] To show only assets with OS identified use "matches regular expression" --> ^[a-zA-Z0-9]

Asset Selection Criteria-img1

Then, as an action, specify a Smart Group or an email alert. When assets are identified with no matching operating system, the smart group will automatically populate or an email which will be sent to an administrator. #2 – Dynamically Change PowerBroker for Windows Policy Based on Asset Location (IP Address Range)

With the introduction of Retina CS 4.5 and PBW 6.0, PBW can receive policy from Active Directory Group Policy (GPO Based) or the Retina CS Threat Management Console. Policy from Retina CS is assigned via a Smart Rule / Smart Group. In order to have a PBW agent dynamically change policy based on location (IP Address), simply add the Address Group to the Asset Selection Criteria.

Asset Selection Criteria-img2

When the asset (in this case win8-wm) is located within the Address Group range "Cricklewood" it will receive the policy "Cricklewood Sample". Next the user needs to create a second duplicate Smart Rule with another IP range excluding "Cricklewood". This would be any address foreign to your internal network or trusted VLAN. When the PBW agent checks in (assuming routing Retina CS is made available publicly), it will then receive the alternate policy (not shown) that could potentially be more restrictive since the asset is not on a trusted network. This allows policy to change dynamically on a PBW agent based on location and when not connected via Active Directory (I.e. Non domain machines or even eDirectory). #3 – Assigning Assets to Retina CS Patch Management Retina CS has an automated engine via Smart Rules to change a client's WSUS settings to the system managed by Retina CS for Patch Management. Sometimes, this process will fail if the device is not online reliably or remote registry access is not permitted. In that case PowerBroker EPP (as an agent) can be used to assist with the change (if installed) or you can deploy the settings for Active Directory as a remote registry file. Below is a sample of this file: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdate] "ElevateNonAdmins"=dword:00000001 "WUServer"="http://192.168.1.204:80" "WUStatusServer"="http://192.168.1.204:80" [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU] "NoAUShutdownOption"=dword:00000001 "AutoInstallMinorUpdates"=dword:00000001 "NoAutoUpdate"=dword:00000000 "AUOptions"=dword:00000004 "ScheduledInstallDay"=dword:00000000 "ScheduledInstallTime"=dword:00000017 "AUPowerManagement"=dword:00000001 "IncludeRecommendedUpdates"=dword:00000001 "RebootRelaunchTimeoutEnabled"=dword:00000001 "RebootRelaunchTimeout"=dword:00000005 "DetectionFrequencyEnabled"=dword:00000001 "DetectionFrequency"=dword:00000001 "UseWUServer"=dword:00000001 Change the IP Address and Port in the top lines to your WSUS server (IP Address or Hostname) and modify any of the values in the second section based on Microsoft's Knowledge Base. This will allow you to configure assets for Retina CS integrated WSUS Patch Management even when they are restricted to automate configuration from the console itself. This works great in a lab too when you are testing out the solution for the first time! #4 – Advanced Vulnerability Reporting on Mobile Devices Retina CS has advanced Mobile connectors for Microsoft ActiveSync, BlackBerry, and Android Agents. These connectors allow you to inventory and report vulnerabilities on a wide variety of mobile devices and show the results as Assets within Retina CS.

Retina CS-img3

One of the coolest tips for the solution is that these Assets are stored just like every other Asset and can be used against every report in the system just like a Server or Workstation; including common regulatory reports like HIPAA and PCI. All an administrator needs to do is Run a Report on Existing Data against a mobile Smart Group and the results will appear just like any other Asset in the System. Below is a snippet from a HIPAA report against these Android devices:

Admin-Safeguards-img4

#5 – Retina Insight Pivot Grid

If you have seen a pre-sales demonstration of our technology, you have probably seen the Retina Insight Pivot Grid. This component of the technology allows users to build customized reports when none of the over 260+ canned reports meet their needs. Administrators can open the Pivot Grid and drag and drop Measures and Metrics for almost all of the data collected by Retina CS to create custom reports. Below is a sample of Assets and Vulnerabilities mapped to the presence of Zero-Day Vulnerabilities.

assets-vulnerabilities-zero-day-maps-img5

These report templates can be exported / imported such that they can be transported from a lab to production, and then saved and published just like any other Retina Insight report. It truly gives you the power to create custom reports well outside-of-the-box.

If you have found any other tips and tricks in your travels, please comment below. We would like to hear from you.

Morey J. Haber

CISO at BeyondTrust

Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In: