SOLUTION
ITAM IT Asset Management
SCENARIO

There are blind spots in terminal security schemes that rely on installing agent software, and the number of devices without a complete installation is constantly growing in most enterprises:

• Many online enterprise devices are not updated regularly, so entry points for external intrusion easily arise. How can an enterprise ensure that its antivirus software and applications are operating correctly?

• Unknown external devices are used for data access, resulting in confidential data leakage and blackmail risks.

• How can enterprises and organizations ensure that their internal devices comply with governmental regulations, and keep the health of those devices under control?

SOLUTION

• UPAS ITAM offers asset management and security monitoring by automatically scanning endpoint devices, collecting software and system details, and integrating vulnerability databases for automated identification and patching of system vulnerabilities. 

• Convenient remote management includes remote desktop control, file distribution, and message push/group broadcasting functions for efficient device management by administrators.

• Enhanced trust assessment and access control evaluate trust scores based on device security and identity authentication, determining access permissions. It also offers device security inspection, trust score details, and access history to aid administrators in making access decisions.

FEATURES
Monitor installed software for compliance and copyright in real time
UPAS ITAM is able to check whether software is legally licensed on Windows, Mac and Linux OS. For Windows OS, further compliance information is provided, including the installation, version and update status of the antivirus software and virus signature. You can define an appropriate policy so that non-compliant devices are blocked or remediated.
Automatic software blocking policy
Windows OS can be prohibited from running specific applications (including portable software), and the non-compliant applications will be blocked to eliminate the risk.
User-defined USB access policy
It allows you to control access for USB devices, memory cards, mobile devices, USB network cards, and external CD drives, and to set read and write permissions to prevent connections from unauthorized, rogue and impersonating devices. This policy also embraces Zero Trust security by enforcing least-privilege access based on identification.
Identify the risk and threats, and remediate in time
UPAS ITAM provides continuous and real-time security information of endpoints, including the installation and update rate of device OS, antivirus software and virus signature. Any possible risk and damage can be avoided by imposing policy-based controls and rapid response to incidents.
Enhancing the device compliance ratio
Build a real-time inventory of every device’s configuration and compliance state. Non-compliant devices will be blocked and remediated upon connection. Enhancing the device compliance ratio up to 98% prevents threats from existing infrastructure.
Passively detect potential risk of unmanaged devices
UPAS ITAM is able to identify the application installation state of devices without an agent, which reduces the risk of business disruption, and to remediate the device through a redirect page for the installation files.
Quarantine inspection of all newly connected devices
To avoid the risks of new devices, when they access the network for the first time, their ability to connect to the network is immediately blocked, and security checks and repairs are carried out at the same time. Only after they have reached the required security specifications, will they be re-authorized.
Complete device maintenance and software installation remotely
When a device has maintenance requirements or a software version has loopholes that need to be updated, remote connection and software delivery can be carried out from the management page, and the security maintenance of multiple devices can be completed at one time.
Easily set device GPOs to maintain network security
The GPO principles currently used by the public sector are provided, and users can strengthen the specifications according to their needs to achieve higher security. Once set, they can be applied to the specified devices, and continuous inspection prevents unauthorized modification of the devices to maintain network security.
MODULES
Patch Management
Through the Agent deployed on terminal devices, it can periodically scan and capture the software list of devices accessing the intranet, their Windows operating system version number/KB, and their antivirus software information and virus signature versions. Based on the collected software list, it can also check the quantity of required software, blocked software and copyrighted software, check software versions, and report back to the WSUS Server, etc.
Device Management
Through the Agent deployed on terminal devices, it can identify and control external USB devices, such as USB storage devices, memory cards and mobile devices, and control the computer's USB permissions for connected devices, such as permission to access and modify the device, to avoid confidential data leakage. It can also establish a USB storage device allowlist to prevent unauthorized, unknown USB storage devices from transmitting and accessing data. In addition, it can detect and forbid device connections to wireless networks or Bluetooth, to prevent confidential data from being transmitted over a personal network that bypasses the corporate network.
Remote operation and maintenance
Through the Agent deployed on terminal devices, it collects the software and hardware models and specifications of devices, and performs remote operations management. It provides Remote Desktop management, file sending, and software deletion. It can perform silent installation of files using parameter directives. It also provides information push and group broadcasting functions to facilitate the administrator's management and maintenance of terminal devices. A user can also send a remote desktop request to the administrator, explain the problem through the Agent UI, and ask the administrator to handle it in a timely manner.
Trust Inference Management
The TIM module checks device information as a reference for device security evaluation. The security data collected, together with identity authentication and device authentication, serves as the evaluation standard for the trust scores used for resource access, and the decision-making controller determines the access result. The module includes functions for device security detection, trust score information, panel statistics and historical records.
GPO Repairing Detection
The GPO management module supports the latest TWGCB. With a highly complete asset inventory, it can detect GPO application on devices within the domain without requiring the highest WMI domain authority, execute automatic or manual patching for GPO non-compliant devices, automatically report the application results, and provide patching records. It also has a one-click status recovery function that can restore devices to their state before GPO application, in case devices do not work properly after GPO application.
Vulnerability Alert and Notification System
It integrates the NVD vulnerability database, automatically checks the computer software assets in the network environment for weaknesses, and provides a unified query of whether the enterprise's computer software assets have CVE vulnerabilities announced by NVD. CVE can be used to detect Microsoft and non-Microsoft vulnerabilities, the device KBID can be used to determine the number of devices that have installed software with CVE vulnerabilities, and vulnerabilities can be patched through software update check, software distribution, Agent UI, page redirection, etc. It also supports exporting the CPE list and one-click upload to the VANS system of the Institute of Cyber Security, which makes auditing easy.