SOLUTION
ITAM IT Asset Management
SCENARIO

The explosion of unmanaged and IoT devices continues to be a critical challenge for every organization. Can you identify laptops running an unpatched version of Windows? Can you keep devices compliant by constantly updating antivirus software and virus signatures? Real visibility means seeing not only the devices but also the vulnerable applications running on them. Further management methods are needed to enforce the security policies for installation and compliance on the network. By designing trust zones for external devices, you can mitigate the effects of information breaches and related incidents.

SOLUTION

UPAS ITAM can identify and monitor every device continuously with deep and detailed information. The system automates the identification and remediation of application installation with a real-time application list. By connecting to the NVD database, UPAS can ensure software compliance without security risks in your network. Building a trusted zone for external devices limits access to and from vulnerable devices, enforcing the security policy with a Zero Trust architecture. Remote maintenance can help you solve problems by installing software remotely. On the hardware side, devices such as USB storage devices can be placed on an allowlist for use.

FEATURES
Monitor the compliance and copyright of installed software in real time
UPAS ITAM is able to check legal software copyright for Windows, Mac and Linux OS. Further compliance information, including the installation, version and update status of antivirus software and virus signatures, is provided for Windows OS. You can define appropriate policies for non-compliant devices to be blocked or remediated.
Automatic software blocking policy
Windows OS can be prohibited from running specific applications (including portable software), and the non-compliant applications will be blocked to eliminate the risk.
User-defined USB access policy
It allows you to control access for USB devices, memory cards, mobile devices, USB network cards, and external CD drives, and to set read and write permissions to prevent connections from unauthorized, rogue and impersonating devices. This policy also embraces Zero Trust security by enforcing least-privilege access based on identification.
Identify the risk and threats, and remediate in time
UPAS ITAM provides continuous, real-time security information about endpoints, including the installation and update rates of the device OS, antivirus software and virus signatures. Any possible risk and damage can be avoided by imposing policy-based controls and responding rapidly to incidents.
Enhancing the device compliance ratio
Build a real-time inventory of every device’s configuration and compliance state. Non-compliant devices will be blocked and remediated upon connection. Enhancing the device compliance ratio up to 98% prevents threats from existing infrastructure.
Passively detect potential risk of unmanaged devices
UPAS ITAM is able to identify a device’s application installation state without an agent, reducing the risk of business disruption, and to remediate the device through a redirect page that provides the installation files.
Quarantine inspection of all newly connected devices
To avoid the risks posed by new devices, their ability to connect is blocked immediately when they access the network for the first time, and security checks and repairs are carried out at the same time. Only after they have reached the required security specifications will they be re-authorized.
Complete device maintenance and software installation remotely
When a device has maintenance requirements or a software version has vulnerabilities that need to be patched by an update, remote connection and software delivery can be carried out from the management page, and the security maintenance of multiple devices can be completed at one time.
Easily set device GPOs to maintain network security
The GPO principles currently used by the public sector are provided, and users can strengthen the specifications according to their needs to achieve higher security. Once set, they can be applied to specified devices, and continuous inspection prevents unauthorized modification of the devices to maintain network security.
MODULES
ARPScanner
The UPAS NOC main module uses patented ARP packet analysis technology, which can perform data collection, device identification and high-strength access control without installing an agent. The key functions are IP/MAC management, asset inventory, device access management (NAC, Network Access Control), and network blocking. Multiple bindings between IP / MAC / DHCP segment / computer name / hardware fingerprint (UUID) can be applied to all connected devices to achieve IP protection, IP reservation, IP invalidation, IP conflict prevention, and MAC impersonation prevention. With the built-in reports, managers can manage intranet IP resources and devices in real time.
Patch Management
By deploying an agent on the endpoint device, PM can periodically scan intranet-connected devices and obtain their software summary, Windows OS version/KB, antivirus software information and virus signature version. Using the collected software summary table, the following checks can also be performed: permitted software, prohibited software, software copyright quantity, and software version. If there is a non-compliance event (software that should be installed but is not, software that should not be installed but is, use of pirated software, or software that should be updated but has not been), the network connection can be blocked and a redirect page will appear to explain the reason. Non-compliant devices can be assigned different levels of authority so that the device keeps operating stably while still being guided through the repairs needed to comply with the security policy.
Device Management
By deploying an agent on endpoint devices, the DM module can identify and manage USB storage devices, memory cards, USB ports, USB network cards, and optical disk drives. It can set permissions for USB devices, such as whether they may be read from and written to, to prevent confidential data from leaking, and can set a USB device allowlist to prevent unauthorized USB devices from accessing and transmitting data. In terms of device network management, it can detect and prohibit devices from using wireless networks or Bluetooth, preventing the use of private networks to transmit sensitive data by bypassing corporate networks.
Vulnerability Alert and Notification System
The system integrates the NVD vulnerability database, automatically compares it against the computer software assets in the network environment, and provides a unified query of whether the enterprise's computer software assets have CVE vulnerabilities announced by NVD. From the perspective of each CVE, it inspects the software in the environment and the software vulnerabilities of Microsoft OS, lists the computers on which the affected software is installed, and fixes the vulnerabilities through software update, remote software installation, AgentUI, and page redirection.
Remote operation and maintenance
It can automatically detect the models and specifications of the various software and hardware installed in the endpoint device. The hardware information includes CPU, motherboard, memory, SSD, HDD, graphics card, and network card. With the remote desktop management function, connecting to a device is easy, which is convenient for administrators performing remote maintenance. Through the remote software installation and deletion function, files can be uploaded to a specified folder on the selected device; file types such as .exe, .msi, and .bat can be run automatically, and software can be deleted remotely. With the message delivery function, you can deliver messages to individual devices or groups.
GPO Repairing Detection
The application of GPO is important for intranet management. In a zero-trust network, every device must comply with the security policies to lower the possibility of being attacked. Given a highly complete asset inventory, the UGR module can perform GPO inspection on devices in the domain. With network blocking, UGR can force non-compliant devices to apply GPO. In addition, UGR provides GPO application details for each device to ensure security consistency in the intranet.