What: secRMM is short for “Security Removable Media Manager”. secRMM is Windows security software built specifically to address removable media security issues.
Why: secRMM addresses the shortcomings of monitoring and access control for write activity to removable media devices. Today, people can copy files to removable media without anyone knowing: 1. what they copied, 2. who copied, 3. how they copied, 4. when they copied and 5. from where they copied. The secRMM monitoring component allows you to answer these questions. This is important for all the privacy regulations that are prevalent in the business world (medical, financial, credit card, etc) today.
In addition to solving monitoring of removable media, secRMM lets security and IT administrators control access (for writing) to removable media. The secRMM access control module is very easy to use yet is extremely powerful. You can perform such tasks as: 1. locking down a computer so no removable media write activity can occur, 2. allow specific users only, 3. allow specific removable media serial numbers only, 4. allow specific programs only, 5. limit from where on the network or local drives a user can copy files from, 6. limit what file types (via file extensions) a user can copy.
With secRMM in your environment, security and IT administrators will be able to account for all files written to removable media. If a Wiki-leaks type of security incident does occur involving removable media, you will be able to track it to the exact user, file, date/time, computer, program and removable media device. Of course, secRMM is designed to help you prevent security incidents from occurring in the first place.
What makes secRMM different from the other removable media solutions?
- On-demand software – Unlike other solutions, secRMM is not always running. It automatically gets loaded by Windows when a removable media device is plugged into the computer. Most of the other solutions have an agent running all the time.
- Capture full path of source file(s) in the forensic data collected - secRMM is the only solution on the market today that can capture the full path of the source file being written to the removable media device. All of the other solutions on the market today do not capture this information, they ONLY list the name of the file as it resides on the removable media device. Squadra Technologies believes that the source file is one of the most important pieces of information that should be caputured when dealing with removable media.
- Capture detailed forensic data on the process/program being used to perform the write – secRMM performs special processing for Windows Explorer, CMD (DOS window) and scripts to collect additional details so that security and IT administrators can completely understand what the end user did to perform the file write to the removable media device.
- No framework required – secRMM installs to workstations and servers without the need for a separate server, database, web server or console. secRMM requires only the features of the base Windows Operating System. The secRMM monitoring data is written to the Windows Security event log. secRMM also writes the event data to its own event log named secRMM. Therefore, secRMM double logs the event data to both the Security and the secRMM event log. Security and IT administrators configure secRMM via the Microsoft MMC Computer Management program.
- Works with all hardware and software encryption solutions – secRMM does not interfere with encryption solutions you may already have in place in your environment. An example of a software encryption solution is Microsoft BitLocker. There are many encryption usb drives on the market today.
- Easy integration into systems/enterprise management products and SIEM products – Most IT environments have a framework/program that monitors the health and state of the IT environment. Some of the most popular frameworks/programs are Microsoft Operations Manager, IBM Tivoli/Director, HP OpenView, CA UniCenter, etc. All of these programs can read events from the Windows event logs. Hence, they are capable of reading the secRMM event data (either from the Security or secRMM event log). In addition, secRMM supports generating SNMP traps (equivalent to the event log data). secRMM can generate SNMP v1, v2 and v3 traps.
- 100% scriptable and 100% .Net integration – Many IT environments rely on automation to perform repetitive tasks to reduce human intervention and to reduce delay. The backbone of automation is typically done with scripts. secRMM is 100% scriptable and can therefore be integrated into the automation implementation of the IT environment.
- End-User application (GUI) to write to removable media – secRMM ships with a Windows GUI program called SafeCopy. secRMM can “force” end-users to use SafeCopy. If the user attempts to write to a removable media device using any other program (except SafeCopy), the write operation will fail. Of course, secRMM will record the write operation failure. SafeCopy works in conjunction with the base secRMM program to record additional details/events about what the end-user is doing regarding the removable media devices. When you use secRMM with SafeCopy, not only do you get an advanced level of removable media monitoring but you can also implement an “enforcable two man policy” when writing to removable media.
- Enforceable two man policy – secRMM SafeCopy can require two individuals (one must be an administrator) to be involved when writing to removable media. The two man policy is a common practice in high security environments such as the military and government.
- Restrict input directories to copy from - Since secRMM can capture the source file, it has a property that restricts the directories that the end-user can copy files from. This is a feature of secRMM but is amplified when the end-user uses SafeCopy since SafeCopy disables (“greys out”) the directories that the end-user cannot access.
- Device tracking – When you use secRMM SafeCopy, you will be able to (given the actual removable media device) tell: 1. who last wrote to the removable media device, 2. what computer they used, 3. the date/time they used the removable media device, 4. If the two man policy is active, who the administrator who approved the use is. Device tracking is useful for lost or stolen removable media devices. If you are operating in a high security environment, you can perform audits of the removable media devices at any time.
- Simple to deploy - Since secRMM does not require a separate framework (i.e. dedicated server, database, web server or console), deployment of secRMM is very simple. For large deployments, secRMM can be done using Active Directory Group Policy Objects or any deployment product (such as Microsoft Configuration Manager/SMS).
- Very little training required – Since secRMM uses the features of the base Operating System, security and IT administrators will require little additional knowledge to begin using secRMM.
- Solves a specific security problem – Most software security solutions provide a swiss army knife approach to your security needs. This is unfortunate since the security issues of removable media are only weakly addressed. Worse yet, deployment of these large solutions require separate servers, databases, web servers and consoles. secRMM is a first class solution addressing the true security requirements of removable media. secRMM does not require implementing a separate framework.