
Tech Forecast: Cryptocurrencies Have DLP Implications

Cryptocurrencies such as Bitcoin and Ethereum are getting a lot of attention these days. Bitcoin, created in 2009, is arguably the largest and best known cryptocurrency, with a market cap of over $99 billion. With such explosive growth and popularity it’s no wonder that organizations are beginning to embrace cryptocurrencies, whether for payment transactions with customers and employees or as a more general-purpose ledger leveraging bleeding-edge technology such as smart contracts.

While there is a lot of opportunity in a shift to digital currency, there are also the typical security pitfalls that come with any new technology. In this forecast we’ll take a closer look at the mechanics of storing cryptocurrencies and the downstream DLP implications.

Primer: What is a Cryptocurrency?

A cryptocurrency is a type of digital asset protected with cryptography and recorded in a public, decentralized blockchain ledger. Whenever someone wants to transfer funds, a transaction describing the movement of the asset from one account to another is written to this digital, publicly viewable ledger. Cryptography secures the transactions and ensures that only the legitimate account holder can actually spend the currency.

Bitcoin and Ether are the two best known examples of a cryptocurrency based on blockchain technology, though tens of new currencies are being created monthly. The underlying details of how a cryptocurrency works are deeper than we’ll go today, but there are great resources online for more information. Cryptocurrencies do, however, have implications when it comes to Data Leak Prevention – that implication comes in the form of the Wallet.

What is a Wallet?

A ‘cryptocurrency wallet’ is the place where you store your cryptocurrency. To be accurate, the actual currency is not stored in the wallet; what is stored is the cryptographic information about the currency you hold. The wallet is a software program that stores the account identity information and the cryptographic private keys used to “spend” the cryptocurrency. Wallets can be local software on your phone or computer, or hosted by wallet providers.

Implications for DLP

Much like a physical wallet, if someone has access to your cryptocurrency wallet they could potentially steal all of your cash. Wallets can be protected by encrypting their contents with a passphrase; however, this assumes that users choose a strong password (which we know isn’t always the case).

Unlike a physical wallet, if your crypto-wallet is stolen you may have no idea until you attempt to use your money. This is where the DLP concern comes in. How can you detect if somebody tries to exfiltrate your wallet? There are obviously many different ways an attacker could steal your wallet, but we’re specifically concerned with somebody who has physical access to your machine.

For the geeks out there, here’s where you’ll find the Bitcoin wallet on Windows & Mac:

  • Windows: C:\Users\YourUserName\Appdata\Roaming\Bitcoin\wallet.dat
  • Mac: ~/Library/Application Support/Bitcoin/wallet.dat

Given the decentralized nature of cryptocurrencies, there is no company that will protect you from the liability of stolen currency. If the wallet is lost or stolen, that currency is gone forever.

Without proper monitoring and controls, if your crypto-wallet is leaked outside your organization on a USB drive, you may never be aware that the account is at risk and the funds could disappear at any time in the future.

For organizations looking to embrace cryptocurrencies, it is critical to protect crypto-wallets and to have appropriate monitoring and data leak prevention controls in place so that corporate or employee funds are not at risk. Squadra’s secRMM can easily track wallet.dat files, reporting any occurrence of wallet.dat being copied or moved to removable media.
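As an added illustration of the detection question raised above (example code written for this post, not secRMM’s own logic): a small classifier for file-copy audit events that flags a wallet copy to removable media both by the wallet.dat name quoted above and by the Berkeley DB btree signature a Bitcoin Core wallet.dat carries, so a renamed copy is still caught. The copy events, user names, drive types and file headers are constructed; the wallet paths are the ones listed above.

```python
"""Flag copies of a Bitcoin Core wallet (wallet.dat) to removable media.

Added example for this post, not secRMM's logic. The copy events, user names
and file headers are constructed; the wallet paths are the ones quoted above.
"""
import struct
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# wallet.dat is a Berkeley DB btree file. Its metadata page stores DB_BTREEMAGIC
# (0x053162) at offset 12, after the 8-byte LSN and the 4-byte page number, in
# the byte order of the machine that created the file.
BDB_BTREE_MAGIC = 0x053162
REMOVABLE_DRIVE_TYPES = {"removable", "cdrom"}


@dataclass
class CopyEvent:
    """One file-write audit record: who copied what to where (constructed shape)."""
    user: str
    source: str
    destination: str
    dest_drive_type: str   # "fixed", "removable", "network", "cdrom", ...
    header: bytes          # first bytes of the file as written


def header_is_bdb_btree(header: bytes) -> bool:
    """True when the first bytes carry the Berkeley DB btree magic in either byte order."""
    if len(header) < 16:
        return False
    (little,) = struct.unpack_from("<I", header, 12)
    (big,) = struct.unpack_from(">I", header, 12)
    return BDB_BTREE_MAGIC in (little, big)


def classify(ev: CopyEvent) -> Optional[str]:
    """Return an alert reason, or None when the copy is not a wallet going to removable media."""
    if ev.dest_drive_type.lower() not in REMOVABLE_DRIVE_TYPES:
        return None
    # Name-based rule: the default wallet file name on Windows and macOS.
    # PureWindowsPath accepts both path separators, so the macOS path works too.
    if PureWindowsPath(ev.source).name.lower() == "wallet.dat":
        return "wallet.dat copied to removable media"
    # Content-based rule: a renamed wallet still starts with the Berkeley DB btree header.
    if header_is_bdb_btree(ev.header):
        return "Berkeley DB btree file copied to removable media (possible renamed wallet.dat)"
    return None


def alerts(events: List[CopyEvent]) -> List[Tuple[str, str, str]]:
    """(user, destination, reason) for every event that should raise a DLP alert."""
    out = []
    for ev in events:
        reason = classify(ev)
        if reason:
            out.append((ev.user, ev.destination, reason))
    return out


def fake_bdb_header(byteorder: str = "<") -> bytes:
    """Constructed 24-byte Berkeley DB meta header: lsn(8) pgno(4) magic(4) version(4) pagesize(4)."""
    return struct.pack(byteorder + "IIIIII", 0, 1, 0, BDB_BTREE_MAGIC, 9, 4096)


# Constructed audit events; CONTOSO\Angela is the sample user used elsewhere on this blog.
EVENTS = [
    CopyEvent("CONTOSO\\Angela", r"C:\Users\Angela\Appdata\Roaming\Bitcoin\wallet.dat",
              r"E:\backup\wallet.dat", "removable", fake_bdb_header()),
    CopyEvent("CONTOSO\\Angela", r"C:\Users\Angela\Appdata\Roaming\Bitcoin\wallet.dat",
              r"D:\Backups\wallet.dat", "fixed", fake_bdb_header()),
    CopyEvent("jdoe", "~/Library/Application Support/Bitcoin/wallet.dat",
              "/Volumes/USB/wallet.dat", "removable", fake_bdb_header()),
    CopyEvent("CONTOSO\\Bob", r"C:\Users\Bob\Documents\notes.dat",
              r"E:\notes.dat", "removable", fake_bdb_header(">")),
    CopyEvent("CONTOSO\\Bob", r"C:\Users\Bob\Documents\report.docx",
              r"E:\report.docx", "removable", b"PK\x03\x04" + bytes(20)),
]

if __name__ == "__main__":
    for user, dest, reason in alerts(EVENTS):
        print(f"ALERT {user} -> {dest}: {reason}")
```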

 

What to do next?

Contact us to see a demonstration of our solution.

Or watch an overview of the secRMM integration with Microsoft Systems Center.

Or if you’re really impatient, jump right to downloading the trial.

Get Ready! NIST 800-171 Is Coming & Has Implications for Mobile DLP

Since December 2015 there has been a DFARS clause (225.204-7012) requiring contractors to institute the standards outlined in NIST Special Publication (SP) 800-171. There was an implementation window of two years, and that window runs out as of December 31st, 2017, making compliance with SP 800-171 a full-stop requirement.

In case you’re just catching this now, SP 800-171 covers the protection of sensitive federal information, dubbed “Controlled Unclassified Information” or CUI, while that information is residing on non-federal systems. NIST specifically states the purpose of 800-171 as the following:

“The protection of sensitive federal information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure.”

A High-Level Overview of the Key Requirements in NIST SP 800-171


If you’re coming at this new standard from the mobile device perspective, there are a few areas that we think are particularly relevant and interesting to understand, namely Access Control, Audit & Accountability and Media Protection. We’ll review the key sections for mobility below.

3.1.18 Control Connection of Mobile Devices


Mapping 3.1.18 to AC-19 in NIST SP 800-53, we can see that the control includes the following for mobile devices:

  1. Establish usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices;
  2. Authorize the connection of mobile devices to organizational systems; and
  3. Protect and control mobile devices when outside of controlled areas.

Our Interpretation

Ensure you understand which devices are approved and which aren’t, and don’t allow unapproved devices to mount their filesystems.

Highlight: secRMM has the ability to unmount non-whitelisted devices from the operating system, allowing users to charge but not transfer. See it LIVE here.

3.1.21 Limit Use of Organizational Portable Storage Devices on External Information Systems


Mapping 3.1.21 to AC-20(2) in NIST SP 800-53 we can see that “use of external information systems” includes the following for devices:

  1. Access the system from external systems; and
  2. Process, store, or transmit organization-controlled information using external systems.

Our Interpretation

Ensure you limit or remove the use of portable storage devices, but if they are used ensure you appropriately track Controlled Unclassified Information being transferred to the devices.

Highlight: secRMM can limit the use of portable storage devices using whitelisting policy rules such as AllowedSerialNumbers, AllowedInternalIds, AllowedUsers, AllowedPrograms. See it LIVE here.

3.3.1 Create, Protect and Retain System Audit Records to the Extent Needed to Enable the Monitoring, Analysis, Investigation, and Reporting of Unlawful, Unauthorized or Inappropriate System Activity


This is a fairly broad requirement that maps to many of the NIST 800-53 audit security controls (AU-2, 3, 6 and 12). We’ll reference the one we think is most important, AU-3, which states that audit records must include “what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.”

Our Interpretation

Ensure you have audit records that track any device connections or transfers of Controlled Unclassified Information, including the full range of audit details needed to cover the 4 Ws (who, what, where, when).

Highlight: All required data is collected by secRMM, and audit event data is stored in Windows “event log files”, easily allowing both centralized log storage and historical archival.

3.8.7 Control the use of removable media on information system components


Mapping 3.8.7 to MP-7 in NIST SP 800-53 we can see that “control the use of removable media” includes the following:

  1. Prohibit the use of organization-defined media on organization-defined components using organization-defined safeguards; and
  2. Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

Our Interpretation

Ensure you define safeguards around which devices can connect to which systems, and that devices with no identifiable owner cannot be used.

Highlight: A large range of removable media devices can be whitelist-controlled via secRMM, including USB/thumb drives (encrypted and non-encrypted), mobile devices (Apple, Android, Windows, BlackBerry), external hard drives, CD/DVD/Blu-ray and SD cards.

3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner


To hammer home the point, SP 800-171 also maps a separate 3.8.8 to subsection MP-7(1) in SP 800-53, specifically calling out the restriction on devices which have no identifiable owner. They go on to say:

  • Requiring identifiable owners for portable storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

Our Interpretation

Ensure you block devices where an owner cannot be associated with connection or data transfer events.

Highlight: There are two key mechanisms in secRMM which can map identifiable owners to devices, and which can force users to authenticate from mobile devices before they can successfully connect. See AD Integration LIVE here.

3.8.9 Protect the confidentiality of backup CUI at storage locations.


Mapping 3.8.9 to CP-9 in NIST SP 800-53 we can see that “protecting the confidentiality” includes the following:

  1. Conduct backups of user-level information contained in the system;
  2. Conduct backups of system-level information contained in the system;
  3. Conduct backups of system documentation including security-related documentation; and
  4. Protect the confidentiality, integrity, and availability of backup information at storage locations.

Our Interpretation

Ensure that all security and audit information related to mobile devices or portable storage devices is redundantly backed up, stored securely, and the integrity of the backups is assured.

Highlight: All secRMM event data is contained in standalone Windows Event Log backup (.evtx) files. These files are easily compressible using COTS compression software, which can password-protect and encrypt them when necessary.

Conclusion

By December 31 of this year you must be compliant with NIST 800-171. There are implications for mobility and portable media, and we hope that the outline above simplifies the key requirements that you need to keep in mind.

Our secRMM product is a COTS product specifically designed for governments to meet the kind of stringent criteria that NIST publications require.



Mobile apps not in an app store, how can I use it?

July 01, 2017 Update: See how System Center Configuration Manager (SCCM) can handle mobile device “side-loading” in this YouTube video.

June 13, 2017 – secRMM has added a new utility called SafeSync. SafeSync lets you install mobile device apps and of course securely copy files to the mobile device.

Sometimes it makes sense to install a mobile app without going through the trouble of getting the mobile app published into the “app stores”. App stores are big databases accessible over the internet that let users select apps to install onto their mobile device. Anyone can access the app stores as long as the mobile device has an internet connection (using the device’s WiFi and a hotspot, or the cellular service provider’s network). Apple, Google and Microsoft have the biggest app stores. These software vendors offer apps for their mobile device hardware and/or operating systems. When you want an app to go into one of the app stores, you have to go through a process defined by the vendor before it can be published.

There are scenarios where an organization does not want to put their apps into the app stores. Mainly because they do not want just anyone to be able to use the apps. As an example, suppose the military were to develop some apps that helped them with field combat. Clearly, they would not want just anyone to be able to download their app from an app store. Another example is a company that writes apps for their workers to use. Perhaps the app has company sensitive information that needs to be protected from competitors.

For scenarios where you want to distribute a mobile app but do not want it in the app stores, a common and acceptable practice is to install the app from another computer (commonly a Windows computer). The Windows computer and the mobile device cooperatively perform the install over a USB cable connection between them. The computer industry uses the slang term “side-loading” to describe this process. The app (which is just a binary with a special extension) can reside on the Windows computer’s local hard drive or even on a network share (so many users can access it).
The secRMM SafeSync utility makes it easy to manage the side-loading process by providing a list of available apps which you can choose to install, uninstall or re-install.


In addition, the mobile app install or uninstall events get recorded so that security administrators can be aware of the activity. Because of secRMM’s integration into System Center (and other backend monitoring systems), this event information can be included in the organization’s security monitoring process.

SafeSync can also generate a script so that the install/uninstall/reinstall pattern can be repeated for many devices. SafeSync also exposes the mobile device properties which are important to understand and control before a device is deployed into the field. Lastly, SafeSync can copy files to the mobile device. These files might be data files that are used by the mobile apps. This allows a device to completely be prepared before it gets deployed into the field.
In summary, secRMM continues to help IT organizations and security professionals manage the events around removable storage and especially mobile technology.

Please feel free to contact Squadra Technologies to help with your security needs around removable storage and/or mobile device technology.  There is also a YouTube video about SafeSync at https://www.youtube.com/watch?v=Z2_ODEnr2XM.


WME. A great partner!

December 15, 2016 – Being in the Microsoft System Center space is very exciting. You get to work on leading-edge software that helps your business operate and be successful. System Center provides so many functions and features that sometimes getting a handle on all the bells and whistles it provides can be a little intimidating. This is when you wish there were experts you could lean on to help you understand or even help you accomplish your System Center goals. If you don’t know of any System Center experts, please check out one of Squadra Technologies’ technology partners, named “Windows Management Experts” or WME for short. Let me just tell you, these guys know System Center and they are cool guys. For example, we just released an SCCM/InTune report for secRMM. I was trying to understand the SCCM database schema to figure out how to pull the data for the report. I shot an email over to my buddies at WME and within a day they emailed me back an SQL query (quite a complex one, I might add) that enabled me to finish the report within a couple of hours! So awesome!

So, if you are looking for System Center help, please consider WME.
Thanks for reading.


SCCM ties together MDM and DLP

December 06, 2016 – Microsoft is putting a lot of hard work into securing mobile devices in the enterprise. Recently, they have been promoting their “Enterprise Mobility Suite” (EMS). EMS has many powerful security features. The core product of EMS, though, is based on Microsoft’s Mobile Device Management (MDM) product named InTune. InTune is a cloud solution. It also has a hybrid mode where InTune can be managed and controlled by Microsoft System Center Configuration Manager (SCCM).

SCCM is Microsoft’s “enterprise management framework” workhorse. It is how enterprises keep their systems running and secure. When SCCM is connected to InTune, you can see your mobile devices in the SCCM console. You can even see the mobile device hardware resources just like you can with a workstation or server. The two screen shots below are from the SCCM console.


Microsoft has written numerous SCCM mobile device reports which give you just about every piece of information about the mobile device that you will want to know …

except for …

when a mobile device is connected to a workstation or server over a USB connection!

This missing information is very valuable because it is the easiest way for users to copy files from your domain. The computer industry calls this “Data Loss” and there are many products out there that focus on “Data Loss Prevention” (DLP).

Squadra Technologies Security Removable Media Manager (secRMM) is one of those DLP products. What makes secRMM unique is that it is 100% integrated into SCCM. This means you do not have to deploy another framework just to get DLP for USB plug-and-play devices.  It integrates precisely into Microsoft’s Endpoint Protection strategy and also with EMS.

secRMM has a new SCCM report called “Mobile Device USB File Write Activity”. This secRMM report works in conjunction with the InTune/SCCM data so you can also see how/where your users are connecting their mobile devices within your domain.

The flow chart below shows you all the components wired together. Notice that in addition to mobile device monitoring, secRMM works with any type of plug-and-play storage device (i.e. flash drives, CD/DVD, SD-Cards, external hard drives).


Also, on the mobile device security side, secRMM comes with an optional mobile app that requires the end-user to first authenticate before the device is allowed to mount to the Windows workstation or server.

Below is a screen shot of the SCCM “Mobile Device USB File Write Activity” report. When you click the plus sign next to the device, it expands to show you all the USB related activity (see the second screen shot).

When you see files written to the mobile device, you can even see the complete path of the source file (i.e. the file that was copied)!


A YouTube video on this information is at:
https://www.youtube.com/watch?v=w0-gjMNqcso

We hope you found this information useful. Thank you for reading and Merry Christmas!!!


secRMM extends SCCM PowerShell Library


October 24, 2016 – secRMM has increased its PowerShell support. There is a new secRMM PowerShell cmdlet that gives you the same property granularity that is available from the secRMM Excel AddIn (as shown in the screen shot below).

This means you have the most detailed forensic removable storage security data (including mobile devices as well as thumb drives, external hard drives, SD cards, etc.) to process any way you can imagine.

The secRMM PowerShell cmdlet can operate standalone and can also be used with SCCM. Since the secRMM SDK is included with the base secRMM install, just install secRMM and then go to the directory “C:\Program Files\secRMM\AdminUtils\SDK”.

Under the SDK directory is the PowerShell directory. There is a sample PowerShell script named GetSecRMMEvents.ps1 that shows you how to use the secRMM cmdlet. For SCCM, it couldn’t be any easier. Here is the PowerShell line of code that gets all the secRMM data from SCCM:

$secRMMEvents = secRMMEventData -SCCM

As you can see, the secRMM cmdlet is named secRMMEventData. This name is logical because the cmdlet can get the secRMM data from multiple sources: SCCM, the secRMM event log and/or the secRMMCentral event log. Once the data comes back to the PowerShell script (or the PowerShell pipeline), you have a secRMM object that contains the various properties (data) with which you can perform more logic or store however you see fit.  The secRMM object has an Output method that will convert the text to HTML, CSV or XML.

For details, please see the secRMM SDK Programmers Guide at http://squadratechnologies.com/StaticContent/ProductDownload/secRMM/9.4.0.0/secRMMSDKProgrammerGuide.pdf.

There are also secRMM PowerShell scripts in the secRMM SDK to get/set a secRMM property and to read/write to a mobile device.


In the near future, we will be looking at ways to link together the secRMM data in SCCM with the Intune data.  We hope you found this information useful.  Thanks for reading!

 

 


Block Office Macros on removable storage devices (including mobile)

September 06, 2016 – secRMM has added another security rule which does not really fall into the Data Loss Prevention (DLP) category but more into the anti-malware category. The new rule is named “BlockOfficeMacrosOnDevice”. As the name implies, secRMM will block the opening of any Microsoft Office document residing on a removable storage device that has one or more macros embedded within it.

You can also view a YouTube video on this subject.

Microsoft has been doing a great job of securing the Office suite, especially with Office 2016 (see MS Blog: New feature in Office 2016 can block macros and help prevent infection).  As you can see, they have a “Group Policy” that you can apply to your domain(s).  Microsoft has a Malware Protection Center where you can get more information about Office Macros at:
https://www.microsoft.com/en-us/security/portal/threat/macromalware.aspx.

What has still not been addressed (until now) is the handling of removable/plug-and-play storage devices.  We are talking about thumb drives, USB connected mobile devices, SD-Cards, external hard drives, CD/DVD, etc.  This is what the secRMM “BlockOfficeMacrosOnDevice” addresses.  You can apply this setting in multiple ways:

  • Active Directory Group Policy and/or
  • Microsoft System Center Configuration Manager (SCCM) and/or
  • On the individual computer by using the “Computer Management” MMC and/or
  • Script (PowerShell, VBScript, JScript, CMD, etc.) – yes, secRMM is 100% scriptable

Another good thing about the secRMM “BlockOfficeMacrosOnDevice” feature is that it supports Office 2016, 2013, 2010, 2007 and 2003.  It probably supports even older versions but we could not find an older version than 2003 to install and test with!

If you are concerned about Macro-based malware, now you can have this additional help by using secRMM.

The screenshots below will show you what we discussed above.

In the first 2 screenshots, we are just turning on the rule (we used the “Computer Management” MMC).  It is just a checkbox, on or off.  You must be an Administrator on the computer to be able to access the secRMM rules.


The next 3 screen shots show you what the end-user will experience when they go to open an Office document with a macro(s) embedded within it.  The first 2 screen shots are from explorer.  The third screen shot is if they try to use a command window.  Note that this blocking functionality will also apply if they first open the Office program and then do a File->Open operation from within the Office program.

Now, as the IT and/or security Administrator, you will also be able to see in the event log that this condition has occurred (i.e. an end-user tried to open an Office document on a removable storage device and the Office document had a macro(s) embedded within it).

The screen shot below has a lot of information contained within it.  First, it tells you that a “BLOCK MACROS ON DEVICE ACTIVE” event occurred (in the secRMM event log, that is event id 514).  It tells you the user who tried to open the Office document (in the screen shot, this is CONTOSO\Angela).  Next, it tells you about the removable storage device.  Next, it tells you the program that tried to open the Office document.  In this case, it is Winword.exe.  The last line is kind of long but it is really the most detailed so we break it down below the screen shot.

Command Line: “C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE” /n “E:\Programs\OfficeMacros\2003\Word1Macro_2003.doc” /o “”,
Current Directory: E:\Programs\OfficeMacros\2003,
Office Macro(s): ThisDocument(Document:3), Module1(Code:14)

The text above logs what the “command line” looked like when Windows tried to open the Office document.  It also logs the “current directory”.  Lastly, it lists the macro information contained inside the Office document.  In the above event, we can see that inside this Word document, the “ThisDocument” VBA object has a macro of type “Document” and there are 3 lines of executable code.  There is also an object named Module1 which has a macro of type “Code” and there are 14 lines of code.

Below is a screen shot of the Word document used in our example with the Visual Basic Editor open so you can see why secRMM listed what it did.


If you get a secRMM event and the Additional Info line contains:
Description=Programmatic access to Visual Basic Project is not trusted.
this means that the Office program does not trust macros so secRMM could not parse the file for macros.  What?!!!  Right, it sounds crazy but secRMM is not doing anything out of the ordinary to obtain the information about the macros.  This message means there ARE macros but secRMM is not allowed to look at them.
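The event fields broken down above and the “not trusted” case just described, as an added example (written for this page, not secRMM code): a parser that turns the Additional Info text of an event id 514 record into a structured object for SIEM ingestion, handling both the macro listing and the “Programmatic access to Visual Basic Project is not trusted” description. The first sample is the event text shown above; the second, denied-access sample, the Office extension list and all helper names are this example’s own.

```python
"""Turn the Additional Info text of a secRMM BLOCK MACROS ON DEVICE ACTIVE event
(event id 514) into a structured record for SIEM ingestion.

Added example, not secRMM code. The field layout and SAMPLE_EVENT follow the
event shown in the post; SAMPLE_DENIED and all helper names are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# "ThisDocument(Document:3)" -> VBA object name, macro type, lines of executable code
MACRO_RE = re.compile(r"(\w+)\((\w+):(\d+)\)")
QUOTED_RE = re.compile(r'"([^"]*)"')
# Assumed set of macro-capable Office extensions used to pick the document out of the command line.
OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlt", ".xltm",
               ".ppt", ".pptm", ".pot", ".potm")


@dataclass
class MacroBlockEvent:
    command_line: str = ""
    current_directory: str = ""
    program: str = ""                    # executable that tried to open the document
    document: str = ""                   # Office document on the removable device
    macros: List[Tuple[str, str, int]] = field(default_factory=list)
    vba_access_denied: bool = False      # Office refused programmatic access to the VBA project

    @property
    def total_macro_lines(self) -> int:
        return sum(lines for _, _, lines in self.macros)

    def verdict(self) -> str:
        """One-line summary suitable for an alert title."""
        if self.vba_access_denied:
            return "macros present but not inspectable (VBA project access not trusted)"
        return f"{len(self.macros)} macro module(s), {self.total_macro_lines} lines of VBA"


def parse_additional_info(text: str) -> MacroBlockEvent:
    """Parse the comma-terminated 'Key: value' lines of the event's Additional Info."""
    ev = MacroBlockEvent()
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")      # every field but the last ends with a comma
        if not line:
            continue
        if line.startswith("Description="):
            # Office blocked the inspection; the event still means the document has macros
            ev.vba_access_denied = "Visual Basic Project is not trusted" in line
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Command Line":
            ev.command_line = value
            quoted = [q for q in QUOTED_RE.findall(value) if q]     # drop the empty /o ""
            if quoted:
                ev.program = quoted[0]
            ev.document = next((q for q in quoted[1:] if q.lower().endswith(OFFICE_EXTS)), "")
        elif key == "Current Directory":
            ev.current_directory = value
        elif key == "Office Macro(s)":
            ev.macros = [(name, kind, int(count)) for name, kind, count in MACRO_RE.findall(value)]
    return ev


# Event text as shown in the post.
SAMPLE_EVENT = r'''Command Line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "E:\Programs\OfficeMacros\2003\Word1Macro_2003.doc" /o "",
Current Directory: E:\Programs\OfficeMacros\2003,
Office Macro(s): ThisDocument(Document:3), Module1(Code:14)'''

# Constructed variant of the 'not trusted' case described in the post.
SAMPLE_DENIED = r'''Command Line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "E:\Programs\OfficeMacros\Quote.docm" /o "",
Current Directory: E:\Programs\OfficeMacros,
Description=Programmatic access to Visual Basic Project is not trusted.'''

if __name__ == "__main__":
    for sample in (SAMPLE_EVENT, SAMPLE_DENIED):
        ev = parse_additional_info(sample)
        print(f"{ev.program} opened {ev.document}: {ev.verdict()}")
```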

We hope you found this information useful.
You can try secRMM for 30 days (fully functional).
Please visit the Squadra Technologies web site to download secRMM.
Thanks for reading!


Apricorn secRMM freeware


07/25/2016

There is a youtube video showing you the workings of “Apricorn secRMM” at:
https://www.youtube.com/watch?v=duxoDxfsQoI

Apricorn is a removable storage hardware vendor that Squadra Technologies has had the privilege of partnering with over the last several years.  The two companies now have a jointly developed version of secRMM that is called “Apricorn secRMM” (internally named secRMM-lite so we may slip up and call it that too 🙂 ).  “Apricorn secRMM” is free software offered by Apricorn and supported by Squadra Technologies.  “Apricorn secRMM” lets Apricorn customers configure their Windows workstations and servers to allow just Apricorn devices to be used by end-users.  This is a very powerful capability since it narrows down the removable storage devices allowed in your environment to only hardware encrypted, password protected devices!


“Apricorn secRMM” is a “limited functionality” version of the Squadra Technologies product secRMM.  “Apricorn secRMM” exposes the secRMM properties:

  1. AllowedInternalIds
  2. AllowedSerialNumbers
  3. SCCMConnection
  4. SNMP

The first two properties (AllowedInternalIds and AllowedSerialNumbers) constrain the Windows computer to only writing files to Apricorn devices that meet both properties.  Trying to write to any other type of removable storage device will fail.  The AllowedSerialNumbers can be left blank which will allow any Apricorn device.

The SCCMConnection property will allow integration into Microsoft System Center Configuration Manager (SCCM).  Note that “Apricorn secRMM” will also work with the secRMM Microsoft System Center Operations Manager (SCOM) Management Pack(s) as well.  For complete details on Microsoft System Center integration, please visit http://squadratechnologies.com/Products/secRMM/SystemCenter/secRMMSystemCenter.aspx.

The SNMP property will send “Apricorn secRMM” SNMP traps to an SNMP trap receiver computer.

“Apricorn secRMM” generates audit events for all removable storage ONLINE and OFFLINE events.  Please note however that it will not generate file WRITE events (whether successful or unsuccessful).  To get file WRITE events (and the other secRMM events), you will need the secRMM full version.

When you first install “Apricorn secRMM”, you will have 30 days to trial the software.  During the 30 day trial, you will have the ability to toggle the software between the “Apricorn secRMM” version and the full version of secRMM.  This will help you decide if you can do without the additional functionality that the full version of secRMM provides (i.e. advanced auditing, additional authorization properties, user configurations, etc.).

Apricorn secRMM User Interface

If/when you decide that you would like to use the software (either “Apricorn secRMM” or the full version of secRMM) in your environment, please contact Squadra Technologies (sales@squadratechnologies.com) to obtain a license (either for free or to start a purchase). If you decide that you want to purchase the full version of secRMM, you will need to tell Squadra Technologies how many computers you have in your environment that will run secRMM. The number of computers dictates the purchase price: the more computers, the lower the per-computer price.

Squadra Technologies is very excited to be working more closely with Apricorn and Apricorn customers!  Please feel free to contact us (sales@squadratechnologies.com) anytime if you have questions about using “Apricorn secRMM” or the full version of secRMM.


Use Microsoft Operations Management Suite (OMS) for DLP “plug-and-play” “Removable Storage” security assessments


Microsoft Operations Management Suite (OMS) is an online portal product that gives you the ability to monitor security events across your IT environment, from on-premises data centers to the cloud. OMS is Microsoft’s next generation monitoring tool that is built from the power of System Center Operations Manager (SCOM). In fact, OMS can be configured to sit on top of your existing SCOM deployments.

Microsoft started building OMS solutions by first providing a “security and audit” solution. OMS lets you add “solutions” based on your monitoring requirements.

An OMS solution is:
  1. a collection of related event queries,
  2. alert-able actions, and
  3. user interface components
that make it very easy to extend your monitoring framework.

It is very easy to add a solution to your OMS portal because Microsoft packages up its OMS solutions and allows you to select them from the “OMS solutions gallery”. The OMS solutions gallery is like an online store where you pick the solutions you want. Examples of the solutions that Microsoft offers are Active Directory Monitoring and Exchange Monitoring. Where Microsoft has really focused, though, is the security monitoring space. The security solutions cover topics such as Malware, System Update and Configuration assessments.


Like SCOM and almost all of the System Center products, Microsoft allows OMS to be extended. This allows Independent Software Vendors (ISVs) like Squadra Technologies, and corporations with in-house applications, to build OMS solutions as well. OMS is a perfect tool to expose plug-and-play removable storage device events. Here, we are talking about USB thumb drives, external USB-connected hard drives, SD cards and especially USB-attached mobile devices. Squadra Technologies “Security Removable Media Manager” (secRMM) is Windows security software that monitors/audits and controls the use of “plug-and-play” removable storage devices. secRMM is tightly integrated into Microsoft System Center via SCCM, SCOM, Orchestrator and now OMS.


The OMS secRMM solution is a perfect addition to the existing Microsoft OMS security solutions. Once the OMS solution gallery is open to ISVs, we will list the OMS secRMM solution in the OMS solution gallery.  For now, you can download it from here.

For more details about secRMM, please visit www.squadratechnologies.com.


Using Microsoft RMS and DLP

July 12, 2016 – secRMM is a utility for what the computer industry calls “Data Loss Prevention” (DLP). DLP software prevents people from taking data out of the organizations they work for. Data can be taken by copying it to the Internet, by copying it over a network connection, or by using “removable storage devices”. Removable storage devices can be thumb/flash drives, external hard drives, SD cards and mobile devices. secRMM addresses the removable storage devices.

Another security computer term somewhat related to DLP is called “Information Rights Management” (IRM). As the words imply, organizations want to protect who can access information belonging to the organization. Microsoft has a technology called “Rights Management Services” (RMS) that implements IRM. Microsoft has cleverly done this within the actual file containing the information (data) itself.

secRMM has a rule related to Microsoft’s RMS called “EnableRMS”. This rule integrates secRMM with RMS.  There are 3 features that can be enabled.  At a high-level, the 3 features cover: monitoring, authorizing and protection.


The first (monitoring) logs the RMS template that is used to protect the file that is being copied to the removable storage devices (remember that removable storage here also means mobile devices).  secRMM needs to have the “RMS Server Connection Credentials” to retrieve this information.


The second (authorizing) is a simple checkbox (either on or off). When this checkbox is on, only files that are RMS protected can be copied to removable storage devices.


The third (protection) will RMS protect a file that is being copied to the removable storage device if it is not already RMS protected.  You tell secRMM through the EnableRMS property which RMS template to use.  The available templates are listed and you select one of them.

By combining DLP and IRM, you have extra assurance that your organization’s data is well protected.

Microsoft RMS is available as an on-premises service and also as an Azure (cloud) service. To get more information on RMS, please see this Microsoft link to get started.

Thanks for reading!