Netsurion Managed Endpoint Security Overview

Netsurion Managed Endpoint Security is a managed endpoint threat prevention, response, and analysis service offered by Netsurion® that provides endpoint protection via an easy-to-deploy solution. Netsurion Managed Endpoint Security offers a multi-layer, prediction- and prevention-first approach, followed by detection and response against known and unknown cyber threats.

Netsurion Endpoint Security Service Components

The service is based on three technical components: a lightweight sensor deployed on the endpoint; a console hosted in the Google Cloud Platform and managed by Netsurion; and the Netsurion console, which may be hosted either at the Netsurion data centers or on Customer premises and acts as a single pane of glass across all components of the Netsurion service offering. The 24/7 Netsurion Security Operations Center (SOC) analysts review incidents on the Netsurion console. Sensors are available for Microsoft Windows, macOS, Chrome OS, and Android.

Threats Addressed

Malware

Prevents Ransomware, Spyware, Trojans, as well as known and unknown threats.

Static Analysis – Supported File Types

Supports more than 100 file types, including executable files, Microsoft Office, PDF, RTF, Flash, JAR, images, fonts, and archive files, among others.

File-less Script Based Attacks

Protects against file-less attacks that are script based. This includes PowerShell, MSHTA, JavaScript, VBScript, HTML applications, and more.

Implementation

For new installations, sensors or download links will be sent. The sensors are to be deployed on the endpoints being monitored. For Android and Chrome OS, an email will be sent with a link to download and install the app from the respective app store. Configuration of the Netsurion console is performed in parallel once the first Customer-assigned sensor reports in. The configuration includes setup of the relevant customer groups, alerts, reports, and dashboards.

Service Operating Options, Incident Alerts and Service Level Objectives

Service Operating Options

Netsurion Managed Endpoint Security includes two service operating options:

  • Prevent Threat and Notify – Prevent a process or file (threat) and notify Customer of action taken. Upon Customer confirmation, the SOC may reverse the prevention protocol and update the Customer safelist accordingly. This option provides the Netsurion SOC with the authority to make security decisions but allows Customer to retain oversight.
  • Detect Threat and Notify – Detect threat, notify Customer, and await guidance. When a potential threat is observed, Netsurion SOC will notify Customer and await confirmation on any actions to be taken. This option provides Customers the opportunity to make ad hoc security/safelist decisions. Netsurion SOC will respond as instructed.

Action will be taken based on the model of operation in effect.

Alerts

This service offering provides alerts that appear in the Netsurion console and are visible to Customers on the Incidents Dashboard. Critical Alerts will be escalated to the Customer.

Service Overview

Netsurion Managed Endpoint Security will trigger an alert for all detection events visible in the Netsurion console monitored 24/7 by the Netsurion SOC. The SOC will notify the Customer as per the incident call tree instructions. Upon completion of forensic analysis, the Netsurion SOC will update the Customer with guided remediation recommendations. Customer may direct the Netsurion SOC to update their safelist or other configurations.

Service Level Objectives

The defined SLOs are as follows (Notification SLO / Preliminary Resolution SLO):

  • Detect Events – Post investigation, process / script is found to be malicious: Notification SLO 30 mins; Preliminary Resolution SLO 60 mins.
  • Prevent Events – Based on feedback from Customer, action taken and confirmed: Notification SLO 15 mins; Preliminary Resolution SLO 60 mins.
  • Service Requests – See Service Support section below.

Netsurion Managed Endpoint Security Onboarding and Startup

The Netsurion SOC, in collaboration with the Customer, ensures the successful startup of the Netsurion Managed Endpoint Security solution.

The onboarding phase includes:

  • Explanation of the onboarding process, deployment options, and best practices for learning, detection, and prevention.
  • Planning, testing, and implementation of the initial safelist and of exclusions for any active anti-virus product.
  • Ensuring that the Netsurion Managed Endpoint Security sensor is deployed and configured correctly on Customer endpoints.

Steady State Operations

  • 24/7 monitoring and escalation
  • Troubleshooting and management of detection and prevention events
  • Incident response
  • Reporting and review
  • Change management controls

Netsurion Managed Endpoint Security Service Deliverables

Netsurion Managed Endpoint Security generates incidents, dashboards, and reports based on detection and prevention events that are available for review on the Netsurion console for partners and customers based on user privilege settings.

Add-On Threat and Incident Review Report – Netsurion Managed Endpoint Security + Netsurion Enterprise

When Netsurion Managed Endpoint Security is delivered for an existing Netsurion Enterprise Customer, the Add-On Threat and Incident Review Report (TIRR) can be prepared by Netsurion SOC for the Customer to include the Priority 1 (P-1) alerts observed along with customized guided remediation recommendations. The optional TIRR will be shared as per the Customer subscription service frequency.

Security Summary Report – Netsurion Managed Endpoint Security + Netsurion Essentials

When Netsurion Managed Endpoint Security is added by a Netsurion Essentials Customer, this report is configured to reflect activity observed during a 24-hour period with automated remediation recommendations. Customers are expected to review these reports regularly. The Netsurion SOC may provide additional guidance for specific events.

Security Summary Report – Netsurion Managed Endpoint Security Standalone

When Netsurion Managed Endpoint Security is purchased as a standalone subscription, the Summary report is configured to reflect the activity observed during the previous 24-hour period with automated remediation recommendations. Customers are expected to review these reports regularly.

Log Retention

The summary reports and the underlying raw log data are retained for up to 400 days in accordance with compliance standards. Unlimited raw log data is stored, based on age, in hot (local SSD, the first 7 or 35 days depending on Customer choice), warm (local spindle disk, days 8-90 or 36-90), and cold (AWS Glacier, days 91-400) locations.

Forensic Search

All received log data is indexed into Elasticsearch using an extensible Common Indexing Model and stored on high-speed solid-state drives (SSD) for a period of seven (7) or thirty-five (35) days (Customer's choice). Customers may use the flexible user interface to search the log data and thereafter drill down, pivot, time slice, and include/exclude results. A combination of log source, time, detected fields, and pattern matching is available as search criteria. Search criteria can also be saved for future use. Data that is 8-90 or 36-90 days old (depending on the hot-tier period selected) is available on spindle-based disk and can be searched. Search results can also be exported to a file.

Analysis of Processes

Potential threats are instantly analyzed to prevent downloads/writing to disk and in-memory execution. Netsurion SOC analysts will confirm, notify, and update status and safelists as per the Incident Response Playbook.

Netsurion Enterprise

Any safe and unsafe list additions will be propagated across all devices in the Customer environment within 60 minutes. Additional analysis performed as part of the threat hunting function for Netsurion Enterprise customers will be reflected in the Threat and Incident Review Report (TIRR).

Netsurion Essentials or Netsurion Managed Endpoint Security

Any safe and unsafe list additions will be propagated across all devices in the Customer environment within 60 minutes. Any additional analysis will need a service request from the Partner/Customer.

Change Management

The Netsurion SOC implements change control aligned with ISO 27001 and Information Technology Infrastructure Library (ITIL) Change Management.

Netsurion Managed Endpoint Security Service Support

Customers shall contact the Netsurion SOC via e-mail. All incoming emails will follow the service level objectives below. Severity is decided by the SOC on receipt; the Response SLO and Resolution SLO are both measured from the time of receipt of the email from Customer.

  • Netsurion Endpoint Security stand-alone customer: Severity Urgent; Response SLO 5 minutes; Resolution SLO 4 business days.
  • Existing Netsurion Essentials Customer: the SLOs committed as part of your base service will apply.
  • Existing Netsurion Enterprise – 24/7 or Daily Customer: the SLOs committed as part of your base service will apply.
  • Existing Netsurion Enterprise – Weekly Customer: the SLOs committed as part of your base service will apply.