Questions about Veramine features

Collection

Which operating systems does the Veramine sensor support?

The Veramine sensor currently supports all recent versions of Windows, from Windows 7 and Windows Server 2008 R2 onward. Versions for Linux and Mac OS X are in development.

How can I deploy the Veramine sensor?

Simply run the Veramine self-contained executable on any system you'd like to monitor. You can run this binary manually or you can deploy it via psexec, group policy, SCCM, machine startup scripts, or any deployment technology you use. No client-side configuration is necessary.

Is it really that easy to deploy?

Yes. The sensor can be installed within seconds after you receive a download link, as demonstrated in the following video.

How can I manage the Veramine sensor?

The Veramine customer portal allows the sensor to be updated, uninstalled, unloaded, or restarted. Each Veramine sensor is in continuous contact with the Veramine server to enable instant network-wide management via the customer portal.

What sensor components are installed on each host?

The sensor consists of a Windows kernel-mode driver that collects events and a Windows user-mode service that performs the initial host enumeration and communicates with the Veramine server.

How much computational power does the sensor consume?

After an initial, brief enumeration period, the sensor aims to consume less than 1% CPU. Running the sensor on even the least powerful cloud-based virtual machines (Azure A0, AWS t2.nano) has a negligible effect on overall performance of the system.

Which events are collected?

The sensor provides deep visibility into process activity, network connections, user logins, registry writes, remote file operations, SMB protocol operations, changes to Windows service configurations, process privilege changes, password dumping - all the visibility and context you need to detect and understand attacker activity on your network. The sensor also uploads any unique executable images to the server for analysis and storage.

How does the sensor communicate with the server?

The sensor's user-mode component initiates a single outbound TCP/IP connection to the Veramine server on port 443. All events and file uploads are continuously streamed to the server over this TLS-encrypted communication channel.

Detection

How does the Veramine system detect attacks?

The stream of sensor data is continuously analyzed by the Veramine server using a variety of rule-based and machine learning algorithms to identify anomalous behavior. Analysts can supplement the system with their own detection algorithms.

What types of attacks does the Veramine system detect?

The Veramine sensor's host visibility enables a wealth of potential detection opportunities. Our initial set of v1.0 server-side detection algorithms includes the following:

  • Kernel-mode exploitation attempts resulting in local elevation of privilege - No signatures required!
  • Password and credential dumping - Generically detect even obfuscated and in-memory Mimikatz usage
  • Unusual process migration and remote thread creation - Metasploit style 'migrate' techniques
  • Download-and-run trojans - Highlight execution of binaries downloaded from the internet or attached to email

The detection roadmap includes extensive additional machine learning and heuristic-based algorithm advances. The next set of detection algorithms currently in testing includes the following:

  • Process profiling - Long tail analysis of process creation metadata to discover outliers
  • Unauthorized lateral movement detection via analysis of user login, logoff, and session activity
  • Data exfiltration detection by highlighting differences from historical and seasonal norms

How does the Veramine detection subsystem identify "file-less" attacks?

The Veramine sensor continuously sends a stream of client-side behavior to the server. The detection algorithms are run against that stream of behavior, not against any files. The alerts describing the malicious behavior will include metadata describing the host, user, process, and loaded modules; however, the behavior need not have originated from loading a file on disk.

Does the Veramine system require signature updates?

No, the Veramine detection system requires no signature updates. Detection is performed against a set of known-malicious behavior, not specific attributes of known malicious software files. For this reason, the Veramine sensor happily coexists alongside existing traditional anti-malware products. The anti-malware product may detect known malicious software that does not meet Veramine's detection criteria and the Veramine system will detect malicious behavior exhibited by any software, regardless of whether it is included in the anti-malware product's signature database.

Which third party integration options exist to extract Veramine detection signals?

Veramine alerts can be viewed in the customer portal or sent via email. Custom integration options are available via both outbound syslog and inbound direct API level access to both data and alerts.

Discovery

What is the Veramine "Discovery" feature?

The information collected by the Veramine sensor is sent to the Veramine server where it is augmented and correlated with additional context and then exposed through the Veramine customer portal via a rich search interface to allow flexible, ad-hoc searching.

What are some security-related use cases for this Discovery feature?

The Veramine Discovery feature provides instant answers to any security-related questions an analyst might want answered, such as the following:

  • Processes where the commandline includes a certain string
  • Processes making outbound network connections to a particular IP or domain
  • Processes that have loaded a binary having a certain MD5 hash
  • 32-bit processes launched without having opted-in to DEP and/or ASLR
  • Processes launched with elevated privilege where the process binary was unsigned
  • Processes that have sent more than 10MB of outbound traffic
  • Processes that have written to a certain registry location
  • Processes launched by a certain compromised user during a specific time period
  • Child processes of "powershell.exe" in the last 24 hours where the process binary was not signed by Microsoft

Note that this type of searching is not limited to currently-running processes. The sensor streams all events to the server and this searching is performed over both historical and real-time information. The Veramine Discovery architecture allows for a wide variety of additional search types and we are excited by the enhancements to this feature that we have already made in direct response to early customer feedback.

What are some non-security-related use cases of the Veramine Discovery feature?

The Veramine Discovery feature can easily handle compliance-related requests as well, in addition to the types of security-related questions highlighted above. For example:

  • Hosts where Bitlocker is not enabled for the C:\ drive
  • Hosts where Automatic Updates is disabled, or where the most recent Windows Update search was > 90 days ago
  • Hosts that have downloaded updates but have not yet rebooted, where updates are pending reboot
  • Hosts that have disabled the Windows firewall
  • Hosts that have loaded a specific out-of-date version of a specific DLL in the past week
  • Hosts where the console is not configured to automatically lock after a certain time interval

Can these types of Discovery features be automated and result in security alerts?

Yes. It's easy to use the customer portal to create any of the following "Notification Rules":

  • Alert when a configurable list of binaries is loaded, described by either MD5 or filename
  • Alert on a process creation when commandline matches a certain string
  • Alert on any network connections to a set of specific remote IP addresses or combination of remote IP and port
  • Alert on every login from a certain set of usernames
  • Alert on any user login to a specific set of computers
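To make the five "Notification Rule" types above concrete, here is an added example (not Veramine's own code) that evaluates rules of each type over a constructed stream of sensor-style events; the event field names, rule structure and sample values are all assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    kind: str                                    # image_load | process_create | net_connect | login
    md5s: set = field(default_factory=set)       # image_load: lower-case MD5 hex digests
    filenames: set = field(default_factory=set)  # image_load: lower-case base filenames
    cmdline_substr: str = ""                     # process_create: case-insensitive substring
    remote: set = field(default_factory=set)     # net_connect: (ip, port) or (ip, None) for any port
    users: set = field(default_factory=set)      # login: lower-case usernames
    hosts: set = field(default_factory=set)      # login: lower-case hostnames

def rule_matches(rule, ev):
    """True when one sensor event satisfies the rule (event type must match the rule kind)."""
    if ev["type"] != rule.kind:
        return False
    if rule.kind == "image_load":
        base = ev["image"].rsplit("\\", 1)[-1].lower()
        return ev["md5"].lower() in rule.md5s or base in rule.filenames
    if rule.kind == "process_create":
        return rule.cmdline_substr.lower() in ev["cmdline"].lower()
    if rule.kind == "net_connect":
        return (ev["ip"], ev["port"]) in rule.remote or (ev["ip"], None) in rule.remote
    if rule.kind == "login":
        return ev["user"].lower() in rule.users or ev["host"].lower() in rule.hosts
    return False

def evaluate(rules, events):
    """Return (rule name, event) alerts in stream order; one event may fire several rules."""
    return [(r.name, ev) for ev in events for r in rules if rule_matches(r, ev)]

# Constructed rules; the MD5 is a placeholder, not a real indicator.
RULES = [
    Rule("watched binary loaded", "image_load",
         md5s={"00000000000000000000000000000001"}, filenames={"procdump.exe"}),
    Rule("encoded PowerShell", "process_create", cmdline_substr="-encodedcommand"),
    Rule("blocked remote", "net_connect", remote={("203.0.113.10", 443), ("198.51.100.7", None)}),
    Rule("sensitive login", "login", users={"svc_backup"}, hosts={"dc01"}),
]

# Constructed sample events (documentation IP ranges, placeholder values).
EVENTS = [
    {"type": "process_create", "host": "ws12", "cmdline": "powershell.exe -EncodedCommand <placeholder>"},
    {"type": "image_load", "host": "ws12", "image": "C:\\Temp\\ProcDump.exe", "md5": "f" * 32},
    {"type": "net_connect", "host": "ws12", "ip": "198.51.100.7", "port": 8080},
    {"type": "login", "host": "ws12", "user": "alice"},
    {"type": "login", "host": "DC01", "user": "bob"},
]
```

Running `evaluate(RULES, EVENTS)` fires four alerts: the filename match (even though the MD5 differs), the command-line substring, the any-port IP match, and the login to the watched host.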

Response

How are actions sent to the Veramine client?

The Veramine customer portal exposes functionality to instruct the Veramine server to send specific actions to either a specific host, a group of hosts, or all hosts belonging to a certain customer. Each Veramine sensor is in constant communication with the server and immediately acts on the request.

Which actions are currently supported by the Veramine client?

The Veramine "Action Pack" functionality is under active development. The current v1.0 Veramine sensor supports sensor management actions such as update sensor, unload sensor, and uninstall sensor. The current sensor development version includes functionality to kill a specific process or delete a specific registry key. A future version of the Veramine sensor will include Yara process memory search capability.

Data Storage

Where does Veramine store customer data?

All components of the Veramine cloud-hosted offering run in the Microsoft Azure data center. The data stored by the Veramine system would certainly be considered sensitive by most security teams. However, depending on your compliance requirements, the data collected and stored may not be considered Personally Identifiable Information (PII) under a strict interpretation of that term for compliance purposes. Veramine is in the process of pursuing ISO 27001 compliance and we are happy to talk with you about any specific questions you might have related to cloud hosting of security-sensitive data.

Does the Veramine portal support two-factor authentication?

Yes. Customer accounts can be configured to require two-factor authentication for any Veramine portal logins. We currently use Authy as our 2FA provider. We encourage customers to opt in to this extra step of validation.

Server Hosting

Can the Veramine server be self-hosted?

Yes. Several different options exist for customers interested in self-hosting the Veramine server components.

The easiest option is via an Amazon AWS AMI image with all components pre-configured and set to auto-start on boot. This option is most suitable for customers already hosting backend infrastructure in Amazon AWS and is an especially good option for easy initial testing and evaluation. While the single machine installation is fine for testing, most customers will need to eventually run multiple AWS virtual machines to support production workloads. Veramine engineers would work directly with customers in this scenario to scale the server-side infrastructure within AWS for the production workload.

Customers who would prefer to self-host the Veramine server components in their own data center have two options. Veramine can make available VHD or VMI images tailored to run within a customer's own virtualization infrastructure. This option may be less convenient for customers to operate, maintain, and update but exists as an option for customers who prefer the Veramine server to run only within their own data center. Veramine can also provide a hardware appliance for customers to physically colocate in their own data center. Please reach out with any questions about your specific requirements if you would prefer a Veramine self-hosted option.

What are the advantages of using the Veramine cloud-hosted server over self-hosting?

Due to economies of scale, the Veramine cloud-hosted server will be significantly less expensive in both the short and long term. Even without factoring in the operational cost of self-managing the Veramine installation, the Veramine cloud-hosted option will be less expensive. We will also always deploy our most recent server-side detection algorithm updates to the Veramine cloud-hosted servers first, with server-side updates shipped to self-managed customers monthly or quarterly.