The Veramine sensor currently supports all recent versions of Windows, from Windows 7 and Windows Server 2008 R2 onward. Versions for Linux and Mac OS X are in development.
Simply run the Veramine self-contained executable on any system you'd like to monitor. You can run this binary manually or you can deploy it via psexec, group policy, SCCM, machine startup scripts, or any deployment technology you use. No client-side configuration is necessary.
Yes. The sensor can be installed within seconds after you receive a download link, as demonstrated in the following video.
The Veramine customer portal allows the sensor to be updated, uninstalled, unloaded, or restarted. Each Veramine sensor is in continuous contact with the Veramine server to enable instant network-wide management via the customer portal.
The sensor consists of a Windows kernel-mode driver that collects events and a Windows user-mode service that enumerates and communicates with the Veramine server.
After an initial, brief enumeration period, the sensor aims to consume less than 1% CPU. Running the sensor on even the least powerful cloud-based virtual machines (Azure A0, AWS t2.nano) has a negligible effect on overall performance of the system.
The sensor provides deep visibility into process activity, network connections, user logins, registry writes, remote file operations, SMB protocol operations, changes to Windows service configurations, process privilege changes, password dumping - all the visibility and context you need to detect and understand attacker activity on your network. The sensor also uploads any unique executable images to the server for analysis and storage.
The sensor's user-mode component initiates a single outbound TCP/IP connection to the Veramine server on port 443. All events and file uploads are continuously streamed to the server over this TLS-encrypted communication channel.
The stream of sensor data is continuously analyzed by the Veramine server using a variety of rule-based and machine learning algorithms to identify anomalous behavior. Analysts can supplement the system with their own detection algorithms.
The Veramine sensor's host visibility enables a wealth of potential detection opportunities. Our initial set of v1.0 server-side detection algorithms includes the following:
The detection roadmap includes extensive additional machine learning and heuristic based algorithm advances. The next set of detection algorithms currently in testing include the following:
The Veramine sensor continuously sends a stream of client-side behavior to the server. The detection algorithms are run against that stream of behavior, not against any files. The alerts describing the malicious behavior will include metadata describing the host, user, process, and loaded modules; however, the behavior need not have originated from loading a file on disk.
No, the Veramine detection system requires no signature updates. Detection is performed against a set of known-malicious behavior, not specific attributes of known malicious software files. For this reason, the Veramine sensor happily coexists alongside existing traditional anti-malware products. The anti-malware product may detect known malicious software that does not meet Veramine's detection criteria and the Veramine system will detect malicious behavior exhibited by any software, regardless of whether it is included in the anti-malware product's signature database.
Veramine alerts can be viewed in the customer portal or sent via email. Custom integration options are available via both outbound syslog and inbound direct API level access to both data and alerts.
The information collected by the Veramine sensor is sent to the Veramine server where it is augmented and correlated with additional context and then exposed through the Veramine customer portal via a rich search interface to allow flexible, ad-hoc searching.
The Veramine Discovery feature provides instant answers to any security-related questions an analyst might want answered, such as the following:
Note that this type of searching is not limited to currently-running processes. The sensor streams all events to the server and this searching is performed over both historical and real-time information. The Veramine Discovery architecture allows for a wide variety of additional search types and we are excited by the enhancements to this feature that we have already made in direct response to early customer feedback.
The Veramine Discovery feature can easily handle compliance-related requests as well, in addition to the types of security-related questions highlighted above. For example:
Yes. It's easy to use the customer portal to create any of the following "Notification Rules":
The Veramine customer portal exposes functionality to instruct the Veramine server to send specific actions to either a specific host, a group of hosts, or all hosts belonging to a certain customer. Each Veramine sensor is in constant communication with the server and immediately acts on the request.
The Veramine "Action Pack" functionality is under active development. The current Veramine v1.0 supports sensor management actions such as update sensor, unload sensor, and uninstall sensor. The current sensor development version includes functionality to kill a specific process or delete a specific registry key. A future version of the Veramine sensor will include Yara process memory search capability.
All components of the Veramine cloud-hosted offering run in the Microsoft Azure data center. The data stored by the Veramine system would certainly be considered sensitive by most security teams. However, depending on your compliance requirements, the data collected and stored may not be considered Personally Identifiable Information (PII) under a strict interpretation of that term for compliance purposes. Veramine is in the process of pursuing ISO 27001 compliance and we are happy to talk with you about any specific questions you might have related to cloud hosting of security-sensitive data.
Yes. Customer accounts can be configured to require two factor auth for any Veramine portal logins. We currently use Authy as our 2FA provider. We encourage customers to opt-in to this extra step of validation.
Yes. Several different options exist for customers interested in self hosting the Veramine server components.
The easiest option is via an Amazon AWS AMI image with all components pre-configured and set to auto-start on boot. This option is most suitable for customers already hosting backend infrastructure in Amazon AWS and is an especially good option for easy initial testing and evaluation. While the single machine installation is fine for testing, most customers will need to eventually run multiple AWS virtual machines to support production workloads. Veramine engineers would work directly with customers in this scenario to scale the server-side infrastructure within AWS for the production workload.
Customers who would prefer to self-host the Veramine server components in their own data center have two options. Veramine can make available VHD or VMI images tailored to run within a customer's own virtualization infrastructure. This option may be less convenient for customers to operate, maintain, and update but exists as an option for customers who prefer the Veramine server to run only within their own data center. Veramine can also provide a hardware appliance for customers to physically colocate in their own data center. Please reach out with any questions about your specific requirements if you would prefer a Veramine self-hosted option.
Due to economies of scale, the Veramine cloud-hosted server will be significantly less expensive in both the short and long term. Even without factoring in the operational cost of self-managing the Veramine installation, the Veramine cloud-hosted option will be less expensive. We will also always deploy our most recent server-side detection algorithm updates to the Veramine cloud-hosted servers first, with server-side updates shipped to self-managed customers monthly or quarterly.