What information is sent and stored in the cloud by EPP and EDR solutions



    Alongside frequent changes to personal data legislation and the growing role of the state in this area, questions arise about the privacy policies of various vendors, and whether software manufacturers can be trusted with personal data at all. It is also interesting to know exactly what information antivirus vendors collect, transmit and store in the cloud. In this article we look at the question using the example of a cloud-based security solution for corporate customers, Panda Adaptive Defense [360], whose centralized management console is also hosted in the cloud.


    We have written repeatedly about Panda's cloud solutions for centralized endpoint protection, which include Panda Endpoint Protection [Plus] and Panda Adaptive Defense [360]. What sets these solutions apart is that their entire infrastructure (management console, databases, repository, etc.) lives in the cloud, while only local agents are installed on the endpoints.


    Since the local agents and the management console must exchange information constantly, the local agents necessarily send something to the cloud. Let's see exactly what is sent to the cloud and what is stored there.


    What data is transferred to the cloud


    The new security model in Panda Adaptive Defense requires collecting information about what each application does. Continuous monitoring of the actions performed by applications, followed by analysis of this data with machine learning techniques in our Big Data environment, is what allows us to offer a high level of protection.


    The data collected by Panda Adaptive Defense complies with the following rules:


    • Only information about Windows executable files (.exe, .dll, etc.) that are started or loaded on the machine is collected.


    • Attributes of such files are sent in a standardized form, without information specific to each user. For example, file paths are standardized as LOCALAPPDATA\name.exe instead of C:\Users\USER_NAME\AppData\Local\name.exe.


    • Only the URLs from which executable files were downloaded are collected. URLs that the user opens in the browser while browsing sites are not collected.


    • The data collected does not contain personal information.


    • In no case does Panda Adaptive Defense send personal information to the cloud.


    The following information is collected from each machine:


    • The name of the device.
    • Operating system.
    • Service Pack.
    • The group in which the protected PC is located.
    • The default IP address of the machine.
    • MAC address.
    • IP addresses assigned to the various network adapters.
    • MAC addresses of the various network adapters.
    • RAM size in MB.


    To support the new protection model in Panda Adaptive Defense, information about the actions performed by applications on the system is also sent to the cloud.


    Attribute | Data | Description | Example
    --------- | ---- | ----------- | -------
    File | Hash | Hash of the event's file | -
    URL | URL | Address from which the PE file was downloaded | http://www.malware.com/executable.exe
    Path | Path | Standardized path where the event's file is located | APPDATA\
    Registry | Key / Value | Windows registry key and its associated value | HKEY_LOCAL_MACHINE\SOFTWARE\Panda Security\Panda Research\Minerva\Version = 3.2.21
    Operation | Operation ID | ID of the operation of the recorded event (creation / modification / loading / ... of the PE file, its download, communication, etc.) | Event type 0 indicates PE file execution
    Communication | Protocol / Port / Address | Records a process communication event (not its content) together with its protocol and address | Malware.exe sends UDP data to port 4865
    Software | Installed software | Obtains the list of software installed on the machine via the Windows API | Office 2007, Firefox 25, IBM Client Access 1.0
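    The data-minimization rules above (standardized paths, download URLs only, communication metadata without content, and upload of executables the cloud has not seen yet) are easy to get subtly wrong, so here is an added example that models them. This is illustrative code written for this article, not Panda Security's agent code: the prefix-to-token table, the in-memory set standing in for the Collective Intelligence store, and every sample path, hash and address are constructed for the demo.

```python
"""Added example, not Panda Security's code. Models the data-minimization
rules described above: per-user path prefixes are replaced by standard tokens,
a file event keeps only the attributes listed in the table, a communication
event keeps protocol/port/address but never payload, and an executable is
queued for upload only if its hash is not already known. The prefix table,
the 'known hashes' set and all sample inputs are constructed for this demo."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed prefix table: the most specific per-user prefixes come first, so a
# LOCALAPPDATA path is not reduced to the less informative USERPROFILE token.
PREFIX_TOKENS = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\", re.I), "LOCALAPPDATA\\"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.I), "APPDATA\\"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I), "USERPROFILE\\"),
    (re.compile(r"^[a-z]:\\program files \(x86\)\\", re.I), "PROGRAMFILES(X86)\\"),
    (re.compile(r"^[a-z]:\\program files\\", re.I), "PROGRAMFILES\\"),
    (re.compile(r"^[a-z]:\\windows\\", re.I), "WINDIR\\"),
]


def standardize_path(path: str) -> str:
    """C:\\Users\\alice\\AppData\\Local\\name.exe -> LOCALAPPDATA\\name.exe.
    Paths outside every known prefix are returned unchanged."""
    for pattern, token in PREFIX_TOKENS:
        m = pattern.match(path)
        if m:
            return token + path[m.end():]
    return path


def path_leaks_username(path: str, username: str) -> bool:
    """True if any path component equals the local user name (case-insensitive);
    such a record would still be user-specific after standardization."""
    return any(part.lower() == username.lower() for part in path.split("\\"))


def build_file_event(raw_path: str, file_bytes: bytes, operation_id: int,
                     username: str, download_url: Optional[str] = None,
                     browsed_url: Optional[str] = None) -> Dict[str, object]:
    """Minimal file event: hash, standardized path, operation id and the URL
    the PE was downloaded from. A URL the user merely browsed is never stored."""
    std_path = standardize_path(raw_path)
    if path_leaks_username(std_path, username):
        raise ValueError("standardized path still identifies the user: %s" % std_path)
    event: Dict[str, object] = {
        "Hash": hashlib.sha256(file_bytes).hexdigest(),
        "Path": std_path,
        "Operation": operation_id,
    }
    if download_url:
        event["URL"] = download_url
    del browsed_url  # deliberately discarded: browsing history is not telemetry
    return event


def build_communication_event(process_hash: str, protocol: str, port: int,
                              address: str, payload: bytes) -> Dict[str, object]:
    """Communication event: which process talked, how and where, never what it said."""
    del payload  # content is never part of the record
    return {"Hash": process_hash, "Protocol": protocol, "Port": port, "Address": address}


def select_for_upload(events: Iterable[Dict[str, object]],
                      known_hashes: Set[str]) -> List[str]:
    """Return the hashes of executables the cloud store (simulated by
    known_hashes) has not seen yet, and mark them as known."""
    to_send: List[str] = []
    for ev in events:
        h = str(ev["Hash"])
        if h not in known_hashes:
            known_hashes.add(h)
            to_send.append(h)
    return to_send


if __name__ == "__main__":
    # Constructed sample: the same binary executed from two different user profiles.
    sample = b"MZ-constructed-sample"
    e1 = build_file_event(r"C:\Users\alice\AppData\Local\name.exe", sample, 0, "alice",
                          download_url="http://example.invalid/executable.exe",
                          browsed_url="http://news.example.invalid/article")
    e2 = build_file_event(r"C:\Users\bob\AppData\Local\name.exe", sample, 0, "bob")
    known: Set[str] = set()
    print(e1)
    print(select_for_upload([e1, e2], known))  # one hash: the second copy is deduplicated
```

    The username check matches whole path components rather than substrings, so a user named "al" does not trip on "LOCALAPPDATA", while a path such as D:\shares\alice\x.exe, which no prefix rule covers, is refused rather than sent with the name inside it.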

    In addition, executable files themselves may need to be sent to our Collective Intelligence cloud platform. To reduce the load on the communication channel, only executable files that are not already present in the Collective Intelligence platform are sent.


    Whenever executable files are sent, we guarantee that in no case will they contain confidential user or customer information.


    All collected information is sent to the cloud in encrypted form. In some cases we use SSL, in others Blowfish encryption.


    Transfer of data to third parties


    All operational information is stored exclusively on our Windows Azure cloud platform.


    Information is not shared with third parties unless the users themselves:


    • Want to receive information about the alerts and security data collected in Panda Adaptive Defense in their own SIEM system. The collected security information is sent to the user's SIEM over a secure protocol, with the user's prior agreement.


    • Use the Logtrust platform (Advanced Reporting Tool), the SIEM utility integrated into Panda Adaptive Defense [360] by default. Logtrust is a Big Data cloud platform that stores, in real time, the parameters collected from all machines protected by Panda Adaptive Defense. Information is sent to Logtrust over HTTPS and stored in Logtrust's data center (CPD).


    Cloud platform security


    The entire cloud infrastructure of Panda Adaptive Defense [360], as well as of its lower-tier editions Panda Endpoint Protection [Plus], is hosted on the Windows Azure platform, which provides strong protection and confidentiality for stored data. The security and control policies established in Azure are described in the Windows Azure Security Overview White Paper.


    What security does the platform hosting Logtrust provide?

    Logtrust uses Amazon Web Services, providing all the benefits of the physical and information security of Amazon data centers.


    See the AWS Regulatory Compliance cloud document for more information.


    Access to Logtrust systems is always filtered by a firewall and secured with certificate-based authentication. In addition, all systems, services and applications that make up the cloud infrastructure forward their logs for audit and security purposes.


    Security certifications

    As stated above, Windows Azure runs on the Microsoft Global Foundation Services (GFS) infrastructure.


    The following document provides security management information for Global Foundation Services (GFS), the Microsoft cloud infrastructure running Windows Azure.


    Windows Azure certifications:


    • ISO/IEC 27001:2005
    • Statement on Auditing Standards No. 70 (SAS 70) Type I and II
    • Sarbanes-Oxley (SOX)
    • Payment Card Industry Data Security Standard (PCI DSS)
    • Federal Information Security Management Act (FISMA)


    More information on ISO 27001 certification.


    The same page also contains a White Paper describing how Windows Azure meets the security requirements defined by the Cloud Security Alliance's Cloud Controls Matrix.


    A paragraph from that paper:


    "Our security framework is based on ISO 27001, which allows users to evaluate how Microsoft meets or exceeds the security standards and principles applicable to them. ISO 27001 defines the procedure for implementing, monitoring, maintaining and continually improving an information security management system (ISMS). In addition, the GFS infrastructure is audited annually under the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards (SAS) No. 70, which will be replaced by the AICPA Statement on Standards for Attestation Engagements (SSAE) No. 16 and International Standard on Assurance Engagements (ISAE) No. 3402. An audit of Windows Azure as part of the SSAE 16 audit is also planned."


    Security certificates for the platform hosting Logtrust data

    Users who intend to use the Logtrust service should know that they can rely on the physical security measures of Amazon's data centers (CPD).


    As can be seen in this document, Amazon holds all the main certifications:


    • ISO/IEC 27001
    • SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS70)
    • Payment Card Industry Data Security Standard (PCI DSS)
    • Federal Information Security Management Act (FISMA)


    Where is the Windows Azure platform located?

    Windows Azure has sites around the world. Currently, the data center used by Panda Security is located in Dublin (Ireland). Below is a photograph of the data center in Ireland.





    Where is the Amazon Logtrust platform located?

    Logtrust runs in a high-availability configuration on its Amazon platform, located in Amazon's own data center in Ireland.


    Conclusion


    Panda's cloud solutions are serious products released by Panda Security, headquartered in Spain. Given the strict requirements for the protection of personal data in the European Union and the USA, these solutions hold all the international certifications needed to guarantee the security and confidentiality of the transmitted data and of the information storage systems.


    As a result, no personal data is transferred from the local agents to the cloud.

