We Have 7 Questions For You.

If you can't answer yes to each of these, we should talk.

Question 1:

In just a few minutes, can you quantify the following across your Linux servers according to the U.S. National Vulnerability Database?
  • The number of software vulnerabilities?
  • The determined severity of each?
  • How likely the risk of exploit is?

Question 2:

If a new port opened, closed or was changed on one of your servers:
  • Would you get notified?
  • Could you generate a historical timeline of port events across your enterprise?

Question 3:

In just a few minutes, can you:
  • Generate a report of what software packages are installed on a server
  • Get the version number of each software package
  • And determine when individual packages were installed, changed, or deleted?

Question 4:

Within a few minutes, would you know if:
  • A user is added, modified, or deleted?
  • A group is added, modified, or deleted?
  • A user obtains or loses membership in one or more groups?

Question 5:

Within a few minutes, would you be alerted if the following happened on any of your servers:
  • A file or directory had its ownership (user or group) modified?
  • A file or directory had its octal permissions changed, granting more or less read/write/execute access?

Question 6:

Can you organize your individual servers into Departments that reflect logical organizational units within your enterprise, and then subsequently see trends and aggregated vulnerability statistics for those Departments?

Question 7:

For any of 1-6, can you quantify to what extent these risks have shifted across two categories:
  • Time (year, month, quarter, or day)
  • Scope (for a single server up to the entire enterprise)

Software Package Vulnerabilities

Anamo is an integrated vulnerability detection and management platform. As software names, versions, and vendor revisions are sent by client servers, Anamo checks each instance against the National Vulnerability Database and other trusted data sources. That yields rapid visibility into the state of your software vulnerabilities across your entire enterprise.

Department Vulnerabilities

Servers may be grouped by department or by tag. For many (if not most) businesses, looking up all vulnerabilities for a particular unit can take dozens of hours. With Anamo, this knowledge is gleaned in seconds.

Current Risks:

Anamo shows you all vulnerabilities on your server found in the National Vulnerability Database. This includes displaying the associated CVE number, exploitability risk, attack vector, and determined severity of the risk.

Vulnerability Details

Anamo provides technical details for every vulnerable package found on any of your servers, ranked by its severity score so you know what to prioritize for remediation. In addition, Anamo displays the exploitability likelihood, a measure of how simple or complex a known vulnerability is to actually use against a server manifesting that vulnerability.

Trend Analysis:

You can also look back at your server at various points in time to see how many vulnerabilities existed then and to track your progress towards securing your enterprise environment.

Anamo's trend analysis makes quantifying risk over time easy.

Get Specific:

Anamo also lets you drill down into an individual package to see all associated risks, as one version of software can of course have multiple vulnerabilities. Package data (especially for lower-level dependencies) is described so you know what you're dealing with. This is all part of Anamo's mission to bring useful data to the surface and collect it in one place so that you can make informed information security decisions.

Vulnerability Timeline:

A particularly unique feature of Anamo is knowing why a vulnerability was fixed. With Anamo's vulnerability timeline, you can see what specific version of software (typically a more up-to-date one) actually ended up remediating a vulnerability. This also helps quantify trends and how effective the response was, because it shows how long a vulnerability existed before it was remediated by another version.

Software Packages: Version History

Overview

Anamo tracks (1) when new software packages are added, (2) when the version of an existing software package changes (whether the version is upgraded or downgraded), and (3) when software packages are removed.

Version History:

Anamo is all about getting the right data to the surface quickly. Its software version history capabilities let you pick a package on a server and review its entire version history. This can show if any versions were vulnerable at any point in time.

Currently supported packages include: rpm, pip, deb, and Ruby gem. Windows support, including OS and individual software packages, is coming later in 2018.

Search Back In Time:

Search a date/time range for what software packages were installed on an individual server and when.

Port Events

Overview:

Ports are like openings on a server that allow data to flow in and out. From an information security perspective, knowing what ports should be open is kind of like knowing who has keys to your house: if that changes, you would certainly want to know.

Anamo’s Port Events functionality tracks when new ports open, existing ports close, and when ports are updated.

Anamo also shows port definitions, even the weird ones. Often, IT administrators have to look up what a port does or what program it is associated with. Anamo saves time by showing you what services or functions are associated with a particular port.

Open, Closed, and Updated Ports

Open ports could be caused by a malicious actor opening a port to exfiltrate data from your system or by a program running locally that opens a port as part of its functionality. Whether or not the intent is malicious, knowing when ports open is crucial. An open port can allow systems external to your server or network to talk to your server, or can allow your server to communicate with the outside world.

Closed ports may similarly indicate a security risk. The team at US ProTech has seen ports close when a malicious actor seeks to block information from reaching security monitoring tools. Similarly, a closed port can cause services that depend on those ports to cease functioning normally.

Changed port rules can be innocuous or indicative of a malicious move. For example, suppose a firewall rule is configured to only allow port 3306 to talk to an IP address of 127.0.0.1. If that rule is updated such that port 3306 is now allowed to communicate with both 10.20.30.40 and 127.0.0.1, that change event could indicate an overly-permissive set of rules that an attacker could take advantage of.
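The three event types described above, including the port 3306 rule change, shown as an added example (not Anamo's own code). The snapshot format (a mapping of port to allowed source addresses), the function names, and every sample value other than the 3306 rule are assumptions constructed for illustration.

```python
import ipaddress

def is_loopback(source):
    """True when a rule source (address or CIDR) lies entirely in loopback space."""
    return ipaddress.ip_network(source, strict=False).is_loopback

def diff_port_rules(before, after):
    """Compare two {port: set(allowed sources)} snapshots and return change events."""
    events = []
    for port in sorted(before.keys() | after.keys()):
        old, new = before.get(port), after.get(port)
        if old is None:
            events.append({"event": "opened", "port": port, "sources": sorted(new)})
        elif new is None:
            events.append({"event": "closed", "port": port, "sources": sorted(old)})
        elif old != new:
            added, removed = new - old, old - new
            events.append({
                "event": "updated", "port": port,
                "added": sorted(added), "removed": sorted(removed),
                # Widened: the rule now accepts at least one new non-loopback source.
                "widened": any(not is_loopback(s) for s in added),
            })
    return events

# Constructed snapshots taken at two points in time (hypothetical format).
BEFORE = {22: {"10.0.0.0/8"}, 514: {"10.0.0.5"}, 3306: {"127.0.0.1"}}
AFTER = {22: {"10.0.0.0/8"}, 3306: {"127.0.0.1", "10.20.30.40"}, 8080: {"0.0.0.0/0"}}

if __name__ == "__main__":
    for event in diff_port_rules(BEFORE, AFTER):
        print(event)
```

Storing each event with the snapshot timestamp is what turns this diff into a historical timeline of port events.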

Permissions



What Anamo Collects:

For all resources found within a particular path and down to a filesystem depth level set by the customer, Anamo collects the following:
  • Name (file, directory (folder), symbolic link, etc.)
  • Last modified time (mtime)
  • User and group ownership
  • Size
  • Extension

End Result:
  • Get alerted when a file or directory shows a change in octal permissions
  • Get alerted when a file or directory shows a change in user ownership
  • Get alerted when a file or directory shows a change in group ownership
  • Search a resource's entire change history and view on an aggregated timeline
  • Search one server or your entire enterprise for a particular octal permission (can be constrained by date range, extension, name, or resource type)


Automated Record Keeping.

One of the most frustrating challenges when it comes to cybersecurity is keeping track of subtle changes. Server filesystems possess thousands of files, directories, and other resources. Keeping track of when those changes occur is both overwhelming and incredibly important.

What if, though, software that ran 24/7 did it for you, keeping an eye on the entire state of your filesystem at different dates and times? That would allow you to know what users and groups owned what resources and what permissions were set.

Anamo is an incredible search engine and alerting tool for keeping track of the vast tree of a Linux or Windows (later in 2018) server system.

Global Permissions Search

Octal permissions refer to what users, groups, and others can do in terms of reading, writing, and executing resources on your servers. Figuring out where excessively liberal permissions exist across all of your servers would be a serious undertaking for many companies.

Anamo, however, is wicked fast. It can search and compare what octal permissions currently exist and how they were set in the past. If you'd like to find where permissions of 777 exist across your systems, simply enter it and go. Anamo pulls the latest transaction date and time, searches against that, and presents the file name, type, and path for you to easily find and fix it.

Before and After

Anamo tracks when permissions change in two ways: when ownership changes or when octal permissions change. Both are incredibly important security metrics.

When a new owner, whether a user or group, gets associated with a particular file or directory, that could be evidence of a slip-up by an IT staff member or a malicious attempt to escalate privileges.

Anamo also tracks octal permissions for files and directories. When certain users or groups are given more or less access to files or directories, this can certainly be indicative of anomalous activity.
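The depth-limited collection, the before-and-after comparison of ownership and octal permissions, and the search for a specific octal value such as 777, shown as an added example (not Anamo's own code). The snapshot layout, the function names, and the temporary file `app.conf` are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def snapshot(root, max_depth=3):
    """Record mode, uid and gid for every resource under root, down to max_depth levels."""
    snap, base = {}, root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))  # lstat: the link itself, not its target
            snap[os.path.join(dirpath, name)] = {
                "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
        if dirpath.count(os.sep) - base + 1 >= max_depth:
            dirnames[:] = []  # do not descend past the configured depth
    return snap

def diff_snapshots(before, after):
    """Return ownership and octal-permission change events for paths in both snapshots."""
    events = []
    for path in sorted(before.keys() & after.keys()):
        old, new = before[path], after[path]
        for field in ("uid", "gid"):
            if old[field] != new[field]:
                events.append({"path": path, "change": field,
                               "old": old[field], "new": new[field]})
        if old["mode"] != new["mode"]:
            events.append({
                "path": path, "change": "mode",
                "old": format(old["mode"], "03o"), "new": format(new["mode"], "03o"),
                "granted": format(new["mode"] & ~old["mode"], "03o"),  # access added
                "revoked": format(old["mode"] & ~new["mode"], "03o"),  # access removed
            })
    return events

def find_mode(snap, octal):
    """Search one snapshot for an exact octal permission such as '777'."""
    return sorted(p for p, meta in snap.items() if meta["mode"] & 0o777 == int(octal, 8))

def demo():
    """Constructed sample: one file in a temporary tree goes from 640 to 777."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "app.conf")
        open(path, "w").close()
        os.chmod(path, 0o640)
        before = snapshot(root)
        os.chmod(path, 0o777)
        return diff_snapshots(before, snapshot(root)), find_mode(snapshot(root), "777"), path
```

Calling `demo()` returns the single mode-change event, the paths currently at 777, and the sample file's path; the `granted` and `revoked` fields show which access bits were added or removed.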

Searchable Filesystem Tree

One of Anamo's unique features is that it acts like a forensics time machine for your filesystem. Simply pick a transaction date and time and Anamo quickly loads key security information about your filesystem at that point, including file and directory ownership, resource names, and permissions. Coming in March 2018 will be the last modified time of the file or directory and its size.

Users and Groups

In Detail:

Anamo keeps an investigative eye on your server's permissions per user and group, what users and groups exist, and their relationships to one another. In terms of securing your data, these categories are intimately connected because users and groups have permissions to perform certain functions. These are among the most overlooked aspects of information security because these types of specific changes are rarely noticed by most IT staff or other security applications.

Anamo keeps track of user and group data in all Linux servers, and Windows servers are being added with our next update. In our team’s collective security experience, any modification to a user, group, or group membership is significant. It could be an errant, negligent employee making a mistake, a vengeful employee or contractor looking to cause insider harm, or evidence of an external, malicious attacker seeking to elevate their privileges.

Anamo also acts as a time capsule into the existence of past users, groups, and group memberships, providing deep forensic capabilities. Anamo’s ability to track user and group activities provides invaluable data for investigations. For example, if you needed to prove that a departing employee went on a vengeance streak, this data would be essential.

Anamo can provide strong evidence to rebut negligence or individuals who might pursue monetary damages (this feature of Anamo was inspired by a contract to help a law firm prove that suspicion after an internal investigation). In the event of a breach, Anamo also provides the ability to see the attack vector; for example, a privilege escalation that allowed an unauthorized user to join a group that had the permissions that he or she desired.

User + Group tracking:

Anamo automatically records the following change events regarding user and group associations:

  • Users are added, modified, or deleted
  • Groups are added, modified, or deleted
  • Users gain or lose membership in one or more groups
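The group and membership change events listed above, shown as an added example (not Anamo's own code) that diffs two copies of a Linux `/etc/group` file. The function names, event labels, and both sample files are assumptions constructed for illustration.

```python
def parse_group_file(text):
    """Parse /etc/group content (name:password:gid:members) into a dict keyed by group."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups

def diff_groups(before_text, after_text):
    """Return (event, group, detail) tuples describing changes between two snapshots."""
    before, after = parse_group_file(before_text), parse_group_file(after_text)
    events = []
    for name in sorted(before.keys() | after.keys()):
        old, new = before.get(name), after.get(name)
        if old is None:
            events.append(("group_added", name, sorted(new["members"])))
        elif new is None:
            events.append(("group_deleted", name, sorted(old["members"])))
        else:
            if old["gid"] != new["gid"]:
                events.append(("group_modified", name, [old["gid"], new["gid"]]))
            for user in sorted(new["members"] - old["members"]):
                events.append(("membership_gained", name, [user]))
            for user in sorted(old["members"] - new["members"]):
                events.append(("membership_lost", name, [user]))
    return events

# Constructed /etc/group contents at two points in time.
# Note: a user's primary group lives in /etc/passwd and does not appear in these lists.
BEFORE = "root:x:0:\nsudo:x:27:alice\ndevs:x:1001:alice,bob\ntemp:x:1002:\n"
AFTER = "root:x:0:\nsudo:x:27:alice,bob\ndevs:x:1001:alice\nops:x:1003:carol\n"

if __name__ == "__main__":
    for event in diff_groups(BEFORE, AFTER):
        print(event)
```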

Organize Your Server Data Around Your IT Practices

Departments

Anamo allows you to categorize servers into a department. This helps limit visibility from members of your organization who do not need to see what's happening in other groups while giving CISO, legal, and risk/compliance/governance professionals the information insights they need to provide proper oversight.

Tags

Apply any number of tags to a server. You can search for certain events like software installations or vulnerability severity based on a common tag. This massively reduces the often redundant time spent getting the simple information security data your enterprise needs quickly.

What is Anamo?



Anamo is enterprise information security software with two parts:


(1) An agent that collects minimal data from a customer's server in a privacy-conscious manner using an extremely lightweight Ruby gem.

(2) A secure web application to view, search, and conduct trend analysis for your enterprise information security risk posture.




Anamo takes care of the "heavy lifting," eliminating any need to run intensive software or impose any performance burden on our customers' IT environment. Data is received by Anamo at regular time-based intervals, and upon arrival, vast quantities of data are parsed to extract relevant cybersecurity information, bring it to the surface, and present actionable information. The end result is a much more informed perspective on your organization's cybersecurity, the type that enables more intelligent and more real-time decision-making.



Anamo monitors risks to your servers in five key areas that are notoriously difficult to maintain constant awareness of.
