Risk Intelligence - Windows - Quick Start Guide

The following section provides information on the steps required to get up and running with Risk Intelligence for Windows.

Update the Advanced Monitoring Agent

The first step is to ensure that the devices the Risk Intelligence Automated Tasks are to be deployed on are running the Advanced Monitoring Agent 9.13.8 or later. For supported Windows versions and the associated Monitoring Agent (where applicable), please refer to Supported Operating Systems: Windows.

The installed version of the Advanced Monitoring Agent is reported in the Device's Summary tab and in the Device Inventory Report, available from the Reports menu.

To manually update or install the Advanced Monitoring Agent, log on to the Dashboard and go to Agent, Download Agent, then select the required Agent version from the menu.

Once downloaded, simply run the Agent installer on each of the devices Risk Intelligence is to be deployed on. If the Advanced Monitoring Agent is already present on a device, the program updates the existing files whilst retaining the current settings. When running on a new device the program runs the Agent setup wizard.

For network-wide deployment via Group Policy or to create an end user Remote Worker installation package, go to Agent, Download Agent, Download Site Installation Package. Enter the Agent Key password when prompted, select the Client and Site combination then download the required package.

In addition to the manual process, the Agent may be updated directly from the Dashboard.

Multiple Devices

Automatically update Agents from the overall device type (Server or Workstation) down to individual devices via the Agent Auto Update dialog available from the Agent menu, Agent Auto-update Settings.

Please be aware that this deployment option is not available for RC (Release Candidate) Agents.

Individual Devices

An individual device can be upgraded to the latest release from the Edit dialog available when clicking on the target device in the north pane of the Dashboard, or from the Server or Workstation drop-down. Select the Update Agent in the General Settings to automatically begin the update process the next time the Agent checks in.

Create a Risk Intelligence Policy

Each aspect of Risk Intelligence, from the scans enabled for a device to their schedule, is controlled through Risk Intelligence policies.

To get you up and running we have included default policies for Servers, Desktops and Laptops, with the option to manage your own custom policies (as well as edit the defaults).

  1. Go to Settings > Risk Intelligence > Policy
  2. Click New
  3. Enter the Policy Name for identification
  4. Either select an existing policy from the Base Policy On drop-down to act as a template or leave blank for a completely new policy, with all scans set to Do not Run (disabled)
  5. Choose the device type the policy is to apply to from Policy Type
  6. This opens the Policy dialog containing the following configuration sections
  7. Configure the sections (listed below)
  8. Scans are enabled by changing the Select Frequency Method setting from Do not Run (disabled) to the required schedule option: Once per Day (select one day for weekly scans), Once per Month or Manual. To disable a scan, change its setting to Do Not Run.

    As these intensive scans may take some time to complete, we have included a mechanism which prevents the scheduling of a scan within two hours of another scan. If two scans are scheduled to take place within this two-hour period, a notification is displayed when attempting to save the policy and the save option is disabled until the schedules are changed. Where a scan is still running when a new scan is scheduled to start, the currently running scan is stopped.

  9. Save once complete to apply.
| Section | Description |
| --- | --- |
| General | View the Policy type, edit the Policy name and set the account wide Currency Symbol and Security Liability Amount as well as any Global Policy File Exclusions. |
| Security Scan | Retrieves vulnerability information from the device to expose the Operating System and installed application security risks. |
| PCI Scan | Searches for risks with internal PCI compliance violations. |
| Data Breach Risk Scan (Country) | Runs a security scan and looks for Credit Card Numbers, dates of birth, government issued identification, and financial account numbers. As there is not a global standard for the format of information considered PII (government issued identification etc.), we have included country specific versions of the Data Breach Risk Scan designed to retrieve localised PII in that country's format. These are designated using the following country codes: AUS, BEL, BRA, CAN, DEU, ESP, FRA, GBR, IRL, ITA, NLD, NOR, NZL, SWE, USA, ZAF, NZL. |
| Expanded Data Breach Risk Scan | Runs a security scan searching for Credit Card Numbers, dates of birth, government issued identification, and financial account numbers. Also performs a Technical Safeguards Check, which queries the device's configuration and highlights settings that do not meet common baseline configurations. |
| Custom Scans | This section contains custom scans created using the Scan Configuration wizard available from the Risk Intelligence portal. |

How to create or edit a Custom Scan

Open the Risk Intelligence portal at the Scan Configuration section by clicking on the Customize Scans button in the Dashboard's Risk Intelligence Policy dialog.

Select the required scan type, then use the wizard to configure it.

There are four types of scan available:

| Scan Type | Notes |
| --- | --- |
| Security | Identifies operating system and application patch and security vulnerabilities by severity. |
| File Finder | Use a File Finder scan to find files on a device matching wildcard strings or MD5, SHA-1 or SHA-256 secure hash formats. |
| PCI and PAN | Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. We scan devices and format a report that helps identify vulnerabilities and demonstrate PCI DSS 3.2 compliance. This is three scans combined: Security, PCI DSS and PAN. |
| Data Breach Risk Scan | Combines the Security vulnerability scan and a Data Discovery scan, highlighting the security vulnerabilities from the Security scan and identifying the most sensitive data on the device. The Data Discovery scan type may be customized to only look for specific data. |

Once created, the scan is available in the Custom Scans section of the Dashboard's Policy section.

To manually synchronize the Dashboard's custom policy list with Risk Intelligence, click the Reload Customized Scans button.
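The File Finder scan type above matches files by wildcard string or by MD5, SHA-1 or SHA-256 hash. The following is an added example, not part of the original guide and not the product's own code, showing how such a sweep can be reproduced locally to validate search terms before they go into a Custom Scan. The function names and the rule that a hex string of digest length is treated as a hash are assumptions made for this example.

```python
import fnmatch
import hashlib
import os
import re

# Hex digest length -> hashlib name for the three hash formats the guide lists.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


# Assumption: a term made only of hex digits with a digest length is a hash.
def split_criteria(criteria):
    """Split search terms into wildcard patterns and {algorithm: {digests}}."""
    wildcards, digests = [], {}
    for term in criteria:
        algo = HASH_ALGOS.get(len(term)) if HEX_RE.match(term) else None
        if algo:
            digests.setdefault(algo, set()).add(term.lower())
        else:
            wildcards.append(term)
    return wildcards, digests


def file_digests(path, algos, chunk=1 << 20):
    """Stream the file once and feed every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def find_files(root, criteria):
    """Return sorted (relative_path, reason) pairs for files matching any term."""
    wildcards, digests = split_criteria(criteria)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            hits += [(rel, "name:" + p) for p in wildcards
                     if fnmatch.fnmatch(name.lower(), p.lower())]
            try:
                found = file_digests(path, digests) if digests else {}
            except OSError:
                continue  # unreadable or locked file: keep sweeping
            hits += [(rel, a + ":" + d) for a, d in found.items() if d in digests[a]]
    return sorted(hits)
```

Call `find_files(root, terms)` with a directory and a mixed list of wildcard and hash terms; each hit records which term matched, so a name match and a hash match on the same file are reported separately.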

Pre-Risk Intelligence Policy - Automated Tasks (Legacy)

Introduced in Dashboard 6.31, Risk Intelligence policies replace the previous manual and Monitoring Template deployment methods. From Dashboard 6.31, Risk Intelligence Automated Tasks are only managed at the policy level.

Information on converting existing Risk Intelligence Automated Tasks is covered in the section Non-Policy Risk Intelligence Automated Task Conversion.

Enable Risk Intelligence and select Policy

Risk Intelligence can be enabled for all Servers and Workstations or servers and workstations at the specified Clients and Sites. Risk Intelligence is policy driven and by default servers and workstations will inherit policy from site, which will in turn inherit from client, which will in turn inherit policies set for all servers and workstations.

To enable Risk Intelligence and set the policy for multiple devices:

  1. Go to Settings > Risk Intelligence > Policy
  2. Select the Entity type to enable Risk Intelligence on (all servers and workstations or servers and workstations at specific clients and sites)
  3. We use dots in the Settings dialog to make it easier to spot if the feature is enabled or disabled at the entity level, and whether devices under an entity have the same settings.

    • Green - Feature or functionality enabled for all devices under that entity. This includes device level settings
    • Grey - Feature or functionality disabled on at least one device under that entity. This includes device level settings
    • Orange - One of the child entities has a different configuration to the parent. Where a Client only has one Site, its status indicator reflects that of the Site

    For further information on each of these states, please refer to Feature and Functionality Settings Iconography.

  4. Change Setting to On, Off or Use Parent (only for Client or Site)
  5. When Setting: On choose the policy to apply to the selected entity from the drop-down. This includes the default Server, Desktop and Laptop policies (depending on selection), but also any custom policies that are available for the selected device type.
  6. OK to save and apply

For full granularity Risk Intelligence can be enabled (or disabled) for specific Servers or Workstations via the Risk Intelligence tab of the Edit Device dialog. The Edit dialog is available from the north pane of the Dashboard when right-clicking a device or from the Server or Workstation drop-down when highlighting a device.

From here you can alter the Risk Intelligence Setting (On, Off or Use Parent) and select or change the selected policy.
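The inheritance chain described in this section (device, then Site, then Client, then all servers and workstations) decides which devices are actually scanned. The following is an added example, not taken from the original guide or from the product, that models On, Off and Use Parent resolution and lists devices left unscanned by an inherited Off. The hierarchy, device names and the "Custom PCI" policy name are constructed sample data, and `resolve` and `coverage_gaps` are hypothetical helper names.

```python
ON, OFF, USE_PARENT = "On", "Off", "Use Parent"
ROOT = "All Servers and Workstations"


def resolve(name, entities):
    """Follow Use Parent upwards; return (setting, policy, decided_at)."""
    seen = set()
    current = name
    while True:
        if current in seen:
            raise ValueError("inheritance loop at " + current)
        seen.add(current)
        parent, setting, policy = entities[current]
        if setting != USE_PARENT:
            # A policy only applies when the deciding level is On.
            return setting, (policy if setting == ON else None), current
        if parent is None:
            raise ValueError(current + " has no parent to inherit from")
        current = parent


def coverage_gaps(entities, devices):
    """Return (device, level_that_decided) for devices whose effective setting is Off."""
    gaps = []
    for dev in devices:
        setting, _policy, decided_at = resolve(dev, entities)
        if setting == OFF:
            gaps.append((dev, decided_at))
    return gaps


# Constructed sample hierarchy: name -> (parent, setting, policy)
SAMPLE = {
    ROOT: (None, ON, "Server"),
    "Client A": (ROOT, USE_PARENT, None),
    "Site A1": ("Client A", OFF, None),
    "Site A2": ("Client A", ON, "Custom PCI"),
    "Site A3": ("Client A", USE_PARENT, None),
    "SRV-01": ("Site A1", USE_PARENT, None),   # silently off: inherits Site A1
    "SRV-02": ("Site A1", ON, "Server"),       # device-level override
    "SRV-03": ("Site A2", USE_PARENT, None),
    "SRV-04": ("Site A3", USE_PARENT, None),   # inherits all the way to the top
}
```

In the sample, SRV-01 is the only gap: its own setting is Use Parent, so the Off at Site A1 is what removes it from scanning.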

Manually run a Risk Intelligence Scan

Once the Automated Tasks that run the Risk Intelligence scans have downloaded to the device and synchronized with the Dashboard, you can run them manually from the Dashboard (this allows you to run Tasks outside of the policy schedule).

  1. Select the target device in the north pane
  2. Navigate to the Tasks tab
  3. Highlight the target Risk Intelligence Automated Task
  4. From the Automated Tasks drop-down, or right-click context menu, choose Run Automated Task

Repeat the above processes to manually run additional Risk Intelligence Automated Tasks on the selection.

View Scan Results

On completion a scan's results are posted back to the Dashboard where they are available in the associated Automated Task's Output column, accessed from the Tasks tab.

Click the task summary in the Output column to open the More Information dialog. In addition to the Automated Task run information, this section contains the option to view this scan’s most recent report (Click here to view scan results) as well as navigate to the Risk Intelligence portal and view historic scan Reports (Click here to access your Risk Intelligence dashboard).

Depending on the selected scan the following Report is available.

| Automated Task/Scan | Reports |
| --- | --- |
| MAX RI Security Scan | Internal Security Scan |
| MAX RI PCI Scan | Internal PCI Security Scan |
| MAX RI Data Breach Scan | Data Breach Risk |
| MAX RI Expanded Data Breach Scan | Expanded Data Breach Scan |
| Custom Scans | Analytic Trend and Baseline Reports corresponding to the Scan Type |
| Custom File Finder Scan | File Finder Scan Report |

In addition to the reports for these specific scans, there are also Summary and Device Details Reports available from Reports, Risk Intelligence Reports.

Please be aware that all Risk Intelligence Reports are hosted on your Risk Intelligence portal rather than the Remote Management Dashboard. As such they will open in a new window when selected.

Risk Intelligence Portal

In addition to the current scan result, available from the Remote Management Dashboard, the Risk Intelligence portal provides historical information on all scans that have run on the devices along with their corresponding Reports.

The Risk Intelligence portal is accessed from the Click here to access your Risk Intelligence dashboard link in an Automated Task’s More Information dialog or https://us.ri.logicnow.com/

Enter your Remote Management Dashboard credentials, then go to View and Manage, Scan Results to display the scan information at the device level or Reports to view the trend and baseline information per Client. Please note that when logging in for the first time it is necessary to accept the credentials association.

As well as the above methods, a Dashboard External Link may be configured to direct the user straight to the Risk Intelligence login page from the External Links drop-down in the Remote Management Dashboard.

Disable Risk Intelligence

Where Risk Intelligence is no longer required you can switch it off for all devices based on type, at the Client or Site level, or on specific devices.

By default, servers and workstations will inherit policy from the Site, which will in turn inherit from the Client, which will in turn inherit policies set for all servers and workstations.

Multiple Devices

  1. Log into the Dashboard
  2. Go to Settings > Risk Intelligence > Policy
  3. Select the Entity type (from the all Servers and Workstations level down to individual Clients and Sites)
  4. Choose Off from the Settings drop-down, or Use Parent where the entity's parent setting is Off
  5. OK to exit and save changes

Individual Device

  1. Log into the Dashboard
  2. Right-click on the device in the north pane (or from the Edit drop-down)
  3. Click Edit Server or Edit Workstation
  4. Go to Risk Intelligence
  5. Choose Off from the Settings drop-down, or Use Parent where the device's parent setting is Off
  6. OK to exit and save changes