Frequently Asked Questions

Services and Solutions

Managed Detection and Response

From which devices do you currently accept logs?

Nuspire can collect and correlate any source that can output a log file.

What are your methods for getting information from the devices?

Nuspire's security information and event management (SIEM) system offers a cloud virtual log collection appliance (cLCA), a dedicated virtual log collector delivered in the standard Open Virtualization Format (OVF). The cLCA is a dedicated cloud instance of an LCA hosted by Nuspire. The SIEM’s host software agent (HSA) supports UNIX/Linux, Microsoft Windows and other operating systems. A further SIEM capability, the global processing cloud, accepts direct connections from network devices that can send log data carrying a unique identifier, such as a serial number, within the log stream.

The LCA and HSA sensors provide a real-time authenticated, encrypted and compressed communication link to our SIEM’s global processing cloud for processing, alerting, reporting and storage of the collected logs. The LCA and HSA sensors are connected to Nuspire's secure management cloud, allowing cloud-based configuration of the sensor by Nuspire.

How does retrieving information from devices affect my bandwidth?

Bandwidth for collection is typically nominal due to the relatively small byte size of log communications. In the case of significant throughput requirements, Nuspire has a number of event collection strategies to minimize bandwidth issues on slow links.

What are examples of information you can obtain from the devices?

All logs typically contain the following data elements: Timestamp, message type, source IP, destination IP and message. Depending on the device type, the collected data is combined with Simple Network Management Protocol (SNMP) status information and threat intelligence metadata.

How can I view the information the devices send to you? Can I log into a portal or see reports?

Core to Nuspire’s service is how your data is collected, aggregated, normalized and correlated so that suspicious activity produces immediate alerts. Our multi-sourced reporting platform retains 400 days of log data, enriches events with advanced threat intelligence and correlates the multiple events that make up an attack, using artificial intelligence (AI) supported by human insight. You can review detailed data reports and easily access the retained log data at no additional cost.
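The two answers above describe the common data elements every log carries (timestamp, message type, source IP, destination IP, message) and the normalize-then-correlate pipeline built on them. The following is an added illustration, not Nuspire's code or a description of its SIEM: it maps two constructed log formats (a firewall line and an authentication line) onto those five fields, enriches the source address from a constructed threat-intelligence list, and applies one simple cross-source correlation rule (repeated authentication failures followed by a success from the same address). The formats, sample lines, IP addresses and the intel list are all made up for the example.

```python
"""
Added example (not Nuspire's code): normalize two constructed log formats
into the common fields the FAQ lists (timestamp, message type, source IP,
destination IP, message), then correlate events across sources.
Every sample line, address and threat-intel entry below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Event:
    timestamp: datetime
    message_type: str
    src_ip: Optional[str]
    dst_ip: Optional[str]
    message: str
    source: str  # which device/format produced the line


# Constructed firewall format: "<ISO time> FW action=<a> src=<ip> dst=<ip> <rest>"
FW_RE = re.compile(
    r"^(?P<ts>\S+) FW action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) (?P<rest>.*)$"
)
# Constructed authentication format: "<ISO time> AUTH <success|failure> user=<u> from=<ip>"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) AUTH (?P<result>success|failure) user=(?P<user>\S+) from=(?P<src>[\d.]+)$"
)

# Constructed enrichment list keyed by source address (placeholder values).
THREAT_INTEL = {"203.0.113.7": "constructed-example-listed-scanner"}


def parse_line(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema; None for unrecognised formats."""
    m = FW_RE.match(line)
    if m:
        return Event(
            timestamp=datetime.fromisoformat(m["ts"]).astimezone(timezone.utc),
            message_type=f"fw_{m['action']}",
            src_ip=m["src"], dst_ip=m["dst"],
            message=m["rest"], source="firewall",
        )
    m = AUTH_RE.match(line)
    if m:
        return Event(
            timestamp=datetime.fromisoformat(m["ts"]).astimezone(timezone.utc),
            message_type=f"auth_{m['result']}",
            src_ip=m["src"], dst_ip=None,
            message=f"user={m['user']}", source="auth",
        )
    return None


def correlate(events, failures=3, window_seconds=300):
    """Alert when one source produces `failures` auth failures and then a
    success within `window_seconds`; attach any threat-intel tag and the
    number of firewall events seen from the same source."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.timestamp):
        if e.src_ip:
            by_src[e.src_ip].append(e)
    alerts = []
    for src, evs in by_src.items():
        recent_failures = []
        for e in evs:
            if e.message_type == "auth_failure":
                recent_failures.append(e.timestamp)
            elif e.message_type == "auth_success":
                cutoff = e.timestamp - timedelta(seconds=window_seconds)
                recent_failures = [t for t in recent_failures if t >= cutoff]
                if len(recent_failures) >= failures:
                    alerts.append({
                        "rule": "auth_failures_then_success",
                        "src_ip": src,
                        "failures": len(recent_failures),
                        "threat_intel": THREAT_INTEL.get(src),
                        "related_fw_events": sum(1 for x in evs if x.source == "firewall"),
                    })
                recent_failures = []  # a success closes the window either way
    return alerts


# Constructed sample input mixing both formats plus one unparseable line.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00+00:00 FW action=deny src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22",
    "2024-05-01T10:00:05+00:00 FW action=allow src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22",
    "2024-05-01T10:00:10+00:00 AUTH failure user=admin from=203.0.113.7",
    "2024-05-01T10:00:20+00:00 AUTH failure user=admin from=203.0.113.7",
    "2024-05-01T10:00:30+00:00 AUTH failure user=root from=203.0.113.7",
    "2024-05-01T10:00:45+00:00 AUTH success user=admin from=203.0.113.7",
    "2024-05-01T10:01:00+00:00 AUTH failure user=alice from=198.51.100.4",
    "2024-05-01T10:01:30+00:00 AUTH success user=alice from=198.51.100.4",
    "garbage line that no parser recognises",
]


def run(lines=SAMPLE_LOGS):
    """Normalize all lines, drop the unparseable ones, and return (events, alerts)."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    evs, found = run()
    print(f"{len(evs)} events normalised, {len(found)} alert(s)")
    for a in found:
        print(a)
```

The single failed login from 198.51.100.4 stays below the threshold and produces nothing, while the burst from 203.0.113.7 is raised once, carrying both the intel tag and the count of related firewall events, which is the cross-source context an analyst would want attached to the alert rather than looked up afterwards.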

Do you monitor performance indicators as well as possible security issues?

Yes.

Secure Gateway

How do you size the appropriate device for my needs?

We consider factors such as bandwidth availability/consumption, number of users, virtual private network (VPN) needs (site-to-site tunnels and external users), current gateway and future growth plans. Our goal is to make sure the gateway can meet your needs and grow with your organization over its expected lifespan.

Will I have access to the device? If not, how do I contact support?

Nuspire offers a fully managed solution, and only our security operations center (SOC) analysts and network analysts have access to the managed gateways. If you want us to make changes, contact the SOC, which operates 24x7x365, via phone or email.

What are some of the primary features of the device?

Nuspire provides Fortinet FortiGate and can manage your Palo Alto Networks and Cisco next-generation firewalls, which include state-of-the-art security and availability features such as:

  • Built-in intrusion detection system (IDS) and intrusion prevention system (IPS)
    capabilities with Layer 7 deep packet inspection
  • Secure Sockets Layer (SSL) inspection
  • Denial of service (DoS) protection
  • Proactive blocking of newly discovered threats
  • Software-defined wide-area network (SD-WAN) capabilities.

If there is an issue with the internet service provider (ISP), do you take care of that?

Nuspire can utilize any North American ISP and alert on connectivity/availability failures and provide contextual information, but we may not be authorized to speak to your ISP on your behalf.

If you manage the gateway device, can I call you about support on my computers or switches?

Nuspire is 100% focused on information security. We provide managed security services on your gateways, but we do not have access to your switches or endpoints, so we cannot provide support services on these devices.

What is the return merchandise authorization (RMA) process on the device if something happens to it?

In the event a Nuspire-owned gateway fails, we will immediately ship a replacement and handle the RMA on the failed device as seamlessly as possible. As equipment approaches end of support (EoS), Nuspire works with our customers to refresh equipment according to their requirements.

Do I have to inform you of changes to my network, such as a phone system change or a new server?

Our analysts can provide the best service when they have the latest information, so it's always a good idea to inform us of changes that could be misinterpreted as malicious activity at the gateway.

Why do I need a firewall?

A firewall is your first line of defense. It sits between your critical business assets, such as business applications, data, employee workstations and programmable devices, and the internet. It inspects network traffic for communication with malicious sites and suspicious activity that could indicate a hacker has gained access to the network, important data is being exfiltrated or ransomware is attempting to encrypt important data. Without a firewall, your network and all critical assets are completely exposed to potential malicious actors.

Endpoint Detection and Response

What devices and operating systems can be protected?

Nuspire’s endpoint protection and response service is supported on the following platforms:

  • Windows: XP, 7, 8, 8.1, 10
  • macOS: Mojave, High Sierra, Sierra, El Capitan
  • CentOS
  • Red Hat Enterprise Linux (RHEL)
  • Ubuntu
  • Windows Server: 2003, 2008, 2008 R2, 2012, 2012 R2, 2016
  • Oracle Linux
  • Amazon Linux AMI
  • Fedora
  • Debian
  • SUSE, openSUSE
  • Citrix: XenApp, XenDesktop
  • Microsoft Hyper-V
  • Oracle VM VirtualBox
  • VMware: vSphere, Workstation Pro, Fusion, Horizon


What anti-virus (AV) systems can your endpoint detection and response service run alongside?

Properly configured, Nuspire’s service can coexist with and enhance any current commercial anti-virus/anti-malware solution.

How do you handle whitelisting?

Our endpoint agent flags applications that exhibit potentially malicious or risky behavior. Our security analysts work with the client team to understand the nature of the application behaviors in question and make recommendations on either blacklisting or whitelisting the application through endpoint protection platform policy.

Will this agent interfere with any of our current applications or services? Will it impact performance?

No. In some instances we modify our platform configuration to ignore certain aspects of authorized applications, but generally, the agent coexists with popular anti-virus and anti-malware applications.

How is deployment handled? What if I don’t have a central management option?

Deployment is handled through a centralized software distribution application such as Microsoft System Center Configuration Manager (SCCM) or ManageEngine. Alternatively, the agent can be sent via email or posted to a secure internal web server with instructions for self-installation.

Do you use real artificial intelligence (AI)/machine learning?

A static AI engine provides pre-execution protection. This engine replaces traditional signatures and obviates recurring scans that decrease end-user productivity. Behavioral AI engines track all processes and their interrelationships regardless of how long they are active. When malicious activities are detected, the agent responds automatically at machine speed. Our behavioral AI is vector-agnostic: file-based malware, scripts, weaponized documents, lateral movement, file-less malware and even zero-day vulnerabilities.

How does Nuspire get the behavioral data and what is done with it?

The endpoint agent is trained on millions of behaviors both malicious and benign. Detections of anomalous behaviors are retained in the endpoint system for use in blocking actions and remediation.

How do analysts investigate alerts and determine remediation instructions?

Nuspire analysts have access to the full attack storyline including the progression of file execution, process activity, file modifications and network communications. That data is correlated with threat intelligence data and indicators from other parts of your network to complete the picture. With an understanding of what was attempted, how it was done, what impacts if any occurred and the likely next steps, Nuspire analysts can prescribe effective remediation tactics and recommend overall security posture enhancements to prevent this type of attack in the future.

What does Nuspire do to identify evasive trojans that might be exfiltrating data?

By ingesting logs from a variety of systems and correlating the logs with exceptionally detailed forensic data from the endpoint, Nuspire analysts can detect "slow and low" attacks and those implementing evasion techniques.

Can I use this information to enforce system configurations or handle remote management?

Every file change is logged and can trigger alerts for critical settings. Some remote management capabilities are available even when the system has been isolated from the network. This allows Nuspire analysts to accomplish remediation without exposing additional hosts to compromise.

What is the value of the forensic data/root cause analysis when a threat is found?

Forensic data is useful in identifying the sources and methods of the attacker to be used in further securing the environment. This may include blocking IP ranges or countries at the firewall, implementing stronger email security controls or tuning endpoint controls to lock down or remove unneeded software.

Do I need a separate agent to accomplish detection, prevention and response capabilities?

No. A single agent is used for detection, prevention and response capabilities.

Does the endpoint protection and response solution run alongside existing anti-virus (AV) solutions?

Yes, although our endpoint protection and response replaces existing AV solutions with superior capabilities. During transition periods or proof of concept engagements, the agent can coexist with legacy AV products.

How does the file rollback work?

The rollback feature leverages built-in capabilities in Microsoft Windows and Apple OS X. Both operating systems take snapshots of files on a computer. In Windows, this is done by the Volume Shadow Copy Service and in OS X by journaling. Our agent monitors the files that have been changed on an endpoint, and if a device becomes infected by ransomware, it rolls back the changes.

How do you prevent ransomware that’s programmed to wipe out shadow copies from doing that?

Nuspire's agent protects its services, processes, registry entries and other components by default. It also protects all Volume Shadow Copy Service copies, so users can quickly roll back and recover their files.

How is this deployed to servers? Isolating a server or rolling it back could be more damaging than the malware.

The deployment process is the same for servers, either through central software deployment or manual install. Remediation can be done manually through change control for high-impact servers to prevent automatic responses to false positives. Policies are tuned continuously to increase confidence in every action.

How does endpoint isolation work? Do machines need to be physically brought in to have them restored to normal function?

Protected devices can be "disconnected" from the network via policy or manually by the Nuspire security operations center (SOC). While in a disconnected state, the affected system will not be able to communicate normally on the network, but the SOC retains the ability to access and remediate the device via the installed agent software. There is no need to physically disconnect, move or ship the device in order to restore it to a known good state.

What automated action is taken to stop malicious executables? What if they’re only suspect but not definitely malicious?

The automated actions are configurable based on whether a threat is categorized as malicious or merely suspicious. Nuspire analysts collect and use threat data to validate the categorization.

Can automated remediation policies be assigned based on threat type?

Yes. The agent can be configured to kill/quarantine an executable or process based on type of threat and whether it is categorized as malicious or merely suspicious.

Why do I need experts analyzing threats and providing remediation information if the endpoint agent is protecting my endpoints?

No software is 100% secure all the time. A layered defense is always recommended. 24x7x365 monitoring and analysis increase the odds that an attempted attack can be detected and neutralized before it can cause any damage.

Security Essentials

On which security standards are your assessments based?

It depends on your industry and compliance requirements. Some common standards are the National Institute of Standards and Technology (NIST) Special Publication 800-series, International Organization for Standardization (ISO) 20001/2 and the Payment Card Industry Data Security Standard (PCI-DSS).

What deliverables can I expect from a recurring Security Essentials engagement?

Depending on the engagement, typical deliverables include:

  • A security program roadmap document
  • A "security year" or calendar of security program activities both recurring and project-oriented
  • A path from premises-based assets to the cloud, or vulnerability scan reports
  • Other deliverables agreed upon by you and Nuspire

Do unused hours roll over to the next month? Next year?

The Security Essentials team will work with client stakeholders to organize the hours into predictable work packages each month. We try to avoid accrual of hours because the service is intended to provide consistent support each month. No hours will be rolled from one contract year to another.

Can I use my Security Essentials hours for engineering projects?

Yes.


Your assessment is going to find problems that need your managed services, isn’t it?

We at Nuspire are trusted advisors working in the best interests of our clients. Sometimes our managed services are the fastest and most effective way forward, and sometimes they are not.


I don’t have any compliance requirements, so why do I need a security program?

New requirements appear on a regular basis. General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and Department of Defense Cybersecurity Maturity Model Certification (CMMC) have emerged in the last year. Some companies process financial transactions and want to align with Payment Card Industry (PCI) best practices even if they’re not subject to audit. Even if you are very sure you don’t have compliance requirements, you may still have a need to manage the risk to the organization’s information and systems. Additionally, you may have financial and fiduciary responsibilities to stakeholders, employees and clients to protect their data and information systems.

How do you develop policies and standards tailored to my business?

By taking the time to understand your business, objectives, risks (financial, information security and business continuity), industry-specific considerations, and legislative and regulatory requirements.

What happens if Nuspire isn't able to fulfill my requirements through Security Essentials?

Nuspire has agreements with vetted third-party partners that are capable of exceeding customer requirements in areas such as penetration testing, vulnerability assessments, social engineering, onsite forensics, designing a path to the cloud and firewall rule translation. You receive these services plus Nuspire's managed services, altogether in one easy-to-understand statement.

More questions? We're happy to help.