Overview of the modules of VMware TrustPoint Security Server


Article ID: 341514


Products

VMware

Issue/Introduction

This article explains the modules available in the VMware TrustPoint Security Server Platform.

Environment

VMware TrustPoint 1.0.x
VMware TrustPoint Security Server 7.0.x

Resolution

TrustPoint Security Platform modules are:
 
  • Interact
  • Connect
  • Authoring
  • Imaging Service
  • Discover
  • IOC Detect
  • IR
  • Trace
  • Protect
  • Comply
  • Patch

Interact

 
The VMware TrustPoint Security Server Interact module can be used to:
  • Ask ad hoc Questions and review results - A Question is a message sent to VMware TrustPoint Security Server Clients requesting real-time data from its Sensors. Aggregate counts are reported in the results grid.
  • Examine results and take action - From the results grid, you can drill down to target specific computers and use the Deploy Action workflow to schedule actions to be executed on the Tanium Client host computer.
  • Save ad hoc queries as Saved Questions - A Saved Question is a configuration object that contains Question syntax and Question settings.
    In the VMware TrustPoint Security Server Console, when you click a Saved Question, the Question is issued to VMware TrustPoint Security Server Clients. Saving the Question syntax as a configuration object enables it to be reissued later. The configuration object can also be used throughout the platform, both by VMware TrustPoint Security Server solution modules and by user-developed applications that use the SOAP API. For example, you can use VMware TrustPoint Security Server Connect™ to configure a Saved Question to be run on a schedule with results sent to an external server.
  • Review and manage Dashboards - A Dashboard is an organized group of Saved Questions. You can manage the set of Saved Questions contained in the group and apply Computer Group filters to the group.
  • Review and manage Categories - A Category is an organized group of Dashboards. You can manage the set of Dashboards contained in the group and apply User Group permissions to view the Category object.

An essential set of Saved Questions, Dashboards, and Categories are created when the Initial Content pack is imported during the VMware TrustPoint Security Server installation. Additional Saved Questions, Dashboards, and Categories are created when you import additional VMware TrustPoint Security Server content packs and the solution modules.

When you get started with Interact, review the Initial Content so that you are aware of the configuration objects that are already available to you. Reviewing the Initial Content also helps you become familiar with the Questions that can be asked and with ways of grouping them to facilitate reporting and administration tasks. After you understand how these configuration objects can be used, you will be ready to create your own when necessary.

Connect

With VMware TrustPoint Security Server Connect™ (Connect), you can integrate VMware TrustPoint Security Server with a SIEM, log analytics tools, threat feeds, or send email notifications.

Connections

A connection is the link between a connection source and one or more connection destinations. The connection source might be data that VMware TrustPoint Security Server is creating, like an Answer or a log message. The connection destination is something outside of VMware TrustPoint Security Server that you are integrating with, like a security information and event management (SIEM) tool.

Connection destinations

Connect includes templates for many common SIEM tools, file, log, and email formats. You can use these templates to integrate with configuration management databases (CMDB), trouble ticketing systems, and proprietary IT systems.

Authoring

Sensors use familiar, industry-standard scripting languages rather than arcane, proprietary coding syntax. Ideally, a Sensor should use the scripting engine available on the largest number of devices under management.

For computers running a Microsoft Windows operating system, VBScript typically provides the most comprehensive "out-of-the-box" coverage, as it has been installed by default in every desktop release of Microsoft Windows since Windows 98 and in Windows Server since the Windows NT 4.0 Option Pack. Any other scripting language that the Microsoft Windows operating system supports, such as PowerShell, can also be used to develop Sensors, as long as the respective scripting engine already exists or can be deployed and configured on the systems that do not have it installed. For example, PowerShell is part of many newer Microsoft operating systems, but the PowerShell Execution Policy on the target computers may need to be changed before PowerShell scripts can execute successfully on them.

For computers running Mac OS X or a Linux operating system, shell script generally provides the most comprehensive "out-of-the-box" coverage. Again, Sensors can be developed using any Mac OS X or Linux supported scripting languages as long as the respective scripting engine already exists or can be deployed and configured on the systems that do not have it already installed.

Some Sensor configuration objects cannot be edited. A VMware TrustPoint Security Server "Reserved Sensor" is a core system Sensor, and its code is not meant to be edited by end-users. Reserved Sensors include Computer Name, Action Statuses, Computer ID, and Download Statuses.

Imaging Service

With the Image Service system, you have centralized control of a full desktop instance in a distributed infrastructure.

You can update a single base layer in the data center, and automatically synchronize the full image with all associated endpoints when they connect to the network.

You can enforce all layers without overwriting user-installed applications, data, or preferences.

With Image Service, you can migrate operating systems while preserving user profile and data.

Discover

With Discover, you can identify unknown assets in your network and take action to manage them. Discover features network scanning for unmanaged assets, unmanaged asset inventory, and metadata tagging. Discover simplifies asset management by providing actions that you can use to deploy TrustPoint Client, receive notifications about newly managed and unmanaged assets, and block unmanaged assets from accessing the network.

IOC Detect

VMware TrustPoint Security Server IOC Detect™ (IOC Detect) provides indicator of compromise (IOC) detection and YARA rule matching, together with management and analysis capabilities, to enable real-time responses to intrusions. IOC Detect also provides a REST API that allows integration between IOC Detect and other parts of the security infrastructure.

IR

With the core Incident Response (IR) solution, you can deploy a set of IR tools to each endpoint. With these tools on the endpoints, you can:

  • Scope and hunt for incidents across the enterprise by searching for evidence from live system activity and data at rest with simple natural language queries.
  • Examine and parse dozens of forensic artifacts on Windows, Mac, and Linux systems.
  • Identify outliers and anomalies by collecting and comparing data across systems in real time.
  • Build saved queries and dashboards to continuously monitor endpoints for malicious activity aligned to key phases of the intrusion lifecycle.

IRGatherer

You can collect information from compromised Windows, Linux, and Mac OS X endpoints for further forensic analysis. In addition, you can investigate potentially compromised systems by looking at file system metadata, event logs, and memory.

Trace

With VMware TrustPoint Security Server Trace™ (Trace), you can directly investigate key forensic and security events on Windows endpoints across the network. Trace provides a live and historical view of critical events including process execution, logon history, network connections, and file and registry changes. The Trace solution consists of three parts:

  • The recorder in the VMware TrustPoint Security Server Client that records events on the endpoint.
  • The Trace interface where you can explore and manage endpoint Trace data.
  • The Sensors for issuing searches across the entire enterprise for Trace data.

Protect

VMware TrustPoint Security Server Protect™ (Protect) delivers proactive protection to block malicious attacks on endpoints using native operating system and third-party controls at the speed and scale of VMware TrustPoint Security Server across your environment.

Comply

VMware TrustPoint Security Server Comply™ (Comply) allows users to support their enterprise compliance goals at VMware TrustPoint Security Server speed. Comply is primarily used for operating system-level checks and scales using the VMware TrustPoint Security Server architecture.
It features these benefits:
  • Evaluates Benchmarks against operating systems, network configuration, password policy, file permissions, and other components
  • Supports Windows, Linux, and OSX platforms
  • Supports Center for Internet Security (CIS) content
  • Enables custom checks

Patch

VMware TrustPoint Security Server Patch™ (Patch) provides you with a powerful tool to manage Windows operating system patches across your enterprise at the speed and scale of VMware TrustPoint Security Server. Patch provides a straightforward patching workflow for both simple and advanced patch deployment. You can deploy a single patch to a single machine or perform more complex tasks such as using advanced rule sets to deliver groups of patches across your environment.

Patch generates in-depth reports and returns current results from every endpoint. Patch can quickly summarize the deployment status for any given patch, providing several types of information:

  • Immediate feedback on successes and failures that require remediation.
  • Patch details, such as user annotations and links to knowledge base articles.
  • A list of applicable machines and their individual patch histories.

VMware TrustPoint Security Server Patch also allows you to define custom workflows and schedule patches based on advanced rules or exceptions built around allowlists, denylists, dynamic groups and patch lists. For example, VMware TrustPoint Security Server Patch can be configured to always apply critical Microsoft patches to all machines except for datacenter servers, or to always exclude .NET patches.
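The example policy above (critical patches to every machine except datacenter servers, .NET patches always excluded) worked through as a small rule model. This is an added illustration, not Patch's own configuration format or API; the rule fields, patch identifiers and endpoint groups are constructed for the example.

```python
"""Model of rule-based patch targeting with allowlists, denylists, dynamic
groups and exceptions. Added illustration only; not Patch's real config."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchInfo:
    kb: str          # constructed identifier, e.g. "KB-EXAMPLE-1"
    severity: str    # "critical", "important", "moderate"
    product: str     # "Windows", ".NET Framework", ...


@dataclass(frozen=True)
class Endpoint:
    name: str
    groups: frozenset  # dynamic group membership, e.g. {"datacenter-servers"}


@dataclass(frozen=True)
class Rule:
    """A patch is scheduled for an endpoint when its severity is allowlisted,
    neither its product nor its KB is denylisted, and the endpoint is not in
    an excepted group. Denylist entries always win over allowlist entries."""
    allow_severities: frozenset = frozenset()
    deny_products: frozenset = frozenset()
    deny_kbs: frozenset = frozenset()
    except_groups: frozenset = frozenset()

    def applies(self, patch: PatchInfo, endpoint: Endpoint) -> bool:
        if patch.product in self.deny_products or patch.kb in self.deny_kbs:
            return False                      # denylist beats allowlist
        if endpoint.groups & self.except_groups:
            return False                      # endpoint exempted by group
        return patch.severity in self.allow_severities


def plan(rules, patches, endpoints):
    """Return {endpoint name: sorted KBs} that at least one rule schedules."""
    return {ep.name: sorted({p.kb for p in patches for r in rules if r.applies(p, ep)})
            for ep in endpoints}


# Constructed sample data reproducing the page's example policy.
RULES = [Rule(allow_severities=frozenset({"critical"}),
              deny_products=frozenset({".NET Framework"}),
              except_groups=frozenset({"datacenter-servers"}))]
PATCHES = [PatchInfo("KB-EXAMPLE-1", "critical", "Windows"),
           PatchInfo("KB-EXAMPLE-2", "critical", ".NET Framework"),
           PatchInfo("KB-EXAMPLE-3", "moderate", "Windows")]
ENDPOINTS = [Endpoint("ws-01", frozenset({"workstations"})),
             Endpoint("db-01", frozenset({"datacenter-servers"}))]

if __name__ == "__main__":
    print(plan(RULES, PATCHES, ENDPOINTS))
```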