Introduction

Product

About Remedio

Remedio stands as a comprehensive and versatile cybersecurity solution meticulously engineered to safeguard and optimize your digital assets. Its robust functionality extends across various operating systems, encompassing Windows, Linux, and macOS. Whether your devices are desktops, laptops, servers, virtual or physical, domain or non-joined, Remedio seamlessly integrates to provide protection.

This solution automates a range of critical cybersecurity use cases:

1. Continuous Detection of Misconfigurations: Remedio's automated system consistently identifies security misconfigurations stemming from operating systems, human errors, and third-party applications. It facilitates auto-remediation while ensuring zero adverse effects on your environment.

2. Remediation and Auto-Remediation Actions: Remedio enables users to fix misconfigurations on endpoints and servers through Remediation Actions. These actions are defined based on parameters like OU, Domain, or specified computer groups, and are grouped into topics.

3. Revert Remediation Actions: When necessary, Remedio can reverse previously executed remediation actions.

4. Harden Devices: The product provides recommendations for enhancing device security configurations, helping you to further harden your systems.

5. Policy Validation: Remedio validates that computer and user Group Policies are accurately applied to all endpoints. (Intune policy support is forthcoming.)

6. Configuration Benchmarking: The solution benchmarks your configurations against recognized industry security standards such as CIS and NIST.

7. Enhanced Active Directory and Group Policy Security: Remedio enhances the security of your Active Directory and Group Policy configurations.

8. Optimized Group Policy Definitions: Remedio aids in optimizing Group Policy definitions, flagging issues like duplicated or conflicting GPOs.

9. Startup and Login Time Optimization: Remedio identifies Group Policies that may contribute to sluggish computer startup and user login times.

10. Intune Validation: Remedio assists organizations in ensuring that their Intune settings adhere to security best practices and are appropriately hardened. This includes validating conditional access, compliance, and configuration settings to ensure they meet expected standards.

In summary, Remedio streamlines security and optimization efforts across diverse environments, automating key processes to ensure robust cybersecurity.

Audience

This User Guide is primarily intended for individuals and teams responsible for implementing, managing, and maintaining the cyber security infrastructure within their organizations. It caters to both technical and non-technical users, providing clear instructions and explanations for all levels of expertise.

How to Use This User Guide

To help you navigate through this User Guide effectively, it is divided into various sections corresponding to different aspects of Remedio. Each section provides step-by-step instructions, best practices, and tips to maximize Remedios potential.

Additionally, we have included screenshots and examples throughout the document to assist you in visualizing the interface and functionalities. Where applicable, we have also provided troubleshooting tips and frequently asked questions to address common concerns. The complete troubleshooting document is accessible both on our official knowledge base and through our dedicated support mailbox. If you encounter any challenges or require assistance, please refer to these resources for detailed guidance and solutions.

Contact Information

Should you have any questions, encounter difficulties, or require further assistance while using Remedio, please contact support@remedio.io. Our dedicated support team is available to help you with any queries or concerns you may have.

We hope this User Guide serves as a valuable resource in understanding and leveraging Remedio to enhance your organization's security defenses.

Thank you for choosing Remedio, and we look forward to your success in safeguarding your digital assets.

How Remedio works

The primary data flow process within Remedio unfolds through the following sequential stages:

Tenant and License Activation:

The Remedio team will setup the SaaS infrastructure and the tenant. The relevant license, including device count and modules, will be allocated as per the agreed terms between the parties involved.

Sensor Deployment and Execution:

• Deploy the Remedio Sensor on each endpoint/server device.

• The Remedio Sensor executes once daily, at randomly chosen times, following a predefined sequence of actions.

• The scanning process typically completes within 5-7 minutes.

Data Collection during Scan:

• The Remedio Sensor collects data on misconfigurations and unpatched zero-day vulnerabilities during its scanning routine.

• For Microsoft devices, it also gathers Group Policy data (Resultant Set of Policy - RSOP) and Intune data

Data Compression and Encryption:

• Subsequent to data collection, the Remedio Sensor compresses and encrypts the gathered data.

Data Transmission Attempt:

• The Remedio Sensor creates a connection with the Remedio Server to transmit the encrypted and compressed data.

• The data transmission is conducted using port 443 for communication. This approach ensures that the encrypted and compressed data collected by the Remedio Sensor is securely transferred to the Remedio application, enhancing data privacy and protection during transit.

• Once data is received from a Remedio Sensor, the Remedio application undertakes an analysis using our exclusive Remedio Analyzer. This Analyzer not only examines the data thoroughly but also stores the results in a designated database. To ensure data privacy and security, customers are segregated within the database. This proactive approach ensures that you are promptly informed about any possible security threats, helping to keep you well-informed about potential risks.

• After the Remedio Sensor completes its scan and data is transmitted to the Remedio application, the IT and Security teams access the findings through the Web User Interface (UI). This interface is compatible with Chromium-based web browsers such as Google Chrome or the new Microsoft Edge.

• The Remedio application is equipped with several integrations to enhance its functionality and facilitate seamless operations:

  • It interfaces with various public APIs to support data exchange and integration with external systems.

  • Integration with Ticketing Systems like ServiceNow is established, streamlining the process of generating and managing tickets based on Remedio's findings.

  • Notably, the Remedio Server also integrates with Security Information and Event Management (SIEM) systems. Selected events and data are sent from Remedio to SIEM platforms, such as MS Sentinel, or Splunk. This integration enhances the security ecosystem by aggregating Remedio's insights into the broader context of security events and monitoring.

Sensor Server Communication

The interaction between the Sensor and the server operates in a one-way manner: the Sensor initiates its task either on a daily or hourly basis (the Sensor's tasks are elaborated upon in the Sensor section). Following the task execution, the gathered data is transmitted to the Remedio server, where it undergoes analysis and subsequently appears in the user interface for review.

Should a Remedio operator execute a remediation action or any other task from the console, the Sensor conducts periodic checks for new tasks every hour through its hourly task execution. Upon initiating the task locally, the Sensor provides feedback to the server regarding the outcome, indicating either success or failure.

Sensor

Remedio provides support for Windows, Linux, and macOS operating systems. For a comprehensive overview of the supported platforms, please refer to the Sensor installation guide available at this link: Remedio Sensor Installation Guide

The Remedio Sensor operates on a daily basis for a brief duration. Within this operational window, it accumulates data related to misconfigurations, unattended zero-day vulnerabilities, and outdated third-party software. This information is collected during the run and subsequently processed for further analysis.

Remedio Sensor for Windows

Language-Code: Remedio is developed using a combination of Go programming language (Go-lang) and signed PowerShell.

Post-Install: Following installation, Remedio uses the Task Scheduler functionality for its scheduled tasks.

Permissions: The scheduled tasks within Remedio are configured to run under the SYSTEM account. This account type doesn't require a username and password for execution.

Size: The Remedio installation size is less than 5MB.

Network Traffic: Remedio generates network traffic of up to 30KB per day. The data is transmitted in compressed (gzip format) form.

Scheduled Runs:

• Remedio executes its tasks on a daily basis with a duration of 5-7 minutes.

• The timing of the daily task varies based on the type of device:

  • End-User Devices: Random execution time between 10 am and 6 pm.

  • Servers: Random execution time between 10 pm and 4 am.

• Additionally, Remedio sends a "keep-alive" message every hour to ensure continued connectivity. This message also serves to retrieve new tasks for maintaining security posture, including tasks related to remediation, reversion, updates, and upgrades.

Communication Protocol: Remedio employs the latest Transport Layer Security (TLS) version supported by the device for secure communication. All communication occurs over HTTPS to ensure data privacy and integrity.

Remedio Sensor for Linux/macOS

Language-Code: Remedio is implemented using the Go programming language (Go-lang).

Post-Install:

• On Linux, Remedio utilizes systemd for post-installation task management.

• On macOS, Remedio employs launchd for post-installation tasks.

Permissions: Remedio runs with root user permissions, which provide the necessary access for its functionalities.

Size: The installation size of Remedio is less than 5MB.

Network Traffic: Remedio generates network traffic of up to 30KB per day, with data transmission in compressed (gzip format) form.

Scheduled Runs:

• Remedio executes its tasks with a random start time and a duration of up to 5 minutes.

• Additionally, Remedio sends a "keep-alive" message every hour to ensure continuous connectivity. This message also prompts the retrieval of new tasks to ensure up-to-date security measures, encompassing tasks related to remediation, reversion, updates, and upgrades.

Communication Protocol: Remedio employs the most recent Transport Layer Security (TLS) version supported by the device. All communication occurs over HTTPS, ensuring data confidentiality and integrity.

Product overview

This section provides a quick overview of the Remedio Validator key capabilities and provides references to sections covering these capabilities in detail.

User Interface

From an end user's viewpoint, Remedio is a role-based web application that simplifies cybersecurity management. Here's a walkthrough of how users navigate the UI and some notable visual notations and instructions provided in the corresponding documentation section.

Navigation:

• Users access Remedio through a role-based web interface tailored to their responsibilities.

• The UI seamlessly guides users to different sections, tools, and insights.

Visual Notations:

• Export: Look for options to export data, facilitating data sharing and analysis.

• Refresh: A common icon to refresh or update displayed information in real time.

• Know How: This symbol typically offers contextual help, guiding users on specific actions.

User Roles:

• Remedio's UI adapts to user roles, displaying relevant features and data.

• Different users interact with tools suited to their tasks, ensuring focused functionality.

Comprehensive Views:

The UI presents various dashboards and sections tailored for specific needs like Misconfigurations, AD and GPO maintenance and security, CIS compliance benchmarking and Intune.

Effortless Navigation:

• Remedio's user-friendly design ensures intuitive navigation across functionalities.

• Users can swiftly move between sections for effective management.

Consistent Experience:

Visual elements like buttons, icons, and labels maintain a consistent design, enhancing user familiarity.

Helpful Guidance:

In-app assistance guides users on performing specific tasks, maximizing usability.

By offering a role-based access interface with intuitive navigation and helpful notations, Remedio empowers users to efficiently manage their cybersecurity tasks.

Misconfigurations

Misconfiguration encompasses the mistakes made when setting up IT systems or security measures, which can result in vulnerabilities and potential security breaches. These errors often stem from insecure default settings, human oversights, incorrect application of Group Policy Objects (GPOs), and other factors.

Misconfigurations can manifest across various domains, including network devices, web applications, cloud services, servers and operating systems, encryption and key management, security tools, and access controls. To mitigate misconfigurations, it's essential to adhere to industry best practices. This entails conducting regular audits, implementing secure configuration settings, rigorously managing changes, and offering training and awareness initiatives.

Remedio provides a rapid solution to address misconfigurations, achieving this in a matter of minutes. For a comprehensive understanding of how to effectively manage misconfigurations, refer to the detailed guidance provided in the corresponding documentation section.

CIS/NIST and other Security Compliance Benchmarks

Industry benchmarks serve as comprehensive guidelines for configuring a range of software, operating systems, and devices. These benchmarks provide specific instructions to secure these systems against well-known vulnerabilities.

CIS 8 refers to the latest version of the CIS Controls, a prioritized list of actionable security measures designed by the Center for Internet Security. These controls encompass a diverse range of cybersecurity aspects, offering organizations a clear roadmap to enhance their cybersecurity practices. Additionally, CIS Level 1 and Level 2 benchmarks provide specific configuration guidelines to secure systems against common vulnerabilities, with Level 1 offering basic security measures and Level 2 offering more stringent requirements. The Security Technical Implementation Guide (STIG) provides further detailed guidance for securing systems and applications. The CIS Controls, along with these benchmarks, are updated regularly to address emerging threats and incorporate industry best practices. By adhering to these controls and benchmarks, organizations can establish a robust cybersecurity foundation and mitigate various cyber risks.

NIST 800-53 is a comprehensive collection of security controls and guidelines tailored for U.S. federal information systems. This publication furnishes organizations with a framework to evaluate and enhance the security of their systems, safeguarding sensitive information. Covering multiple security domains, NIST 800-53 holds widespread recognition as a cybersecurity standard. Its adoption extends beyond the U.S. federal government, gaining prominence in various sectors and organizations worldwide. Abiding by NIST 800-53 assists organizations in elevating their security posture and aligning their practices with established industry standards.

Cyber Essentials is a UK government-backed cybersecurity certification scheme that aims to help organizations implement basic cybersecurity practices and protect against common cyber threats. It provides a set of criteria and guidelines for organizations to follow in order to secure their systems and data. The Cyber Essentials certification is awarded to organizations that demonstrate compliance with these standards, indicating that they have implemented measures to safeguard against a range of common cyber-attacks. The scheme is designed to be accessible and affordable for organizations of all sizes, helping them improve their cybersecurity posture and build trust with customers, partners, and stakeholders.

For detailed guidance on utilizing the CIS/NIST Dashboards effectively, refer to the corresponding documentation section.

Active Directory / Group Policy Security

The Active Directory / Group Policy Security module provides visibility into data accessible via a basic domain user's access rights. This information can be queried directly from domain controllers. The module offers insights into various aspects, including administrator groups, vulnerable file paths within GPOs, Security Identifiers (SIDs) with full control over Organizational Units (OUs), Service Principal Names (SPNs), Golden and Silver Tickets, customized group change queries, and more.

The objective of presenting this data is to underscore the information that can be gathered using plain domain user access rights. By highlighting these findings, the module aims to demonstrate what an attacker could potentially access before progressing to lateral movement or elevating their permissions within the network.

For a comprehensive understanding of how to effectively utilize the Active Directory / Group Policy Security module, refer to the corresponding documentation section.

AD / GPO Security and Maintenance

The Maintenance section of Remedio offers valuable recommendations to enhance the administration of Active Directory (AD) and Group Policy Objects (GPOs). This includes suggestions for optimizing the management of these crucial components. Remedio aids in identifying various issues for more effective administration:

• Unlinked GPOs: Remedio helps locate GPOs that are not linked to any organizational unit, enabling you to streamline your GPO structure.

• Duplicated GPO Settings: The platform identifies duplicated settings within GPOs, allowing you to eliminate redundancy and ensure consistency.

• AD Accounts Cleanup: Remedio assists in identifying and managing obsolete or unused Active Directory accounts, enhancing overall security.

• Legacy OS: The system flags legacy operating systems that might pose security risks due to outdated support.

• Multiple Loopbacks: Remedio highlights instances of multiple loopbacks processing settings, aiding in maintaining an organized and predictable GPO environment.

These recommendations empower you to proactively enhance the administration of AD and GPOs. For a comprehensive guide on effectively using the Maintenance features, consult the detailed instructions provided in the corresponding documentation section.

Settings and Administration

The Settings menu within Remedio offers a hub for various administrative tasks that you can perform to manage and customize your Remedio environment. This includes activities like device groups management, integrations, permissions setup and more.

For a comprehensive guide on navigating and effectively utilizing the Settings menu, refer to the detailed instructions provided in the corresponding documentation section. This resource will offer step-by-step guidance on performing administrative tasks and optimizing your Remedio configuration.

UI Navigation

The Remedio Homepage is divided into several sections to streamline navigation and provide comprehensive insights. In addition to the described below "Manage" and "Settings" sections, users can access the "Organizational Device Coverage” per Device Type, which offers an overview of device distribution across different platforms. The homepage also features "Top 5 Alerts” based on Device Type, highlighting critical issues specific to each device category. For a broader perspective, users can view "Trending Global” or “Pinned Items" of their choice.

The homepage also includes an "Achievements" Board, showcasing key metrics such as Full-Time Equivalent (FTE) savings and Return on Investment (ROI) figures. Users can review their license information for clarity on usage and entitlements. The homepage also provides a space for "News and Updates", ensuring users stay informed about the latest developments and enhancements within the Remedio ecosystem. Additionally, users can utilize the Global Search feature to quickly find relevant information across the platform. For any assistance, users can easily ask for support through the dedicated support section. The platform also offers dark and light modes, allowing users to customize their viewing experience according to their preferences.

The homepage's left side menus are designed for intuitive navigation across various sections, including:

• The "Manage" section encompasses essential features such as Misconfiguration and Security Compliance boards, Active Directory (AD) and Group Policy Object (GPO) security and maintenance screens, Microsoft Intune settings, an Action Log, and Executive Summary.

• The "Settings" section provides access to foundational aspects such as System Health monitoring, Device Groups, Permissions management, Integrations, and Licensing management.

Drill downs

Every element within the user interface is interactive, allowing you to navigate to more advanced levels of UI management effortlessly.

Clicking on the device type will direct you to the Misconfiguration section specific to that group. Here, you'll find the total number of identified attack vectors, which can be viewed either as a comprehensive list or filtered by categories displayed on the left side. Additionally, the list can be searched for a specific vector, enabling users to pinpoint and address vulnerabilities efficiently.

After clicking on any of the misconfigurations on that page, it will open a screen displaying detailed attack vector information. This includes a description of the issue, suggestions for remediation, the severity of the finding, and its Common Vulnerability Scoring System (CVSS) score. Additionally, users can easily navigate related issues from this page, facilitating seamless exploration of other findings within the console. This comprehensive view empowers users to understand, prioritize, and address security vulnerabilities effectively.

In the bottom half of the screen, users will find filtering options on the left, including device groups, domain/OU filter, OS type, and device selection. To the right, there are two main sections: the list of alerts and the list of all devices with the identified alert.

Within the alerts list, users can select any alert to filter the device list accordingly, providing a more focused view per finding. Alongside each alert, users will see the device count of affected devices, as well as the number of compliant devices, remediated devices, and the total count per alert. These metrics offer valuable insights into the impact of each alert and the progress of remediation efforts.

For streamlined management, a Remediate button is available. Clicking this button initiates actions that apply across all impacted devices, providing a unified solution for resolving the issue at hand. Additionally, by clicking on the individual device, actions can be executed at the device level, allowing for tailored remediation.

For a comprehensive guide on navigating the Misconfigurations and Alerts section effectively, refer to the detailed instructions provided in the corresponding sections.

Export

You have the capability to export a single metric to a CSV file. For instance, you can export all alerts related to SMB Version 1 alert, by following these steps:

1. Navigate to the relevant screen that displays the metrics.

2. Locate the metric and click it. In our example we will use SMBv1 not Used.

3. Select the desired alert/devices to export.

4. Locate the "Export" button within that screen.

5. Click on the button to initiate the export process.

6. A CSV file containing the SMBv1 not Used devices will be generated and downloaded to your device.

This CSV file will provide you with a structured record of the metrics related to Legacy Protocols, which you can then use for reporting or analysis purposes.

Refresh

Within the Remedio user interface, you have the flexibility to update the information presented on the screen. If necessary, you can refresh the entire screen to ensure that all displayed data is up-to-date. This option is particularly useful when you want to refresh your entire view and ensure you're working with the most current information.

Getting Help - Know How

Remedio's Knowledge Base serves as a valuable resource, covering a wide range of topics, including security risks and manual/alternative methods to address identified findings. The primary goal of our Knowledge Base, often referred to as "Know How," is to offer swift access to information related to specific topics or alerts.

To access the Knowledge Base, simply click on the "academic hat" icon or "Learn More" located within the Attack Vector information. This feature ensures users can readily delve into additional insights and resources to enhance their understanding and response to security challenges.

Information Enrichment:

The Know How section provides comprehensive insights into various topics and alerts, enhancing your understanding of security risks and potential solutions.

Quick Reference:

By providing quick access to information, Know How allows you to swiftly retrieve relevant details, ensuring effective decision-making and problem-solving.

The Knowledge Base empowers users with in-depth information, enabling them to tackle security challenges with informed solutions. Whether you access it through the top bar or directly within specific topics, the Know How feature is designed to enrich your experience within Remedio and enhance your ability to address security concerns.

Global Search - find a computer, misconfiguration or security standard

Search Functionality:

• You can access the Global Search box located in the top right corner of the interface to open a search pane.

• Select your search criteria, such as Device Name, Miscon topic, or Security standard.

• You can filter your search by group or search across all devices.

• Enter the relevant information into the search box located in the lower part of the search pane.

Results Display:

• Once the desired device is located, Remedio will promptly display the pertinent information associated with the search criteria.

• Remedio will showcase the device information, relevant misconfigurations, compliance and remediations that have been identified for the selected device.

• This insight into misconfigurations empowers you to take targeted actions to address and rectify any issues.

Perform a Generic Action

In Remedio, you have the ability to execute a set of actions on selected devices within the Target group. These actions can be accessed from the Generic drop-down menu and offer various functionalities for managing devices and policies. Here are the available actions:

1. Group Policy update Computer + user without restart: This operation triggers a gpupdate for both computer and user configurations without requiring a restart or logoff.

2. Group Policy update Computer + user with restart: This operation performs a gpupdate for both computer and user settings, followed by a computer restart upon successful completion.

3. Rescan Computer / User: This operation initiates a rescan of the computer or user ahead of the regular schedule, ensuring that the alert information is up to date.

4. Remove Local Policy Settings: This operation removes locally defined policy settings on the computer, ensuring that no administrative changes have altered the local configuration.

5. Sync Intune: This operation forces devices to retrieve updates from Intune, ensuring that the information remains current.

Request Agent Logs

By selecting this option, you can request logs from Remedio's Sensor on the device. This can be useful when further analysis of the device is required by Remedio to resolve a problem with Remedio's Agent on the device. The target agent will submit its logs, and when finished, a notification will appear in the System Notifications panel, under System Health. These logs can then be downloaded and submitted to Remedio for analysis.

Achievements

The Achievements screen offers valuable insights into the time and cost saved, as well as the potential time and cost savings achieved by utilizing Remedio for remediation, as opposed to traditional methods involving 3rd party tools, scripts, and Group Policy Objects (GPOs). The Full-Time Equivalent (FTE) can be adjusted to accurately reflect the actual cost of a cybersecurity or IT and Infrastructure employee. Using this FTE cost, the screen will provide estimations of monetary savings.

Key Features of the Achievements Screen:

Estimated Time and Money saved:

• Remedio's automated approach significantly reduces the time needed for remediations.

• You can view the estimated time/money saved, showcasing the efficiency gained by using Remedio's streamlined processes.

Potential Time and Money savings:

• Remedio offers substantial potential time savings when compared to manual methods.

• The Achievements screen highlights the comparative advantage of Remedio in terms of time efficiency and ROI.

Getting started

Logging in

Once your Remedio tenant has been created, you will receive an email from Welcome@remedio.io containing your username and temporary password. This email will also provide the link to access the user interface (UI) and guide you through the password change process. Upon changing your password, you will be redirected to your Remedio console.

Additionally, the primary technical contact will receive an email containing a list of firewall (FW) rules and URLs to be whitelisted, along with several links to guides and manuals.

To manage user access levels, navigate to the Roles and Permissions screen, where you can define and adjust user roles and permissions.

If SAML authentication is required, please follow this link to set it up: https://gytpol.atlassian.net/wiki/spaces/KB/pages/80871425

What you see when you first logged in

Upon successful login, you will be directed to the main homepage of Remedio. Here, you will immediately access a view showcasing devices that are actively reporting to Remedio.

For more comprehensive details and explanations about the user interface and its various features, please refer to the dedicated UI overview section within Remedio's documentation. This section will provide an in-depth understanding of how to navigate and utilize the interface effectively. It's a valuable resource to make the most of Remedio's capabilities and insights.

Verify that Remedio Sensors were successfully deployed

You can confirm a successful Remedio Sensor deployment in two ways:

Local Device Check: Verify on the device where the Sensor is installed to ensure proper functioning. For more details, you can refer to the Sensor Installation Guide here: https://gytpol.atlassian.net/wiki/pages/createpage.action?spaceKey=kb&title=Client%20Installation%20Guide&linkCreation=true&fromPageId=126025729

System Health Screen: Use the System Health screen to get an overview of deployment status and device health. You can access this screen by locating it in the Settings menu on the left.

For more information, refer to the Health Screen overview section in the documentation.

Misconfigurations

What is a Misconfiguration?

Misconfiguration refers to errors in configuring IT systems or security controls, leading to vulnerabilities and potential breaches. Errors can come due to wrong or insecure default settings, human errors, GPO that wasn’t applied correctly and more.

It can occur in network devices, web applications, cloud services, servers/operating systems, encryption/key management, security tools, and access controls. Preventing misconfigurations requires following best practices, conducting audits, implementing secure configurations, enforcing change management, and providing training and awareness. Remedio can help you achieve this in minutes.

Working with Misconfiguration Alerts

The Remedio Homepage offers instant access to Windows, Linux, and macOS perspectives, each highlighting the top 5 alerts relevant to their respective scopes. It also facilitates UI customization through computer groups which can be either built-in or created by Remedio operators based on OS, name patterns, OUs, and more, as detailed in the Device Groups section.

The top section of the Homepage offers direct links to device groups and their respective misconfigurations. Meanwhile, the bottom section displays the Top 5 Attack Vectors, which can be tailored for Trending Global, Pinned Items, Quick-Wins, and more. These insights can be viewed either for all devices or specific device groups.

The Homepage serves as a gateway to various sections within the product, including:

• Reporting on Devices and their misconfigurations

• Security compliance dashboards

• AD (Active Directory), GPO (Group Policy Objects), and Intune screens

• Action Log and Executive Summary

• Settings menu, featuring System Health, Device Groups, Permissions, Integrations, and Licensing

This comprehensive overview on the Homepage ensures swift access to key insights and essential pages for effective management within Remedio.

Types of Misconfigurations

Our Misconfigurations module categorizes findings into topics aligned with the MITRE ATT&CK framework. These categories include:

1. App and Internet Features: Misconfigurations here involve settings that could lead to unauthorized access or vulnerabilities in applications and internet usage.

2. Browsers: Misconfigurations relate to browser settings that may expose users to security risks, such as outdated protocols or insecure extensions.

3. Databases: Misconfigurations involve security settings or access controls within databases, potentially leading to unauthorized access or data breaches.

4. Remote Code Execution: Addressing vulnerabilities that could potentially lead to unauthorized remote code execution.

5. Lateral Movement: Identifying misconfigurations that could be exploited for lateral movement within your network.

6. Legacy Protocols: Highlighting issues related to outdated or risky protocols.

7. Privilege Escalation: Detecting misconfigurations that may enable unauthorized elevation of privileges.

8. SMB and Sharing: Focusing on misconfigurations associated with SMB protocols and sharing settings.

9. Credentials: Addressing issues related to improper handling and storage of credentials.

10. Obsolete Software: Identifying vulnerabilities due to outdated software and unpatched applications.

By organizing misconfigurations into these topics based on the MITRE ATT&CK framework, Remedio offers a structured approach to addressing security risks, making it easier to prioritize and remediate issues effectively.

 

In Remedio, all misconfigurations and metrics are visually represented with specific severity colors to provide quick insights into their urgency:

• Red (High): Represents high-severity misconfigurations that require immediate attention due to their critical impact on security.

• Orange (Medium): Indicates medium-severity misconfigurations that should be addressed promptly to mitigate potential risks.

• Yellow (Low): Denotes low-severity misconfigurations that may not pose an immediate threat but should still be resolved to enhance overall security posture.

• Green (Complied): Signifies items that are in compliance and meet the expected security standards, resulting in no alerts generated.

This color-coded approach offers a visual way to prioritize and address misconfigurations based on their severity levels, aiding efficient decision-making and remediation efforts.

The severity of alerts within Remedio is determined by considering multiple factors to accurately gauge the potential risk:

1. Common Attack Vector: The prevalence of the attack vector in real-world scenarios is considered. More common vectors may receive higher severity ratings.

2. CVSS Score: If available, the Common Vulnerability Scoring System (CVSS) score is factored in. This numerical score assesses the vulnerability's severity and impact.

3. CISA/CIS/NIST Recommendations: Alignment with recommendations from cybersecurity frameworks such as CISA, CIS, and NIST contributes to the overall assessment of severity.

4. Remedio Research Team Expertise: The knowledge and insights of Remedio's research team play a crucial role in understanding how easily a misconfiguration can be exploited and the potential consequences.

 

For each metric within Remedio, the following key information is provided:

• Topic Name: The attack vector name, as displayed in the console screens and available for searching purposes.

• Category: Aligned with the MITRE ATT&CK framework categories as previously explained.

• Description: Offers a detailed explanation of the metric's nature, implications, and potential security risks to ensure clarity.

• Suggestion: Provides practical recommendations and steps for addressing and mitigating the identified issues, guiding users toward effective remediation strategies.

• General Severity and CVSS score: Provides an assessment of the severity of the issue along with the Common Vulnerability Scoring System (CVSS) score for further context.

• Related Issues: Identifies any related security issues or vulnerabilities that may be impacted by the metric and offers a link to the relevant screen for further investigation and action.

• Alert Status: Displays the number of Active and Remediated alerts, along with the time saved through remediation efforts.

• Potential Achievement: Indicates the potential time and cost savings achievable through addressing the identified security concerns.

Navigating through Alerts (drill downs, pinning, etc.)

When you click on any of the scopes displayed on the main dashboard (such as Windows Servers or Debian Linux), it will lead you to the misconfiguration screen, designed as follows:

• Top Bar: The number displayed represents the total count of related metrics, critical metrics, and Quick-Wins available.

• Metric / Attack Vectors list: The list corresponds to a specified scope (e.g., Servers) and comprises a set of metrics relevant to the scope. The content of the list can differ based on the selected device scope.

• Filter/Sorting: Users can filter the list based on Device Groups and sort it using various criteria.

• Category Filter: Each box pertains to a specific scope (e.g., Servers) and presents a compilation of metrics categorized under relevant topics (e.g., Remote Code Execution, Privilege Escalation).

• Severity-Color Indicators: Next to each metric, a color indicator with define the severity level (Red = High, Orange = Medium, Yellow = Low). The number of devices affected by the alert is displayed alongside the metric. Alerts that weren't found at all won't be shown.

• Drill-Down Functionality: Clicking on the metric provides a drill-down view, showing the alerts and the list of devices associated with that alert's severity. This helps you pinpoint affected devices for focused remediation.

• Actions: By clicking a specific metric or alert, you can take actions at various levels. This allows you to address issues and apply remediation strategies based on your requirements.

Related Issues

In Remedio, metrics are interconnected to enhance correlation and provide a more comprehensive understanding of security issues. This is achieved through the implementation of "Related Issues" for many alerts:

• Interlinked Topics: Alerts within different topics are interlinked to establish connections between related security concerns. These connections help users comprehend the broader context of potential vulnerabilities.

• Enhanced Correlation: By exploring related topics, users gain a deeper insight into how various misconfigurations might impact each other and contribute to potential security risks.

Clicking on any related issues takes you to a dedicated section that displays alerts related to that metric.

Export found misconfigurations to CSV

Remedio offers a convenient feature that allows you to export data from the dashboard to a CSV file, facilitating reporting and efficient tracking of information. Here's how it works:

• Topic Level Export: To export data related to an entire topic, click the "download" button located on the topic box. This action will generate a CSV file containing data pertinent to the selected topic.

• Metric Level Export: Within a specific metric or alert, you can also export data by clicking the "download" button associated with that metric. This will export information about all devices affected by the same finding within that metric.

• Single Device Level Export: If needed, you can even export data about an individual device. Simply navigate to the specific device and use the available export option.

By utilizing these export functionalities, Remedio empowers users to generate reports, gather insights, and maintain efficient records of misconfigurations and remediation efforts for better security management and documentation.

Remediation Action types

Remediation Process for Misconfigurations

Within Remedio, users have the capability to rectify misconfigurations found on endpoints and servers by defining Remediation Actions. These actions facilitate the implementation of fixes across various devices, groups, or even individual machines. Here's how the process works:

1. Defining Remediation Actions: Remediation Actions outline the corrective measures to be applied based on parameters like OU, Domain, or specified computer groups. The actions are grouped into topics, such as the SMB and Sharing topic including SMBv1 removal.

2. Pending Status and Acknowledgment: After a Remedio admin initiates an action, it remains in a pending status until the Sensor device checks in (hourly) and confirms the task for local application.

3. Sensor Acknowledgment and Feedback: Once the Sensor applies the task locally, it sends feedback to Remedio regarding the outcome. This feedback includes information on success, failure, and the reason for failure (e.g., timeout or access denial).

4. Revert Capability: Numerous remediation actions can be reverted to the original state directly from the Remedio UI. This streamlines the process and eliminates the need for third-party tools or scripts. All reverts are executed on the device within an hour, maintaining consistency with the hourly check-in schedule.

Remediation Action

A "Single Remediation Action" in Remedio involves applying a corrective action to resolve a specific finding. Here's an overview of the process:

1. Identify the Finding: Start by identifying a particular misconfiguration or security finding that needs to be addressed.

2. Choose the Target Group: Select the group of devices on which you want to apply the remediation action. This can include specific devices, a group based on OU, Domain, or custom computer groups.

3. Initiate the Remediation Action: Define the specific action or fix that needs to be implemented to address the finding. This action can involve changes to configurations, settings, or other relevant parameters.

4. Pending Status and Sensor Check-In: After initiating the action, it enters a pending status. The respective Sensor devices periodically check in (hourly) to receive and acknowledge the action.

5. Sensor Acknowledgment and Feedback: Once the Sensor applies the action locally, it sends feedback to Remedio indicating the success or failure of the task, along with reasons for any failures.