What is ConsoleWorks?
ConsoleWorks® is the leading cybersecurity/operations platform on the market. The ConsoleWorks Server is a high-performance engine that handles information-flow processing, business-rule execution, pattern matching, role-based security, and signed log-file generation. It handles all input and output for the devices and applications it manages across the enterprise and serves that data up as needed. A single ConsoleWorks server invocation can manage more than 1000 connections.
ConsoleWorks works in several dimensions at once, monitoring not only applications but also the servers, virtual machines, network devices and storage devices that run them. It gives managers and privileged users a single end-to-end management solution that controls access, monitors and manages log files and RDP and VNC sessions, automates password management and configuration monitoring, and watches for specific events across the organization. It does so in real time and in all machine states (power on, single user, maintenance, production and failure modes). Its persistent connection also locks down the “back door” entrances that agent-based solutions overlook.
The end-to-end view provided by ConsoleWorks helps users quickly understand why something went wrong and then determine and implement the resolution. During that process, ConsoleWorks captures the exact steps an experienced user took to remediate the issue and stores them in the knowledge base for future reference.
What are the key features of ConsoleWorks?
Privileged Interactive Access – ConsoleWorks controls access by granting specific permissions/privileges to a user under the ConsoleWorks Role-Based Access Control (RBAC) permission model. The model specifies which assets a user may access and at what level of privilege. ConsoleWorks supports command-by-command privilege grants for fine-grained control over electronic access.
ConsoleWorks integrates with IAM solutions and supports RBAC driven from an Active Directory server. The product was designed so that its authorization/authentication services can be integrated with other technologies as well.
In addition to command-line sessions, ConsoleWorks provides complete recording and playback of privileged user sessions across RDP, VNC and even web applications, giving users a complete, detailed account of what happened on sensitive systems and who performed a specific activity.
Asset, Patch & Configuration Monitoring – The overriding purpose of configuration monitoring and management is to keep asset configurations in a known, secure state. ConsoleWorks automates the collection, comparison, alerting/notification and auditing of any configuration change, eliminating most human error and minimizing the impact of intentional or unintentional erroneous activity.
Endpoint Password Management – From one central location, ConsoleWorks can be configured to schedule automatic password changes and to set reset-date warnings that meet compliance standards. Operationally, it can recover or change a password securely. When a password is changed or recovered (for example, in an emergency), notifications can be configured to warn the appropriate personnel that it has occurred. The ability to change passwords on demand is controlled through ConsoleWorks' granular Access Control Rules.
Logging & Situational Awareness (Logging and Monitoring) – ConsoleWorks can monitor and manage almost any application or infrastructure interface – including routers, switches, servers, firewalls, virtual machines, PLCs, RTUs, appliances, applications and networks – to provide the most comprehensive record possible.
Event Monitoring – ConsoleWorks watches for messages, or Events, in the data streams of all the devices and applications it manages. When it detects an Event, it alerts the appropriate personnel in real time, records the circumstances, and automatically performs the default or customer-configured response(s). Users can then respond to the device or application error condition and immediately view the vendor-supplied explanation along with the steps required to resolve the issue.
Logging & Log File Aggregation – ConsoleWorks monitors the asset logs in the context of all other managed applications or hardware. Its ability to aggregate error conditions across all log files enables users to view multiple log files, in context, to help in root cause analysis. In many cases, issues have been resolved before other solutions have been notified that an Event has occurred.
Keystroke Logging and Best Practices – ConsoleWorks captures the steps taken for Event remediation down to the keystroke, enabling any ConsoleWorks user to draw on in-house past experience and reach proven solutions faster. In this way, ConsoleWorks builds the business's data warehouse of problem-resolution intellectual property.
Proof of Compliance – ConsoleWorks produces, aggregates and summarizes audit logs that record user activities, exceptions and information security events. Log files are digitally secured line by line for each asset, operating system, application, etc. as they are written, so that deletion, insertion or modification of a line can be detected.
What differentiates TDi Technologies from other solution providers?
TDi delivers an enterprise infrastructure management solution which incorporates IT regulatory compliance, log management, real-time monitoring and alerting, remediation, and security for physical (machines, cables, servers, hubs, routers, switches, etc.), logical (remote access, SAN storage device connections), and virtual (virtual servers, virtual machines) devices and applications.
We access the components of the extended data center in a unique way that allows us to apply a new approach with new technology, maintaining secure, constant, persistent contact with all components of the data center, everywhere from anywhere, independent of the presence of an operating system and without bandwidth constraints.
By delivering agentless management technology that begins managing devices as soon as power and a network cable are connected, we can detect that a component is in trouble before it goes down and provide an immediate path to remediation from anywhere. The result is a longer time between failures, quicker remediation of failures, and more efficient use of personnel, all of which yield a quick return on investment.
How does the ConsoleWorks platform address IT and OT (ICS) environment differences?
ConsoleWorks is an on-premises Privileged Account Management and Password Management platform for privileged users accessing IT and OT (ICS) devices, including Windows and Linux servers and virtual machines, routers, switches, RTUs, PLCs, SCADA devices, etc. It is a single, vendor- and protocol-agnostic, end-to-end solution that controls access, logs user activity, and monitors SSH, Telnet, RDP, VNC, serial and other connection types prevalent in today's IT and OT (ICS) environments. It does so in real time and in all machine states (power on, single user, maintenance, configuration, production and failure modes) without a software agent installed on the endpoint. It also locks down the “back door” entrances that similar solutions overlook.
Cybersecurity challenges can differ between IT and OT. Examples of how ConsoleWorks addresses those differences:
- No agents, so no risk associated with installing software on endpoints
- Vendor- and protocol-agnostic, extending support beyond standard IP connectivity to serial and other links required in ICS environments, where systems have been in service for many years and serve a specific purpose
- A patching process that takes into account the testing needs and availability constraints of the ICS environment
- Password vaults that understand the vulnerabilities of the ICS environments
ConsoleWorks is an ICS security and operations platform that provides the security perimeter around critical ICS devices. It provides a unified security approach to ensure privileged access is controlled and risk is mitigated. This approach dramatically simplifies the security practice and addresses the privileged-access vulnerabilities that present an extremely high security risk today.
What are the key product points or differentiators of ConsoleWorks? CEO comments
Snippets on ConsoleWorks Differentiators: Bill Johnson, CEO
The quotes are from various slide presentations, speaking engagements and conferences.
“TDi's ConsoleWorks platform technology does a lot of protection automation and we are currently doing a program with the DOE for Patch gap Analysis in the substation T&D, Generation space covering both IT and OT technologies. A key differentiator is our ability to do this without putting agents on the endpoints – we go beyond the HMI out to the leaf using NATIVE interfaces that Automation engineers use.”
“This keeps our technology out of the SCADA network but allows it to be used by customers to control, interact, collect baselines and change passwords for endpoint RTAC, RTU, IED, PLC or other endpoint assets. All audited, logged, controlled and verified. One of our customers just completed a SERC Audit where they were told by the Auditor, ‘…you do not need to audit remote access and baseline again – you guys have it nailed.’”
“We are doing Insider Threat work along with the NCCoE and their use cases, and now adding Expert Systems – DarkLight with the Human Activity capture from our product ConsoleWorks.”
Mapping to the NCCIC Document – Seven Strategies to Defend ICSs
Secure Remote Access — “We have this in spades – end to end, front to back and inside out. Bar None!”
Implement Application Whitelisting – “We do not do this, we manage the insider to prevent them from running things, like whitelist, blacklist and gray list commands and command sets.” “It still should be done, ConsoleWorks covers part of this area.”
Configuration & Patch Management — “We do this without agents or installed software on the endpoint…and we don’t stop at the HMI – we go to the leaf…in some cases 3 or 4 levels deep.”
Reduce Attack Surface — “If I control the Humans interaction, I believe I reduce the attack surface altogether. At least it would be another layer of attack surface reduction.”
Build Defendable Environment — “That’s a business decision, but I believe ConsoleWorks contributes to this as part of a larger strategy.”
Manage Authentication — “Again a major strong point, we take authentication and add a number of layers on top that really enforces the authentication to a role, capabilities and so on.”
Monitor and Respond — “Why respond when ConsoleWorks can capture activity down to the keystroke level. We can prove, how it’s done, who did it, and when it was done — then it can be integrated with a Ticket management system, and allow oversight at the same time. I think we have a lot to contribute in this role.”
What is the ConsoleWorks approach to Privileged Interactive Access Management & Device Monitoring?
ConsoleWorks maintains a persistent, secure connection to physical and logical infrastructures to monitor user actions, machine state activity, and all defined incidents worth knowing about. ConsoleWorks also implements various levels of physical and logical security to provide necessary – and often required – protective measures. ConsoleWorks can be programmed to trigger pre-defined, real-time, enterprise-wide responses to security incidents. ConsoleWorks enables strong password implementation, access restrictions by task, by role, and by policy, and user authentication internally (through username/password protocols) and externally (from sources including Windows® Active Directory Domain Services, PAM, and RSA® SecurID®).
ConsoleWorks supports a robust task-based/role-based privileges model built on user-defined Access Control Rules. Access Control Rules give administrators more granular and graduated control over what specific users can do inside ConsoleWorks and how they can use ConsoleWorks to access and interact with managed assets.
Virtually all computer, network, and similar devices have a communication port through which these devices send boot and status messages. Usually, this console information is lost because it is impractical to monitor and respond to the geographically scattered computing infrastructures common in modern-day businesses.
ConsoleWorks stops this data loss by bringing all the once-discarded console information, status updates, error messages – basically everything in the data stream – back to a single, web-enabled server, looking it over, and responding intelligently.
How does ConsoleWorks handle Configuration Monitoring?
ConsoleWorks automates the collection, comparison, alert/notification and auditing of any changes to configuration baselines, eliminating the majority of human errors and minimizing the impact of intentional or unintentional erroneous activity.
Because ConsoleWorks speaks multiple protocols (including serial), gaining access to an asset and then collecting its inventory is a fundamental capability of the product. It does this without adding an agent to the endpoint, which is a requirement in ICS environments, since many of these devices are purpose-built and cannot have third-party software installed on them.
ConsoleWorks can be configured to monitor many items including:
- Functional settings that determine how the asset operates
- Versions of software currently installed including BIOS, firmware, operating system, applications, etc.
- Patches, including security patches that are installed
- Ports that are active and how they are configured
- Services that are enabled
- Configuration Files
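The collect-compare-alert loop described above, shown as an added example in Python. This is not ConsoleWorks code: the snapshot layout (versions, patches, ports, services, config files), the severity rules, and both snapshots of the fictional device rtu-01 are assumptions constructed for the example. Config file bodies are kept in the baseline only as a SHA-256 digest, so the baseline store never carries secrets copied out of the files.

```python
"""Configuration baseline comparison over collected asset snapshots.

Added example, not ConsoleWorks code. The snapshot layout (versions, patches,
ports, services, config files) and the severity rules are assumptions; both
snapshots below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Change:
    asset: str
    category: str
    item: str
    kind: str            # "added", "removed" or "changed"
    before: Optional[str]
    after: Optional[str]


def _digest(content: str) -> str:
    """Config files are stored in the baseline only as a SHA-256 digest, so the
    baseline itself never holds secrets copied out of the file."""
    return hashlib.sha256(content.encode()).hexdigest()


def normalise(snapshot: dict) -> dict:
    """Flatten a snapshot into {category: {item: value}} so every category is
    diffed the same way."""
    return {
        "versions": dict(snapshot["versions"]),
        "patches": {p: "installed" for p in snapshot["patches"]},
        "ports": dict(snapshot["ports"]),
        "services": {s: "enabled" for s in snapshot["services"]},
        "files": {path: _digest(body) for path, body in snapshot["files"].items()},
    }


def compare(asset: str, baseline: dict, current: dict) -> list:
    """Return every item that was added, removed or changed relative to the baseline."""
    base, cur = normalise(baseline), normalise(current)
    changes = []
    for category in base:
        b, c = base[category], cur[category]
        for item in sorted(b.keys() | c.keys()):
            if item not in c:
                changes.append(Change(asset, category, item, "removed", b[item], None))
            elif item not in b:
                changes.append(Change(asset, category, item, "added", None, c[item]))
            elif b[item] != c[item]:
                changes.append(Change(asset, category, item, "changed", b[item], c[item]))
    return changes


def severity(change: Change) -> str:
    """Assumed triage rules: a patch that disappears, a service or port that
    appears, or an edited config file is drift worth paging on; the rest is
    reviewed at the next working opportunity."""
    if change.category == "patches" and change.kind == "removed":
        return "high"
    if change.category in ("services", "ports") and change.kind == "added":
        return "high"
    if change.category == "files":
        return "high"
    return "medium"


def alert_lines(changes: list) -> list:
    return [f"[{severity(c)}] {c.asset} {c.category}/{c.item} {c.kind}: "
            f"{c.before!r} -> {c.after!r}" for c in changes]


# Constructed baseline and a later collection from the same (fictional) RTU.
BASELINE = {
    "versions": {"firmware": "4.2.1", "os": "linux-5.10"},
    "patches": ["PATCH-101", "PATCH-102"],
    "ports": {"tcp/22": "sshd", "udp/123": "ntpd"},
    "services": ["sshd", "ntpd"],
    "files": {"/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n"},
}
CURRENT = {
    "versions": {"firmware": "4.3.0", "os": "linux-5.10"},
    "patches": ["PATCH-101"],                       # PATCH-102 no longer reported
    "ports": {"tcp/22": "sshd", "udp/123": "ntpd", "tcp/23": "telnetd"},
    "services": ["sshd", "ntpd", "telnetd"],
    "files": {"/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n"},
}

if __name__ == "__main__":
    for line in alert_lines(compare("rtu-01", BASELINE, CURRENT)):
        print(line)
```

Running the module lists five changes for rtu-01: a firmware version change, a patch that is no longer reported, a new telnet port and service, and an edited sshd_config. A disappearing patch is flagged as high because on a real device it usually means a rollback or a re-image, both of which an auditor will ask about.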
What is ConsoleWorks' Automated Patch Analysis?
The new, automated patch analysis process from ConsoleWorks applies to IT/OT patching processes governed by PCI-DSS, NIST 800-53, HIPAA, NERC CIP and others.
AUTOMATED PATCH ANALYSIS PROCESS USE CASE: NERC CIP-007-6/R2
NERC CIP-007-6 R2 requires a patch management process for tracking, evaluating and installing cybersecurity patches for applicable Cyber Assets, including device drivers. Many utilities see this as a grueling task, requiring many man-hours to meet the “every 35 days” evaluation required by NERC CIP.
The ConsoleWorks Automated Patch Analysis solution greatly simplifies gathering the information required for patching IT and OT devices, beyond the HMI.
For NERC CIP compliance, ConsoleWorks establishes secure access to all devices and is then scheduled to perform the patch analysis every 35 days, keeping a log of when each analysis was run for audit purposes. Once ConsoleWorks has gathered the current patch state, it can integrate with industry or custom solutions to help automate the patch gap analysis. In these cases, ConsoleWorks sanitizes, anonymizes and encrypts the data before initiating the secure transfer of the collected device information.
After the initial collection is sent, ConsoleWorks can be configured to continually monitor for the patch gap analysis results. When available, ConsoleWorks automatically downloads and processes the results, using ConsoleWorks Events as an indication to the user when patches are available. Event Severities further indicate whether an available patch is a security patch.
Finally, ConsoleWorks produces dashboard report views to organize and communicate the current patch state. ConsoleWorks presents a summary report containing information on patch gaps that may exist for each asset, including links to any available patch for downloading directly from the vendor site.
At this point, a utility will evaluate the available security patch for applicability and make the decision to install the patch or initiate a mitigation plan. ConsoleWorks’ integration with workflow management solutions enables utilities to further automate the patching and mitigation processes as required by NERC.
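The hand-off described in the three steps above (sanitize and anonymize the inventory, send it out, map the returned gap results back onto assets as severity-graded Events), as an added example in Python. This is not ConsoleWorks code and the product's real export format is not published: the record fields, the HMAC-based pseudonym scheme, the result layout and the severity names are assumptions, and the inventory and the "returned" results are constructed. Encryption of the payload for transfer (TLS or a file-level cipher) is outside the snippet.

```python
"""Pseudonymise a patch-state inventory before it leaves the site, then map the
returned gap analysis back onto real assets as severity-graded events.

Added example, not ConsoleWorks code. The record layout, the HMAC-based
pseudonym scheme, the result format and the severity names are assumptions;
the inventory and the "returned" results are constructed.
"""
import hashlib
import hmac
import json

# Assumption: a site-local key that is never sent with the data. Without it a
# recipient cannot turn the pseudonyms back into hostnames, and two sites'
# exports cannot be linked if each site uses its own key.
SITE_KEY = b"site-local-secret-rotate-me"


def pseudonym(hostname: str, key: bytes = SITE_KEY) -> str:
    return hmac.new(key, hostname.encode(), hashlib.sha256).hexdigest()[:16]


def sanitise(inventory: list) -> tuple:
    """Return (outbound payload, local mapping). The payload keeps only what a
    gap analysis needs; hostnames, addresses and location stay on site."""
    mapping, payload = {}, []
    for asset in inventory:
        pid = pseudonym(asset["hostname"])
        mapping[pid] = asset["hostname"]
        payload.append({
            "id": pid,
            "vendor": asset["vendor"],
            "product": asset["product"],
            "version": asset["version"],
            "patches": sorted(asset["patches"]),
        })
    return payload, mapping


def leaks_identity(payload: list, inventory: list) -> bool:
    """Last check before transfer: no hostname, IP or site string may appear
    anywhere in the serialised payload."""
    blob = json.dumps(payload)
    for asset in inventory:
        if any(v in blob for v in (asset["hostname"], asset["ip"], asset["site"])):
            return True
    return False


def process_results(results: list, mapping: dict) -> list:
    """Map each returned gap record back to its asset and grade it."""
    events = []
    for rec in results:
        host = mapping.get(rec["id"])
        if host is None:
            # Unknown pseudonym: not ours (or a spoofed result); never act on it.
            events.append({"host": None, "severity": "warning",
                           "text": f"unmatched result id {rec['id']}"})
            continue
        events.append({
            "host": host,
            "severity": "critical" if rec["security"] else "informational",
            "patch": rec["patch"],
            "url": rec["url"],
        })
    return events


def summary(events: list) -> dict:
    """Per-host counts for a dashboard view: (security gaps, other gaps)."""
    out = {}
    for e in events:
        if e["host"] is None:
            continue
        sec, other = out.get(e["host"], (0, 0))
        out[e["host"]] = (sec + 1, other) if e["severity"] == "critical" else (sec, other + 1)
    return out


# Constructed inventory for two fictional substation devices.
INVENTORY = [
    {"hostname": "sub1-rtu-01", "ip": "10.10.1.5", "site": "Substation 1",
     "vendor": "ExampleVendor", "product": "RTU-X", "version": "2.4",
     "patches": ["P-7", "P-8"]},
    {"hostname": "sub1-hmi-01", "ip": "10.10.1.20", "site": "Substation 1",
     "vendor": "ExampleVendor", "product": "HMI-Y", "version": "5.1",
     "patches": ["P-30"]},
]
PAYLOAD, MAPPING = sanitise(INVENTORY)

# Constructed result set, shaped as an analysis service might return it.
RESULTS = [
    {"id": pseudonym("sub1-rtu-01"), "patch": "P-9", "security": True,
     "url": "https://vendor.example/patches/P-9"},
    {"id": pseudonym("sub1-hmi-01"), "patch": "P-31", "security": False,
     "url": "https://vendor.example/patches/P-31"},
    {"id": "0000000000000000", "patch": "P-1", "security": True,
     "url": "https://vendor.example/patches/P-1"},
]
EVENTS = process_results(RESULTS, MAPPING)
```

The pseudonym is keyed rather than a plain hash so that a recipient holding a list of likely hostnames cannot recover them by guessing, and the mapping needed to re-identify results never leaves the site. The third result carries an id the site never issued and is surfaced as a warning rather than acted on.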
The patch analysis features will be available in ConsoleWorks in Q2 2018 and are part of a larger cybersecurity and operations platform addressing IT/OT patching processes for PCI-DSS, NIST 800-53, HIPAA and NERC CIP v6 (CIP-005, CIP-007, CIP-010 and CIP-013) requirements for Secure Remote Access, Asset and Configuration Monitoring, Endpoint Password Management, Logging and Situational Awareness, and Supply Chain.
What is the joint project between FoxGuard, TDi and the DOE?
FoxGuard Solutions, Inc. and partner TDi Technologies recently completed a multi-year project to create a safer national power grid by simplifying the process of patching and updating energy delivery control system devices. The solution is the result of a $4.3 million Cooperative Agreement awarded in 2013 from the U.S. Department of Energy’s Cybersecurity for Energy Delivery Systems (CEDS) division.
How can ConsoleWorks improve auditing and compliance reporting?
ConsoleWorks keeps detailed audits of administrative, user and incident activity. These audits show who did what, when they did it, and what was added, deleted or modified within the managed asset. ConsoleWorks can be configured to provide reporting that assists with PCI, HIPAA, SOX, SAS 70 and NERC CIP compliance. ConsoleWorks can apply digital signature technology to log files to detect record tampering, such as the modification or deletion of log entries. Coupled with timestamped log entries, this gives ConsoleWorks sequenced, tamper-evident logs for compliance and incident forensics.
How is the ConsoleWorks approach to Security different from other Security solutions?
ConsoleWorks maintains a persistent, secure connection to physical and logical infrastructures to monitor user actions, machine activity, and all defined incidents. ConsoleWorks implements various levels of physical and logical security to provide necessary—and often required—protective measures.
ConsoleWorks functionality includes the following features:
- Agentless, persistent monitoring
- Scanning of incoming data streams for pre-defined text patterns
- Complete intelligence gathering (capture of source and account IDs, incident context, and commands outcomes)
- Centralized command and control for enterprise-wide physical and logical connections, Syslog messages, SNMP traps, and other streams of information.
- Connections secured using SSL/TLS and SSH encryption
- Automatic, securable logging of all data flows to and from monitored assets
- All asset activity logged and the logs digitally signed to make it easier to detect modifications
- Asset access secured using role-based or task-based user privileges
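The tamper-evident logging the page describes under Proof of Compliance, in the auditing answer and in the feature list above (lines secured as they are written, timestamped, so that deletion, insertion or modification of a record is detectable), as an added example in Python. This is not ConsoleWorks code and the product's record format is not published: each record here is seq|timestamp|tag|message, with the tag computed over the sequence number, timestamp, previous tag and message. HMAC-SHA256 under a key held by the log server stands in for the page's "digital signature"; where the verifier must not be able to forge records, an asymmetric signature (Ed25519, for instance) takes its place. The sample session lines are constructed.

```python
"""Per-line tamper-evident log: every record carries a sequence number, a
timestamp and a tag over (seq, timestamp, previous tag, message), so a
verifier can say which line was modified, inserted or deleted.

Added example, not ConsoleWorks code. HMAC-SHA256 under a server-held key
stands in for a digital signature. Sample lines are constructed.
"""
import hashlib
import hmac
from typing import Optional

KEY = b"log-signing-key"          # assumption: held by the log server only
GENESIS = "0" * 64                # previous-tag value for the first record
SEP = "|"


def _tag(key: bytes, seq: int, ts: str, prev: str, msg: str) -> str:
    data = SEP.join((str(seq), ts, prev, msg)).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append(log: list, ts: str, msg: str, key: bytes = KEY) -> None:
    """Write one record: seq|timestamp|tag|message. Chaining on the previous
    tag means a record cannot be removed or reordered without breaking every
    later tag."""
    seq = len(log) + 1
    prev = log[-1].split(SEP, 3)[2] if log else GENESIS
    log.append(SEP.join((str(seq), ts, _tag(key, seq, ts, prev, msg), msg)))


def last_tag(log: list) -> str:
    """Checkpoint to store out of band (another system, a ticket, WORM media).
    Truncating the file is the one edit the chain itself cannot expose."""
    return log[-1].split(SEP, 3)[2] if log else GENESIS


def verify(log: list, key: bytes = KEY, checkpoint: Optional[str] = None) -> tuple:
    """Return (ok, line_number, reason); line_number is the 1-based position in
    the file as presented, not the sequence number the record claims."""
    prev, expected = GENESIS, 1
    for pos, line in enumerate(log, 1):
        parts = line.split(SEP, 3)
        if len(parts) != 4 or not parts[0].isdigit():
            return (False, pos, "malformed record")
        seq, ts, tag, msg = int(parts[0]), parts[1], parts[2], parts[3]
        if seq != expected:                       # a line was deleted or reordered
            return (False, pos, f"sequence gap: expected {expected}, found {seq}")
        if not hmac.compare_digest(tag, _tag(key, seq, ts, prev, msg)):
            return (False, pos, "tag mismatch")   # modified, or inserted without the key
        prev, expected = tag, seq + 1
    if checkpoint is not None and prev != checkpoint:
        return (False, len(log), "truncated: last tag does not match checkpoint")
    return (True, None, "ok")


def build_sample_log() -> list:
    """Constructed console session from a fictional RTU."""
    log = []
    append(log, "2024-01-01T00:00:01Z", "rtu-01 console: login admin from 10.0.0.8")
    append(log, "2024-01-01T00:00:05Z", "rtu-01 console: show config")
    append(log, "2024-01-01T00:00:09Z", "rtu-01 console: configure terminal")
    append(log, "2024-01-01T00:00:20Z", "rtu-01 console: logout")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(verify(sample))
    sample[1] = sample[1].replace("show config", "show version")
    print(verify(sample))
```

Each failure mode the page names maps to a distinct verifier result: an edited message breaks that line's tag, a deleted line shows up as a sequence gap at the position where the chain skips, and an inserted line fails its tag because whoever inserted it did not hold the key. The one thing a chain cannot see on its own is the file being cut short, which is why the last tag is published as a checkpoint that the verifier compares against.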
How can ConsoleWorks be used to manage Virtual Machines (VMs)?
Virtual Serial Ports provide an important technical capability for enhanced management of virtual environments. ConsoleWorks leverages this capability to deliver enterprise-class compliance and security capabilities as well as further optimizing IT operations for virtual environments.
Optimize IT operations for virtual environments – An important part of reducing management costs, while maximizing availability and reliability of systems, is the ability to correctly identify, diagnose and remediate issues and problems. This is a critical differentiator of ConsoleWorks, driving significant productivity gains for many ConsoleWorks customers. ConsoleWorks brings to virtual environments all of the IT operations benefits our customers already realize in traditional IT infrastructure environments.
Security and compliance issues in virtual environments – ConsoleWorks maintains console connections in all modes of operation, including during VM migrations. In addition to maintaining the IT infrastructure security model over privileged interfaces (consoles, virtual serial ports), ConsoleWorks can capture all log file data generated by hypervisors (which includes VM logs). This provides comprehensive collection of all events, information and actions (provisioning VMs, moving VMs, configuration, maintenance, repair, etc.) and can support even the most rigorous compliance requirements. It also provides a degree of transparency into the virtual environment that directly enables oversight, auditing and management.
What are the ConsoleWorks Intelligent Event Modules (IEMs)?
Intelligent Event Modules (IEMs) are vendor event reference libraries. Each entry carries the priority designated by the vendor or manufacturer and a descriptive definition of the detected event, so that cryptic event codes are turned into human-readable error definitions, simplifying diagnosis and shortening time to resolution. IEMs give ConsoleWorks a watchlist of text messages, including error codes, system warnings and status alerts, produced by an information source in the IT environment. ConsoleWorks watches for these messages, called Events, in the data streams of your managed systems, devices and applications.
ConsoleWorks IEMs improve IT operations – IEMs dramatically improve the ability to streamline and optimize IT Operations by eliminating time-consuming event prioritization and research activities. With IEMs, events captured by ConsoleWorks that are in the vendor IEM “library” are automatically matched, assigned the appropriate priority, and presented with their human-readable definition. This enables administrators, engineers and technicians to use their time for value-add issue or problem resolution rather than priority assessment or event code researching.
ConsoleWorks IEMs enable continuous process improvement – IEM technology can be used as a domain knowledge repository. The user can define custom events so that when those events (or event combinations) occur again they are already properly prioritized and described. The end user can also update IEMs with recommended remediation actions per event, down to the exact sequence that was previously used to correct the problem. A less knowledgeable or less experienced administrator is then armed with the exact steps the expert used to successfully remediate the error or incident.
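The watchlist matching described under Event Monitoring and in the IEM answers above (match stream lines against a vendor library, assign the vendor's priority, attach the human-readable definition and any recorded remediation, and recognise event combinations), as an added example in Python. This is not ConsoleWorks code and the IEM file format is not published: the library entries, the priority scale (1 = highest), the repeated-event rule and the six stream lines are constructed for the example.

```python
"""Watchlist matching of console and log streams against a vendor event
library, with priority assignment, attached remediation steps, and a
repeat-count escalation for event combinations.

Added example, not ConsoleWorks code. Library entries, priority scale
(1 = highest) and stream lines are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class EventDef:
    pattern: str
    priority: int                # 1 = highest, as the vendor would designate it
    description: str
    remediation: list = field(default_factory=list)


# Constructed library in the spirit of an IEM: cryptic text -> meaning.
IEM = {
    "PSU_FAIL": EventDef(r"PSU(\d) (?:fail|failed|failure)", 1,
                         "Redundant power supply has failed",
                         ["Check input feed on the named supply", "Replace the unit"]),
    "LINK_DOWN": EventDef(r"Interface (\S+), changed state to down", 2,
                          "Network interface lost link"),
    "LOGIN_FAIL": EventDef(r"authentication failure.*user=(\S+)", 2,
                           "Failed privileged login"),
}


def scan(stream: list, library: dict = IEM) -> list:
    """Match every line against every library pattern; return matches sorted
    by priority, then by position in the stream."""
    compiled = {name: re.compile(d.pattern) for name, d in library.items()}
    hits = []
    for lineno, line in enumerate(stream, 1):
        for name, rx in compiled.items():
            m = rx.search(line)
            if m:
                d = library[name]
                hits.append({"line": lineno, "event": name, "priority": d.priority,
                             "description": d.description, "captured": m.groups(),
                             "remediation": list(d.remediation)})
    return sorted(hits, key=lambda h: (h["priority"], h["line"]))


def record_remediation(library: dict, name: str, steps: list) -> None:
    """The knowledge-base loop: store the steps that actually fixed it so the
    next match carries them."""
    library[name].remediation = list(steps)


def correlate(hits: list, name: str, count: int, window: int,
              escalate_to: int = 1) -> list:
    """Event combination: `count` occurrences of `name` within `window` lines
    raise a synthetic higher-priority event at the line that completed it."""
    lines = sorted(h["line"] for h in hits if h["event"] == name)
    out = []
    for i in range(count - 1, len(lines)):
        if lines[i] - lines[i - count + 1] < window:
            out.append({"line": lines[i], "event": f"{name}_REPEATED",
                        "priority": escalate_to,
                        "description": f"{count} x {name} within {window} lines"})
    return out


# Constructed stream: one switch and one RTU, syslog-style lines.
SAMPLE_STREAM = [
    "Jan  1 00:00:01 sw-01 %LINK-3-UPDOWN: Interface Gi1/0/7, changed state to down",
    "Jan  1 00:00:02 rtu-01 sshd[211]: authentication failure; user=admin rhost=10.0.0.9",
    "Jan  1 00:00:03 rtu-01 sshd[211]: authentication failure; user=admin rhost=10.0.0.9",
    "Jan  1 00:00:04 rtu-01 sshd[211]: authentication failure; user=admin rhost=10.0.0.9",
    "Jan  1 00:00:05 rtu-01 kernel: PSU2 failure detected, running on PSU1",
    "Jan  1 00:00:06 rtu-01 ntpd: synchronized to 10.0.0.1",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_STREAM)
    for h in hits + correlate(hits, "LOGIN_FAIL", count=3, window=5):
        print(h["priority"], h["line"], h["event"], h["description"])
```

Patterns are compiled once per scan rather than per line, and the ntpd line, which matches nothing, produces no event, which is the point of a watchlist: only text the library knows about reaches a person. The three failed logins each match at priority 2, and the correlation step turns the burst into a single priority 1 event at the line that completed it.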