Enhance endpoint security with custom issues and OS patching


ControlUp has not stopped innovating since the launch of Secure DX, and based on customer feedback we are excited to announce new capabilities that will make your Windows endpoints more secure.

  • Custom issues
  • OS patching
  • Scan once
  • Manual remediation improvements

Custom issues

ControlUp Secure DX is known for finding and remediating a wide array of operating system and application security issues. Sometimes there is no published remediation, or the issue is unique to your environment. Secure DX can now detect and remediate custom security issues with a new feature called Custom Issues. Let’s see how to use custom actions to make your environment more secure, reduce risk, and lower security footprint.

Figure 1 – Secure DX provides built-in scans and remediation and the option to add custom issues

Custom overwrite action

Secure DX has many remediations built into its catalog which can be used without any additional setup. However, our customers have indicated that sometimes they want to use their own remediation instead of the built-in one (for example, they have a private application patch from a vendor), or they have built a remediation for a built-in catalog scan for which Secure DX doesn’t have a remediation.

In the image below, Secure DX has an entry in the catalog to scan for CVE-2023-40217 but there is no remediation for it. Your IT department has found a way to mitigate this vulnerability and has created a remediation script called Patch Python CVE-2023-40217. Secure DX can use its built-in scanner to detect a security issue, and all you need to do is select a script to remediate the security issue.

Figure 2 – Configuring a custom issue overwrite action

Custom scan and remediation

A custom security scan can detect any security issue with a simple PowerShell script. Here’s an example: IT retired a Windows application that used the SSH server service with firewall port 22 opened for communication. Now IT needs to find every device with port 22 open to evaluate the exposure to the business. With Secure DX custom actions, the administrator can assign a script to detect the issue, a severity score, and a category to communicate the exposure of the security issue, allowing them to identify the vulnerability in record time.

Figure 3 – Configuration of a custom scan and remediation

Creating a custom scan for a security issue is great, but remediating a custom issue is even better. By adding a remediation script to a custom scan, you can easily find and fix any issue, making your environment more secure. For instance, the scenario above looked for firewall port 22. A custom remediation would be another PowerShell script that uninstalls the SSH service and removes port 22 on the Windows Firewall.
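The port 22 scenario above, written as one PowerShell script that detects the exposure and, with `-Remediate`, fixes it. This is an added example, not ControlUp's code. It assumes the SSH server is the Windows OpenSSH Server feature (service name `sshd`), and the exit codes (1 = issue found, 0 = clean) are a hypothetical convention, since this page does not describe how Secure DX reads a script's result.

```powershell
# Added example. Assumptions: the SSH server is the Windows OpenSSH Server feature
# (service "sshd"); exit code 1 = issue found, 0 = clean is a hypothetical convention.
param([int]$Port = 22, [switch]$Remediate)

function Test-PortInSpec([string[]]$Spec, [int]$Port) {
    # LocalPort can be a single port, a range such as "20-25", or a keyword
    # ("Any", "RPC"). Keywords are skipped: only explicit port rules are counted.
    foreach ($s in $Spec) {
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

# 1. Is anything listening on the port right now?
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
# 2. Which enabled inbound allow rules open the port?
$rules = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { Test-PortInSpec $_.LocalPort $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
# 3. Is the SSH server service still present?
$service = Get-Service -Name sshd -ErrorAction SilentlyContinue

$exposed = ($listeners.Count -gt 0) -or ($rules.Count -gt 0)
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    Port        = $Port
    Listening   = $listeners.Count -gt 0
    ListenerPid = @($listeners.OwningProcess | Sort-Object -Unique)
    AllowRules  = @($rules.DisplayName)
    SshdService = if ($service) { [string]$service.Status } else { 'NotInstalled' }
} | ConvertTo-Json -Compress

if ($Remediate -and ($exposed -or $service)) {   # requires an elevated session
    if ($service) {
        Stop-Service -Name sshd -Force -ErrorAction SilentlyContinue
        Set-Service -Name sshd -StartupType Disabled
    }
    Get-WindowsCapability -Online -Name 'OpenSSH.Server*' |
        Where-Object State -eq 'Installed' |
        ForEach-Object { Remove-WindowsCapability -Online -Name $_.Name | Out-Null }
    # Disabled rather than deleted so the change can be reviewed and reverted.
    $rules | Disable-NetFirewallRule
    exit 0
}
if ($exposed) { exit 1 } else { exit 0 }
```

Checking listeners and firewall rules separately matters: a device with an allow rule but no listener is still one service install away from exposure, and a listener with no allow rule may still be reachable if the firewall profile is off.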

Secure DX makes finding and remediating security issues scalable, effective, and easy. What you can do with custom issues is up to your imagination. Below are some ways our customers are using Secure DX custom actions today:

  • Scan for and change files, services, and registry settings
  • Install and uninstall software
  • Uninstall and re-install a patch or service
  • Create custom compliance scans and remediations

OS patching

When Secure DX launched, we first focused on fixing Common Vulnerabilities and Exposures (CVEs) for Windows OS and applications, as well as non-CVE application patches. With this release, Secure DX allows you to scan and remediate Windows Knowledge Base (KB) patches as well, so you can ensure your Windows machines are always up to date.

To use the OS patching feature in your environment, edit or add a new template, and select OS Patches in the Scanning Scope and Remediation areas. Remember that by clicking a root branch such as OS Patches, any new OS patch will automatically be added to the template to be scanned and remediated.

Figure 4 – OS Patches configuration for Templates

Scan once option

We have now included the ability to do a one-time scan to give IT the flexibility to scan and remediate many custom issues. Let’s say you need to search for a registry key or a file that may be on 5,000 computers across the world. These computers will be available at various times of the day, or maybe a few devices are off for a week while the users are on vacation. With the scan once switch, each of the 5,000 computers will be scanned only once, no matter how many times users log in or the machines reboot, saving CPU and RAM and preserving the user experience.

Figure 5 – Scan once setting in Template configuration

Manual remediation enhancements

Depending on your scanning and remediation processes, you may occasionally have to manually remediate one or many devices. Secure DX now has enhanced capabilities that can be configured as part of a manual scan including the ability to do a reboot as well as to send the user a message on screen to notify them that a remediation is happening or to inform them that the machine will be restarted.

Figure 6 – Manual remediation enhancements

Secure DX makes securing your environment easier with Custom Actions, Scan Once, OS Patching, and Manual Remediation Schedules. Give Secure DX a try to provide a more secure and better digital experience for both IT and employees.

Eldad Viola

Serving as both the product owner and lead architect, Eldad has played a key role in bringing ControlUp’s Secure DX solution to market, from its inception to its release. Driven by a deep understanding of security practices with experience to match, he understands that the cornerstone of an effective DEX strategy and delivering a positive digital experience for employees is not achieved by compromising on endpoint security. Eldad's expertise in cybersecurity allowed him to lead the IT industry through the early stages of its growth, and he later focused on improving the security of critical national infrastructure. Additionally, Eldad has shared his knowledge by consulting with organizations worldwide to help them build and improve their resilient architectural frameworks.