Endpoint security
Scenario overview
This scenario is for ISVs that provide endpoint protection and security using an endpoint agent managed by the cloud service. The purpose of such integration is to allow management and monitoring of ISV endpoint agents from Acronis Cyber Platform.
The general scheme is the following:
Typical integration scope
Typical integration scope is built around the monitoring scenario and should include the following functionality:
Establishing a connection to the ISV cloud - connection parameters and credentials that allow endpoint protection data to be transferred to Acronis Cyber Platform, using the Integration settings extension point.
Mapping customers - pairing ISV customers with Acronis tenants so that the list of protected workloads is reported to the correct tenant, using the Integration settings extension point.
Reporting protected workloads and their statuses to the Devices list in Acronis Cyber Protection Console, using the Workloads extension point.
Reporting alerts on detected threats and security issues to the Alerts list in Acronis Cyber Protection Console, using the Alerts extension point.
Extended integration scope
To increase the integration value for the MSPs, it is recommended to enhance the integration with additional monitoring and management functionality:
Create integration-specific widgets to monitor endpoint protection status using the Widgets extension point.
Provide the ability to configure tenant-level settings in Acronis Cyber Protection Console using the main menu extension point.
Provide the ability to configure endpoint-level settings in Acronis Cyber Protection Console using the Protection plan extension point.
Recommended Extension points
To extend Acronis Cyber Platform with the functionality required to manage endpoint protection and display endpoint statuses, the following Extension Points should be used:
Integration settings
Endpoint Security management is a customer-level application. This means that the Partner needs to configure the integration for each End Customer individually. Typically, Endpoint Security integration contains the following settings:
Client ID and client secret - required to authenticate to the ISV cloud and fetch the list of End Customers. These settings enable the integration for the Partner.
Customers mapping - a list of customers fetched from the ISV cloud that allows specifying an existing customer mapping or creating a new corresponding customer mapping in Acronis Cyber Platform. Mapping an ISV customer to an Acronis customer enables the application for that specific customer.
Application configuration and mapping can be done only by the Partner and cannot be done by End Customers.
Roles
For the Endpoint Security application, it is recommended to use the following Acronis roles to define access scope for Protection functionality:
Company Admin or Management Portal Administrator - required to enable the integration and perform customer mapping.
Company Admin, Protection Cyber Administrator or Protection Administrator - grants full access to the application functionality. Allows users to check and modify the configuration, work with alerts, change reports, etc.
Protection Read-only Administrator - grants read-only access to the application. Users with this role can check the endpoint protection configuration, statuses and reports, but cannot change them.
Users who don’t have one of the above roles should not have access to Endpoint Security application functions or reports.
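The following is an added illustration of the two rules above (Partner-only configuration and mapping, role-based access to the application); it is not Acronis or any ISV's code. The role names are the ones listed above; the IntegrationSettings structure, the ISV customer records, the tenant identifiers and the "full"/"read-only" access levels are constructed for this example.

```python
"""Integration settings and role checks for a customer-level endpoint-security
application (added example, constructed identifiers)."""
from dataclasses import dataclass, field

# Roles from the page, grouped by what they permit.
ENABLE_ROLES = {"Company Admin", "Management Portal Administrator"}
FULL_ACCESS_ROLES = {"Company Admin", "Protection Cyber Administrator",
                     "Protection Administrator"}
READ_ONLY_ROLES = {"Protection Read-only Administrator"}


def access_level(roles):
    """Return "full", "read-only" or None for a user's roles.

    A user holding both a full-access and a read-only role gets full access;
    a user with none of the listed roles gets no access to the application."""
    roles = set(roles)
    if roles & FULL_ACCESS_ROLES:
        return "full"
    if roles & READ_ONLY_ROLES:
        return "read-only"
    return None


def can_manage_integration(roles, is_partner):
    """Enabling the integration and mapping customers is done by the Partner
    only, and additionally requires one of the enabling roles."""
    return is_partner and bool(set(roles) & ENABLE_ROLES)


@dataclass
class IntegrationSettings:
    """Partner-level settings: ISV credentials plus the customer mapping (constructed)."""
    client_id: str
    client_secret: str                            # held by the platform, never logged
    mapping: dict = field(default_factory=dict)   # isv_customer_id -> acronis_tenant_id

    def integration_enabled(self):
        """The Partner-level integration is enabled once credentials are set."""
        return bool(self.client_id and self.client_secret)

    def application_enabled_for(self, tenant_id):
        """The application is enabled for a customer only once that customer is mapped."""
        return self.integration_enabled() and tenant_id in self.mapping.values()


def map_customers(settings, isv_customers, pairs, actor_roles, is_partner):
    """Apply (isv_customer_id, acronis_tenant_id) pairs chosen by the Partner.

    Rejects unknown ISV customers and a tenant already mapped to a different
    ISV customer. Returns the set of tenants the application is now enabled for."""
    if not can_manage_integration(actor_roles, is_partner):
        raise PermissionError("only a Partner with an enabling role may map customers")
    known = {c["id"] for c in isv_customers}
    for isv_id, tenant_id in pairs:
        if isv_id not in known:
            raise ValueError(f"unknown ISV customer {isv_id!r}")
        owner = next((k for k, v in settings.mapping.items() if v == tenant_id), None)
        if owner is not None and owner != isv_id:
            raise ValueError(f"tenant {tenant_id!r} is already mapped to {owner!r}")
        settings.mapping[isv_id] = tenant_id
    return set(settings.mapping.values())


# Constructed sample: the customer list the connector would fetch from the ISV cloud.
SAMPLE_ISV_CUSTOMERS = [
    {"id": "isv-100", "name": "Alpha LLC"},
    {"id": "isv-101", "name": "Beta GmbH"},
]

if __name__ == "__main__":
    settings = IntegrationSettings("client-id-placeholder", "client-secret-placeholder")
    enabled = map_customers(settings, SAMPLE_ISV_CUSTOMERS,
                            [("isv-100", "tenant-A")], ["Company Admin"], True)
    print("enabled for:", enabled, "| tenant-B enabled:",
          settings.application_enabled_for("tenant-B"))
```

The two checks are kept separate on purpose: `can_manage_integration` guards the Partner-only configuration path, while `access_level` decides what a user inside an already-mapped customer may do, so a Protection Administrator can work with alerts without ever being able to re-map customers.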
Workloads
The Endpoint Security application should submit the list of workloads that have endpoint protection agents installed and registered for the customer to the list of the customer's workloads in Acronis Cyber Platform. To do so, the application must register a new workload type and declare the attributes this type carries. Possible examples of additional attributes:
Workload name in ISV cloud.
Endpoint protection status.
Endpoint protection agent version and status.
Timestamp of last Malware definitions update.
Timestamp of last system scan.
Workload network parameters (IP address and MAC address).
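As an added example (not Acronis or ISV code), the block below builds a record for such a registered workload type from an ISV agent record, validating the network and timestamp attributes before they are submitted. The type name, attribute keys, status vocabularies and the sample agent record are constructed for this example; the attribute set follows the list above.

```python
"""Building records for the application's registered workload type
(added example, constructed identifiers)."""
import ipaddress
import re
from datetime import datetime

WORKLOAD_TYPE = "isv.endpoint_agent"                            # constructed type name
PROTECTION_STATUSES = {"protected", "unprotected", "at_risk"}   # constructed vocabulary
AGENT_STATUSES = {"running", "stopped", "update_required"}      # constructed vocabulary
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

# What the application declares when registering the type: one key per
# attribute listed in the Workloads section.
WORKLOAD_TYPE_DECLARATION = {
    "type": WORKLOAD_TYPE,
    "attributes": ["isv_name", "protection_status", "agent_version", "agent_status",
                   "definitions_updated_at", "last_scan_at", "ip_address", "mac_address"],
}


def normalize_mac(mac):
    """Accept aa:bb:... or AA-BB-...; store a single lowercase colon form."""
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address {mac!r}")
    return mac.replace("-", ":").lower()


def normalize_ip(ip):
    """Accept IPv4 or IPv6; ipaddress raises ValueError on anything else."""
    return str(ipaddress.ip_address(ip))


def normalize_timestamp(value):
    """Require an ISO 8601 timestamp with an explicit offset so that
    'last update' comparisons across agents are meaningful."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {value!r} has no UTC offset")
    return dt.isoformat()


def build_workload(agent, tenant_id):
    """Turn an ISV agent record into a workload of WORKLOAD_TYPE for one tenant."""
    if agent["protection_status"] not in PROTECTION_STATUSES:
        raise ValueError(f"unknown protection status {agent['protection_status']!r}")
    if agent["agent_status"] not in AGENT_STATUSES:
        raise ValueError(f"unknown agent status {agent['agent_status']!r}")
    attributes = {
        "isv_name": agent["isv_name"],
        "protection_status": agent["protection_status"],
        "agent_version": agent["agent_version"],
        "agent_status": agent["agent_status"],
        "definitions_updated_at": normalize_timestamp(agent["definitions_updated_at"]),
        "last_scan_at": normalize_timestamp(agent["last_scan_at"]),
        "ip_address": normalize_ip(agent["ip_address"]),
        "mac_address": normalize_mac(agent["mac_address"]),
    }
    # Every declared attribute is populated, and nothing undeclared is sent.
    assert set(attributes) == set(WORKLOAD_TYPE_DECLARATION["attributes"])
    return {"type": WORKLOAD_TYPE, "tenant_id": tenant_id,
            "name": agent["hostname"], "attributes": attributes}


# Constructed sample agent record as the ISV cloud might return it.
SAMPLE_AGENT = {
    "hostname": "ws-0042", "isv_name": "WS-0042 (Alpha LLC)",
    "protection_status": "protected", "agent_version": "7.4.1", "agent_status": "running",
    "definitions_updated_at": "2024-05-07T06:00:00Z", "last_scan_at": "2024-05-06T22:30:00Z",
    "ip_address": "10.0.0.42", "mac_address": "00-1A-2B-3C-4D-5E",
}

if __name__ == "__main__":
    print(build_workload(SAMPLE_AGENT, "tenant-A"))
```

Normalizing addresses and timestamps before submission matters for the widgets later on: counts per status and "last update" comparisons only work if every agent reports the same representation.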
Alerts
To notify about malware activity or other security issues on a managed workload, the Endpoint Security application must submit alerts to Acronis Cyber Platform. Each alert has a type. Alerts about detected malware must be submitted as an existing alert type and contain the following parameters:
Threat name.
Action executed upon the threat detection.
MD5, SHA1, SHA256 checksums of the detected object.
File path.
File name.
Workload name.
The application can also create new alert types to report other types of security issues or incidents depending on the functionality an endpoint protection agent can provide. For example, if the endpoint protection agent has a function to monitor external devices connected to the protected workload and the agent generates an event “Unauthorized device is connected”, this event should also be submitted to Acronis Cyber Platform as an alert. To be able to report such alerts, the application has to register a new alert type and also define the attributes and their format for the alert content.
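The block below is an added example (not Acronis or ISV code) of building both kinds of alert: a malware alert with the fields listed above, with the checksums validated for length and hex form, and a custom alert type registered with its own attribute schema, using the "Unauthorized device is connected" event from the paragraph above. The type names, the action vocabulary, the registry and the custom schema are constructed for this example.

```python
"""Building alerts for the endpoint-security application
(added example, constructed identifiers)."""
import re

MALWARE_ALERT_TYPE = "malware_detected"   # stands in for the platform's existing malware alert type
MALWARE_ACTIONS = {"quarantined", "deleted", "blocked", "detected"}   # constructed vocabulary
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Alert types the application registers itself: name -> {attribute: python type}.
CUSTOM_ALERT_TYPES = {}


def register_alert_type(name, schema):
    """Declare a new alert type together with the attributes its content carries."""
    if name == MALWARE_ALERT_TYPE or name in CUSTOM_ALERT_TYPES:
        raise ValueError(f"alert type {name!r} already exists")
    CUSTOM_ALERT_TYPES[name] = dict(schema)


def _checksum(kind, value):
    """Checksums must be exactly the right number of hex digits; stored lowercase."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LENGTHS[kind], value):
        raise ValueError(f"{kind} checksum must be {HEX_LENGTHS[kind]} hex digits")
    return value


def build_malware_alert(threat_name, action, md5, sha1, sha256,
                        file_path, file_name, workload_name, created_at):
    """Alert of the existing malware type with the parameters listed above."""
    if action not in MALWARE_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not threat_name or not workload_name:
        raise ValueError("threat name and workload name are required")
    return {
        "type": MALWARE_ALERT_TYPE,
        "created_at": created_at,
        "details": {
            "threat_name": threat_name, "action": action,
            "md5": _checksum("md5", md5), "sha1": _checksum("sha1", sha1),
            "sha256": _checksum("sha256", sha256),
            "file_path": file_path, "file_name": file_name,
            "workload_name": workload_name,
        },
    }


def build_custom_alert(alert_type, attributes, created_at):
    """Alert of a registered custom type; content must match the declared schema exactly."""
    schema = CUSTOM_ALERT_TYPES.get(alert_type)
    if schema is None:
        raise ValueError(f"alert type {alert_type!r} is not registered")
    missing, extra = set(schema) - set(attributes), set(attributes) - set(schema)
    if missing or extra:
        raise ValueError(f"attribute mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    for key, expected in schema.items():
        if not isinstance(attributes[key], expected):
            raise TypeError(f"{key} must be {expected.__name__}")
    return {"type": alert_type, "created_at": created_at, "details": dict(attributes)}


# The page's example event, registered as a custom type with a constructed schema.
register_alert_type("unauthorized_device_connected",
                    {"device_name": str, "device_id": str, "workload_name": str})

# Constructed checksums (not taken from any real sample).
SAMPLE_MD5, SAMPLE_SHA1, SAMPLE_SHA256 = "ab" * 16, "ab" * 20, "ab" * 32

if __name__ == "__main__":
    print(build_malware_alert("Trojan.Generic.Example", "quarantined", SAMPLE_MD5, SAMPLE_SHA1,
                              SAMPLE_SHA256, "C:\\Users\\demo\\Downloads", "setup.exe",
                              "ws-0042", "2024-05-07T09:15:00+00:00"))
    print(build_custom_alert("unauthorized_device_connected",
                             {"device_name": "USB Mass Storage", "device_id": "usb-id-placeholder",
                              "workload_name": "ws-0042"}, "2024-05-07T09:20:00+00:00"))
```

Rejecting a malformed checksum at build time, rather than forwarding whatever the agent reported, keeps the alert list usable for correlation: a truncated or mixed-case hash would otherwise silently fail to match the same object reported from another workload.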
Protection plan
Protection settings that can be configured individually for endpoint protection agents should be displayed as part of the protection plan. Such settings may include malware and vulnerability scan configuration and schedule, malware definitions update schedule, firewall settings, etc.
The application must declare a new section in the protection plan and describe the content for the section in the declarative format in Vendor Portal. Settings specified in the protection plan are saved in Acronis Cyber Platform and synchronized with the ISV cloud by the Connector.
Widgets and Reports
The Endpoint Security application should create several widgets to report the endpoint protection state:
Pie-chart diagram with endpoint agents protection status.
Pie-chart diagram with malware definitions status.
List of 10 latest alerts generated by endpoint protection.
These widgets should be declared by the application. The widget data must be based only on alerts or workload attributes submitted by the application.
It is recommended to add application-specific widgets to the Overview dashboard in Acronis Cyber Protection Console and in the Detected Threats report. Additionally, the application may register a new custom report on endpoint protection with all the widgets created by the application.
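As an added example (not Acronis or ISV code), the block below computes the data for the three widgets listed above strictly from workload attributes and alerts the application submitted, as the paragraph above requires. The attribute keys, the 7-day rule for "definitions up to date", and the sample workloads and alerts are constructed for this example.

```python
"""Widget data computed only from the application's own workloads and alerts
(added example, constructed identifiers and threshold)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

DEFINITIONS_MAX_AGE = timedelta(days=7)   # constructed threshold for "up to date"


def _ts(value):
    """Parse the ISO 8601 timestamps the application submitted."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def protection_status_widget(workloads):
    """Pie chart: number of workloads per protection_status attribute."""
    return dict(Counter(w["attributes"]["protection_status"] for w in workloads))


def definitions_status_widget(workloads, now):
    """Pie chart: definitions up to date vs outdated, derived from the
    definitions_updated_at attribute; `now` is passed in for reproducibility."""
    counts = Counter()
    for w in workloads:
        age = now - _ts(w["attributes"]["definitions_updated_at"])
        counts["up_to_date" if age <= DEFINITIONS_MAX_AGE else "outdated"] += 1
    return dict(counts)


def latest_alerts_widget(alerts, limit=10):
    """List: the newest `limit` alerts, newest first."""
    return sorted(alerts, key=lambda a: _ts(a["created_at"]), reverse=True)[:limit]


# Constructed sample data in the shape the application submitted.
NOW = datetime(2024, 5, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_WORKLOADS = [
    {"name": "ws-0042", "attributes": {"protection_status": "protected",
                                       "definitions_updated_at": "2024-05-07T06:00:00Z"}},
    {"name": "ws-0043", "attributes": {"protection_status": "protected",
                                       "definitions_updated_at": "2024-04-20T06:00:00Z"}},
    {"name": "srv-01", "attributes": {"protection_status": "unprotected",
                                      "definitions_updated_at": "2024-05-06T06:00:00Z"}},
]
# Twelve alerts one hour apart, so the "latest 10" cut-off is visible.
SAMPLE_ALERTS = [
    {"type": "malware_detected", "created_at": (NOW - timedelta(hours=i)).isoformat(),
     "details": {"threat_name": f"Test.Sample.{i}", "workload_name": "ws-0042"}}
    for i in range(12)
]


def dashboard(workloads=SAMPLE_WORKLOADS, alerts=SAMPLE_ALERTS, now=NOW):
    """All three widgets from one pass over the submitted data."""
    return {"protection": protection_status_widget(workloads),
            "definitions": definitions_status_widget(workloads, now),
            "latest_alerts": latest_alerts_widget(alerts)}


if __name__ == "__main__":
    print(dashboard())
```

Taking `now` as a parameter rather than reading the clock inside the widget keeps the definitions pie chart testable and makes the same function reusable for a report generated for a past date.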