FAQ
Frequently Asked Questions
  1. Is the ETS compatible with Remedy work flow?
  2. What is the Global Trust Repository?
  3. How is the Global Trust Repository populated? And updated?
  4. What is unique about this approach?
  5. So this is all about increasing the security of IT systems, right?
  6. How many signatures are in the Global Trust Repository (GTR)?
  7. Is this a subscription service?
  8. Who has access to the Global Trust Repository?
  9. Is a SignaCert product required to use the Global Trust Repository?
  10. How will you verify the identities of those uploading ‘new’ file signatures? Can someone ‘spoof’ a trusted partner?
  11. What is the problem SignaCert solves?
  12. What is verification and how does it work?
  13. What do I do with file deviations, such as added, modified or removed files?
  14. How do you verify an application?
  15. Can verification identify buggy code?
  16. Can this provide information about product quality?
  17. Can this be used to identify malware?
  18. Isn't ETS just like a configuration management database (CMDB)?
  19. How does ETS differ from change management systems?
  20. What is the cost benefit?
  21. What are the intangible (hard to measure) benefits?
  22. What types of signatures are captured in the Global Trust Repository?
  23. How do signatures get captured?
  24. How many signatures are in the repository?
  25. How current are the signatures in the repository?
  26. Has the industry been cooperative regarding harvesting?
  27. Can I capture my own proprietary signatures?
  28. Do I need every signature for all software ever published?
  29. Are you only for large IT shops?
  30. Do you provide a hosted solution?
  31. Does it make my current solution obsolete?
  32. Can’t I get these signatures from NIST?
  33. Why wouldn’t I just capture signatures from what I know is in my network today?

  1. Is the ETS compatible with Remedy work flow?
    ETS is completely compatible with Remedy. However, because each organization uses Remedy and its workflows uniquely, this will require some customization and integration.

  2. What is the Global Trust Repository?
    The Global Trust Repository (GTR) is a repository of file information (e.g. file name, hash value) and metadata derived from software packages as they are published by the original software vendor. This technology provides customers with the ability to unequivocally identify and validate the authenticity of the files that make up a software system and/or application.

    The repository contains millions of signatures covering thousands of software applications from multiple vendors and suppliers, a broad collection of file and software components associated with diverse operating systems, applications, drivers, etc.

  3. How is the Global Trust Repository populated? And updated?
    Through cooperation from industry players, software signatures (cryptographic hashes) are gathered as early in the software release process as possible, using methods and procedures that ensure the authenticity of the files. This approach provides the best available coverage and the highest quality reference to meet the demands of IT leaders and regulators alike. The integrity reference database is updated via proprietary methods to ensure the timeliness and security of the signatures. Metadata stored with each signature records source and collection information (when, how, and where it was collected), thus providing an auditable chain of custody for the data elements in the reference.

  4. What is unique about this approach?
    IT management and security solutions today largely assume that the software components that make up a system are authentic and originate from the publisher. Verifying the files that make up your IT systems ensures the integrity of those systems by identifying which files on a system are authentic and which are not, based on their source-authentic state. This foundational capability creates a baseline by which IT systems can be managed and secured.

    Verifying IT systems complements and improves existing security and management solutions. Changes from authentic state can be detected and proactively addressed prior to system failure, thereby improving system availability and reliability.

    Below is a quote from John Pescatore of Gartner Research that is included in the press announcement released with this FAQ.

    "System failures are often the result of change, either through corruption, malicious code, or unintended configuration changes," said John Pescatore, VP, Gartner Inc. "To secure servers and PCs, enterprises need vulnerability management approaches that assure that only trusted, valid software is running on their systems."

  5. So this is all about increasing the security of IT systems, right?
    Security is top-of-mind for most IT professionals, and the SignaCert solution certainly delivers significant value in this space; however, verification methods have benefits beyond security. Industry data shows that only 3-5% of downtime in major enterprise IT operations is a direct result of malicious tampering. The far greater risk to overall IT systems uptime comes from weak processes, procedures, and compensating controls relating to IT systems management. IT is challenged by managing large numbers of software packages made up of millions of files, along with the inability to tell which files are authorized, not authorized, or from unknown, potentially malicious sources. Verification methods provide a means to validate the state of systems, both pre- and post-deployment, enabling real configuration management and control processes.

  6. How many signatures are in the Global Trust Repository (GTR)?
    SignaCert has millions of signatures, but the real value is in the verified authenticity of the broad enterprise application coverage SignaCert provides. The GTR is a multi-vendor, multi-platform repository that includes operating systems, business applications, and other software elements found in the enterprise. SignaCert works closely with IT vendors to maximize the authenticity and verifiability of the signatures and the software elements they represent.

  7. Is this a subscription service?
    Yes. The solution has a subscription component to deliver signatures for commercial and open source software to your Enterprise Trust Server (ETS). These signatures are used by ETS to verify authenticity of software you have deployed across your enterprise.

  8. Who has access to the Global Trust Repository?
    SignaCert maintains strict controls over access to the Global Trust Repository. Only verifiable ‘from-the-manufacturer’ signatures are published to the database, and the SignaCert security architecture ensures that the signatures cannot be tampered with or inappropriately altered.

  9. Is a SignaCert product required to use the Global Trust Repository?
    No. SignaCert does provide an end-to-end solution, but SignaCert is working with leading industry players to have the SignaCert solution integrated into current and future systems management, security and compliance solutions. SignaCert’s goal is to enhance current vendor solutions by adding a vital and foundational capability that is missing today.

  10. How will you verify the identities of those uploading ‘new’ file signatures? Can someone ‘spoof’ a trusted partner?
    Submissions are coded to each individual publisher and encrypted prior to transmission. All submissions are quarantined and verified prior to inclusion in SignaCert’s trusted reference database.

  11. What is the problem SignaCert solves?
    SignaCert enables customers to prove that their IT systems are deployed exactly as they specified, improving availability and stability. If systems don't match exactly, SignaCert provides a detailed list of deviations, enabling rapid diagnosis and reducing MTTR.

  12. What is verification and how does it work?
    Verification is the process of measuring your IT systems and comparing the results with an IT-specified reference or standard build. This allows customers to prove that their systems are configured with only the specified files and provides the ability to identify deviations from the IT-specified reference. The authenticity of files can be assessed by comparing their file signatures with those published by the software publisher.

    When deviations are identified, the customer receives a list of files, the products they belong to and the machines they were found on to allow the fastest, most effective remediation process.

  13. What do I do with file deviations, such as added, modified or removed files?
    Typically, deviated files require additional action from the IT department. This ranges from examining the files more closely, to remediating the individual deviations, to wiping the entire machine and rebuilding it from the ground up. Appropriate disposition of devices with deviations is defined by the IT department.

  14. How do you verify an application?
    An application can be verified by comparing the files actually found on an IT system with the reference file signatures for that application. You can compare files, their paths, and metadata to evaluate the match. If all attributes match, the application can be considered verified. If deviations are found, the user can remediate them or reinstall the application, whichever is most appropriate.

  15. Can verification identify buggy code?
    No. There are no qualitative assertions made about measured files. This technology is used to verify that IT systems are deployed as intended and to verify the authenticity of software found across the enterprise.

  16. Can this provide information about product quality?
    No. There are no qualitative assessments. This technology is used to verify that IT systems are deployed as intended and to verify the authenticity of software found across the enterprise.

  17. Can this be used to identify malware?
    Yes. SignaCert has captured malware signatures and maintains them in our repository. SignaCert may pursue relationships with malware signature providers, but it is not the company’s core value.

  18. Isn't ETS just like a configuration management database (CMDB)?
    CMDB solutions define the configuration of and relationship between significant components of the IT environment, but do not identify the source or authenticity of software, or how individual files are related to each other and to their parent components.

    Without the ability to determine the source authenticity of files and then track them on a system through comparison to a trusted reference, there is no way to truly know what a system contains and whether it is properly configured. For example, a database server, while appearing to be properly configured, may behave unexpectedly or even fail because it contains incorrect configuration files, or development code that was accidentally promoted into production.

    SignaCert's ETS features a flexible grouping system that allows you to easily define groups of software components that reflect the desired configuration of systems and then relate them to the devices in your enterprise.

  19. How does ETS differ from change management systems?
    Unlike change management solutions, which measure files and report changes to the files relative to a previous state, SignaCert measures change from a definitive measurement point based on signatures from the authentic commercial and custom software in your enterprise.

    This allows you to identify specific changes to system configurations, and drastically reduces the amount of data generated when compared to pure change notification.

    For instance, when a patch is pushed out to a server, a change management system indicates that multiple files have changed, but the source of the changes is not definitively identified. Although you know a patch was applied to the operating system, you have no way to tell if it has been applied successfully.

    With SignaCert, you are able to tell that the changes are associated with an operating system patch stored in the Enterprise Trust Server and are therefore desired changes. You can also see down to the file level that the patch was successfully applied, leaving no ambiguity that the system is deployed as intended.
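    The following is an added illustration of the verification described in questions 12 and 14 and of the patch attribution described in question 19; it is example code written for this page, not SignaCert's ETS code. A deployed tree is measured, compared against a reference build, and every deviation is reported as added, modified or removed unless its hash matches an approved patch manifest, in which case it is reported as an authorized change. SHA-256, the file paths and the patch name APP-1.0.1 are constructed assumptions; the page does not name the hash algorithm.

```python
import hashlib
import os
import tempfile

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def measure(root):
    """Measure a deployed tree: {relative path: sha256} for every file found."""
    measured = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                measured[rel] = sha256_bytes(f.read())
    return measured

def verify(measured, reference, patches):
    """Classify deviations from the reference build ({path: sha256}).
    patches maps an approved patch name to its own {path: sha256} manifest;
    a deviation whose hash matches a patch is reported as an authorized change."""
    report = {"removed": [], "added": [], "modified": [], "patched": {}}
    for path, digest in sorted(reference.items()):
        if path not in measured:
            report["removed"].append(path)
        elif measured[path] != digest:
            report["modified"].append(path)
    report["added"] = sorted(p for p in measured if p not in reference)
    # Attribute added/modified files to an approved patch where the signature matches.
    for category in ("added", "modified"):
        for path in list(report[category]):
            for patch, manifest in patches.items():
                if manifest.get(path) == measured[path]:
                    report["patched"].setdefault(patch, []).append(path)
                    report[category].remove(path)
                    break
    return report

def demo():
    """Constructed sample: a three-file reference build, one approved patch, and a
    deployed tree with one patched file, one unknown file and one missing file."""
    reference = {
        "bin/app": sha256_bytes(b"app v1.0"),
        "etc/app.conf": sha256_bytes(b"port=443\n"),
        "lib/helper.so": sha256_bytes(b"helper v1.0"),
    }
    patches = {"APP-1.0.1": {"bin/app": sha256_bytes(b"app v1.0.1")}}
    deployed = {                        # lib/helper.so is deliberately absent
        "bin/app": b"app v1.0.1",       # patched binary
        "etc/app.conf": b"port=443\n",  # unchanged
        "tmp/dropped.dll": b"unknown",  # present in no reference
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in deployed.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return verify(measure(root), reference, patches)

if __name__ == "__main__":
    print(demo())
```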

  20. What is the cost benefit?
    We don’t know yet. We will continue to evaluate the benefits provided by deploying the technology, but do not have a quantifiable metric today. That being said, the benefits include:
    • Fine-grained measurement provides a more comprehensive view of the network
    • Faster diagnoses for tech support
    • Faster identification of unknown elements
      • Eliminate ‘known good’ elements from analysis—quickly identify endpoint configuration, including what is expected to be on a given machine, what is unidentified, and what (if any) is unauthorized. Accurate and automated identification of these elements saves significant time for technical support staff.
      • Quickly find problem elements – A policy configured to detect known bad elements can help IT staff rapidly find and address common problems.

  21. What are the intangible (hard to measure) benefits?
    • Ease of use
    • Transparent to end users
    • Improved Compliance reporting
    • Improved security and stability – due to fewer UFOs (unidentified foreign objects) and configuration verification.
    • Detect missing files – One of the most challenging aspects of failure diagnosis is resolving a problem caused not by the inclusion of a malicious file, but by the deletion of a required file. The SignaCert scan utility can be configured based on an enterprise gold standard to report on expected files and determine which are missing, enabling IT staff to quickly repair, replace, or reinstall the missing element and restore the system to operation.
    • Automated endpoint auditing— The SignaCert solution automatically creates reports of precisely which versions of which software are installed on enterprise systems, replacing the painfully manual, expensive, and incomplete processes often mandated and implemented by IT departments attempting to understand their environment. These reports make IT staff much more efficient at detecting pervasive or systemic problems. This helps increase the mean time between failures (MTBF) but does not directly impact MTTR.
    • Preventative maintenance—Identifying issues before they become “problems” can create significant savings. Providing information about the state of endpoints helps IT staff stay “ahead” of emerging problems. This manifests itself as improved uptime for operations, increased MTBF, and fewer desk-side visits for technical support staff.
    • Compliance reports—Reports showing device and system compliance, both aggregate and device-specific, help IT departments explicitly demonstrate and document compliance and detect and efficiently remediate noncompliant systems. Automating the reporting process helps IT spend more time solving problems rather than finding them.
    • Automated asset identification—What software is installed where? Accurate accounting of these packages saves money in license management.
    • Proof of Compliance—Stops the guesswork when stating compliance. Companies can state with confidence that their network and devices are as they have stated in their defined processes.
    • Granular Visibility—Compliance auditing and scanning provide instant visibility into the state of customer networks and devices. Customers deploy a scan and immediately see whether any unauthorized or unidentified elements appear in their network and which specific machines are affected. This helps the IT department make better decisions faster.

  22. What types of signatures are captured in the Global Trust Repository?
    The Global Trust Repository will include signatures for:
    • Operating Systems
    • Desktop applications
    • Enterprise applications
    • ISV niche products
    • Open Source products
    The Enterprise Trust Server will contain signatures from the GTR for commercially available products and signatures for customers' proprietary products and files. Harvesting tools will be provided, allowing customers to capture these signatures as required.

  23. How do signatures get captured?
    Signatures for commercial products can be harvested at their release point, ensuring the highest accuracy possible. This is referred to as source harvesting.

    Another method, referred to as self harvesting, can be used by customers to capture signatures for their own proprietary products or files.

  24. How many signatures are in the repository?
    It is growing all the time, but we won't disclose the actual quantity. It is SignaCert’s position that the actual quantity is irrelevant, and that the contents' relevance to customers is a much better measure of usefulness. SignaCert is actively capturing signatures for a wide variety of commonly deployed, commercially available products.

  25. How current are the signatures in the repository?
    It depends on how they are captured. If signatures are source harvested, they will actually be captured either just before or in parallel with the release process.

    If self harvested, they will be reasonably current, but may take days, weeks, or in the worst case months to capture signatures for newly released products.

  26. Has the industry been cooperative regarding harvesting?
    Very. They understand that customers are demanding improved quality and manageability from their products and view this as an opportunity to help achieve this.

  27. Can I capture my own proprietary signatures?
    Yes. Customer proprietary signatures are captured in the Enterprise Trust Server, our appliance product. This product allows customers to capture signatures for standard builds, custom proprietary software and more.

  28. Do I need every signature for all software ever published?
    No. You need signatures that are relevant to your environment. That means you need signatures for the commercial products you use (open source too) and you need signatures for the software you develop specifically for use in your environment. This combination provides complete coverage of files that should be in your network.

    If you are intending to use this method to identify things that shouldn’t be on your network, you need a larger set of signatures. Specifically if you are intending to identify unknown or unidentified files, you may need to compare against a repository of currently published software signatures. If you are looking to explicitly identify malware, signatures representing known bad items are necessary.

  29. Are you only for large IT shops?
    No. This solution is applicable for companies of all sizes.

  30. Do you provide a hosted solution?
    We will be announcing a hosted solution (DMZ) very soon for customers with specific needs. This solution will scale from a complete service for smaller organizations down to organizations that want to pilot the technology without a complete integration effort.

  31. Does it make my current solution obsolete?
    No. This is an adjunctive technology. It only makes what you already have work better.

  32. Can’t I get these signatures from NIST?
    Yes, but these data sets are incomplete and not up to date. NIST provides the NSRL, and there are several others as well.

  33. Why wouldn’t I just capture signatures from what I know is in my network today?
    That may work for your proprietary products, but it would be very difficult to know with confidence that you had good signatures for commercially available products.
