External monitoring of endpoint configuration compliance

Authors:
Darrell M. Kienzle;Ryan K. Persaud;Matthew C. Elder
Affiliations:
Symantec Corporation, Herndon, VA;Symantec Corporation, Herndon, VA;Symantec Corporation, Herndon, VA
Venue:
Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies
Year:
2009

Citing 4
Cited 0

When Virtual Is Better Than Real

HOTOS '01 Proceedings of the Eighth Workshop on Hot Topics in Operating Systems
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction

Proceedings of the 14th ACM conference on Computer and communications security
Hypervisor support for identifying covertly executing binaries

SS'08 Proceedings of the 17th conference on Security symposium
Using every part of the buffalo in Windows memory analysis

Digital Investigation: The International Journal of Digital Forensics & Incident Response

Quantified Score

Hi-index	0.00

Visualization

Abstract

We describe a system for externally monitoring endpoint configuration compliance of an end user system that provides a high assurance monitoring function and data. Typical approaches to monitoring for endpoint configuration compliance rely on the integrity of the endpoint's operating system and do not protect the monitoring function from subversion or spoofing by threats from within the monitored system. Our approach utilizes (1) a virtual machine architecture on the endpoint system to protect the monitoring function and (2) virtual machine introspection of the end user's environment. In this paper we describe our approach to external monitoring of endpoint configuration compliance, present the technical details of our monitoring system, and discuss some of the issues associated with external monitoring.