Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Top 5 Tips and Tricks for Retina CS 4.5

Posted August 8, 2013    Morey Haber

I honestly believe we have the best pre-sales, post sales, and technical support departments in the security industry. They are responsive, technical, and can customize BeyondTrust solutions to match individual business requirements, even when they are pretty comprehensive outside-of-the-box. Based on their work, we have an internal process and external knowledge base to document these configurations and make them available to any prospect or client that wants to do even more with the solution.

Recently, we did a review of these installations and found that there are some very simple tips and tricks to using Retina CS (and Retina Insight) that can go along way for any business. I have documented the Top 5 below and want to give a big shout out to my teams for their excellent work and making these available to everyone. So, here it goes, the Top 5 Tips and Tricks for Retina CS:

#1 – Creating a Smart Rule for Assets with No Operating System Identified

This tip helps administrators document which assets are not being properly identified by their operating system during a Retina scan. This could be due to firewalls, anti-virus solutions, and IDS/IPS security solutions preventing (as they should) what the operating system is for a device. First, create a Smart Rule and specify the following regular expression:

To show only assets with OS unidentified use “does not match” –> ^[a-zA-Z0-9]
To show only assets with OS identified use “matches regular expression” –> ^[a-zA-Z0-9]

Asset Selection Criteria-img1

Then, as an action, specify a Smart Group or an email alert. When assets are identified with no matching operating system, the smart group will automatically populate or an email which will be sent to an administrator.

#2 – Dynamically Change PowerBroker for Windows Policy Based on Asset Location (IP Address Range)

With the introduction of Retina CS 4.5 and PBW 6.0, PBW can receive policy from Active Directory Group Policy (GPO Based) or the Retina CS Threat Management Console. Policy from Retina CS is assigned via a Smart Rule / Smart Group. In order to have a PBW agent dynamically change policy based on location (IP Address), simply add the Address Group to the Asset Selection Criteria.

Asset Selection Criteria-img2

When the asset (in this case win8-wm) is located within the Address Group range “Cricklewood” it will receive the policy “Cricklewood Sample”. Next the user needs to create a second duplicate Smart Rule with another IP range excluding “Cricklewood”. This would be any address foreign to your internal network or trusted VLAN. When the PBW agent checks in (assuming routing Retina CS is made available publicly), it will then receive the alternate policy (not shown) that could potentially be more restrictive since the asset is not on a trusted network. This allows policy to change dynamically on a PBW agent based on location and when not connected via Active Directory (I.e. Non domain machines or even eDirectory).

#3 – Assigning Assets to Retina CS Patch Management

Retina CS has an automated engine via Smart Rules to change a client’s WSUS settings to the system managed by Retina CS for Patch Management. Sometimes, this process will fail if the device is not online reliably or remote registry access is not permitted. In that case PowerBroker EPP (as an agent) can be used to assist with the change (if installed) or you can deploy the settings for Active Directory as a remote registry file. Below is a sample of this file:

     Windows Registry Editor Version 5.00



Change the IP Address and Port in the top lines to your WSUS server (IP Address or Hostname) and modify any of the values in the second section based on Microsoft’s Knowledge Base. This will allow you to configure assets for Retina CS integrated WSUS Patch Management even when they are restricted to automate configuration from the console itself. This works great in a lab too when you are testing out the solution for the first time!

#4 – Advanced Vulnerability Reporting on Mobile Devices

Retina CS has advanced Mobile connectors for Microsoft ActiveSync, BlackBerry, and Android Agents. These connectors allow you to inventory and report vulnerabilities on a wide variety of mobile devices and show the results as Assets within Retina CS.

Retina CS-img3

One of the coolest tips for the solution is that these Assets are stored just like every other Asset and can be used against every report in the system just like a Server or Workstation; including common regulatory reports like HIPAA and PCI. All an administrator needs to do is Run a Report on Existing Data against a mobile Smart Group and the results will appear just like any other Asset in the System. Below is a snippet from a HIPAA report against these Android devices:


#5 – Retina Insight Pivot Grid

If you have seen a pre-sales demonstration of our technology, you have probably seen the Retina Insight Pivot Grid. This component of the technology allows users to build customized reports when none of the over 260+ canned reports meet their needs. Administrators can open the Pivot Grid and drag and drop Measures and Metrics for almost all of the data collected by Retina CS to create custom reports. Below is a sample of Assets and Vulnerabilities mapped to the presence of Zero-Day Vulnerabilities.


These report templates can be exported / imported such that they can be transported from a lab to production, and then saved and published just like any other Retina Insight report. It truly gives you the power to create custom reports well outside-of-the-box.

If you have found any other tips and tricks in your travels, please comment below. We would like to hear from you.

, , , , , , ,

Additional articles


Why big data breaches won’t always be so easy

Posted September 19, 2014    Byron Acohido

This blog post is republished with the permission of ThirdCertainty. See the original post here. – By: Byron Acohido, Editor-In-Chief, ThirdCertainty Some day, perhaps fairly soon, it will be much more difficult for data thieves to pull off capers like the headline-grabbing hacks of Home Depot and Target. That’s not a pipe dream. It’s the projected outcome…

, , , , ,

8 Reasons Your Privileged Password Management Solution Will Fail

Posted September 18, 2014    Chris Burd

Leveraging complex, frequently updated passwords is a basic security best practice for protecting privileged accounts in your organization. But if passwords are such a no-brainer, why do two out of three data breaches tie back to poor password management? The fact is that not all privileged password management strategies are created equal, so it’s critical…

, , , , , ,

You Change Your Oil Regularly; Why Not Your Passwords?

Posted September 11, 2014    Chris Burd

There are many things in life that get changed regularly:  your car oil, toothbrush and hopefully, your bed sheets.  It’s rare that you give these things much thought – even when you forget to change them. But what if you’re forgetting something that can cost you millions of dollars if left unchanged for long periods…

, , ,