Drive Out Devices With Missing (Or Stopped) Epp Software

Anyone who talks to operational teams know they can provide insight into what really matters on a day-to-day basis for "keeping the lights on" and increasing the security resilience of their IT estate. 

It's easy to overlook how fundamental many challenges are, despite the massive advancements in technology over the past few decades. If anything, the fundamentals matter more than ever, given the incredible need for security resilience at all points across the IT landscape.

Operations teams need a simple yet holistic solution to a very fundamental problem: ensuring servers and compute endpoints are, in fact, running the corporate endpoint protection application.

Long-term operational SMEs know a few things:. 

  1. They can use the management console of their corporate EPP product to see devices that have the EPP application installed, but not running. 
  2. They can export the list of endpoints from the corporate EPP product and compare that to other exported lists (from other discovery-style applications running in the organisation), to find devices that aren't seen by the corporate EPP product and are therefore unprotected.
  3. They can manually raise tickets or remediation tasks in ServiceNow for teams to close the gaps.

The problem is the manual and cumbersome nature of these steps. Sure, they have automated a few pieces of the puzzle, but making it work requires ongoing attention and human intervention. Solving the problem requires accomplishing the following goals:

  1. Achieve automation with an end-to-end solution to this issue using Lansweeper as the discovery source. 
  2. Make sure the technique used to determine if the EPP application (or more specifically the Windows service that represents the EPP application) is truly in a running state. These folks are smart enough to know there are several ways the running state of an EPP application can be misrepresented, depending on how it is detected.
  3. Make sure that the multiple types of EPP applications (and multiple versions of the same EPP application) used in the organisation are covered by the solution. Most large organizations comprise numerous acquisitions; they don't have the luxury of managing a single EPP application.
  4. Make sure they can visualise and automate remediation tasks for the servers and end-user compute devices that are missing the EPP application, or are showing that the application is in a "stopped" state. 

Through  an integration between Lansweeper, the market's leading IT discovery solution, and Syncfish CI Syncronizer, this is possible. If you already have both solutions installed, a few configuration changes are all that's needed to provide a simple yet highly effective solution to endpoint protection problems.

Good news: this integration is now part of the base configuration of CI Syncronizer and can be used to target other critical Windows services - not just the services that represent your EPP application.

Combining Lansweeper & ServiceNow

How it Works

Lansweeper easily discovers all Windows Services on a device, including the status of the service (running or not). 

In a recent implementation, we modified the CI Synchronizer configuration rules to synchronise just the particular service that represented a customer's corporate endpoint protection application (in this case, SentinelOne). Targeting the particular service meant we didn't have to synchronise the hundreds of other Windows services into the CMDB.

Once this was complete, we configured CI Synchronizer to persist the service into the OOTB Windows Services related list in the ServiceNow CMDB using a related list against the related compute CI. Finally, we set some simple dashboards and business rules to fire off consolidated remediation tasks to the teams responsible for remediating endpoints with missing or stopped instances of the endpoint protection application.

The end result at the CI Synchronizer UI (when creating a sync job) is as simple as the tick box shown below. The rules behind this selection are specific to the particular service or services defined by the customer and baked into the customer-specific CI Synchronizer configuration. 

The equally simple, yet powerful outcome on the ServiceNow end is a related list that's automatically maintained. Once the data was in the CMDB (and related to the associated CIs), it was a snap to create dashboards, reports and automated remediation tasks.

Sound too good to be true? It's not! Let's solve CMDB automation!

CI Cycronizer + Lansweeper = CMDB Automation

Lansweeper is a leading IT discovery and inventory tool that continually scans your network and consolidates all IT asset data into a single source of truth. Its Asset Radar and Credential-free Device Recognition (CDR) technology work together to detect and recognize every IT asset - servers, endpoints, IoT, OT, rogue devices and more -- eliminating blind spots and providing complete visibility across your IT estate.

Through a seamless integration with CI Synchronizer (Enterprise Edition), powered by Syncfish, Lansweeper auto-populates the ServiceNow CMDB, so you always have the most current and complete set of IT asset data in your CMDB. CI Synchronizer maps 30+ Lansweeper asset types to CMDB CI classes out-of-the-box, 15 sets of CI-related lists derived from Lansweeper data, and more than 80 possible CI-to-CI relationships, automatically. Plus, it's up and running in under 90 minutes.

Contact us to see how to finally solve the CMDB automation challenge and optimize the ROI of your ServiceNow investment today.

Combining Lansweeper & ServiceNow

You may also like...

Try Lansweeper for Free

Learn why Lansweeper is used by thousands of enterprises worldwide.‚Äč