FAQ

Home | Support | FAQ

FAQ

Frequenty Asked Questions

Is the ETS compatible with Remedy work flow?

ETS is completely compatible with Remedy. However, because each organization use Remedy and its workflows uniquely, this will require some customization and integration.
Back to top
What is the Global Trust Repository?

The Global Trusted Repository (GTR) is a repository of file information (i.e. file name, hash value, etc.), and metadata derived from software packages as they are published by the original software vendor. This technology provides customers with the ability to unequivocally identify and validate the authenticity of the files that make up the software system and/or application.

The repository contains millions of signatures covering thousands of software applications from multiple vendors and suppliers, a broad collection of file and software components associated with diverse operating systems, applications, drivers, etc.
Back to top
How is the Global Trust Repository populated? And updated?

Through cooperation from industry players, software signatures (cryptographic hashes) are gathered as early in the software release process as possible, using methods and procedures that ensure the authenticity of the files. This approach provides the best available coverage, and highest quality reference to meet the demands required by IT leaders and regulators alike. The integrity reference database is updated via proprietary methods to ensure the timeliness and security of the signatures. Metadata stored with each signature maintains source and collection information for the signature regarding when, how, and where it was collecting, thus providing an auditable chain of custody for the data elements in the reference.
Back to top
What is unique about this approach?

IT management and security solutions today largely assume that the software components that make up a system are authentic and originate from the publisher. Verifying the files that makeup your IT systems ensures the integrity of these systems by identifying which files on a system are authentic and which are not based on their source-authentic state. This foundational capability creates a baseline by which IT systems can be managed and secured.

Verifying IT systems complements and improves existing security and management solutions. Changes from authentic state can be detected and proactively addressed prior to system failure, thereby improving system availability and reliability.

Below is a quote from John Pescatore of Gartner Research that is included in the press announcement released with this FAQ.

“System failures are often the result of change, either through corruption, malicious code, or unintended configuration changes" said John Pescatore, VP Gartner Inc. "To secure servers and PCs, enterprises need vulnerability management approaches that assure that only trusted, valid software is running on their systems"
Back to top
So this is all about increasing the security of IT systems, right?

Security is top-of mind for most IT professionals, and certainly the SignaCert solution delivers significant value in this space, however verification methods have benefits beyond security. Industry data shows that only 3-5% of downtime in major enterprise IT operations is a direct result of malicious tampering. The far greater risk to overall IT systems uptime comes from weak processes, procedures, and compensating controls relating to IT systems management. IT is challenged by managing large numbers of software packages made up of millions of files, along with the inability to tell which files are authorized, not authorized or from unknown, potentially malicious sources. Verification methods provide a means to validate the state of systems, both pre- and post-deployment, enabling real configuration management and control processes.
Back to top
How many signatures are in the Global Trust Repository (GTR)?

SignaCert has millions of signatures, but the real value is in the verified authenticity of the broad enterprise application coverage SignaCert provides. The GTR is a multi-vendor, multi-platform repository that includes operating systems, business applications, and other software elements that are found in the enterprise. SignacCert works closely with IT vendors to maximize the authenticity and verifiability of the signatures and the software elements they represent.
Back to top
Is this a subscription service?

Yes. The solution has a subscription component to deliver signatures for commercial and open source software to your Enterprise Trust Server (ETS). These signatures are used by ETS to verify authenticity of software you have deployed across your enterprise.
Back to top
Who has access to the Global Trust Repository?

SignaCert maintains strict controls over access to the Global Trust Repository. Only verifiable ‘from-the-manufacturer’ signatures are published to the database, and the SignaCert security architecture ensures that the signatures cannot be tampered with or inappropriately altered.
Back to top
Is a SignaCert product required to use the Global Trust Repository?

No. SignaCert does provide an end-to-end solution, but SignaCert is working with leading industry players to have the SignaCert solution integrated into current and future systems management, security and compliance solutions. SignaCert’s goal is to enhance current vendor solutions by adding a vital and foundational capability that is missing today.
Back to top
How will you verify the identities of those uploading ‘new’ file signatures? Can someone ‘spoof’ a trusted partner?

Submissions are coded to each individual publisher and encrypted prior to transmission. All submissions are quarantined and verified prior to inclusion in SignaCert’s trusted reference database.
Back to top
What is the problem SignaCert solves?

SignaCert enables customers to prove that their IT systems are deployed exactly as they specified improving availability and stability. If systems don't match exactly, SignaCert provides a detailed list of deviations, enabling rapid diagnosis and reducing MTTR.
Back to top
What is verification and how does it work?

Verification is the process of measuring your IT systems and comparing the results with an IT specified reference or standard build. This allows customers to prove that their systems are configured with only specified files and provided the ability to identify deviations from IT specified reference. The authenticity of files can be assessed by comparing their file signatures with those published by the software publisher.

When deviations are identified, the customer receives a list of files, the products they belong to and the machines they were found on to allow the fastest, most effective remediation process.
Back to top
What do I do with file deviations, such as added, modified or removed files?

Typically deviated files require additional action from the IT Department. This ranges from examining the files more closely, to remediating the individual deviations, to wiping the entire machine and building from the ground up. Appropriate disposition of devices with deviations is defined by the IT department.
Back to top
How do you verify an application?

An application can be verified by comparing the files actually found on an IT system with reference file signatures for that application. You can compare files, their path, and metadata to evaluate the match. If all attributes match the application can be considered verified. If deviations are found, the user can remediate them or reinstall the application, whichever is most appropriate.
Back to top
Can verification identify buggy code?

No. There are no qualitative assertions made about measured files. This technology is used to verify that IT systems are deployed as intended and to verify the authenticity of software found across the enterprise.

Back to top
Can this provide information about product quality?

No. There are no qualitative assessments. This technology is used to verify that IT systems are deployed as intended and to verify the authenticity of software found across the enterprise.
Back to top
Can this be used to identify malware?

Yes. SignaCert has captured malware signatures and maintains them in our repository. SignaCert may pursue relationships with malware signature providers, but it is not the company’s core value.
Back to top
Isn't ETS just like a configuration management database (CMDB)?

CMDB solutions define the configuration of and relationship between significant components of the IT environment, but do not identify the source or authenticity of software, or how individual files are related to each other and to their parent components.

Without the ability to determine the source authenticity of files and then track them on a system through comparison to a trusted reference, there is no way to truly know what a system contains and whether it is properly configured. For example, a database server, while appearing to be properly configured, may behave unexpectedly or even fail because it contains incorrect configuration files, or development code that was accidentally promoted into production.

SignaCert's ETS features a flexible grouping system that allows you to easily define groups of software components that reflect the desired configuration of systems and then relate them to the devices in your enterprise.
Back to top
How does ETS differ from change management systems?

Unlike change management solutions, which measure files and report changes to the files relative to a previous state, SignaCert measures change from a definitive measurement point based on signatures from the authentic commercial and custom software in your enterprise.

This allows you to identify specific changes to system configurations, and drastically reduces the amount of data generated when compared to pure change notification.

For instance, when a patch is pushed out to a server, a change management system indicates that multiple files have changed, but the source of the changes is not definitively identified. Although you know a patch was applied to the operating system, you have no way to tell if it has been applied successfully.
With SignaCert, you are able to tell that the changes are associated with an operating system patch stored in the Enterprise Trust Server and are therefore desired changes. You can also see down to the file level that the patch was successfully applied, leaving no ambiguity that the system is deployed as intended.
Back to top
What is the cost benefit?
We don’t know yet. We will continue to evaluate the benefits provided by deploying the technology, but do not have a quantifiable metric today. That being said, the benefits include:
- Fine grain measurement provides more comprehensive view of network
- Faster diagnoses for tech support
- Faster identification of unknown elements
Back to top
What are the intangible (hard to measure) benefits?
- Ease of use
- Transparent to end users
- Improved Compliance reporting
- Improved security and stability– due to fewer UFOs (unidentified foreign objects  ), and configuration verification.
- Detect missing files – One of the most challenging aspects of failure diagnosis is resolving a problem which is due not to the inclusion of a malicious file, but to the deletion of a required file. The SignaCert scan utility can be configured based on an enterprise gold standard to report on expected files and determine which are missing, thus quickly enabling IT staff to repair, replace, or reinstall the missing element and restoring the system to operation.
- Automated endpoint auditing— The SignaCert solution automatically creates reports of precisely what versions of which software is installed on enterprise systems, replacing the painfully manual, expensive, and incomplete processes often mandated and implemented by IT departments attempting to understand their environment. These reports make IT staff much better able to detect and making IT staff much more efficient at detecting pervasive or systemic problems. This helps increase the mean time between failures and does not directly impact to MTTR.
- Preventative maintenance—Identifying issues before they become “problems” can create significant savings. Providing information about the state of endpoints helps IT staff stay “ahead” of emerging problems. This manifest itself as improved uptime for operations, increased MTBF, and fewer desk-side visits for technical support staff.
- Compliance reports—Reports showing device and system compliance, both aggregate and device specific, helps IT departments explicitly demonstrate and document compliance and to detect and efficiently remediate noncompliant systems. Automating the reporting process helps IT spend more time solving problems rather than finding them.
- Automated asset identification—What software is installed where? Accurate accounting of these packages saves money in license management.
- Automated endpoint auditing— The SignaCert solution automatically creates reports of precisely what versions of which software is installed on enterprise systems, replacing the painfully manual, expensive, and incomplete processes often mandated and implemented by IT departments attempting to understand their environment.
- Proof of Compliance—Stops the guesswork when stating compliance. Companies can state with confidence that their network and devices are as they have stated in their defined processes.
- Granular Visibility—Compliance auditing and scanning provides instant visibility into the state of customer networks and devices. Customers deploy a scan and immediately view information whether or not any unauthorized or unidentified elements appear in their network and which specific machines are impacted. This helps the IT department make better decisions faster.
Back to top
What types of signatures are captured in the Global Trust Repository?
The Global Trust Repository will include signatures for:
- Operating Systems
- Desktop applications
- Enterprise applications
- ISV niche products
- Open Source products
The Enterprise Trust Server will contain signatures from the GTR for commercially available products and signatures for customers' proprietary products and files. Harvesting tools will be provided allowing customers to capture these signature as required.

Back to top
How do signatures get captured?

Signatures for commercial products can be harvested at their release point ensuring the highest accuracy possible. This is referred to as source harvesting.

Another method, referred to as self harvesting, can be used by customers to capture signatures for their own proprietary products or files.
Back to top
How many signatures are in the repository?

It is growing all the time, but we wont disclose the actual quantity. It is SignaCert’s position that actual quantity is irrelevant, and that the contents relevance to the customers is a much better measure of usefulness. SignaCert is actively capturing signatures for a wide variety of commonly deployed commercially available products.
Back to top
How current are the signatures in the repository?

It depends on how they are captured. If signatures are source harvested, they will actually be capture either just before or in parallel with the release process.

If self harvested, they will be reasonably current, but may take days, weeks, or in the worst case months to capture signatures for newly released products.
Back to top
Has the industry been cooperative regarding harvesting?

Very. They understand that customers are demanding improved quality and manageability from their products and view this as an opportunity to help achieve this.
Back to top
Can I capture my own proprietary signatures?

Yes. Customer proprietary signatures are captured in the Enterprise Trust Server, our appliance product. This product allows customers to capture signatures for standard builds, custom proprietary software and more.
Back to top
Do I need every signature for all software ever published?

No. You need signatures that are relevant to your environment. That means you need signatures for the commercial products you use (open source too) and you need signatures for the software you develop specifically for use in your environment. This combination provides complete coverage of files that should be in your network.

If you are intending to use this method to identify things that shouldn’t be on your network, you need a larger set of signatures. Specifically if you are intending to identify unknown or unidentified files, you may need to compare against a repository of currently published software signatures. If you are looking to explicitly identify malware, signatures representing known bad items are necessary.
Back to top
Are you only for large IT shops?

No. This solution is applicable for companies of all sizes.
Back to top
Do you provide a hosted solution?

We will be announcing a hosted solution (DMZ) very soon for customers with specific needs. This solution will scale from a complete service for smaller organizations down to organizations that want to pilot the technology without a complete integration effort.
Back to top
Does it make my current solution obsolete?

No. This is an adjunctive technology. It only makes what you already have work better.
Back to top
Can’t I get these signatures from NIST?

Yes, but these data sets are incomplete and not up to date. NIST provides NSRL, but there are several others as well.
Back to top
Why wouldn’t I just capture signatures from what I know is in my network today?

That may work for your proprietary products, but it would be very difficult to know with confidence that you had good signatures for commercially available products.
Back to top