This guide provides Coro admin users with recommended settings, configuration tips, and suggestions for how to set up the Coro platform to protect your users, devices, and data.
It covers:
- Cloud Security
- Endpoint Security
- Email Security
- User Data Governance
- Endpoint Data Governance
- Devices
- Other recommendations and notes
- Summary
This guide is intended as a starting point for many common scenarios, covering standard areas of monitoring and protection. Read the Coro documentation or contact your sales representative for advice tailored to your specific needs.
Coro's Cloud Security module protects cloud application users against threats such as identity compromise, access violations, and mass data download or deletion.
Make sure that your cloud application is connected to Coro and, where applicable, that audit logging is enabled and can be shared with Coro.
Read more: Introducing cloud security
Access permissions are an important part of controlling access to cloud-based company data, intellectual property, and other important resources.
Coro enables admin users to limit access to connected cloud applications based on a user's geographic location or region.
For example, if you configure your workspace to allow Microsoft 365 sign-ins only for users within Texas (US), Coro detects (and optionally restricts) any attempts to sign in from outside Texas as this could indicate a compromised account.
Set up access permissions for your users to allow sign-ins only from authorized locations. Make sure to set an automatic remediation action based on your organization's needs.
Read more: Access permissions
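The location-based check described above, as an added illustration (not Coro's own code): sign-in events are evaluated against an allow-list of (country, region) pairs, a missing region is treated as a violation unless the whole country is allowed, and each violation carries the configured remediation. The event fields and the "sign-out" action name are assumptions for this example.

```python
from dataclasses import dataclass

# Constructed sign-in events. The field names are an assumption for this
# example, not the schema of Microsoft 365 or Coro audit logs.
SIGN_IN_EVENTS = [
    {"user": "alice@example.com", "country": "US", "region": "Texas"},
    {"user": "bob@example.com", "country": "US", "region": "Ohio"},
    {"user": "carol@example.com", "country": "DE", "region": "Bavaria"},
    {"user": "dave@example.com", "country": "US", "region": None},  # geolocation missing
]


@dataclass(frozen=True)
class AccessPolicy:
    """Allowed sign-in locations plus the remediation applied on a violation."""
    allowed: frozenset  # (country, region) pairs; region None means the whole country
    action: str         # assumed remediation label, e.g. "notify-only" or "sign-out"


def is_allowed(policy, country, region):
    """True if the location is covered by the policy. A missing region is
    accepted only when the policy allows the whole country (fail closed)."""
    if (country, None) in policy.allowed:
        return True
    if region is None:
        return False
    return (country, region) in policy.allowed


def evaluate(events, policy):
    """Return one finding per sign-in that falls outside the allowed locations."""
    findings = []
    for ev in events:
        if not is_allowed(policy, ev["country"], ev["region"]):
            findings.append({
                "user": ev["user"],
                "location": f"{ev['country']}/{ev['region'] or '?'}",
                "action": policy.action,
            })
    return findings


# The Texas-only policy from the text, with sign-out as the remediation.
TEXAS_ONLY = AccessPolicy(allowed=frozenset({("US", "Texas")}), action="sign-out")

if __name__ == "__main__":
    for finding in evaluate(SIGN_IN_EVENTS, TEXAS_ONLY):
        print(finding)
```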
Coro provides granular control over the policies you can apply to your users' endpoint devices to ensure compliance with minimum security standards. Coro also allows admin users to enable advanced anti-virus protection against many common and sophisticated attacks.
For macOS and Windows alike, implementing policies to protect endpoint device integrity (and in some cases, compliance) is an important step in protecting your users and systems.
Coro enables admin users to set policies to notify when disks are not encrypted, UAC notifications are missing, firewalls are disabled, and other important aspects of device protection are not present.
Configure posture policies for your endpoint devices (macOS and Windows) to ensure compliance and alerting for any unsafe practices.
Read more: Device posture configuration overview
To use NGAV, make sure to enable Real-Time Malware and Ransomware Protection.
NGAV configuration settings are applied to devices based on labels. To enable a setting, assign device labels (for example, “All Devices” or “Windows PC”) to it.
Read more: Next Generation Anti Virus (NGAV) settings
Coro uses ATC to identify and stop malicious processes from performing suspicious actions, such as executing abnormal commands or scripts.
Enable Advanced Threat Control for all devices in your organization to monitor system behavior and quarantine or stop any suspicious activity.
Windows devices include the Volume Shadow Copy Service (VSS), which can restore certain files to past versions using a “file history” configuration. Malware and ransomware often attempt to disable and remove any backups to keep your systems down and offline, pushing you into paying the ransom.
Coro's Secured Shadow Backups improve on standard VSS functionality by creating protected snapshots of files every four hours, and blocking processes that pose any risk to these backups.
If you are using a third-party backup solution that utilizes VSS, there can be a conflict with the VSS backups created and protected by the Coro Agent.
Enable Secured Shadow Backups for all devices to enforce file snapshots with VSS and to protect those backups from malicious processes.
Attackers can often place malware inside compressed archives, such as ZIP files, to hide malicious content from recipients. Admin users can configure Coro to scan compressed archives for threats. If Coro finds a malicious file but cannot delete it alone, it quarantines the entire archive.
Enable Quarantine Infected Containers for all devices to provide maximum protection.
Coro can initiate a scan for malware and ransomware after the Coro Agent is first installed and enabled on endpoint devices. This feature is useful where you are moving to Coro from a different vendor, or if you are installing Coro for the first time on existing devices.
However, initial malware and ransomware scans are deep and can impose a resource drain on target devices. CPU and RAM usage can increase dramatically for the duration of the scan.
For normal day-to-day operations, disable the Enable an initial malware and ransomware scan setting to avoid impacting end-user productivity.
If you do want to use this feature, Coro recommends scheduling deployment of the Agent to endpoint devices at a time of least impact for your organization, such that the scan can execute with minimal interference.
Coro can detect wireless connections to access points that give indications of man-in-the-middle attacks aimed at hijacking communications and credentials.
Enable WiFi Phishing for all devices for maximum device coverage.
Read more: Wi-fi phishing
Coro provides comprehensive detection and mitigation for email-based threats, together with advanced features for managing email security for your users.
Read more: Introducing Email Security
Coro can scan emails as they are delivered to your users for a range of potential threats, such as malware and phishing attacks. Coro can also detect spam in emails, providing additional protection against unwanted or unsolicited content. Threat actors typically use brand new domains, send malware in attachments, and come from unknown sources.
Enable Scan emails for the following threat types in the Email Security settings page for maximum protection.
Read more: Email Security settings
Certain file types can be used to deliver malicious software when attached to emails. For example, files with extension .jar are Java Archives and, when opened, can execute malicious code on a target device. Other common file types used in this way are *.exe, *.sh, and *.bat.
Coro can detect and automatically quarantine emails that contain attachments of selected types.
Quarantine all file types that your organization does not normally use, send, or receive. Many of the types listed are rare to see over email (*.scr, for example, is a Windows Screensaver file) and can be blocked to avoid being exploited by an attacker.
Read more: Quarantining email attachments by file type
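An added example (not Coro's code) covering both the attachment file-type quarantine above and the infected-container behaviour described earlier: every suffix of an attachment name is checked against a quarantine list so that double extensions such as invoice.pdf.exe are caught, ZIP archives are opened in memory and quarantined whole if any member has a blocked type, and an unparseable archive is quarantined rather than passed through. The extension list and sample attachments are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed quarantine list built from the types the text names; tailor it to
# what your organization actually sends and receives.
QUARANTINE_EXTENSIONS = frozenset({".jar", ".exe", ".sh", ".bat", ".scr"})
ARCHIVE_EXTENSIONS = frozenset({".zip"})


def blocked_extensions(filename):
    """Return every suffix of the name that is on the quarantine list.
    All suffixes are checked, so 'report.pdf.exe' and 'setup.exe.txt' both match."""
    suffixes = {s.lower() for s in PurePosixPath(filename).suffixes}
    return suffixes & QUARANTINE_EXTENSIONS


def inspect_attachment(filename, data):
    """Return a verdict: {'name', 'quarantine': bool, 'reasons': [...]}."""
    reasons = []
    hits = blocked_extensions(filename)
    if hits:
        reasons.append(f"blocked extension {sorted(hits)}")
    if PurePosixPath(filename).suffix.lower() in ARCHIVE_EXTENSIONS:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = blocked_extensions(member)
                    if inner:
                        reasons.append(f"archive member {member!r} has blocked extension {sorted(inner)}")
        except zipfile.BadZipFile:
            reasons.append("archive could not be parsed")  # fail closed: quarantine it
    return {"name": filename, "quarantine": bool(reasons), "reasons": reasons}


def build_zip(members):
    """Build a ZIP in memory from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    attachments = {
        "quarterly-report.pdf": b"%PDF-1.4 constructed sample",
        "invoice.pdf.exe": b"MZ constructed sample",
        "photos.zip": build_zip({"holiday.jpg": b"\xff\xd8", "run-me.bat": b"echo hi"}),
        "broken.zip": b"not really a zip",
    }
    return {name: inspect_attachment(name, data) for name, data in attachments.items()}
```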
Most of the functionality in this module is subject to your organization's specific business needs and typically applies when dealing with regulatory compliance.
For example, if you are in the healthcare industry, you might need to configure Coro to scan your users' emails and shared files for exposure of health data (PHI) or personal data (PII).
Coro recommends configuring data governance settings based on industry and business requirements for compliance.
For more information and guidance regarding data governance by industry, see the following guides:
Similar to User Data Governance, this module is specific to endpoint devices and is used to detect exposure of sensitive data on device drives.
Endpoint data governance scans must be initiated manually, or through a preconfigured schedule, and are not intended for real-time identification of exposure events.
Coro recommends configuring data governance settings based on industry and business requirements for compliance.
For more information and guidance regarding data governance by industry, see Regulatory sensitive data.
Coro provides protection for an organization's devices through the Coro Agent, a lightweight application that admin users deploy to devices to provide real-time threat detection and monitoring. Installed agents regularly communicate with Coro's servers to synchronize settings and report back findings, keeping devices up to date and admin users informed.
Maintaining agent health is key to ensuring maximum protection for all your devices.
The heartbeat interval is the time between check-ins for the Coro Agent on endpoint devices and Coro's servers. When policies or other settings change within Coro, many will not take effect until the device’s next heartbeat.
Set the heartbeat interval to 7 minutes in most cases. Shorter intervals can increase network workload, while a longer interval can mean logs and reports are less current.
Coro can be configured to automatically update the Coro Agent on endpoint devices when a new stable version is launched. Updates are applied via device labels, meaning an admin user can choose the devices to be included in automatic updates.
Coro rolls out agent updates in stages, so not all devices with the applied labels are updated at the same time.
Enable this option for all devices. Because updates are staged, this makes managing agent versions across your deployment easier.
Use of other third-party EDR/anti-virus agents should be avoided as this can conflict with operation of the Coro agent (see Compatibility with existing malware solutions).
Use of the Network module’s VPN functionality can conflict with existing VPN clients if using the same underlying technology, as well as conflicting routes and overlapping networks.
If you are subscribed to Coro Managed Services, Coro strongly recommends also subscribing to the Coro EDR Module for added telemetry and protection.
Connect your cloud application (for example, Microsoft 365 or Google Workspace) to protect against compromised and malicious user logins and to enable data scanning.
Set up access permissions to automatically remediate compromised or malicious user logins.
Configure relevant endpoint security policies, such as disk encryption and firewall settings.
Enable Advanced Threat Control (ATC) for behavioral and heuristic scanning and monitoring of endpoint devices.
Enable Secured Shadow Backups to protect backup file integrity and configuration.
Enable Quarantine Infected Containers to automatically quarantine compressed archive files that contain malicious content.
Scan all incoming email for threats of all categories.
Block or quarantine all emails containing forbidden file types (configured for your business requirements).
Do not use other third-party anti-virus solutions alongside Coro, as this may affect system performance and protection, and cause conflicts.
Do not use conflicting VPN clients with overlapping routes, networks, or underlying technologies.