Pareto Security

Roadmap

Product roadmap for the Pareto Security suite of products

No deadline guarantees

The following list of upcoming features and changes to the Pareto Security Suite is not final and in no way guarantees when or even if we'll actually ship any or all of them.

The purpose of having this roadmap here is to allow our users to help us prioritize what we need to work on next by talking with us about items on this roadmap. Additionally, it allows our larger customers to plan ahead of any potential breaking changes.

This Roadmap is updated quarterly. Last update on 2023-01-22.

Excited about an upcoming feature? Talk to us so we make sure we cover your use case!

Compliance Reports

We already provide a REST API to allow you to export Teams' devices info, but we want to provide a few pre-built reports. We'll start with a simple CSV export of devices.

More checks

We already provide a number of checks from the CIS macOS benchmark, but there a number of them that we can still do:

  • Turn off Bluetooth, if no paired devices exist.
  • Ensure time set is within appropriate limits.
  • Disable sending diagnostic and usage data to Apple.
  • Limit Ad tracking and personalized Ads.
  • Disable Wake for network access.
  • Disable Power Nap.
  • Ensure EFI version is valid and being regularly checked.
  • Enable security auditing
  • Retain install.log for 365 or more days with no maximum size.
  • Ensure security auditing retention.
  • Control access to audit records.
  • Ensure Firewall is configured to log.
  • Disable Bonjour advertising service.
  • Ensure http server is not running.
  • Ensure nfs server is not running
  • Secure Home Folders.
  • Check System Wide Applications for appropriate permissions.
  • Check System folder for world writable files.
  • Check Library folder for world writable files.
  • Configure account lockout threshold.
  • Reduce the sudo timeout period.
  • Use a separate timestamp for each user/tty combo.
  • Ensure login keychain is locked when the computer sleeps.
  • Do not enable the "root" account.
  • Ensure system is set to hibernate
  • Ensure an administrator account cannot login to another user's active and locked session.
  • Do not enter a password-related hint.
  • Disable Fast User Switching.
  • Disable "Allow guests to connect to shared folders".
  • Remove Guest home folder.
  • Turn on filename extensions.
  • Disable the automatic run of safe files in Safari

Different rules for home network

Some things can be more lax when you're on your home WiFi.

But then when traveling, all checks need to be in place.

Emergency update

Currently, we have a 7-day grace period for all macOS and app updates. We propose a two-tiered system:

  • normal updates: increase grace period to 15 days,
  • urgent updates: decrease grace period to 3 days.

All updates are normal by default. In case a browser vendor or Apple pushes out an urgent security update, we can mark it in our backend, and the app on next refresh will see it and mark it as urgent. This will:

  • decrease the grace period to 3 days,
  • show a notification to the user: "Usually we allow 15 days to get your apps and macOS updated to latest stable version. However, there is an urgent security fix available which should be installed immediately or no later than in 3 days."

An example of such release is 12.4, that contains multiple CVE-level security vulnerabilities:: https://support.apple.com/en-us/HT213257

Gamification

Users still postpone fixing basic security problems that Pareto Security tools are reporting. Would gamification help to incentivize them to fix problems?

Here are a few rough ideas:

  • Company leaderboard, showing who got most points in a single month. List of monthly winners. Reset counter to 0 every month. Should be accessible with a unique link, no need for login. Weekly reports to slack.
  • Earn points for each passing check every 24 hours.
  • Minus points for failing important checks (but never deduct points from previous day).
  • 24-hour grace period: i.e. if a check is only failing for last 10 hours, you still get points today.
  • You can only earn points 5 days of the week (later on, can be configurable company-wide to 4 days per week).
  • Badges:
    • Once earned, they stay on your profile.
    • "Lifetime earned points" based badges.
    • "Top x of the month" based badges, i.e. "2nd Place" badge.
    • "Y times top X of the month" based badges "Finished 5 times in top 3" badge.
    • "All green" badge.

Pareto MDM

Current MDMs are very much a binary thing. A device can either be enrolled and fully managed, or not.

IT admins struggle to find time to properly research and learn an MDM, and then take days to implement the central server, defining everything, and then enrolling all their devices, which could be in the hundreds or thousands.

Pareto could slowly move towards a privacy-first incremental-onboarding MDM:

  • Apart from installing one simple app on each machine, there is no enrollment, it can be done on existing machines.
  • There is no central server to deploy and maintain.
  • If an attacker gets access to the admin account, they can't wreak havoc, because admin accounts can't really do much, just update some notification policies, not like with a regular MDM where if a malicious person gets access to the central control panel, they can completely kill their fleet.

If we do it, we do it like so:

  • Auditor for security compliance
  • Updater for installing & updating apps
  • Read-only dashboards for reporting (that's the key, dashboards can't push binaries to machines, can't read files on machines, etc.)

Updater always pulls new versions from official sources, so an attacker can't do much. They can block installing new updates, but that's about it.

Ideally, we'd do something similar with Auditor. Allow Auditor to change some system settings, but the change actions come from some official source that is hard to be tampered with, and again the attacker can't run arbitrary code on devices and neither can access files on them.