Phoenix FirmGuard^® | BIOS Firmware Security

What Is Phoenix FirmGuard?

FirmGuard is a solution for Managed Service Providers (MSPs) to provide BIOS firmware security for their client endpoints and also to seamlessly manage the BIOS firmware in those endpoints from a single pane of glass. FirmGuard is backed by Phoenix Technology’s 45+ years of technology and market leadership in endpoint firmware. Phoenix was founded in 1979 and created the first IBM clone compatible BIOS—well before the term “endpoint” was ever used. With FirmGuard, Phoenix takes their wealth of knowledge, expertise, and intellectual property in BIOS firmware to offer a scalable, best-in-class solution to combat the increasing problem of endpoint vulnerability.

FirmGuard is a secure, cloud-based solution that is hosted in Amazon Web Services (AWS). The FirmGuard Cloud Server handles all administrative and technical functionality with a direct interface to each client endpoint. An MSP can easily and securely manage all of their client endpoints from the MSP Portal.

Why Should MSPs Care About Firmware?

Companies have spent billions of dollars protecting their endpoints from OS and application level attacks with some success. But most have spent almost nothing to protect the BIOS firmware in those same endpoints. In fact, Gartner Group estimates that “70% of organizations that do not have a firmware upgrade plan in place will be breached due to a firmware vulnerability”. This is because hackers are becoming more sophisticated, and they now realize that firmware is an underappreciated attack vector which is relatively easy to exploit if not properly protected.

Only 13%-25% of enterprises view security below the operating system as a priority.

- IDC

Your clients are almost certainly experiencing firmware vulnerabilities and you likely don’t even know it. With FirmGuard you can offer them a differentiated service which will immediately scan their endpoints to find firmware level vulnerabilities. Armed with that data, you can educate them on this new attack surface and offer a solution to help solve the problem. This will differentiate you from other MSPs and solidify your position as the MSP of choice for your current and future clients. This will then naturally lead to more revenue for your company.

Adversaries have demonstrated that they already know how to exploit UEFI components for persistence, and they will only get better with practice

- CISA

SecureCheck: Revalidates an endpoint’s chain of trust, ensuring secure operation by establishing that the correct OS version is running and confirming the root of trust between hardware, firmware, and OS. This feature can be run manually or at automatically scheduled intervals such as weekly or monthly. An MSP administrator can check device firmware status at a glance via an indicator in the portal.

SecureBeat: Maintains a secure heartbeat between the endpoint and the FirmGuard cloud server. A loss of beat is the first indication or alert of possible endpoint related issues. With SecureBuilder workflows can be constructed to automatically take mitigation steps (e.g., lock hard drive) if the beat is missing for an unexpected period.

SecureSense: Remotely monitor endpoint status and health to detect unusual or suspicious behavior. The feature specifically monitors firmware status (i.e., vendor, version, last update, etc.), endpoint inventory (i.e.,system make/model, OS version, etc.) and endpoint metrics (i.e., CPU, disk and memory utilization, etc.).

SecureKey: Firmware enforced multi-factor authentication (MFA) using a physical key such as a FIDO/FIDO2 compliant device or USB storage device. The operating system (OS) will not load without the configured secure key. Configuration can be done remotely by an MSP administrator via the portal

SecureConfig: Remotely configure BIOS settings across an array of endpoints. Greatly streamlines and consolidates administration of BIOS settings across an entire organization. With this feature MSP administrators can easily enable or disable firmware settings to ensure proper security configurations.

SecureUpdate: Identifies the current firmware version and provides an indication when a newer version is available. An administrator can remotely update to the latest (or older) version across an array of endpoints. Adheres to UEFI capsule update guidelines NIST SP 800-147 & NIST SP 800-193. One of the best ways to prevent a firmware level attack is to proactively update to the latest firmware version.

SecureBuilder: An automation and workflow engine that can be used to pre-schedule tasks or trigger certain actions. For example, it could be used to regularly schedule (e.g., monthly) a SecureCheck initiated reboot of select endpoints. Both simple and complex workflows can be constructed and may involve any other feature such as SecureBeat, SecureLock or SecureWipe.

SecureClone: A method to duplicate an endpoint’s hard drive contents to a different location. The duplication can be easily performed from the same single pane of glass (portal) that is utilized by all other features. The duplication can be part of a workflow or done proactively to perform forensic analysis or recover lost work.

SecureLock: Locks hard drive at the firmware level to prevent unauthorized access without the administrator generated password key. Without entering the key and unlocking the hard drive the endpoint cannot boot the operating system. Can potentially prevent ransomware attacks that seek to lock the hard drive contents. Protects data at rest, even if the hard drive is moved to a different system.

SecureWipe: Remotely performs a forensic wipe (at the bit level) of SSD, HDD and other mass storage devices independent of the operating system. Supports hardware erase methods such as ATA and NVMe secure erase, OPAL password/PSID revert, and multiple industry standard software algorithms such as DoD5220.22-M