Hackers are designing malware to be more sophisticated than ever. Through packing, encryption, and polymorphism, cyber criminals are able to disguise their attacks to avoid detection. Zero-day threats and advanced malware easily slip by antivirus solutions that are simply too slow to respond to the constant stream of emerging threats. Organizations of all sizes need a solution that leverages a holistic approach to security from the network to the endpoint.
Threat Detection and Response (TDR) enables users to detect and respond to advanced threats inside their network and on their endpoints quickly and efficiently. It protects organizations by correlating events from the Firebox and the Host Sensor, pinpointing malicious activity with heuristics, behavioral analysis, and threat intelligence feeds, and assigning each finding a comprehensive threat score. Best of all, TDR is included within WatchGuard’s Total Security Suite, providing a comprehensive set of security services on the network and endpoint through one license and one appliance.
This security service includes four components:
Threat Correlation and Prioritization
ThreatSync is WatchGuard’s cloud-based correlation and threat scoring engine, improving security awareness and response across the environment from the network to the endpoint. ThreatSync collects event data from the WatchGuard Firebox, the WatchGuard Host Sensor and threat intelligence feeds, then correlates and analyzes this data. Through our proprietary algorithms, ThreatSync assigns a comprehensive threat score and groups similar threats into incidents that require a response.
ThreatSync not only provides visibility into events taking place on both the network and the endpoint; by delivering a comprehensive threat score and rank, it also lets security teams know which threats are the most critical and require immediate attention. Threat prioritization enables organizations to decrease time to detection and remediation. Response activities triggered by ThreatSync include quarantining the file, killing the process, and deleting registry-key persistence.
ThreatSync also enables operators to set up and configure email notifications when an incident or indicator is detected on the network or endpoint. You can also set ThreatSync to send an email alert when a threat has been remediated based on the policies you’ve already set. With email notifications from ThreatSync, you can step away from the dashboard and still know what’s happening on your network from wherever you are.
Enterprise-grade threat intelligence capabilities
Threat feeds are lists of known malware signatures that are collected from global sources and updated regularly. These lists can be critical in stopping new threats from infiltrating your environment and gaining access to critical data. Many vendors make it their business to build and manage these lists, charging customers high fees for access.
Threat Detection and Response extends these threat intelligence capabilities to SMB organizations. ThreatSync compares the event data collected from the Firebox and Host Sensor with our various threat feeds to quickly determine whether the threat has been seen elsewhere. If the threat is known to the threat feeds, ThreatSync quickly engages the Firebox and/or Host Sensor to remediate it.
Threat Visibility on the Endpoint
- EXTEND VISIBILITY TO THE ENDPOINT
The lightweight WatchGuard Host Sensor monitors and detects threat activity on devices using heuristics and behavioral analytics. The Host Sensor continuously sends these events to TDR’s ThreatSync to be correlated with events from the Firebox appliance, developing a comprehensive threat score prioritization.
- AUTOMATED THREAT REMEDIATION
The WatchGuard Host Sensor enables users to automate threat remediation through the creation of policies. Based on the comprehensive threat score generated by ThreatSync, these pre-defined policies determine which response tactics are triggered: containing the host, killing the process, quarantining the file, or deleting the registry value. Automated threat remediation not only decreases the time it takes to remedy the problem, but also helps to minimize the demand on scarce resources.
- ADVANCED RANSOMWARE PREVENTION
Host Ransomware Prevention* (HRP) is a ransomware-specific module within the WatchGuard Host Sensor. HRP leverages a behavioral analytics engine and a decoy-directory honeypot to monitor a wide array of characteristics that determine whether a given action is associated with a ransomware attack. If the activity is judged malicious, HRP can automatically stop the ransomware attack before file encryption takes place.
- ADVANCED THREAT TRIAGE WITH APT BLOCKER
Want to take a deeper look at a suspicious file? Our integrated approach to threat triage uses an innovative artificial intelligence engine in conjunction with our APT Blocker security service to detect suspicious files and automatically send them for deep analysis in a next-generation cloud sandbox.
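As an added illustration of the workflow described above (Firebox and Host Sensor events correlated per host, compared against a threat feed, scored, and mapped to policy-driven remediation), here is a small model in Python. It is not WatchGuard’s code and does not reproduce ThreatSync’s proprietary scoring; the event types, weights, thresholds, feed indicators and policy actions are all constructed assumptions.

```python
from collections import defaultdict
# Constructed threat-feed indicators; the hash and domain are placeholders.
THREAT_FEED = {"sha256": {"deadbeef" * 8}, "domain": {"malicious.example"}}
# Constructed per-event weights on a 0-10 scale (not ThreatSync's real weights).
WEIGHTS = {"gav_detect": 4, "webblocker_deny": 2, "process_start": 1, "registry_run_key": 3}
FEED_MATCH_BONUS = 3  # indicator already known to a threat feed
# Constructed policy: the first threshold the score meets selects the actions.
POLICY = [
    (9, ["contain_host", "kill_process", "quarantine_file", "delete_registry_value"]),
    (7, ["kill_process", "quarantine_file", "delete_registry_value"]),
    (4, ["quarantine_file"]),
    (0, ["alert_only"]),
]

def in_feed(event):
    """True if any indicator carried by the event appears in the threat feed."""
    return any(event.get(kind) in values for kind, values in THREAT_FEED.items())

def correlate(events):
    """Group Firebox and Host Sensor events by host into one incident each."""
    incidents = defaultdict(list)
    for event in events:
        incidents[event["host"]].append(event)
    return dict(incidents)

def score_incident(events):
    """Sum event weights plus a bonus for feed matches, capped at 10."""
    score = sum(WEIGHTS.get(e["type"], 0) + (FEED_MATCH_BONUS if in_feed(e) else 0)
                for e in events)
    return min(score, 10)

def respond(score):
    """Map a threat score to the remediation actions the policy prescribes."""
    return next(actions for threshold, actions in POLICY if score >= threshold)

def triage(events):
    """Return {host: (score, actions)} for every correlated incident."""
    result = {}
    for host, host_events in correlate(events).items():
        score = score_incident(host_events)
        result[host] = (score, respond(score))
    return result
# Constructed sample events from the Firebox ("fb") and Host Sensor ("hs").
SAMPLE_EVENTS = [
    {"src": "fb", "type": "webblocker_deny", "host": "10.0.0.5", "domain": "malicious.example"},
    {"src": "hs", "type": "process_start", "host": "10.0.0.5", "sha256": "deadbeef" * 8},
    {"src": "hs", "type": "registry_run_key", "host": "10.0.0.5"},
    {"src": "fb", "type": "gav_detect", "host": "10.0.0.7"},
    {"src": "hs", "type": "process_start", "host": "10.0.0.9", "sha256": "00" * 32},
]
```

Running `triage(SAMPLE_EVENTS)` yields one incident per host: the host whose events match the feed on both the domain and the file hash is scored 10 and gets the full containment policy, while a lone unmatched process start only raises an alert.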
Host Sensor Licensing
With a subscription for Total Security Suite, each appliance includes a set number of Host Sensors. These Host Sensors are managed and distributed within Threat Detection and Response, where they are aggregated for use throughout the account. To meet organizational needs, additional Host Sensors are available through an add-on offering.
WatchGuard Security Services
One Appliance, One Package, Total Security
Customers benefit most when security defenses work in tandem, providing the strongest protection, maximum efficiency and lightning-fast performance. WatchGuard’s Total Security Suite provides customers with traditional network security services as well as advanced security offerings, including APT Blocker, Data Loss Prevention and Threat Detection and Response (TDR).
TDR takes this philosophy a step further, by correlating event data from the network, endpoint and threat intelligence feeds to create a comprehensive threat score and rank. Our threat correlation and scoring engine, ThreatSync, collects input from advanced network security services, including WebBlocker, APT Blocker, Gateway AntiVirus and spamBlocker. It then correlates this network data with endpoint event data collected via the WatchGuard Host Sensor to generate a threat score and rank based on severity.
With WatchGuard Total Security Suite, organizations can benefit from advanced network security, robust endpoint visibility and remediation, as well as enterprise-grade threat intelligence through one complete offering.
If you have any questions about AuthPoint or other WatchGuard solutions, please write to us at watchguard@bakotech.com.