Improve Cybersecurity with Intelligence and a Better Sandbox

In our last post, we talked about the rise of file-less malware that leaves little evidence of a cyberattack. It’s difficult enough to defend against known security threats, and virtually impossible to prevent these sneak attacks. That’s why organizations need an incident response plan for detecting security events and taking steps to minimize the damage.

File-less malware isn’t the only form of attack that is difficult to detect. Advanced persistent threats (APTs) use sophisticated evasion techniques to enable intruders to remain inside a network for long periods. Zero-day attacks exploit vulnerabilities before they’re discovered and patched. Certain kinds of malware continually change characteristics to avoid detection by security systems.

In most cases, there are clues that an attack is taking place — clues that are hidden in the thousands of security events and alerts generated in the IT environment every day. Threat intelligence can uncover those clues, while sandboxing allows suspicious files to be analyzed without endangering the rest of the network.

The SANS Institute defines threat intelligence as “the set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators.” Information related to security events is aggregated from systems and devices across the IT environment, and correlated against industry data about the latest vulnerabilities and threats. This enables IT teams to more quickly detect, prioritize and take action to stop cyberattacks.

A sandbox is an isolated environment where suspicious files can be opened and executed to determine whether they present a threat. If a risk is identified, it is immediately added to threat intelligence data feeds and shared with the cybersecurity community.

WatchGuard’s Threat Detection and Response (TDR) service is a cloud-based threat intelligence and sandboxing solution for small to midsize businesses (SMBs) and distributed enterprises. TDR combines several key elements to enable detection and remediation of evasive threats:

  • ThreatSync. WatchGuard’s cloud-based correlation engine collects event data in real time and analyzes it to generate a comprehensive threat score that guides either single-click or automated threat responses.
  • UTM Network Security. WatchGuard security appliances and other security services contribute data from inside the network to ThreatSync for correlation.
  • APT Blocker. This next-generation sandbox emulates target environments and safely executes potentially malicious files in order to analyze their behavior. Based on the APT Blocker response, the ThreatSync score is updated, enabling automatic remediation to eliminate the threat.
  • Host Sensors. These lightweight software agents extend visibility beyond the network perimeter to individual devices. Host Sensors send data from potentially malicious endpoint security events to ThreatSync and APT Blocker to be analyzed, scored and addressed.
  • Host Ransomware Prevention (HRP) Module. A lightweight software agent within the Host Sensors uses behavioral analysis to identify ransomware-specific characteristics and automatically shut down attacks before files are encrypted. New advanced threat behaviors and characteristics are constantly added in order to ensure that HRP can block emerging attacks.
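The list above describes a pattern rather than an algorithm: events from the network edge and from endpoint sensors are matched against an intelligence feed, combined per host into a single score, and that score picks a response tier, with sandbox verdicts fed back into the intelligence data. The following is an added illustration written for this page; it is not WatchGuard's ThreatSync or APT Blocker code, and the indicator feed, sample events, severity weights, corroboration bonus and response thresholds are all constructed assumptions chosen to show the mechanics.

```python
"""Added illustrative correlation engine (not WatchGuard's ThreatSync): match
network and host events against a threat-intelligence feed, correlate them
per host into a threat score, and map the score to a response tier."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed indicator feed: observable -> severity weight (0-100).
# The IP is from the RFC 5737 TEST-NET-2 range; the hashes are placeholders.
INDICATOR_FEED = {
    "198.51.100.23": 40,        # constructed "command-and-control" address
    "bad-update.example": 35,   # constructed malicious domain
    "deadbeef" * 8: 50,         # constructed SHA-256 of a known-bad file
}

CORROBORATION_BONUS = 15   # assumed bonus when network and host sensors agree


@dataclass(frozen=True)
class Event:
    source: str     # "network" (security appliance) or "host" (endpoint sensor)
    host: str       # asset the event concerns
    kind: str       # dns, connection, process, file ...
    indicator: str  # observable to look up in the feed


def match_event(event, feed=INDICATOR_FEED):
    """Return the feed weight for this event's indicator, or 0 if unknown."""
    return feed.get(event.indicator, 0)


def correlate(events, feed=INDICATOR_FEED):
    """Aggregate matched events per host into a capped threat score.

    Returns {host: {"score": int, "sources": set, "hits": [indicator, ...]}};
    hosts with no matching events are absent from the result.
    """
    per_host = defaultdict(lambda: {"score": 0, "sources": set(), "hits": []})
    for ev in events:
        weight = match_event(ev, feed)
        if weight == 0:
            continue
        entry = per_host[ev.host]
        entry["score"] += weight
        entry["sources"].add(ev.source)
        entry["hits"].append(ev.indicator)
    # Evidence from two independent vantage points is stronger than either alone.
    for entry in per_host.values():
        if {"network", "host"} <= entry["sources"]:
            entry["score"] += CORROBORATION_BONUS
        entry["score"] = min(entry["score"], 100)
    return dict(per_host)


def response_for(score):
    """Map a threat score to the response tier (thresholds are assumptions)."""
    if score >= 70:
        return "automatic: isolate host and terminate process"
    if score >= 30:
        return "alert: analyst single-click quarantine"
    return "monitor"


def ingest_sandbox_verdict(feed, sha256, verdict, weight=50):
    """Feed a sandbox verdict back into the intelligence data: a file judged
    malicious becomes an indicator, so later events on any host match it."""
    if verdict == "malicious":
        feed[sha256] = weight
    return feed


# Constructed sample events from one network appliance and two endpoint sensors.
SAMPLE_EVENTS = [
    Event("network", "ws-01", "dns", "bad-update.example"),
    Event("network", "ws-01", "connection", "198.51.100.23"),
    Event("host", "ws-01", "process", "deadbeef" * 8),
    Event("network", "ws-02", "dns", "intranet.example"),   # benign, no match
    Event("host", "ws-02", "file", "cafef00d" * 8),          # unknown file hash
]

if __name__ == "__main__":
    scores = correlate(SAMPLE_EVENTS)
    for host, entry in scores.items():
        print(host, entry["score"], response_for(entry["score"]))
    # A sandbox later judges ws-02's unknown file malicious; re-correlating flags it.
    feed = ingest_sandbox_verdict(dict(INDICATOR_FEED), "cafef00d" * 8, "malicious")
    rescored = correlate(SAMPLE_EVENTS, feed)
    print("ws-02", rescored["ws-02"]["score"], response_for(rescored["ws-02"]["score"]))
```

Two design points are worth noting. Scores are capped and the corroboration bonus is applied only when independent sensor types agree, so a single noisy source cannot push a host into the automatic-response tier on its own. And the sandbox verdict changes the feed rather than the score directly, so every host that later touches the same file is scored consistently, which is the "added to threat intelligence data feeds" behaviour the post describes.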

TDR is a completely cloud-based solution, and its centrally managed, intuitive interface enables even small security teams to quickly analyze threats and take defensive action to minimize potential damage. It does not require users to replace their existing antivirus solutions — it adds another layer of threat detection to catch threats that antivirus might miss.

Verteks can help you implement WatchGuard’s TDR service, or leverage it to provide managed security services to protect your organization. Let us show you how threat intelligence and sandboxing can enhance your security posture.
