In a recent post, we described many of the techniques that malware authors are using to disguise their attacks. In this post, we’ll take a closer look at how WatchGuard Technologies uses data analytics to identify and expose these stealthy exploits.
As described in the earlier post, cybercriminals today employ code obfuscation, polymorphism and other techniques to create malware that can constantly change its identifiable features. This allows them to evade traditional signature-based defenses that look for known patterns of bytes, functions, hashes or other characteristics that have been previously identified and indexed as malware.
WatchGuard counters with its Threat Detection and Response (TDR) solution, which doesn’t rely upon known malware signatures. Instead, WatchGuard TDR collects, correlates and analyzes data from multiple network devices and sensors to identify behavioral anomalies, unusual code or other suspicious characteristics that might indicate malicious activity.
Key components of the WatchGuard solution include:
ThreatSync. This is a cloud-based correlation engine that collects event data in real time from WatchGuard Firebox network security appliances, host sensors on endpoint devices, and cloud threat intelligence feeds. ThreatSync analyzes this data to generate a threat score and initiate automatic malware response tactics.
APT Blocker. When ThreatSync classifies a file as potentially malicious, the suspicious file is uploaded to a controlled cloud sandbox that emulates a physical endpoint. Here, APT Blocker executes the file to observe its behavior and unique characteristics. Once the analysis is complete, the results are relayed to ThreatSync, which then updates the threat score and enables automated remediation.
UTM Security Services. Single-console management of multiple security devices and services adds another layer of intelligence to the correlation and scoring process. Data from Firebox and XTMv security appliances, as well as from intrusion prevention, antivirus, spam prevention and URL filtering services, is continually collected and passed through ThreatSync.
Host Sensors. Lightweight software agents loaded onto endpoint devices send data from potentially malicious endpoint security events to ThreatSync and APT Blocker for analysis and scoring.
Host Ransomware Prevention (HRP) Module. This is another type of lightweight endpoint sensor. It uses behavioral analysis to identify ransomware-specific characteristics and automatically block the execution of ransomware before file encryption takes place on the endpoint.
Enhanced Antivirus. Signature-based protection is still a valuable network security tool. With TDR, users don’t need to replace antivirus solutions they’ve already deployed. TDR works in tandem with existing solutions to create an additional layer of threat detection and event correlation to catch anything that existing antivirus solutions might miss.
Cybersecurity has always been a cat-and-mouse game, with malicious actors and security professionals continually refining their tactics to stay one step ahead of each other. With the emergence of shape-shifting threats that can automatically change their features to evade signature-based defenses, the bad guys have gained an edge.
In a recent ESG survey of IT security professionals, nearly three-quarters said threat detection has become more difficult over the past two years. Almost nine out of ten said they expect to increase spending on threat detection and response technologies, services and personnel over the next 12 to 18 months.
WatchGuard TDR can be a game-changer for most organizations by analyzing vast amounts of data from security appliances and endpoint devices to gain visibility into evasive malware. Even better, it automatically responds to these threats to limit any potential damage. If you are considering network security enhancements in 2020, give us a call to learn more about how WatchGuard TDR can help.