WatchGuard’s new generation of cloud-based sandboxing technology is able to automatically analyse suspicious endpoint files to identify behaviour associated with persistent threats, zero day attacks and evasive malware, to deliver fast and confident endpoint threat remediation. The new service correlates network and endpoint security events – on or off the corporate network – with threat intelligence, to detect, prioritise and enable immediate action to stop malware attacks.
Aimed at small and midsize businesses (SMBs), distributed enterprises and managed security service providers (MSSPs), WatchGuard’s latest version of its Threat Detection and Response (TDR) solution introduces direct integration between endpoint host sensors and APT Blocker, WatchGuard’s cloud sandbox solution. With this new TDR update, APT Blocker is extending its powerful next-gen cloud sandboxing capabilities from inside the network to individual devices outside of the network, consuming threat data directly from the endpoint for analysis.
“Since we launched TDR, it’s been the only solution out there that combines the power of complete Unified Threat Management (UTM) network security services with endpoint detection and response capabilities,” said Andrew Young, SVP of product management at WatchGuard. “We’ve taken that a step further with our latest updates to TDR, extending APT Blocker’s advanced sandboxing capabilities from the network to the endpoint. Now, users can automatically place a potentially dangerous endpoint file under the microscope to observe its behavioral characteristics and objectives, and respond accordingly.”
TDR combines several key elements to enable users to better detect and remediate evasive threats both inside their networks and on their endpoints:
- ThreatSync – WatchGuard’s cloud-based correlation engine, which collects event data in real-time from Firebox appliances, host sensors and enterprise-grade cloud intelligence feeds. ThreatSync analyses this data to generate a threat score that guides either single-click or policy-based automated threat responses.
- UTM Network Security – WatchGuard Firebox M Series, T Series, FireboxV and Firebox Cloud appliances, as well as existing industry-leading security services that contribute security data from inside the network to ThreatSync for correlation.
- Host Sensors – a lightweight software agent loaded onto endpoint devices that extends visibility beyond the network perimeter to individual devices. These sensors send data from potentially malicious endpoint security events to ThreatSync and APT Blocker to be analysed, scored and addressed.
- APT Blocker – leverages a next-generation sandbox to emulate target environments and safely execute potentially malicious files from both the network and endpoint in order to analyse their behaviour. Based on the APT Blocker response, the ThreatSync score is updated, enabling automatic remediation to eliminate the threat.
- Host Ransomware Prevention (HRP) Module – a lightweight software agent within endpoint Host Sensors that leverages behavioural analysis to identify ransomware-specific characteristics and automatically shut down ransomware assaults pre-encryption. New advanced threat behaviours and characteristics are constantly added in order to ensure that HRP can block emerging attacks.
Whenever ThreatSync receives Host Sensor data that classifies an endpoint file as potentially malicious, it analyzes a hash of the malware sample, crossreferencing it with an extensive library of existing threats. If no match is found, TDR uploads the suspicious file where APT Blocker automatically performs deep analysis by detonating it in a controlled cloud sandbox that emulates a physical endpoint in order to analyse its intended behavior and unique characteristics. Once APT Blocker’s analysis is complete, it relays the results to ThreatSync, which then updates the threat score and enables automated remediation.
A completely cloud-based solution, TDR’s centrally managed, intuitive interface enables partners to service countless subscriptions without spending as much time at customer sites for new deployments or troubleshooting exercises. With TDR, included in WatchGuard’s Total Security Suite, MSSPs can further differentiate themselves from the competition, win more business, and build an additional recurring revenue stream by monetising continuous, more advanced detection and response services; all with one SKU and one license.
Threat Detection and Response Service is now available as part of the WatchGuard Total Security Suite. Host sensor licenses vary based on the Firebox model, and additional sensor packages are available as an add-on offer. For more information, visit www.watchguard.com/TDR.