WatchGuard Technologies Inc. has added protection for endpoints to its Threat Detection and Response (TDR) service, extending the solution beyond the network perimeter for the first time.
First launched in January, TDR uses Seattle-based WatchGuard’s ThreatSync correlation engine to check security events against the latest threat intelligence and block malware attacks automatically. Until now, the system only safeguarded devices connected to the corporate network.
Version 5.1 of the system, unveiled today, includes direct integration between endpoint-based software agents and WatchGuard’s cloud-based APT Blocker sandbox solution. If ThreatSync receives data from an endpoint about a suspicious file, it compares a hash of the suspect malware against the security vendor’s threat library. If it doesn’t find a match, the solution uploads the file to APT Blocker, which detonates it in a controlled environment designed to emulate a physical endpoint. APT Blocker then reports the results to ThreatSync, which enables automated remediation.
“Since we launched TDR, it’s been the only solution out there that combines the power of complete Unified Threat Management (UTM) network security services with endpoint detection and response capabilities,” said WatchGuard senior vice president of product management Andrew Young in a press statement. “We’ve taken that a step further with our latest updates to TDR, extending APT Blocker’s advanced sandboxing capabilities from the network to the endpoint. Now, users can automatically place a potentially dangerous endpoint file under the microscope to observe its behavioral characteristics and objectives, and respond accordingly.”
TDR is available as part of WatchGuard’s Total Security Suite. Pricing for the host sensor agents that monitor endpoints varies based on which Firebox firewall a buyer uses. Additional sensor packages are available as an add-on offer.
More from the press release:
TDR combines several key elements to enable users to better detect and remediate evasive threats both inside their networks and on their endpoints:
ThreatSync – WatchGuard’s cloud-based correlation engine, which collects event data in real time from Firebox appliances, Host Sensors and enterprise-grade cloud intelligence feeds. ThreatSync analyzes this data to generate a comprehensive threat score that guides either single-click or policy-based automated threat responses.
UTM Network Security – WatchGuard Firebox M Series, T Series, FireboxV, and Firebox Cloud appliances, as well as existing industry-leading security services that contribute security data from inside the network to ThreatSync for correlation.
Host Sensors – a lightweight software agent loaded onto endpoint devices that extends visibility beyond the network perimeter to individual devices. These sensors send data from potentially malicious endpoint security events to ThreatSync and APT Blocker to be analyzed, scored and addressed.
APT Blocker – leverages a next-generation sandbox to emulate target environments and safely execute potentially malicious files from both the network and endpoint in order to analyze their behavior. Based on the APT Blocker response, the ThreatSync score is updated, enabling automatic remediation to eliminate the threat.
Host Ransomware Prevention (HRP) Module – a lightweight software agent within endpoint Host Sensors that leverages behavioral analysis to identify ransomware-specific characteristics and automatically shuts down ransomware assaults pre-encryption. New advanced threat behaviors and characteristics are constantly added in order to ensure that HRP can block emerging attacks.