Stop malware on endpoints in near real-time
The shift to attacking endpoints with advanced malware has drastically changed the security landscape. Traditional protection is no longer enough, and detection needs to shift to mitigation in close to real-time to add value to customers, for example in the case of ransomware.
BlueSOC EndpointSentry is built on new technology that identifies threats on both servers and clients using a very lightweight deployment and implementation.
Identify suspicious activity on clients and servers
The detection is based on heuristic analysis of suspicious behavior by code on the endpoint in real-time. Information on the possible threat activity is reported and correlated by Sentor’s BlueSOC 24/7 to ensure that only actual incidents are detected.
Sentor’s BlueSOC manages incidents according to your IRP
When an incident is confirmed by the BlueSOC, a multitude of actions can be taken directly, for example isolating the endpoint, stopping processes on the endpoint, or simply alerting the customer of an ongoing incident, all according to the Incident Response Plan (IRP) defined together with the client.
How it works
EndpointSentry is not limited to clients, but also supports server endpoints. EndpointSentry collects indicators, analyses them in its multi-stage analysis process, and alerts Sentor SOC, enabling active threat management 24/7. The multi-stage analysis includes:
Collect – Threat detection begins with the scanning of corporate assets including endpoints, users, files and the network. Indicators are collected and a baseline is created to track authorized and malicious changes within the ecosystem.
Analyze – Collected indicators are filtered through the correlation engine, security intelligence module and behavior inspection, using both static and dynamic [sandbox] analysis. EndpointSentry identifies anomalies such as:
- suspicious endpoint network configuration changes
- system file modifications
- registry changes
- suspect user activity
and uses its automatic multi-stage analysis to confirm the threat and risk levels.
Alert – Once EndpointSentry has determined that a threat exists, Sentor SOC 24/7 will be alerted and have the possibility to verify the threat and take action according to the customer's Incident Response Plan.
Remediate – EndpointSentry enables the effective cleanup of infected corporate assets with instantaneous remediation of threats in progress, through quarantine or file deletion, blocking of users or taking systems offline according to the customer's Incident Response Plan.
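As an added illustration of the Collect and Analyze stages described above (example code written for this page, not EndpointSentry's own), the following Python snippet compares a baseline snapshot of endpoint indicators (file hashes, autorun registry values, DNS configuration) against a later snapshot and reports only the changes that are not recorded as authorized, with an assumed risk level per indicator category. All snapshot contents, indicator names and risk levels are constructed assumptions.

```python
import hashlib

def fingerprint(content: bytes) -> str:
    """Hash file content so two snapshots can be compared by value."""
    return "sha256:" + hashlib.sha256(content).hexdigest()

# Constructed baseline snapshot of one endpoint (sample data, not real).
# Keys are prefixed with the indicator category: file, registry or net.
BASELINE = {
    "file:/etc/hosts": fingerprint(b"127.0.0.1 localhost\n"),
    "file:/etc/ssh/sshd_config": fingerprint(b"PermitRootLogin no\n"),
    "file:/usr/bin/ssh": fingerprint(b"ssh-binary-v1"),
    "registry:HKLM/Software/Microsoft/Windows/CurrentVersion/Run/Updater":
        "C:/Program Files/Vendor/updater.exe",
    "net:dns_servers": "10.0.0.53",
}

# Constructed later snapshot of the same endpoint (sshd_config is gone).
CURRENT = {
    "file:/etc/hosts": fingerprint(b"127.0.0.1 localhost\n"),
    "file:/usr/bin/ssh": fingerprint(b"ssh-binary-v2"),       # patched by IT
    "registry:HKLM/Software/Microsoft/Windows/CurrentVersion/Run/Updater":
        "C:/Users/Public/svc.exe",                              # autorun repointed
    "registry:HKLM/Software/Microsoft/Windows/CurrentVersion/Run/Backup":
        "C:/Program Files/Vendor/backup.exe",                   # new autorun entry
    "net:dns_servers": "198.51.100.7",                          # DNS repointed
}

# Changes approved through change management: indicator -> expected new value.
AUTHORIZED = {"file:/usr/bin/ssh": fingerprint(b"ssh-binary-v2")}

# Assumed risk level per indicator category.
RISK = {"file": "high", "registry": "high", "net": "medium"}

def analyze(baseline, current, authorized):
    """Return (indicator, change kind, risk) for every unauthorized change."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        # Skip unchanged indicators and changes that match an approved value;
        # the membership test keeps a removed indicator (new is None) visible.
        if old == new or (key in authorized and authorized[key] == new):
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        findings.append((key, kind, RISK.get(key.split(":", 1)[0], "low")))
    return findings

def verdict(findings):
    """Escalate to the SOC only when something high-risk changed without approval."""
    if any(risk == "high" for _, _, risk in findings):
        return "alert"
    return "review" if findings else "clean"
```

Running `analyze(BASELINE, CURRENT, AUTHORIZED)` reports the deleted sshd_config, the repointed DNS server and both autorun entries, but not the approved ssh update.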
Is the implementation complex?
No, EndpointSentry can be installed within hours and requires virtually no IT resources for operation and maintenance. In ongoing operation, the agentless solution does not impact data/user privacy, availability or performance. It ensures that your environment remains ‘clean’ and provides effective and comprehensive attack detection and remediation.
How can an active threat be managed by Sentor's SOC?
SOC analysts take direct action according to the customer's Incident Response Plan to stop threats from executing, spreading or exfiltrating data.
The following are examples of actions that can be taken by the SOC 24/7:
- Isolate the endpoint from the network
- Stop processes from execution
- Extract files for analysis
- Lock the user account
- Notify customer of incident (always done for all detected incidents)