BlueSOC EndpointSentry

24/7 endpoint detection, active response
and incident reporting
Overview

Endpoint devices and their users are the most common attack vectors for external attackers. The most efficient way to prevent such attacks is Endpoint Detection & Response (EDR), the best technology available for detecting attacks and taking action to protect compromised devices.

Attacks on endpoints can be carried out in multiple ways, for example through spam or phishing emails, or through malicious files or links sent to the end user or presented on sites the user visits. Infecting and taking control of a device is a cheap and efficient way to gain access to organisational resources: the compromised device is then used for lateral movement to reach central resources and achieve the attacker's goal, such as exfiltrating data. Many of the large-scale and costly breaches we have seen started with a single compromised user device or set of user credentials.

Some specific attacks, for example ransomware, require real-time detection and blocking. Detection alone will not stop a ransomware attack, as the execution itself realises the attacker's goal.

The solution – 24/7 endpoint detection, active response and incident reporting

Endpoint Detection & Response (EDR) is the best technology available to protect endpoints from attacks, analysing what is happening on the device and taking action to prevent or mitigate the attack.

EDR uses multiple approaches to detect and block threats, for example heuristic analysis of code and user behaviour, blacklists and analysis of network communication. The technology also offers multiple response options, such as isolating endpoint systems, blocking code and locking accounts.

In EndpointSentry, Sentor combines EDR solutions with our BlueSOC, staffed by security analysts who monitor and respond to activity 24/7. The solution enables Sentor BlueSOC to detect everything from malware infections, phishing campaigns and access to malicious web pages, to advanced APTs and anomalous end-user behaviour. Once detected, the activity can be acted on in near real time, minimising the impact of incidents.

Using BlueSOC EndpointSentry relieves the customer organisation of operational burden and provides access to broad expertise, giving the customer protection, detection capability and triage capability 24/7, even when the customer's own security operations are inactive.

How it works

Endpoints are enrolled in the EDR solution through a lightweight agent installation. The agent monitors the local system for malicious activity and reports alerts to a central console, or takes automated local actions.

Alerts are collected by Sentor BlueSOC and analysed using EDR tooling, threat intelligence, and analyst knowledge and experience.

If an alert is confirmed as a true positive, the SOC creates an incident report and, where possible, takes manual remediation actions. Over time, additional automated remediations are implemented to increase the protection of endpoints without manual intervention.

Step by step

  • Workshop to set the scope of endpoints to protect: clients or servers, different operating systems, etc.
  • Enrollment of endpoints, deployment of agents, and connection to Sentor SOC
  • Set up an Incident Response Plan together with the customer
  • Service delivery start
  • Continuous updates to detection capability, tuning/whitelisting and auto-remediation functions

Technical description

  • Supports Windows, Windows Server, Mac and Linux endpoints (platform dependent)
  • Allows communication with a cloud service or an on-premise central console (platform dependent)
  • If on-premise, set-up of a server platform for the central console (platform dependent)
  • Based on the Microsoft Defender ATP (E5 or separate Defender ATP license) or Cynet360 EDR platforms

Key benefits

  • Built on top of proven EDR solutions from Microsoft (Defender ATP) or Cynet (Cynet360)
  • Better protection for endpoints, including against APTs and new types of threats
  • Fast triage/remediation with active response 24/7
  • Increased protection for endpoints whether they are in the office or on the road
  • No need for customers to be product experts


Security Operations Center

Sentor's managed SOC services are divided into two types: BlueSOC services and RedSOC services. BlueSOC services are defensive by nature and aim to maintain internal defence by detecting and responding to cyber threats. Sentor's RedSOC services are offensive and aim to continuously identify and address deficiencies in the customer's security posture, both technical vulnerabilities and more structural weaknesses.
