BlueSOC EndpointSentry

24/7 endpoint detection, active response and incident reporting

Stop malware on endpoints in near real-time

The shift to attacking endpoints with advanced malware has drastically changed the security landscape. Traditional protection is no longer enough: detection must be coupled with mitigation in close to real time to be of value to customers, for example in the case of ransomware.

BlueSOC EndpointSentry is built on new technology that identifies threats on both servers and clients using a very lightweight deployment and implementation.

Identify suspicious activity on clients and servers

Detection is based on real-time heuristic analysis of suspicious behavior by code on the endpoint. Information on possible threat activity is reported to and correlated by Sentor’s BlueSOC 24/7 to ensure that only actual incidents are reported as such.

Sentor’s BlueSOC manages incidents according to your IRP

When an incident is confirmed by the BlueSOC, a multitude of actions can be taken directly, for example isolating the endpoint, stopping processes on it, or simply alerting the customer of an ongoing incident, all according to the Incident Response Plan (IRP) defined together with the client.

More information
How it works

EndpointSentry is not limited to clients, but also supports server endpoints. EndpointSentry collects indicators, analyses them in its multi-stage analysis process, and alerts the Sentor SOC, enabling active threat management 24/7. The multi-stage analysis includes:

Collect – Threat detection begins with the scanning of corporate assets including endpoints, users, files and the network. Indicators are collected and a baseline is created to track authorized and malicious changes within the ecosystem.

Analyze – Collected indicators are filtered through the correlation engine, the security intelligence module and behavior inspection, using both static and dynamic (sandbox) analysis. EndpointSentry identifies anomalies such as:

  • suspicious endpoint network configuration changes
  • system file modifications
  • registry changes
  • suspect user activity

and uses its automatic multi-stage analysis to confirm the threat and risk levels.

Alert – Once EndpointSentry has determined that a threat exists, the Sentor SOC 24/7 is alerted and can verify the threat and take action according to the customer's Incident Response Plan.

Remediate – EndpointSentry enables the effective cleanup of infected corporate assets with immediate remediation of threats in progress, through quarantine or file deletion, blocking of users, or taking systems offline, according to the customer's Incident Response Plan.
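The Collect, Analyze and Alert stages above amount to a baseline-and-diff check: record the endpoint's state, compare later snapshots against it, ignore change-managed differences, and escalate when the accumulated risk of the remaining differences is high enough. The following Python sketch, added here as an illustration and not EndpointSentry's own code, does exactly that over the four anomaly categories the page lists; the snapshot format, risk weights, threshold and sample values are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Snapshot = Dict[str, Dict[str, str]]  # constructed format: category -> {item: value}
# Assumed risk weights for the four anomaly categories the page lists
RISK_WEIGHT = {"network": 2, "system_file": 3, "registry": 2, "user": 1}
ALERT_THRESHOLD = 4  # assumed: total risk at or above this is escalated to the SOC

@dataclass
class Finding:
    category: str
    item: str
    before: str  # baseline value, or "<absent>"
    after: str   # current value, or "<absent>"
    risk: int

def diff_snapshot(baseline: Snapshot, current: Snapshot,
                  authorized: FrozenSet[Tuple[str, str]] = frozenset()) -> List[Finding]:
    """Collect/Analyze: report each item whose value differs from the baseline,
    skipping change-managed (category, item) pairs listed in `authorized`."""
    findings: List[Finding] = []
    for category, weight in RISK_WEIGHT.items():
        base, cur = baseline.get(category, {}), current.get(category, {})
        for item in sorted(set(base) | set(cur)):
            if (category, item) in authorized or base.get(item) == cur.get(item):
                continue
            findings.append(Finding(category, item, base.get(item, "<absent>"),
                                    cur.get(item, "<absent>"), weight))
    return findings

def should_alert(findings: List[Finding]) -> bool:
    """Alert stage: escalate to the SOC only when the accumulated risk is high enough."""
    return sum(f.risk for f in findings) >= ALERT_THRESHOLD

# Constructed sample data: a baseline and a later snapshot of one Windows endpoint
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"
BASELINE: Snapshot = {
    "network": {"dns": "10.0.0.53"}, "system_file": {HOSTS: "sha256:aaaa"},
    "registry": {RUN_KEY + r"\Updater": r"C:\Program Files\Vendor\updater.exe"},
    "user": {"alice.logon_hours": "08-18"},
}
CURRENT: Snapshot = {
    "network": {"dns": "198.51.100.7"},            # DNS resolver redirected
    "system_file": {HOSTS: "sha256:bbbb"},         # hosts file modified
    "registry": {RUN_KEY + r"\Updater": r"C:\Program Files\Vendor\updater2.exe",  # approved
                 RUN_KEY + r"\svchost": r"C:\Users\Public\svchost.exe"},          # new autorun
    "user": {"alice.logon_hours": "08-18"},        # unchanged
}
AUTHORIZED = frozenset({("registry", RUN_KEY + r"\Updater")})  # change-managed update
```

Calling `diff_snapshot(BASELINE, CURRENT, AUTHORIZED)` yields three findings (DNS change, hosts modification, new autorun entry) and `should_alert` returns True for them, while the approved updater change is filtered out before it reaches the SOC.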

How it works - An illustration

[Figure: illustration of how EndpointSentry works]

Is the implementation complex?

No. EndpointSentry can be installed within hours and requires virtually no IT resources for operation and maintenance. In ongoing operation, the agentless solution does not impact data/user privacy, availability or performance. It ensures that your environment remains ‘clean’ and provides effective and comprehensive attack detection and remediation.

What happens when a threat is detected?

As part of threat identification and analysis, the following stages occur:

  • Threats are constantly checked against existing and new security intelligence sources
  • Sandboxing can be executed either on premises or in a cloud environment
  • Expert cyber analysts provide manual analysis of indicators in cases of inconclusive automatic findings, uncovering hard-to-find threats while significantly reducing the false positive ratio

How can an active threat be managed by Sentor's SOC?

SOC analysts take direct action according to the customer's Incident Response Plan to stop threats from executing, spreading or exfiltrating data.

The following are examples of actions that can be taken by the SOC 24/7:

  • Isolate the endpoint from the network
  • Stop processes from execution
  • Extract files for analysis
  • Lock the user account
  • Notify customer of incident (always done for all detected incidents)

What endpoints are supported?

  • Windows
  • Unix
  • Linux
  • Mac

Security Operations Center

Sentor’s managed SOC services are divided into two types: BlueSOC services and RedSOC services. BlueSOC services are defensive by nature and aim to maintain internal defense by detecting and responding to cyber threats. Sentor’s RedSOC services are offensive and aim to continuously identify and address deficiencies in the customer’s security posture, both technical vulnerabilities and more structural weaknesses.
