WatchGuard’s Host Sensors now integrate with APT Blocker to conduct controlled endpoint threat analysis and stop unknown and evasive attacks

SEATTLE – September 21, 2017 – WatchGuard® Technologies, a leader in advanced network security solutions, today announced feature updates to its cloud-based Threat Detection and Response (TDR) service for small and midsize businesses (SMBs), distributed enterprises, and managed security service providers (MSSPs). The service correlates network and endpoint security events with threat intelligence to detect, prioritize and enable immediate action to stop malware attacks. TDR Version 5.1 introduces a direct integration between endpoint Host Sensors and APT Blocker, WatchGuard’s next-generation cloud sandbox solution. This extends the power of APT Blocker to endpoints, regardless of being on or off the corporate network. This allows IT administrators and MSSPs to automatically analyze suspicious endpoint files within the cloud sandbox to identify behaviors associated with persistent threats, zero day attacks and evasive malware, for fast and confident endpoint threat remediation.

“Since we launched TDR, it’s been the only solution out there that combines the power of complete Unified Threat Management (UTM) network security services with endpoint detection and response capabilities,” said Andrew Young, SVP of product management at WatchGuard. “We’ve taken that a step further with our latest updates to TDR, extending APT Blocker’s advanced sandboxing capabilities from the network to the endpoint. Now, users can automatically place a potentially dangerous endpoint file under the microscope to observe its behavioral characteristics and objectives, and respond accordingly.”

TDR combines several key elements to enable users to better detect and remediate evasive threats both inside their networks and on their endpoints:

• ThreatSync – WatchGuard’s cloud-based correlation engine, which collects event data in real time from Firebox appliances, Host Sensors and enterprise-grade cloud intelligence feeds. ThreatSync analyzes this data to generate a comprehensive threat score that guides either single-click or policy-based automated threat responses.
• UTM Network Security – WatchGuard Firebox M Series, T Series, FireboxV, and Firebox Cloud appliances, as well as existing industry-leading security services that contribute security data from inside the network to ThreatSync for correlation.
• Host Sensors – a lightweight software agent loaded onto endpoint devices that extends visibility beyond the network perimeter to individual devices. These sensors send data from potentially malicious endpoint security events to ThreatSync and APT Blocker to be analyzed, scored and addressed.
• APT Blocker – leverages a next-generation sandbox to emulate target environments and safely execute potentially malicious files from both the network and endpoint in order to analyze their behavior. Based on the APT Blocker response, the ThreatSync score is updated, enabling automatic remediation to eliminate the threat.
• Host Ransomware Prevention (HRP) Module – a lightweight software agent within endpoint Host Sensors that leverages behavioral analysis to identify ransomware-specific characteristics and automatically shuts down ransomware assaults pre-encryption. New advanced threat behaviors and characteristics are constantly added in order to ensure that HRP can block emerging attacks.

Previously, TDR leveraged APT Blocker to analyze threats from inside the network perimeter. With this new TDR update, APT Blocker is extending its powerful next-gen cloud sandboxing capabilities to individual devices outside of the network, consuming threat data directly from the endpoint for analysis. Now, whenever ThreatSync receives Host Sensor data that classifies an endpoint file as potentially malicious, it analyzes a hash of the malware sample, cross-referencing it with an extensive library of existing threats. If no match is found, TDR uploads the suspicious file where APT Blocker automatically performs deep analysis by detonating it in a controlled cloud sandbox that emulates a physical endpoint in order to analyze its intended behavior and unique characteristics. Once APT Blocker’s analysis is complete, it relays the results to ThreatSync, which then updates the threat score and enables automated remediation.

A completely cloud-based solution, TDR’s centrally managed, intuitive interface enables partners to service countless subscriptions without spending as much time at customer sites for new deployments or troubleshooting exercises. With TDR, included in WatchGuard’s Total Security Suite, MSSPs can further differentiate themselves from the competition, win more business, and build an additional recurring revenue stream by monetizing continuous, more advanced detection and response services; all with one SKU and one license.

Threat Detection and Response Service is now available as part of the WatchGuard Total Security Suite. Host sensor licenses vary based on the Firebox model, and additional sensor packages are available as an add-on offer. For more information, visit www.watchguard.com/TDR.