Modern approach to endpoint protection

Introduction

Different view of endpoint protection


Classic antivirus solutions are no longer sufficient to reliably protect data against today's targeted attacks on company data, zero-day attacks, or persistent threats such as ransomware.

Standard security methods protecting endpoint workstations must be supplemented by an additional security layer based on analysis of computer behavior that is capable of detecting previously unknown threats.

Exploit Guardian protects critical and frequently targeted applications such as web browsers, system files, and PDF editors against exploitation of their security holes. It monitors the behavior of processes in memory and evaluates, reports, and blocks threats based on a decision algorithm tied to system activities.

Exploit Guardian

Monitoring and protection tool for securing endpoint workstations against typical attack vectors

Exploit Guardian is a monitoring and protection tool for securing the operating system and risky applications against typical attack vectors. This protection complements existing antivirus products and is capable of preventing attacks against which those solutions are ineffective, such as exploitation of unknown vulnerabilities in applications or the OS, unpatched operating systems, and unknown types of attacks.

Exploit Guardian monitors the behavior of programs running on a computer to detect unusual behavior that may indicate a malware or hacker attack. Essentially, it supervises basic system operations such as opening files, running processes, writing to the registry, and accessing the network. Depending on the mode set, a suspected attack is either reported or the suspicious process is blocked before it can carry out its activity.

Events are logged in such a way that the attack vector and the related information recorded during the attack can be easily traced and used by the system administrator for analysis.


Benefits versus classic anti-virus protection

Compared to classic antivirus, the Exploit Guardian solution allows endpoints to be protected against a wider range of attacks.

Zero-day attacks

Compared to typical antivirus solutions, Exploit Guardian evaluates potentially dangerous malware activity in real time based on behavioral rules. This protects the system even in the critical period when a vulnerability is being exploited, no patch exists yet, and the malware has no signature that an antivirus could detect.

Ransomware attacks

Exploit Guardian protects endpoint workstations and their assets against the effects of ransomware. This type of malware belongs to the group of malicious code that encrypts user data. Today, ransomware is very widespread and dangerous because it combines modern distribution techniques with advanced data encryption methods.

Unwanted application activities

Exploit Guardian continuously monitors process activity in the operating system and clearly informs users about potentially unwanted operations. It allows the user to define the permitted operations for applications and to restrict legitimate programs' access to system resources and user assets.

Management server

Incidents found at endpoint workstations are sent to the Management Server, which serves the administrator or SOC operator in remedying them and assessing the network's risk.


Incidents detected by Exploit Guardian in enterprise environments are managed by the Management Server, which receives information about all incidents and related data from workstations, correlates it according to defined attack vectors, and provides pre-processed information to security administrators to streamline network security and save time on the analysis of security events. An example is automatically finding workstations on the network with the same security incident. The server provides clear information about the spread of malware in the network and the security context needed for a quick response. The stored related information then helps the administrator find out the details of incidents and their causes without having to be physically present at the problematic endpoint devices in the network.

Processing suspicious events

Exploit Guardian takes care of events detected at endpoint workstations from the moment they occur to their correlation and display on the system administrator's side.

  • Process activity logging

    Exploit Guardian monitors system calls in the operating system, e.g. file opening, process execution, writing to the registry, and network access.

  • Evaluation of detected risks

    Evaluation of an attack takes place according to predefined rules, which are built by correlating the provisions given for the source and target object, the object access restrictions (create, open, read, write, delete, and rename), and the priority that determines the order in which the rules are applied.

  • Applying appropriate rule

    If a captured event violates existing rules, Exploit Guardian evaluates the possible risk based on the policy's priority and, depending on the mode set, allows or blocks the operation or queries the user.

  • Data synchronization with server

    Endpoints continuously synchronize with the Exploit Guardian server side and deliver all detected events that have been recorded locally. Based on the received data, the server is able to analyze and correlate them.

  • Correlation of related events

    In the next step, the Exploit Guardian system correlates the related events received from endpoint workstations into an event chain in order to gain deeper knowledge about the detected incident, analyze it, and take countermeasures.

  • Display of an attack to the administrator

    The system administrator is able to analyze the attacks by using a web application that clearly and comprehensively displays the recorded attacks and helps determine their impact.
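The processing steps above, as an added illustrative model in Python that is not Exploit Guardian's code: prioritized rules over a source process, a target object and the listed access operations, the report/block/ask mode applied when a rule is violated, and the server-side grouping of hits that finds workstations sharing the same incident. The rule names, globs, paths and events are constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from fnmatch import fnmatch

ACCESS_OPS = {"create", "open", "read", "write", "delete", "rename"}  # restrictions the page lists
Event = namedtuple("Event", "host source target access")  # one captured system operation

@dataclass(frozen=True)
class Rule:
    name: str
    source: str        # glob on the acting process image, e.g. "winword.exe" or "*"
    target: str        # glob on the accessed object: a file path or registry key
    access: frozenset  # restricted operations, drawn from ACCESS_OPS
    priority: int      # lower value is tried first; this is what orders the rules
    action: str        # "allow" or "deny"

def matches(rule, ev):
    return (fnmatch(ev.source.lower(), rule.source.lower())
            and fnmatch(ev.target.lower(), rule.target.lower())
            and ev.access in rule.access)

def evaluate(ev, rules, mode="block"):
    """First matching rule by priority decides; a violated 'deny' rule yields the mode's verdict."""
    assert mode in ("block", "report", "ask") and ev.access in ACCESS_OPS
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, ev):
            return ("allow", rule.name) if rule.action == "allow" else (mode, rule.name)
    return "allow", None  # no rule restricts this operation

def correlate(events, rules, mode="block"):
    """Server-side step: violated rule -> sorted hosts, so hosts sharing an incident are found."""
    hits = {}
    for ev in events:
        verdict, name = evaluate(ev, rules, mode)
        if verdict != "allow":
            hits.setdefault(name, set()).add(ev.host)
    return {name: sorted(hosts) for name, hosts in hits.items()}

# Constructed policy: the trusted editor may modify documents, anything else may not, autorun key is read-only.
DOC_OPS = frozenset({"write", "rename", "delete"})
RULES = [
    Rule("office-docs-allow", "winword.exe", "*.docx", DOC_OPS, 10, "allow"),
    Rule("docs-protect", "*", "*.docx", DOC_OPS, 20, "deny"),
    Rule("autorun-key", "*", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run*", frozenset({"create", "write"}), 30, "deny"),
]
EVENTS = [  # constructed events as two workstations would report them to the server
    Event("ws-01", "winword.exe", r"C:\Users\a\Documents\report.docx", "write"),
    Event("ws-01", "unknown.exe", r"C:\Users\a\Documents\report.docx", "rename"),
    Event("ws-02", "unknown.exe", r"C:\Users\b\Documents\budget.docx", "rename"),
    Event("ws-02", "unknown.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "write"),
]
```

Running `correlate(EVENTS, RULES)` reports the document rule as violated on both workstations and the autorun rule on ws-02 only, which is the kind of cross-host grouping the Management Server is described as performing.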

Attack analysis

A comprehensive overview of the hazardous activities of processes and of the activities affected by them.


In addition, Exploit Guardian provides a tool that enables the system administrator to analyze incidents and take countermeasures to prevent threats to endpoints from emerging. The advantage of the analysis tool over existing solutions is that it combines modern techniques and technologies to make the investigation of incidents more effective.

The web application offers an intelligent, easy-to-use, dynamic interface that consists of three main components, each with a particular function. The first component is the time axis, on which incidents are organized according to their severity and time. The second component is a graph depicting the development of the attack on the endpoint. The third component is an information panel providing data about the selected incident and giving access to the VirusTotal and IP Geolocation services.

Network hierarchy

Detailed characteristics

Behavioral analysis

Network activity

Dynamic time axis

Detailed information

Download

Using the following links, it is possible to explore the functionality of Exploit Guardian.

EU project

The Exploit Guardian project was developed in cooperation with the European Union.

The Exploit Guardian product was developed with the support of Ministerstvo průmyslu a obchodu ČR under the grant program Operační Program Podnikání a Inovace pro konkurenceschopnost – Pokročilá ochrana před neznámými malwarovými a hackerskými útoky pomocí analýzy chování počítačů, reg. no. CZ.01.4.04/0.0./0.0./16_066/0007813.

Write us

We will be happy to answer all your questions.

About us

We are creating a new type of endpoint protection for networks, with central administration for security administrators and SOC operators.

Address

Sec Guardian, s.r.o.
Veveří 2845/102,
616 00 Brno, ČR,
IČ: 01673246
DIČ: CZ01673246

Web: www.sec-guardian.cz
Email: info@sec-guardian.cz
Tel.: +420 733 468021
Bank account: UniCredit Bank Czech Republic and Slovakia,
a.s., account number 2113755783/2700