A number of new features in FireEye Endpoint Security HX 3.0 redefine what protecting endpoints is all about. Traditional endpoint protection (EPP) solutions rely on a stale database of threat signatures to stop known threats. This only works if the system has a signature for every possible threat, and that is not possible.
First, if a threat is blocked, threat actors will find malware that can bypass the deployed EPP security software, so threats will get in undetected by EPP. Once inside, their activities are more difficult to notice or stop, since the malware may not even be active at that point. During this process, EPP also provides no visibility into the network, so security personnel cannot inspect and analyze a blocked, or even an undetected, threat. They have no way of knowing whether a blocked threat was part of a string of related attempts, let alone investigate a threat that may have successfully bypassed their EPP.
FireEye HX 3.0 delivers what is now essential for modern endpoint protection—visibility and proactive inspection, not just blind blocking. Being able to actively investigate and analyze real-time threat activity means analysts can use real-time threat intelligence from FireEye and other sources to dynamically determine appropriate protection based on the threat activity they are dealing with today, not on threats from days or years ago.
This visibility provides several levels of inspection. The first step in the progression an analyst goes through during an investigation is Triage Viewer, first available in HX 2.6, which focuses on IOC visibility, inspection and analysis at the endpoint, so every endpoint can be checked for an IOC. If one is found, Triage Viewer can expose it and its activities. The screenshot below shows an IOC summary view of activities and timelines, with more details to the left.
Feature 1 Triage Viewer
What if there isn’t an IOC? Analysts need to continuously monitor for threats even when there are no alerts. Exploring endpoints effectively requires powerful search and investigative capabilities, and Enterprise Security Search (ESS), a new feature of HX 3.0, addresses that need. Below is a screenshot of the HX 3.0 ESS feature. It enables analysts to quickly create and run customized broad searches across every endpoint with rapid results, even over 100k+ endpoints. With easily selected security-specific search parameters, an analyst can gather detailed information on each endpoint. If some endpoints require deeper investigation, analysts can use Data Acquisition for deep forensic analysis.
With HX, security analysts can use existing threat intelligence IOCs and also create their own. This allows them to better adapt security to real-time threats, because they can inspect every endpoint quickly and deeply for events and any security ramifications.
Feature 2 Enterprise Security Search
When an ESS broad search uncovers information indicating that an endpoint needs further investigation, Data Acquisition, also a new HX feature, can obtain detailed information about any endpoint. The screenshot below shows the information it can gather: in this case, 236 endpoints had a particular file without an associated IOC, but the file looked suspicious. Proactive investigation of any activity means analysts don’t need to wait for an IOC; they can investigate and gather new information that allows them to create a custom IOC to address a previously unknown threat.
Feature 3 Data Acquisition
Today’s attacks are sophisticated, launched by human threat actors who constantly adjust their methodologies to bypass defenses. Addressing these attacks requires tools that deliver equally dynamic visibility to find known and unknown threats quickly and effectively. Security analysts need to be able to see into every corner of every endpoint at any time, to find and then stop threats before they do any damage. HX 3.0 provides the capabilities necessary for complete endpoint visibility, inspection and analysis, anytime, anywhere. It gives analysts the power they need to adapt their defenses dynamically so they can immediately protect their endpoints.