FireTower Incident Response and Containment Task
Anti-Virus solutions from Enterprise Protection Platforms (EPPs) rely on signature-based malware detection and cannot detect advanced attacks or zero-day attacks that are previously undiscovered and have no associated signature.
Since there is no signature for zero-day malware, Anti-Virus solutions can neither identify the attack nor provide any actionable response.
Malware is virtually always persistent. FireTower monitors, detects and disrupts malware cyber kill chains and delivers an always-on triage platform for incident response and forensic investigation.
Finding the compromise by focusing on persistence mechanisms is the standard industry practice for incident response because it is the most effective way to discover breaches and malware. Postmortem analyses indicate that the majority of recent zero-day cyber security attacks made use of injected or altered persistence mechanisms.
FireTower uses its Inter-Host Intrusion Prevention System (IHIPS) engine to automate this standard industry practice: it collects, authenticates, and stacks all persistence mechanisms. All enterprise forensic data is available in real time as live forensics.
The FireTower client software on each endpoint discovers and authenticates in real time all critical system state change events, and the Guard service, if enabled through the endpoint protection profile, automatically quarantines malicious and/or suspicious threats.
Any malicious entry, whether it was quarantined manually or automatically, will be interdicted automatically by FireTower.
Through an interactive threat exploration interface with built-in analytics, FireTower administrators can identify ongoing attacks early and respond more rapidly to detected attacks. They can issue “quarantine ALL” commands against a malicious event to all at-risk endpoints with a single click.
The Autorun Setting Repository (ASR) Proxy service allows enterprise security administrators to overwrite, upgrade or download any authentication rating from the public cloud-based ASR database. All security events and proprietary persistence mechanisms are kept inside the enterprise threat database and are never exposed to the outside world.
Any authentication rating changed by FireTower administrators is automatically processed throughout the enterprise network: a rating changed from good to malicious is immediately and automatically quarantined at all at-risk endpoints, and conversely a rating changed from malicious or suspicious to good is immediately and automatically un-quarantined on all affected endpoints.
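The two ideas above, stacking persistence entries across endpoints to surface the rare ones and propagating an administrator's rating change as per-endpoint quarantine or release actions, shown as an added example in Python. This is illustrative code written for this page, not FireTower or IHIPS code; the inventory, hash values and rating names are constructed.

```python
from collections import defaultdict

# Constructed sample inventory (not FireTower data): endpoint -> list of
# persistence entries as (autorun location, image path, file hash).
INVENTORY = {
    "host-01": [("Run", r"C:\Program Files\Vendor\agent.exe", "hash-agent"),
                ("Services", r"C:\Windows\System32\spoolsv.exe", "hash-spool")],
    "host-02": [("Run", r"C:\Program Files\Vendor\agent.exe", "hash-agent"),
                ("Services", r"C:\Windows\System32\spoolsv.exe", "hash-spool")],
    "host-03": [("Run", r"C:\Program Files\Vendor\agent.exe", "hash-agent"),
                ("Services", r"C:\Windows\System32\spoolsv.exe", "hash-spool"),
                ("Run", r"C:\Users\Public\updater.exe", "hash-odd")],  # outlier
    "host-04": [("Run", r"C:\Program Files\Vendor\agent.exe", "hash-agent"),
                ("Services", r"C:\Windows\System32\spoolsv.exe", "hash-spool"),
                ("Run", r"C:\Users\Public\updater.exe", "hash-odd")],
}

# Constructed authentication ratings per file hash; "hash-odd" has none yet.
RATINGS = {"hash-agent": "good", "hash-spool": "good"}


def stack_persistence(inventory):
    """Stack identical entries across endpoints: entry -> set of hosts."""
    hosts_by_entry = defaultdict(set)
    for host, entries in inventory.items():
        for entry in entries:
            hosts_by_entry[entry].add(host)
    return hosts_by_entry


def rare_entries(inventory, max_fraction=0.5):
    """Entries present on at most max_fraction of endpoints: low prevalence
    is where triage of a persistence stack usually starts."""
    stack = stack_persistence(inventory)
    limit = max_fraction * len(inventory)
    return sorted(e for e, hosts in stack.items() if len(hosts) <= limit)


def unrated_entries(inventory, ratings):
    """Entries whose file hash has no authentication rating at all."""
    return sorted(e for e in stack_persistence(inventory) if e[2] not in ratings)


def change_rating(inventory, ratings, file_hash, new_rating):
    """Record an administrator rating change and return the endpoint actions
    it implies: to malicious/suspicious quarantines the hash wherever it
    persists; from malicious/suspicious back to good releases it."""
    bad = ("malicious", "suspicious")
    old = ratings.get(file_hash)
    ratings[file_hash] = new_rating
    hosts = sorted(h for h, es in inventory.items() if any(e[2] == file_hash for e in es))
    if new_rating in bad and old not in bad:
        return [(h, "quarantine") for h in hosts]
    if new_rating == "good" and old in bad:
        return [(h, "unquarantine") for h in hosts]
    return []
```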
- Persistence Mechanism Primer
- FireTower Security Solution Page
- Armchair tour to Cyber Console Incident Response UI
- Hands-on FireTower Security Operations:
  - Get hands-on experience with the unique EDR capabilities of the Inter-Host Intrusion Prevention System by experimenting with the Cyber Console GUI through a Sampan Security, Inc. demonstration network, on demand and on your own computer.
  - Download and execute the WinCyCon software (digitally signed by Sampan Security, Inc.); it auto-connects you to the network: WinCyConx64.exe for x64 and WinCyConx86.exe for x86 (Windows Desktop XP/Vista/7/8/10 or Server 2008/2012).