The security community is talking a lot about endpoint visibility. But what does that mean? What do you really need to know about your endpoints and servers in order to detect or remediate a breach? How much information is enough in order to understand what is actually going on?
The answer follows from the problem itself. Today's attacks are sophisticated: they hide inside legitimate host processes, erase their tracks, come and go, and keep changing. So to hunt for attackers or investigate an alert, you need a very detailed picture of the OS-level events that took place on every endpoint and server on your network, not just right now but over the course of at least the preceding few months. That is a tremendous amount of data, so you also need technology that can turn it into a meaningful forensic timeline.
SECDO's OS Mirroring™ technology proactively records all of the endpoint events necessary to recreate the attack chain, down to thread-level (sub-process) resolution and continuously over time. More than 70% of advanced malware injects code multiple times, so this resolution is essential. For example, if malware injects code into Internet Explorer, OS Mirroring will capture all of the threads in that process and every action each of them executes, and determine which threads and actions are malicious and which are not.
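The point of thread-level resolution is that a verdict can be attached to the thread that performed an action rather than to the whole host process. The following is an added example, not SECDO's code and not how OS Mirroring is implemented: it replays a small, constructed stream of endpoint events (process start, image load, thread start, network connection, file creation), marks a thread as suspicious when a different process created it or its start address is not backed by any image the host loaded, and then attributes every later action carrying that thread id to the injected thread while leaving the host's own threads benign. All event names, fields, process ids, paths and addresses are assumptions made for the illustration.

```python
# Added example, not SECDO's code: attribute recorded endpoint actions to the
# thread that performed them and flag the threads a remote process injected.
# Event names, fields and all sample values below are assumptions constructed
# for this illustration, loosely modelled on the event categories the page
# lists (process, DLL/image, thread and network activity).
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample telemetry (not captured data). Process 4242 is the
# browser host; process 9001 is a dropper that creates a thread inside 4242
# whose start address is not backed by any image the host has loaded.
EVENTS = [
    {"t": 1, "type": "process_start", "pid": 4242,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"t": 2, "type": "image_load", "pid": 4242, "image": r"C:\Windows\System32\ntdll.dll",
     "base": 0x7FF800000000, "size": 0x1F0000},
    {"t": 3, "type": "image_load", "pid": 4242, "image": r"C:\Windows\System32\wininet.dll",
     "base": 0x7FF810000000, "size": 0x300000},
    {"t": 4, "type": "thread_start", "pid": 4242, "tid": 100, "creator_pid": 4242,
     "start": 0x7FF800010000},
    {"t": 5, "type": "network_connect", "pid": 4242, "tid": 100, "dst": "203.0.113.10:443"},
    {"t": 6, "type": "process_start", "pid": 9001,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"t": 7, "type": "thread_start", "pid": 4242, "tid": 200, "creator_pid": 9001,
     "start": 0x1A2B3C0000},
    {"t": 8, "type": "network_connect", "pid": 4242, "tid": 200, "dst": "198.51.100.7:8443"},
    {"t": 9, "type": "file_create", "pid": 4242, "tid": 200,
     "path": r"C:\Users\alice\AppData\Roaming\svc.dll"},
    {"t": 10, "type": "file_create", "pid": 4242, "tid": 100,
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\x.js"},
]


@dataclass
class ProcessState:
    image: str = ""
    modules: list = field(default_factory=list)     # (base, size, path)
    suspicious: dict = field(default_factory=dict)  # tid -> reason


def backed_by_module(proc, addr):
    """True if addr falls inside an image the process has loaded."""
    return any(base <= addr < base + size for base, size, _ in proc.modules)


def build_timeline(events):
    """Replay events in time order; return (timeline rows, per-process state).

    A thread is marked suspicious if a different process created it or its
    start address is not backed by a loaded image.  Every later action that
    carries that thread id inherits the verdict, so the host's own threads
    (here tid 100) stay benign while the injected thread (tid 200) does not.
    """
    procs = defaultdict(ProcessState)
    rows = []
    for ev in sorted(events, key=lambda e: e["t"]):
        p = procs[ev["pid"]]
        kind = ev["type"]
        if kind == "process_start":
            p.image = ev["image"]
        elif kind == "image_load":
            p.modules.append((ev["base"], ev["size"], ev["image"]))
        elif kind == "thread_start":
            reasons = []
            if ev.get("creator_pid", ev["pid"]) != ev["pid"]:
                reasons.append(f"created by remote pid {ev['creator_pid']}")
            if not backed_by_module(p, ev["start"]):
                reasons.append(f"start 0x{ev['start']:X} outside loaded images")
            if reasons:
                p.suspicious[ev["tid"]] = "; ".join(reasons)
        tid = ev.get("tid")
        if tid is None:
            verdict = "n/a"          # process-level event, no thread to attribute
        elif tid in p.suspicious:
            verdict = "malicious"
        else:
            verdict = "benign"
        detail = ev.get("dst") or ev.get("path") or ev.get("image") or ""
        rows.append({"t": ev["t"], "pid": ev["pid"], "tid": tid,
                     "type": kind, "verdict": verdict, "detail": detail})
    return rows, procs


def malicious_actions(events):
    """Only the actions attributable to an injected/suspicious thread."""
    rows, _ = build_timeline(events)
    return [r for r in rows if r["verdict"] == "malicious"]


if __name__ == "__main__":
    rows, procs = build_timeline(EVENTS)
    for r in rows:
        print(f"t={r['t']:>2} pid={r['pid']} tid={str(r['tid']):>4} "
              f"{r['type']:<16} {r['verdict']:<9} {r['detail']}")
    for pid, p in procs.items():
        for tid, why in p.suspicious.items():
            print(f"suspicious thread {tid} in pid {pid} ({p.image}): {why}")
```

Two caveats a practitioner would add before using logic like this for real: a start address outside any loaded image also fires on legitimate JIT-compiled code (browser script engines, .NET), so the remote-creator signal and the cross-process write that preceded the thread are the stronger corroboration; and the verdict has to follow the thread's descendants too (child processes it spawns, files it writes that are later executed), which is exactly why the recorded history needs to span weeks rather than hours.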
OS Mirroring is optimized for performance, with a very lightweight agent/driver and data-harvesting technology that processes, transfers and stores the information efficiently, retaining up to 100 days of history. The technology is built to scale to tens of thousands of agents.
Some of the many events that SECDO collects include:
- Host snapshot
- Full directory and file listing with file hashes/signatures
- All registry and directory locations used for auto-run configuration
- File system activity - read/modify/create/move/delete
- Registry activity
- Network activity, including traffic
- DNS and HTTP proxy hostnames
- Process and sub-process activity - start/stop/execute
- DLL activity
- Thread activity
- Memory activity
- Hardware activity
- Webcam activity
- Microphone activity
- Keylogging activity
- USB activity
- Printer activity
- User activity - add/elevate/delete
- Physical presence
- Window activity