
Stop Targeted Attacks and Zero-Day Threats with DFLabs and Symantec Endpoint Cloud


Zero-Day Threats

Having the ability to quickly detect and contain a zero-day or targeted threat may be the only chance an organization has to keep their business and assets safe from these types of unpredictable attacks. Oftentimes prevention is not an option and organizations must be able to fully utilize their entire security stack to contain an inevitable incident.

DFLabs’ integration with Symantec Endpoint Cloud provides organizations with the rapid detection and response solution necessary to protect today’s multi-faceted network environments. From on-prem to the cloud and securing users on the go, networked environments no longer exist solely within a confined perimeter. In most cases an organization’s endpoints are their last line of defense, and Symantec Endpoint Cloud used in conjunction with DFLabs’ IncMan SOAR solution ensures that these critical assets are protected regardless of where they reside, without needing to ramp up security resources.

The Problem

Zero-day attacks continue to threaten the security of all organizations regardless of their size or maturity level. They lurk underneath the radar and just outside of our security defenses until it is too late. These attacks are nearly impossible to prevent and require rapid detection and response efforts to contain the potential damage they can cause.

Unfortunately, these types of attacks have grown in sophistication and can no longer be adequately detected and contained by past forms of anti-virus protection. Outdated signature and pattern matching strategies of yesterday are no longer effective, and security teams already stretched to their limits continue to fight an uphill battle.

So, how can organizations today overcome these three common but critical questions and concerns?

  • How can we quickly detect and respond to zero-day attacks?

  • How can we utilize our full security stack to contain a targeted or zero-day attack?

  • How can we minimize the damage caused by a zero-day or targeted attack?

The DFLabs and Symantec Endpoint Cloud Solution

The DFLabs and Symantec Endpoint Protection Cloud solution accelerates endpoint detection and response efforts by enabling security professionals to operationalize the detail-rich data gathered from Symantec Endpoint Cloud, combining it with the automation and orchestration power of the DFLabs IncMan SOAR platform. By automating the gathering of event data, organizations can present their security team with the full picture of an incident within minutes, allowing them to act quickly to prevent the attack from becoming successful.

Equipped with this information, security teams can build in conditional statements that allow an incident to be either fully automated from start to finish or only partially automated, with a few automated steps assisting network defenders during their investigations. Whether fully or only partially automated, organizations can leverage the advanced features of Symantec Endpoint Cloud to build out their security processes and procedures, ensuring that incidents such as malicious downloads performed by internal users are handled uniformly each time they occur, and that their security team is engaged only when necessary, cutting down on over-utilization.

About Symantec Endpoint Cloud

Symantec Endpoint Protection Cloud (SEP Cloud) is an easy-to-use security-as-a-service that protects and manages PCs, Macs, mobile devices and servers from a single console, making it the ideal solution for organizations with limited IT security resources. SEP Cloud effectively stops today’s ransomware, zero-day threats and other sophisticated attacks using advanced multi-layered technologies, including advanced machine learning and behavior analysis. Utilizing SEP Cloud’s default security settings and user self-enrollment capabilities, this solution quickly protects your endpoints.

Use Case

Now let’s look at a simple use case in action.

An alert is received regarding a potentially malicious file downloaded by a user in the Sales department. IncMan SOAR receives the alert and automatically executes the suspicious file R3 Rapid Response Runbook which begins by checking the file’s reputation score against two separate file reputation services.

Once the file has been evaluated, the R3 Runbook reaches its first conditional action. This action checks whether either of the file reputation services has reported the file as malicious. If neither service reports the file as malicious, the Runbook terminates immediately without any further action being taken. However, if one or both of the services report its reputation as “high” or a risk score higher than 50, a group of nested actions is executed.

These actions start by banning the hash at the organization’s firewall and then simultaneously querying Symantec Endpoint Protection Cloud for historical data on the affected host, user, and malicious file. The historical data is then fed into another set of conditional statements, which look for additional events involving the affected host or user, and check whether any other hosts have interacted with the malicious file. As these conditions are evaluated, if any is found to be true, the event IDs and additional hosts are added to the incident as artifacts, the priority is automatically elevated to high, and notifications are sent to both the security and IT teams for follow-up.
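To make the branching in this use case concrete, the following is an added example (not DFLabs or Symantec code, and not the IncMan SOAR runbook itself) that models the runbook's decision logic in Python over constructed alert, reputation and history records. The service response fields (`reputation`, `risk_score`), the event record layout, the hash values and the host/user names are all assumptions made for illustration; only the decision rules (either service reporting “high” or a score above 50, then enrichment from host, user and file history) come from the text.

```python
"""Model of the 'suspicious file' R3 runbook decision flow described above.

Constructed example: field names, service responses, hashes and host names are
assumptions for illustration, not the DFLabs IncMan SOAR or SEP Cloud APIs.
"""
import json
from typing import List

RISK_THRESHOLD = 50  # the use case treats a risk score higher than 50 as malicious


def service_flags_malicious(verdict: dict) -> bool:
    """One reputation service's verdict counts as malicious when it reports a
    reputation of "high" or a risk score above the threshold. Missing or
    non-numeric fields are treated as benign so that an incomplete lookup
    from a single service cannot by itself trigger containment."""
    reputation = str(verdict.get("reputation", "")).lower()
    score = verdict.get("risk_score")
    score_is_high = isinstance(score, (int, float)) and score > RISK_THRESHOLD
    return reputation == "high" or score_is_high


def file_is_malicious(verdicts: List[dict]) -> bool:
    """First conditional action: one or both services flagged the file."""
    return any(service_flags_malicious(v) for v in verdicts)


def run_runbook(alert: dict, verdicts: List[dict], history: List[dict]) -> dict:
    """Walk the runbook and return the resulting incident state.

    alert:    {"event_id", "host", "user", "file_hash"} for the triggering download
    verdicts: one dict per file reputation service (two in the use case)
    history:  SEP Cloud-style event records with the same keys as `alert`
    """
    state = {"actions": [], "artifacts": [], "priority": "medium", "notify": []}

    if not file_is_malicious(verdicts):
        state["actions"].append("terminate: no service reported the file as malicious")
        return state

    # Nested actions: contain first, then enrich from historical endpoint data.
    state["actions"].append(f"ban hash {alert['file_hash']} at firewall")
    state["actions"].append("query SEP Cloud history for host, user and file")

    related_event_ids = set()
    other_hosts = set()
    for ev in history:
        if ev["event_id"] == alert["event_id"]:
            continue  # the triggering event itself is not an "additional" event
        involves_host = ev["host"] == alert["host"]
        involves_user = ev["user"] == alert["user"]
        same_file_elsewhere = (ev["file_hash"] == alert["file_hash"]
                               and ev["host"] != alert["host"])
        if involves_host or involves_user or same_file_elsewhere:
            related_event_ids.add(ev["event_id"])
        if same_file_elsewhere:
            other_hosts.add(ev["host"])

    # Second set of conditionals: any hit adds artifacts, raises priority, notifies.
    if related_event_ids or other_hosts:
        state["artifacts"] = (sorted(f"event:{e}" for e in related_event_ids)
                              + sorted(f"host:{h}" for h in other_hosts))
        state["priority"] = "high"
        state["notify"] = ["security", "it"]
    return state


# Constructed sample data (placeholder hashes, fictional hosts and users).
SAMPLE_ALERT = {"event_id": "evt-100", "host": "sales-laptop-07",
                "user": "jdoe", "file_hash": "PLACEHOLDER-HASH-A"}
SAMPLE_VERDICTS = [
    {"reputation": "unknown", "risk_score": 12},  # service 1: nothing conclusive
    {"reputation": "high", "risk_score": 88},     # service 2: flags the file
]
SAMPLE_HISTORY = [
    dict(SAMPLE_ALERT),  # the download that raised the alert
    {"event_id": "evt-101", "host": "sales-laptop-07", "user": "jdoe",
     "file_hash": "PLACEHOLDER-HASH-B"},           # another event on the same host
    {"event_id": "evt-102", "host": "fileserver-01", "user": "svc-backup",
     "file_hash": "PLACEHOLDER-HASH-A"},           # same file seen on another host
    {"event_id": "evt-103", "host": "hr-desktop-02", "user": "asmith",
     "file_hash": "PLACEHOLDER-HASH-C"},           # unrelated event
]

if __name__ == "__main__":
    print(json.dumps(run_runbook(SAMPLE_ALERT, SAMPLE_VERDICTS, SAMPLE_HISTORY), indent=2))
```

Running the block with the constructed data flags the file (service 2 reports “high”), bans the hash, and then attaches `evt-101` (same host), `evt-102` and `fileserver-01` (same file on another host) as artifacts, raising the priority to high and notifying both teams. A score of exactly 50 with no “high” reputation stays benign, which matches the “higher than 50” wording in the use case and is worth pinning down explicitly when translating such thresholds into runbook conditions.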


Conclusion

Together, DFLabs IncMan SOAR and Symantec Endpoint Protection Cloud tackle a threat at its source, providing zero-day detection capabilities at the endpoint through advanced multi-layered technologies powered by machine learning and behavioral analysis, combined with automation and orchestration capabilities. By rapidly detecting and responding to a threat, organizations can be confident that their security teams have the support they need to keep their business assets safe from malicious adversaries.

If you would like to see this integration and others in action, request a personalized one to one demo today.
