WatchGuard Technologies has announced a new endpoint security service called Threat Detection and Response (TDR).
TDR combines agents running on servers and PCs with Threat Sync, a cloud service that correlates and analyzes information from the agents and from WatchGuard network security appliances.
Note that TDR customers must also purchase, or have already purchased, at least one WatchGuard network appliance.
The agents, which WatchGuard calls host sensors, use heuristics and behavioral analytics to monitor servers and PCs for potentially malicious behavior. If such behavior is detected, the observation is sent to the Threat Sync cloud to be correlated with information from the network appliances and other security intelligence feeds.
Threat Sync then assigns a threat severity score to the activity on the endpoint. Based on that score, the agent can initiate policy-defined responses such as killing processes, quarantining files, or deleting registry values.
The agent currently runs on Windows 7 through 10; Windows Server 2003, 2008, and 2012; and Red Hat/CentOS 6 and 7. WatchGuard says Mac support should be available in the second half of 2017. WatchGuard is not discussing support for smartphones or tablets at this time.
WatchGuard says the host sensor can run alongside third-party antivirus software, and claims it won’t interfere with AV functions.
However, the company does recommend that administrators “exclude the quarantine directory of their AV solution so that TDR doesn’t clean up something that local AV has already tagged,” said CTO Corey Nachreiner via email.
Nachreiner also noted the host sensor’s memory and disk usage are “minimal,” particularly when the sensor is in detection mode.
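The score-to-response policy and the AV quarantine exclusion described above, written out as an added illustration (this is not WatchGuard's code, and the thresholds, action names, and quarantine path are constructed assumptions):

```python
import ntpath
from dataclasses import dataclass

# Constructed example: the quarantine directory of a hypothetical AV product,
# excluded so the TDR-style response never "cleans up" what local AV already isolated.
AV_QUARANTINE_DIRS = [r"C:\ProgramData\ExampleAV\Quarantine"]

# Hypothetical policy: highest matching score threshold wins.
# Lower scores only alert, limiting the blast radius of a false positive.
POLICY = [
    (90, "kill_process_and_quarantine_file"),
    (70, "quarantine_file"),
    (40, "alert_only"),
]


@dataclass
class Indicator:
    host: str
    process: str
    path: str      # file the sensor flagged (Windows-style path)
    score: int     # severity score assigned by the cloud correlation service


def is_in_av_quarantine(path: str) -> bool:
    """True if path is the AV quarantine directory or anything beneath it.

    ntpath is used explicitly so Windows paths normalize the same way on any
    platform; normcase lowercases and converts forward slashes to backslashes.
    """
    norm = ntpath.normcase(ntpath.normpath(path))
    for quarantine_dir in AV_QUARANTINE_DIRS:
        base = ntpath.normcase(ntpath.normpath(quarantine_dir))
        if norm == base or norm.startswith(base + "\\"):
            return True
    return False


def choose_response(ind: Indicator) -> str:
    """Map an indicator to a policy-defined response, honoring the AV exclusion."""
    if is_in_av_quarantine(ind.path):
        return "skip_already_quarantined"
    for threshold, action in POLICY:
        if ind.score >= threshold:
            return action
    return "no_action"
```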
Weigh The Risks
Host-based software is both a boon and a bane for organizations. On the one hand, the software places security controls and remediation capabilities directly on a machine, which can help identify and prevent malicious activities.
On the other hand, the software has to be installed, monitored, managed, and updated, which comes with operational costs. Host security software may also intermittently affect the performance of the endpoint.
Lastly, automated remediation comes with the risks of false positives and false negatives, both of which have negative consequences.
That’s why it’s imperative for organizations to weigh the risks of host-based exploits against the drawbacks outlined above before deploying such software.
The service is included in WatchGuard’s Total Security Suite, which includes network hardware. Pricing starts at $640 per year, which includes the cloud service, a Firebox T10 security appliance, and five host sensors. Customers can also license additional sensors at extra cost.