1) Information Gathering
- Read Process List
- Read Details of each process
- Read the output of "netstat -anb" (active connections and the executable that owns each)
2) Infected Endpoint Control
- Execute commands on endpoints
- Upload/Download files between endpoints and controllers
- Capture packets on endpoints
3) Security Detection Enhancement
- Built-in Malicious Code feeds that can be updated automatically
- Upload suspicious files to an on-premises sandbox for analysis
- Import YARA rules
- Import Snort rules
4) Incident Response
- Block processes from sending packets
- Stop processes
- Clean / Delete infected files
- Isolate machines
5) Threat Intelligence Integration
- Asset Information Management
- Built-in Threat Intelligence feeds that can be updated automatically
- Send alerts to a SIEM through Syslog
6) Constraint
- Must be able to coexist with antivirus products such as Symantec SEP