BI.ZONE EDR (Endpoint Detection and Response), formerly BI.ZONE Sensors

Product
Developers: BI.Zone (Safe Information Zone, Bison)
Last Release Date: 2024/10/28
Technology: Distributed Deception Platform (DDP), Security Information and Event Management (SIEM)

Main article: Security Information and Event Management (SIEM)

2024

Add Two-Factor Authentication

Two-factor authentication and a number of functions that improve the effectiveness of threat monitoring have appeared in BI.ZONE EDR. Among them are support for monitoring the reading of registry values and flexible configuration of aggregation and throttling in the agent for Windows. The Linux agent has expanded the list of file events collected in container environments through the eBPF provider. In addition, BI.ZONE EDR has become easier to integrate with SIEM systems thanks to the ability to send data in parallel to several destinations. The developer announced this on October 28, 2024.

To provide an additional layer of protection for the management server, a two-factor authentication function has been added to the boxed version of BI.ZONE EDR. If this feature is enabled, access to the server interface requires not only the account password but also a one-time code generated by the TOTP (time-based one-time password) algorithm and valid only for a short period of time. Thus, even if an attacker obtains a user's password, the account remains protected from unauthorized access.

Another key change affecting the EDR management server is the added ability to send telemetry and detections in parallel to multiple destinations using syslog or Kafka. This allows different integration scenarios with security information and event management (SIEM) systems.

To effectively monitor and respond to current threats, BI.ZONE EDR is constantly expanding the volume of collected telemetry. In the BI.ZONE EDR agent for Windows, it became possible to track attempts to read critical values from the registry.

Teymur Heirhabarov, Director of Cyber Threat Monitoring, Response and Research, BI.ZONE, commented on this change.

Other telemetry changes in the Windows agent concern the addition of new inventory data sources and, for a number of existing sources, new settings that improve the accuracy of attack detection. In particular, the ability to inventory domain accounts and detect users with weak passwords was added. This increases the resilience of the domain infrastructure to brute-force attacks, that is, attacks implemented by guessing passwords.

In addition to expanding telemetry, the agent is also developing capabilities to control the flow of collected telemetry more effectively. In the updated version of the BI.ZONE EDR agent for Windows, it became possible to flexibly configure aggregation and throttling of events. This reduces the load on the endpoint, the network, and the EDR telemetry store by filtering out recurring events. In addition, it became possible to create aggregation events based on data accumulated from repeated events.

The BI.ZONE EDR agent for Linux added the ability to collect file deletion, file rename, and file permission change events in containers, based on the eBPF provider. This improves the ability to detect threats in container environments.

In addition, based on the results of the UX study, the user interface of the solution was improved.

BI.ZONE previously introduced a boxed version of BI.ZONE EDR. It is intended for companies that prefer not to work with the service provider, but to solve monitoring and response tasks independently using advanced tools. Prior to this, the solution was available exclusively as part of the BI.ZONE TDR cybersecurity monitoring service.

Security Recommendations Module

The updated version of BI.ZONE EDR has added a Security Recommendations module. It is available on all operating systems and allows you to evaluate the OS and software configuration on endpoints, as well as identify their vulnerabilities and accounts with weak passwords. Representatives of BI.ZONE reported this on August 13, 2024. Among the key changes, data collection and autonomous response capabilities in the BI.ZONE EDR agent for Windows were also expanded, and autonomous detection of attack indicators became available on macOS.

The BI.ZONE EDR agent for macOS has expanded the ability to detect indicators of attack (IoA) autonomously. Unlike indicators of compromise (IoC), which indicate that the system is already compromised, IoA focus on detecting signs of an active attack before it causes damage. Correlation rules for IoA search in BI.ZONE EDR for macOS include analyzing attempts to exploit vulnerabilities, identifying unusual network requests, recording suspicious changes in the system, and so on.

The next major change was the addition of the Security Recommendations module. The module is available in BI.ZONE EDR versions for all operating systems and allows you to evaluate the security configuration on endpoints and identify their weaknesses, which the user can then eliminate to reduce the attack surface.

Evaluating the security configuration involves checking whether the systems comply with predefined configuration rules. In addition, the Security Recommendations module also identifies accounts with weak passwords.

"According to our data, the share of endpoints in any IT infrastructure is up to 85%, and they are most often the targets of attackers. Identifying weaknesses on endpoints and further eliminating them helps reduce the attack surface and thereby reduces the risk of cybersecurity incidents," said Teymur Heirhabarov, Director of Cyber Threat Monitoring, Response and Research, BI.ZONE.

In the updated BI.ZONE EDR agent for Windows, it became possible to receive the output of an arbitrary command in the form of telemetry events. The user of the product can set up a schedule for launching the required command or commands and parsing parameters for their output. As a result, EDR sends the command output as telemetry events that can be used in IoA rules. This makes it possible to implement threat detection scenarios when the rule logic lacks a native EDR telemetry event, but the operating system has the required tools to obtain the data. Similar features were previously implemented in the agents for Linux and macOS, the developers explained.

In addition to collecting telemetry, the Windows agent has expanded its autonomous response capabilities. Now, as part of an autonomous response, when an IoA rule is triggered, you can run any command or process (for example, your own script), which allows you to implement a large number of automatic response scenarios.

In addition, the updated version of BI.ZONE EDR for macOS added a number of new telemetry events: modification of extended file system attributes and changes to the owner or group of a file object. The Windows agent gained the ability to read data from arbitrary Windows Event Log channels. Work is also ongoing on the management server user interface, as a result of which the time spent on routine troubleshooting operations was reduced by 30%.

Compatibility with Red OS 8

BI.ZONE EDR and BI.ZONE Compliance Platform are compatible with Red OS 8. Red Soft announced this on August 2, 2024.

Version 1.32 compatible with Astra Linux Special Edition 1.7.0 and 1.7.5

Strategic partners BI.ZONE and Astra Group have confirmed the compatibility of the BI.ZONE EDR endpoint protection solution (version 1.32) with the Astra Linux Special Edition 1.7.0 and 1.7.5 operating system. The tests performed demonstrated that the solutions work correctly together and can be used without restrictions. Upon completion of testing, the BI.ZONE EDR solution was certified under the Ready for Astra technology partnership program. Astra Group announced this on June 13, 2024.

"In any IT infrastructure, the proportion of endpoints, that is, servers and workstations, is up to 85%. It is they who most often become the targets of attackers. The BI.ZONE EDR solution allows you to detect complex threats on workstations and servers, as well as respond quickly to incidents automatically and manually. By using BI.ZONE EDR in conjunction with the Astra Linux OS, it is possible to provide effective endpoint protection in accordance with current cybersecurity standards and at the same time independence from foreign solutions,"
said Teymur Heirhabarov, Director of Cyber Threat Monitoring, Response and Research, BI.ZONE.

The BI.ZONE EDR functionality for Linux includes, among other things, advanced autonomous threat detection capabilities, increased visibility inside containers, and improved autonomous detection of attack indicators. It is also possible to limit the resources consumed by BI.ZONE EDR for Linux to better ensure the stable operation of critical applications in high-load and sensitive infrastructures.

"EDR solutions are incredibly critical for any organization, as they analyze any activity on endpoints and find anomalies, which allows you to identify the actions of attackers and quickly respond to incidents. Now this important protection tool works on the Astra Linux OS, increasing the effectiveness of preventive protection against any actions of attackers. I sincerely hope that a large number of our favorite customers will appreciate our joint solution,"
noted Kirill Sinkov, Director of the Department for Work with Technological Partners of Astra Group.

Boxed version of BI.Zone EDR endpoint security solution

On May 20, 2024, BI.ZONE introduced a boxed version of the BI.ZONE EDR endpoint protection solution.

According to the company, the boxed version of BI.ZONE EDR includes all the functions that have proven effective in the SOC/MDR service BI.ZONE TDR. The agents for Windows, Linux and macOS have also been updated: the Linux agent has expanded autonomous threat detection and optimized visibility inside containers.

The Windows agent now monitors actions with named pipes and events from WSL subsystem processes to detect attacks that use a combination of Windows and Linux tools. And the agent for macOS has acquired functions for monitoring and inventory of autorun points, as well as YARA scanning.

"Previously, BI.ZONE EDR capabilities were available as part of the BI.ZONE TDR cybersecurity monitoring service. The boxed version of the solution is intended for companies that prefer not to work with the service provider, but to independently solve monitoring and response tasks using modern tools. The key goal of BI.ZONE EDR is to effectively protect endpoints, that is, servers and workstations. In any IT infrastructure, the share of such devices is up to 85%, and it is they who overwhelmingly become the targets of attackers,"
said Teymur Heirhabarov, Director of Cyber Threat Monitoring, Response and Research, BI.ZONE.

Key changes affected the BI.ZONE EDR agent for Linux, which optimizes the ability to detect events inside containers. This applies primarily to creating and changing files, as well as starting processes. The updated version of the solution actively uses eBPF (extended Berkeley Packet Filter) technology, which allows deeper integration with container environments such as Docker or Kubernetes and improves visibility of activity inside containers. Thus, BI.ZONE EDR allows analysts to immediately see not only the host, but also the specific container in which the suspicious event occurred, thereby reducing the response time. In addition, to better ensure the stable operation of critical applications in high-load and sensitive infrastructures, it became possible to limit the resources consumed by BI.ZONE EDR for Linux.

Also in BI.ZONE EDR for Linux, autonomous detection of indicators of attack (IoA) was optimized. Unlike indicators of compromise (IoC), which indicate that the system is already compromised, IoA focus on detecting signs of an active attack before it causes damage: attempts to exploit vulnerabilities, unusual network requests, suspicious changes in the system, and so on.

Event monitoring capabilities in the Windows version of BI.ZONE EDR have also been expanded with support for monitoring actions with named pipes and events from processes of the WSL subsystem (Windows Subsystem for Linux). Named pipes allow processes to communicate over a specially named resource in the file system. Attackers often use them to inject malware, control an infected system, and bypass security mechanisms. Named pipe monitoring can detect suspicious or unauthorized interactions between processes, which can indicate malicious activity. In turn, WSL support allows you to identify threats that use a combination of Windows and Linux tools to perform the attacker's tasks. Attackers resort to such tactics in order to bypass protection tools more effectively.

In addition, the Windows version of BI.ZONE EDR has additional automatic response features, including suspending a process or thread and ending an active user session. These changes allow you to respond quickly to threats and minimize potential damage.

The agent for macOS implemented functions for monitoring and inventory of autorun points specific to this operating system, such as Launch Agents, Launch Daemons and Login Items. Malware often uses these locations for persistence in the system, and monitoring them allows you to detect such attempts in a timely manner. The ability to scan files and processes with YARA has also been added, which provides additional opportunities for detecting malware based on signatures. Previously, the functionality of BI.ZONE EDR was expanded by adding the Deception module, which allows you to create fake bait objects that are indistinguishable from real objects of the company's infrastructure. Thanks to this, even an advanced attacker capable of bypassing detection mechanisms can be found at the reconnaissance stage.

2023

Deception Module Release for BI.Zone EDR

On September 12, 2023, BI.ZONE announced the release of the Deception module for BI.ZONE EDR (Endpoint Detection and Response, formerly BI.ZONE Sensors). The Deception module allows, already at the reconnaissance stage, the detection of even an advanced attacker who can bypass detection mechanisms. Key EDR features are now available not only on Linux and Windows, but also on macOS.

Deception allows you to create fake bait objects that are indistinguishable from real objects of the customer's infrastructure, both on endpoints and in the Active Directory domain. The bait attracts the attacker's attention, as it is potentially useful information for developing the attack. The cybercriminal interacts with it at the stage of reconnaissance and lateral development of the attack inside the compromised infrastructure and falls into a trap. The trap can be any workstation or server in the corporate network with the BI.ZONE EDR agent installed.

BI.ZONE EDR records both attempts to access the bait and attempts to use bait accounts to access corporate network resources or authenticate in an Active Directory domain. This provides high-precision attack alerts. Incident data appears in the product interface and can also be forwarded to external IRP/SOAR/SIEM systems for further response. Thus, Deception detects attacks that cannot be detected in any other way, or ensures their early detection, before lateral movement begins.

The Deception module adapts the decoys to the peculiarities of the customer's infrastructure so that the attacker does not suspect that a fake object is in front of him. In particular, the bait uses the company's account naming format, and activity is emulated on behalf of the fake accounts.

"BI.ZONE EDR is a product on the Russian market in which EDR and Deception are presented on a single technological platform. The customer does not need to install two different solutions, which saves time and resources for the purchase, implementation and maintenance of the product. Any host with an installed agent becomes a trap automatically, without requiring the deployment of individual servers for this task, and EDR receives an additional threat detection technology,"
noted Teymur Heirhabarov, Director of the Department of Monitoring, Response and Research of Cyber Threats.

Domain traps include fake accounts in Active Directory placed in a privileged group, with Kerberos pre-authentication disabled, or with reversible encryption enabled, as well as fake service accounts in Active Directory with the service principal name (SPN) attribute set.

Local traps include fake credentials stored in a browser or in the standard OS credential manager, fake credentials placed in RAM, OS configuration files and utilities created with fake credentials, and Windows registry keys created with fake credentials.

Another major update, support for EDR on macOS, expands monitoring, detection and response features on Apple devices. The agent collects a wide range of telemetry from devices running macOS, as well as inventorying historical data and the configuration of the device and OS on a schedule. Combining monitoring of current activity with an inventory of historical data and device configuration makes it possible to identify not only active attacks, but also past compromises, configuration flaws and vulnerabilities that an attacker could exploit to develop an attack. At the same time, BI.ZONE EDR provides an effective response on macOS. The capabilities of the macOS agent and the Deception module are available to SOC/MDR clients of the BI.ZONE TDR service.
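The detection logic the Deception description relies on, as an added example that is not BI.ZONE's code: because no legitimate user or process ever presents a decoy credential, any authentication event naming one is a high-confidence alert, whether or not the attempt succeeded. The decoy names, trap descriptions, and the JSON event fields are all constructed for this example and do not reflect BI.ZONE EDR's actual export format; the sample events are constructed too.

```python
import json

# Constructed decoy inventory (hypothetical names). The trap types mirror the
# domain and local traps the page lists for the Deception module.
DECOYS = {
    "adm-decoy": "domain account placed in a privileged group",
    "nopreauth-decoy": "domain account with Kerberos pre-authentication disabled",
    "revenc-decoy": "domain account with reversible encryption enabled",
    "svc-sql-decoy": "domain service account with an SPN set",
    "backup-local-decoy": "fake credentials stored in the local credential manager",
}

# Constructed sample telemetry, one JSON object per line. Field names are an
# assumption for this example, not a real EDR schema.
SAMPLE_EVENTS = """\
{"ts": "2023-09-12T09:00:01Z", "host": "ws-042", "type": "logon", "user": "j.smith", "src": "10.0.5.7", "ok": true}
{"ts": "2023-09-12T09:00:09Z", "host": "dc-01", "type": "kerberos_tgs", "user": "svc-sql-decoy", "src": "10.0.5.7", "ok": true}
{"ts": "2023-09-12T09:00:11Z", "host": "dc-01", "type": "kerberos_as", "user": "NOPREAUTH-DECOY", "src": "10.0.5.7", "ok": false}
{"ts": "2023-09-12T09:01:30Z", "host": "fs-01", "type": "smb_session", "user": "backup-local-decoy", "src": "10.0.5.7", "ok": false}
{"ts": "2023-09-12T09:02:00Z", "host": "ws-042", "type": "logon", "user": "a.ivanova", "src": "10.0.5.9", "ok": true}
"""

def detect_decoy_use(lines, decoys=DECOYS):
    """Return one alert per event whose account is a known decoy."""
    alerts = []
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        # AD account names are case-insensitive, so normalise before lookup.
        trap = decoys.get(ev.get("user", "").lower())
        if trap is None:
            continue
        alerts.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "src": ev["src"],
            "user": ev["user"].lower(),
            "trap": trap,
            "event": ev["type"],
            # Success or failure does not matter: presenting the decoy at all
            # means it was harvested from a bait location.
            "outcome": "success" if ev.get("ok") else "failure",
        })
    return alerts

def sources_touching_decoys(alerts):
    """Group decoy hits by source address to surface the host doing reconnaissance."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src"], []).append(a["user"])
    return by_src

if __name__ == "__main__":
    hits = detect_decoy_use(SAMPLE_EVENTS)
    for a in hits:
        print(a)
    print(sources_touching_decoys(hits))
```

In the sample, three distinct decoys are touched from one source address within two minutes, which is the reconnaissance pattern the module is meant to surface before lateral movement.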

Implementation in Angara SOC

Angara Security has implemented an EDR-class solution from BI.ZONE in its SOC; the company announced this on June 5, 2023.

BI.ZONE Sensors will help Angara Security strengthen its expertise in protecting endpoints from complex threats, increase detection capabilities, speed up decision-making when analyzing suspected incidents, and ultimately provide customers with a better service for monitoring and responding to cyber incidents.