
BI.Zone EDR (Endpoint Detection and Response), formerly BI.Zone Sensors

Product
Developers: BI.Zone (Safe Information Zone, Bison)
Last Release Date: 2024/05/20
Technology: Distributed Deception Platform (DDP), Security Information and Event Management (SIEM)


Main article: Security Information and Event Management (SIEM)

2024

Compatible version 1.32 with Astra Linux Special Edition 1.7.0 and 1.7.5

Strategic partners BI.ZONE and Astra Group have confirmed the compatibility of the BI.ZONE EDR endpoint protection solution (version 1.32) with the Astra Linux Special Edition 1.7.0 and 1.7.5 operating system. The tests performed demonstrated that the solutions work correctly together and can be used without restrictions. Upon completion of testing, the BI.ZONE EDR solution was certified under the Ready for Astra technology partnership program. Astra Group announced this on June 13, 2024.

Teymur Heirhabarov, Director of Cyber Threat Monitoring, Response and Research, BI.ZONE, commented on the certification.

The BI.ZONE EDR functionality for Linux includes, among other things, advanced autonomous threat detection capabilities, increased visibility inside containers, and improved autonomous detection of attack indicators. It is also possible to limit the resources consumed by BI.ZONE EDR for Linux to better ensure the stable operation of critical applications in high-load and sensitive infrastructures.

EDR solutions are incredibly critical for any organization, as they analyze any activity on endpoints and find anomalies, which allows you to identify the actions of attackers and quickly respond to incidents. Now this important protection tool works on the Astra Linux OS, increasing the effectiveness of preventive protection against any actions of attackers. I sincerely hope that a large number of our favorite customers will appreciate our joint solution,

noted Kirill Sinkov, Director of the Department for Work with Technological Partners of Astra Group.

Boxed version of BI.Zone EDR endpoint security solution

On May 20, 2024, BI.ZONE introduced a boxed version of the BI.ZONE EDR endpoint protection solution.


According to the company, the boxed version of BI.ZONE EDR includes all the functions that have proved effective within the BI.ZONE TDR SOC/MDR service. The agents for Linux, Windows and macOS have also been updated: the Linux agent has expanded autonomous threat detection capabilities and improved visibility inside containers.

The Windows agent now monitors actions with named pipes and events from WSL subsystem processes to detect attacks that use a combination of Windows and Linux tools. The agent for macOS has gained functions for monitoring and inventorying autorun points, as well as YARA scanning.

Previously, BI.ZONE EDR capabilities were available as part of the BI.ZONE TDR cybersecurity monitoring service. The boxed version of the solution is intended for companies that prefer not to work with a service provider, but to independently solve monitoring and response tasks using modern tools. The key goal of BI.ZONE EDR is to effectively protect endpoints, that is, servers and workstations. In any IT infrastructure, the share of such devices is up to 85%, and it is they who overwhelmingly become the targets of attackers.

said Teymur Heirhabarov, Director of Cyber Threat Monitoring, Response and Research, BI.ZONE

Key changes affected the BI.ZONE EDR agent for Linux, which improves the ability to detect events inside containers. This applies primarily to creating and changing files, as well as starting processes. The updated version of the solution actively uses eBPF (extended Berkeley Packet Filter) technology, which allows deeper integration with container environments such as Docker or Kubernetes and improves visibility into activity inside containers. Thus, BI.ZONE EDR allows analysts to immediately see not only the host, but also the specific container in which the suspicious event occurred, thereby reducing the response time. In addition, to better ensure the stable operation of critical applications in high-load and sensitive infrastructures, it became possible to limit the resources consumed by BI.ZONE EDR for Linux.
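The paragraph above says an analyst should see not just the host but the specific container an event came from. The following is an added example, not BI.ZONE code and not a description of how its eBPF probe works: it shows one common way host-level telemetry gets that context, by resolving the cgroup path of the process that triggered the event (what an eBPF probe or a read of /proc/<pid>/cgroup provides) into a container ID and runtime hint. The cgroup samples, container IDs and event fields are constructed for the demo.

```python
import re
from typing import Dict, Iterator, Optional

# Docker, containerd and CRI-O put the 64-hex container ID in the cgroup path.
CONTAINER_ID_RE = re.compile(r"([0-9a-f]{64})")

# Constructed /proc/<pid>/cgroup contents for the demo; not captured from a real host.
CID_A = "0123456789abcdef" * 4
CID_B = "fedcba9876543210" * 4
SAMPLE_CGROUPS = {
    "docker-v1": f"12:memory:/docker/{CID_A}\n1:name=systemd:/docker/{CID_A}\n",
    "docker-v2": f"0::/system.slice/docker-{CID_B}.scope\n",
    "k8s-containerd": (
        "0::/kubepods.slice/kubepods-burstable.slice/"
        f"kubepods-burstable-pod0a1b2c3d_4e5f_6789_abcd_ef0123456789.slice/"
        f"cri-containerd-{CID_A}.scope\n"
    ),
    "host-process": "0::/user.slice/user-1000.slice/session-3.scope\n",
}


def cgroup_paths(cgroup_text: str) -> Iterator[str]:
    """Yield the path field of every well-formed line (hierarchy:controllers:path)."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3:
            yield parts[2]


def container_id(cgroup_text: str) -> Optional[str]:
    """Return the full container ID if any cgroup path carries one, else None."""
    for path in cgroup_paths(cgroup_text):
        match = CONTAINER_ID_RE.search(path)
        if match:
            return match.group(1)
    return None


def runtime_hint(cgroup_text: str) -> str:
    """Coarse classification of where the process lives, from the cgroup path layout."""
    joined = " ".join(cgroup_paths(cgroup_text))
    if "kubepods" in joined:
        return "kubernetes"
    if "docker" in joined:
        return "docker"
    if "cri-containerd" in joined:
        return "containerd"
    if "crio-" in joined:
        return "cri-o"
    return "host"


def enrich_event(event: Dict[str, object], cgroup_text: str) -> Dict[str, object]:
    """Attach container context to a host-level process or file event (constructed schema)."""
    cid = container_id(cgroup_text)
    enriched = dict(event)
    enriched["runtime"] = runtime_hint(cgroup_text)
    enriched["container_id"] = cid
    enriched["container_short_id"] = cid[:12] if cid else None
    enriched["in_container"] = cid is not None
    return enriched


if __name__ == "__main__":
    event = {"host": "node-01", "pid": 4242, "event": "process_exec", "exe": "/bin/sh"}
    for name, text in SAMPLE_CGROUPS.items():
        print(name, enrich_event(event, text))
```

On a live Linux host the same functions work on the text of `/proc/<pid>/cgroup`; the short 12-character ID is what `docker ps` shows, which is what an analyst needs to pivot from the alert to the workload.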

BI.ZONE EDR for Linux has also improved autonomous detection of indicators of attack (IoA). Unlike indicators of compromise (IoC), which indicate that the system is already compromised, IoA focus on detecting signs of an active attack before it causes damage: attempts to exploit vulnerabilities, unusual network requests, suspicious changes in the system, etc.

Event monitoring capabilities in the Windows version of BI.ZONE EDR have also been expanded with support for monitoring actions with named pipes and events from processes of the WSL subsystem (Windows Subsystem for Linux). Named pipes allow processes to communicate over a specially named resource in the file system. Attackers often use them to inject malware, control an infected system, and bypass security mechanisms, so named pipe monitoring can detect suspicious or unauthorized interactions between processes that indicate malicious activity. In turn, WSL support makes it possible to identify threats that use a combination of Windows and Linux tools, a tactic attackers resort to in order to evade security controls more effectively.

In addition, the Windows version of BI.ZONE EDR has gained additional automatic response features, including suspending a process or thread and ending an active user session. These changes make it possible to respond to threats quickly and minimize potential damage.

The agent for macOS implements monitoring and inventory of autorun points specific to this operating system, such as Launch Agents, Launch Daemons and Login Items. Malware often uses these locations to persist in the system, and monitoring them allows such attempts to be detected in a timely manner. The ability to scan files and processes with YARA has also been added, which provides additional opportunities for signature-based malware detection. Earlier, the functionality of BI.ZONE EDR was expanded by adding the Deception module, which allows you to create decoy objects that are indistinguishable from real objects in the company's infrastructure. Thanks to this, even an advanced attacker capable of bypassing detection mechanisms can be found at the reconnaissance stage.
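The paragraph above describes inventorying macOS autorun points and watching them for new persistence entries. As an added illustration (not BI.ZONE code and not its agent's logic), the script below parses launchd property lists from the Launch Agents and Launch Daemons directories with the standard `plistlib`, records what each entry would run, and diffs a current inventory against a baseline so that a newly planted entry stands out. Login Items are stored differently and are not covered. The plist files in `run_demo` are constructed in a temporary directory; the labels, program paths and directory names there are assumptions for the demo.

```python
import json
import os
import plistlib
import tempfile
from typing import Dict, List

# Standard launchd locations on macOS; user agents live under the home directory.
LAUNCH_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    "/System/Library/LaunchAgents",
    "/System/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]

Record = Dict[str, object]


def parse_launch_plist(path: str) -> Record:
    """Extract the fields an analyst cares about: what runs, and whether it starts by itself."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)
    # launchd accepts either Program or ProgramArguments (argv[0] is the binary).
    program = data.get("Program") or (data.get("ProgramArguments") or [None])[0]
    return {
        "path": path,
        "label": data.get("Label"),
        "program": program,
        "run_at_load": bool(data.get("RunAtLoad", False)),
        "keep_alive": bool(data.get("KeepAlive", False)),
    }


def inventory(dirs: List[str]) -> Dict[str, Record]:
    """Snapshot every .plist under the given directories, keyed by file path."""
    items: Dict[str, Record] = {}
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(directory, name)
            try:
                items[path] = parse_launch_plist(path)
            except Exception as exc:  # a malformed plist is itself worth surfacing
                items[path] = {"path": path, "label": None, "program": None,
                               "run_at_load": False, "keep_alive": False, "error": str(exc)}
    return items


def diff_inventory(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[Record]]:
    """Report entries that appeared, disappeared, or changed since the baseline."""
    added = [current[p] for p in current if p not in baseline]
    removed = [baseline[p] for p in baseline if p not in current]
    changed = [current[p] for p in current if p in baseline and current[p] != baseline[p]]
    return {"added": added, "removed": removed, "changed": changed}


def write_plist(path: str, payload: Dict[str, object]) -> None:
    with open(path, "wb") as fh:
        plistlib.dump(payload, fh)


def run_demo() -> Dict[str, object]:
    """Constructed scenario: baseline one agent, then a second entry appears and is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = os.path.join(tmp, "Library", "LaunchAgents")
        os.makedirs(agents)
        write_plist(os.path.join(agents, "com.example.sync.plist"),
                    {"Label": "com.example.sync",
                     "ProgramArguments": ["/usr/local/bin/sync", "--daemon"],
                     "RunAtLoad": True})
        baseline = inventory([agents])
        # Constructed new entry pointing at a binary in a temp location.
        write_plist(os.path.join(agents, "com.example.updater.plist"),
                    {"Label": "com.example.updater", "Program": "/tmp/.updater",
                     "RunAtLoad": True, "KeepAlive": True})
        current = inventory([agents])
        delta = diff_inventory(baseline, current)
        return {
            "baseline_count": len(baseline),
            "current_count": len(current),
            "new_labels": [r["label"] for r in delta["added"]],
            "new_programs": [r["program"] for r in delta["added"]],
            "removed_count": len(delta["removed"]),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    # On a real Mac: inventory(LAUNCH_DIRS) gives the live snapshot to baseline.
```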

2023

Deception Module Release for BI.Zone EDR

On September 12, 2023, BI.ZONE announced the release of the Deception module for BI.ZONE EDR (Endpoint Detection and Response, formerly BI.ZONE Sensors). The Deception module makes it possible to detect, already at the reconnaissance stage, even an advanced attacker who can bypass detection mechanisms. Key EDR features are now available not only on Linux and Windows, but also on macOS.

Deception allows you to create decoy objects that are indistinguishable from real objects in the customer's infrastructure, both on endpoints and in the Active Directory domain. The decoy attracts the attacker's attention because it looks like information that is potentially useful for developing the attack. The attacker interacts with it during reconnaissance and while developing the attack inside the compromised infrastructure, and falls into a trap. The trap can be any workstation or server on the corporate network with the BI.ZONE EDR agent installed.

BI.ZONE EDR records both attempts to access decoys and attempts to use decoy accounts to access corporate network resources or to authenticate in an Active Directory domain. This provides high-precision attack alerts. Incident data appears in the product interface and can also be forwarded to external IRP/SOAR/SIEM systems for further response. Thus, Deception makes it possible to detect attacks that cannot be detected in any other way, or ensures their early detection, before lateral movement inside the network begins.

The Deception module adapts the decoys to the peculiarities of the customer's infrastructure so that the attacker does not suspect that a fake object is in front of him. In particular, the decoys follow the company's account naming format, and activity is emulated on behalf of the fake accounts.

BI.ZONE EDR is a product on the Russian market in which EDR and Deception are presented on a single technological platform. The customer does not need to install two different solutions; this saves time and resources for the purchase, implementation and maintenance of the product. Any host with an installed agent becomes a trap automatically, without requiring the deployment of individual servers for this task, and EDR receives additional threat detection technology.

noted Teymur Heirhabarov, Director of the Department of Monitoring, Response and Research of Cyber Threats.

Domain traps include fake accounts in Active Directory: placed in a privileged group, with Kerberos pre-authentication disabled or with reversible encryption enabled, as well as fake service accounts in Active Directory with the service principal name (SPN) attribute set.

Local traps include fake credentials stored in a browser or in the standard OS credential manager, fake credentials placed in RAM, OS configuration files and utilities created with fake credentials, and Windows registry keys created with fake credentials.

Another major update, support for EDR on macOS, expands monitoring, detection and response features on Apple devices. The agent collects a wide range of telemetry from devices running macOS and also inventories historical data and the configuration of the device and OS on a schedule. Combining monitoring of current activity with an inventory of historical data and device configuration makes it possible to identify not only active attacks, but also past compromises, configuration flaws and vulnerabilities that an attacker could exploit to develop an attack. At the same time, BI.ZONE EDR provides effective response on macOS. The capabilities of the macOS agent and the Deception module are available to SOC/MDR clients of the BI.ZONE TDR service.
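The Deception paragraphs above (recording any attempt to use a decoy account to authenticate in the domain or reach a resource, with activity emulated on behalf of the decoys so they look alive, and domain traps being AD accounts with particular attributes) make a simple point about why such alerts are high-precision: a decoy account has no legitimate user, so any authentication that is not the emulator itself is worth an alert. The following is an added example, not BI.ZONE code and not its alert logic: a rule that evaluates flattened Windows Security events (Kerberos 4768/4769/4771 and logon 4624/4625) against a registry of decoy names, suppressing the emulation source. The decoy names, emulator address, event records and field names are all constructed for the demo.

```python
from typing import Dict, List, Optional

Event = Dict[str, object]

# Constructed decoy account names; in practice these come from the deception
# module's own inventory of planted objects. Assumed names, not BI.ZONE identifiers.
DECOY_ACCOUNTS = {"svc_backup_legacy", "adm_dbarchive", "svc_sqlreport"}

# Constructed address of the component that emulates activity on behalf of decoys;
# its own events are planted, not hostile, and must not alert. Assumed value.
EMULATION_SOURCES = {"10.0.0.5"}

# What touching a decoy through each Windows Security event ID means to an analyst.
EVENT_MEANING = {
    4768: "Kerberos TGT requested for decoy account",
    4771: "Kerberos pre-authentication failed for decoy account",
    4769: "service ticket requested for decoy service account (SPN)",
    4624: "successful logon with decoy account",
    4625: "failed logon with decoy account",
}

# Constructed sample events in a flattened Security-log shape; not real log data.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4624, "TargetUserName": "j.smith", "IpAddress": "10.0.1.20", "Computer": "DC01"},
    {"EventID": 4768, "TargetUserName": "svc_backup_legacy", "IpAddress": "10.0.1.77", "Computer": "DC01"},
    {"EventID": 4769, "TargetUserName": "j.smith", "ServiceName": "svc_sqlreport",
     "IpAddress": "10.0.1.77", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "ADM_DBARCHIVE", "IpAddress": "10.0.0.5", "Computer": "FS02"},
    {"EventID": 4625, "TargetUserName": "adm_dbarchive", "IpAddress": "10.0.1.77", "Computer": "FS02"},
    {"EventID": 4769, "TargetUserName": "svc_web", "ServiceName": "krbtgt",
     "IpAddress": "10.0.1.30", "Computer": "DC01"},
]


def decoy_touched(event: Event) -> Optional[str]:
    """Return the decoy name an event touches, whether as the subject or as the requested service."""
    for field in ("TargetUserName", "ServiceName"):
        value = str(event.get(field) or "").lower()  # AD names are case-insensitive
        if value in DECOY_ACCOUNTS:
            return value
    return None


def evaluate(event: Event) -> Optional[Event]:
    """One rule: any non-emulated use of a decoy account is a high-severity alert."""
    decoy = decoy_touched(event)
    if decoy is None:
        return None
    if event.get("IpAddress") in EMULATION_SOURCES:
        return None  # planted activity that keeps the decoy looking alive
    event_id = int(event["EventID"])
    return {
        "severity": "high",
        "decoy": decoy,
        "event_id": event_id,
        "source_ip": event.get("IpAddress"),
        "host": event.get("Computer"),
        "summary": EVENT_MEANING.get(event_id, f"event {event_id} involving decoy account"),
    }


def run_rules(events: List[Event]) -> List[Event]:
    """Apply the rule to a batch of events and keep only the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


def sources_touching_decoys(alerts: List[Event]) -> Dict[str, int]:
    """Count alerts per source address: the first pivot an analyst makes on a decoy hit."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        key = str(alert["source_ip"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = run_rules(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(sources_touching_decoys(found))
```

Three of the six constructed events alert, all from the same source address; the emulator's logon with a decoy account is suppressed, and the ordinary users' events are ignored. In a SIEM the same rule would be expressed as a lookup of the target user and service fields against the decoy list, which is why the paragraph above can call these alerts high-precision.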

Implementation in Angara SOC

Angara Security has implemented an EDR-class solution from BI.Zone in its SOC, as announced on June 5, 2023.

BI.Zone Sensors will help Angara Security strengthen its expertise in protecting endpoints from complex threats, expand detection capabilities, speed up decision-making when analyzing suspected incidents, and ultimately provide customers with a better service for monitoring and responding to cyber incidents.