Introduction
As part of a holistic cyber security solution, the Field Effect Endpoint Agent integrates natively with our network appliances to protect organizations from end to end.
The endpoint agent, when installed across an organization’s endpoint devices, keeps businesses safe by:
- Preventing ransomware, advanced persistent threats, and malware in real-time.
- Determining what is normal behavior for individual endpoints and adapting accordingly. Unlike universal policies that are easily exploited, this versatile approach offers more accurate threat detection and better security.
- Automatically updating to the latest agent and security policies - no action needed.
Table of contents
- Supported Operating Systems
- Active Response and the Endpoint Agent
- Detection & Analysis
- Endpoint Analytic Categories
- Endpoint Risks
- Threat Detection
- Endpoint Analytic Techniques
Supported Operating Systems
You can see which operating systems are supported in the guide:
Active Response and the Endpoint Agent
After the endpoint detects potentially malicious activity, it will respond according to the organization’s Active Response profile, confidence in analytics, and the threat’s severity. Depending on these factors, the endpoint agent can block and terminate the activity, only block the activity, or notify the organization of the potential threat via ARO and provide mitigation steps.
Detection & Analysis
The endpoint agent has a user-mode and a kernel-mode component, providing a global view of the operating system. Using real-world data, our team of intelligence experts builds and updates analytics that identify threats as they happen. We combine heuristics, anomaly detection, and known signatures to define normal (and therefore abnormal) operating system behavior.
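As an added illustration (not Field Effect's code) of how signature, heuristic and per-endpoint baseline checks can be layered over process-execution telemetry and then mapped to a response tier, the following toy detector uses constructed sample events; the signature, heuristics and the response mapping are assumptions for the example, not the product's actual rules.

```python
from collections import defaultdict

# Constructed telemetry: (endpoint, parent process, child process, command line).
# host-b is an admin workstation where explorer.exe launching PowerShell is routine.
BASELINE = [
    ("host-a", "explorer.exe", "winword.exe", "winword.exe report.docx"),
    ("host-a", "explorer.exe", "chrome.exe", "chrome.exe"),
    ("host-b", "explorer.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
]

# Assumed known-bad signature: clearing an event log (audit-log tampering).
SIGNATURES = [("audit_log_cleared", lambda cmd: cmd.lower().startswith("wevtutil cl"))]

def learn_baseline(events):
    """Per-endpoint set of (parent, child) pairs seen during normal operation."""
    seen = defaultdict(set)
    for host, parent, child, _ in events:
        seen[host].add((parent, child))
    return seen

def heuristic_score(parent, child, cmd):
    """Assumed heuristics: office app spawning a shell, encoded PowerShell."""
    score = 0
    if parent in {"winword.exe", "excel.exe"} and child in {"powershell.exe", "cmd.exe"}:
        score += 2
    if child == "powershell.exe" and "-enc" in cmd.lower().split():
        score += 1
    return score

def classify(baseline, event):
    """Return the findings for one event: signature hits, heuristic score, anomaly."""
    host, parent, child, cmd = event
    findings = []
    for name, match in SIGNATURES:
        if match(cmd):
            findings.append(("signature", name))
    score = heuristic_score(parent, child, cmd)
    if score:
        findings.append(("heuristic", score))
    # The same launch can be normal on one endpoint and anomalous on another.
    if (parent, child) not in baseline[host]:
        findings.append(("anomaly", "new parent/child pair for this endpoint"))
    return findings

def respond(findings):
    """Assumed response tiers keyed on confidence: signature > heuristic > anomaly."""
    kinds = {kind for kind, _ in findings}
    if "signature" in kinds:
        return "block_and_terminate"
    if "heuristic" in kinds:
        return "block"
    return "notify" if "anomaly" in kinds else "allow"
```

Running the same explorer.exe to powershell.exe launch against host-a and host-b shows the per-endpoint baseline flagging it only where it is not routine.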
Here are examples of suspicious activities mapped to the MITRE ATT&CK framework that Field Effect detects and blocks:
| Tactic | Intention | Events detected and blocked by Field Effect |
| --- | --- | --- |
| Exploitation | Gain initial code execution on a system. | |
| Privilege Escalation | Gain administrative or high-level privileges to access a system's restricted functions and directories. | |
| Lateral Movement | Spread to other systems in the victim's network after initial compromise. | |
| System Tampering | Inhibit system features to avoid discovery or allow activity that standard security policies would block. | |
| Persistence | Install persistent malware that is hard to stop or remove. | |
Endpoint Analytic Categories
The telemetry data collected on a network appliance is analyzed to report on threat surface risks and respond to threat detections. The following section enumerates some of the relevant threat surface and threat detection categories that are associated with endpoint telemetry.
Endpoint Risks
- Exposed Services - Systems that are hosting a service or application that is internet accessible.
- Exposed Devices - Devices that may have a publicly routable IP address.
- System Applications - Operating system and third-party software running on endpoints that have known severe vulnerabilities.
- Potentially Unwanted Applications - Third-party applications and tools that can introduce security risks to an endpoint.
Threat Detection
- Suspicious Processes - program executions that share characteristics with known threat behavior.
- Data Loss - abnormal patterns of data transfers (endpoint, network and cloud-based), unauthorized use of removable media.
- Alterations to Security Logging and Anti-Virus/Security Solution state changes - configuration changes that could be indicative of a threat actor attempting to hide activity.
- Account Compromise - anomalous patterns of authentication, unexpected logins, account abuse.
- Lateral Movement - anomalous remote access tools and file sharing.
- Privilege Escalation - activity corresponding to a threat actor attempting to increase access to the environment.
- Credential Access - attempts to access account names and credentials.
- Collection - anomalous use of tools leveraged by threat actors for data exfiltration.
- Persistence - malicious modules, auto-runs, registry access and suspicious creation of scheduled tasks.
- Defense Evasion - tampering with audit logs, suspicious authentication events, disabling of security products.
Endpoint Analytic Techniques
The telemetry data for all endpoints is collected for analysis on an organization's appliance. In addition to the analytics that run automatically on the appliance, Field Effect's security team runs federated queries to compare data across a broad range of organizations to spot patterns and anomalies.
This threat hunting combines powerful automated analysis with the experience of a team of some of the best security professionals in the business. Findings are continuously fed back into the system to adapt and refine future detections. The endpoint analytics are based on collecting all the fundamental telemetry points from an endpoint, including process execution, user sessions, installed software, module and driver loading, network activity, removable media activity, system event logs and more.
A security event or concern can also initiate the collection of suspicious files which can then be evaluated through an automated content analysis pipeline.