CounterTack Sentinel Use Cases

Continuous Response to APTs, Malicious Insiders and Vulnerable Endpoints

Customers across numerous industries leverage CounterTack Sentinel’s tamper-resistant data collection, advanced threat detection and automated analysis capabilities for a range of purposes.

Incident Response. Most organizations lack the ability to respond quickly to an attack with enough context about what the attack is, what its overall impact could be if it succeeds, and a means to automatically apply an effective countermeasure. CounterTack Sentinel equips incident responders with an entirely new level of response capability to ensure a rapid, accurate response before a threat fully impacts the organization.

Cyber Intelligence and Response Teams receive alerts from multiple sources that are often unmanageable in both volume and severity. Without a clearly defined hierarchy of what constitutes a security incident and how that incident should be prioritized, organizations often unknowingly let attacks infiltrate and play out on production endpoints.

CounterTack Sentinel can take third-party alerts and find the “callback” endpoints, helping to identify which workstations and servers are infected. Next, using the initial intelligence Sentinel gathers during the Detect phase, it can automatically isolate the threat on the host, giving responders the visibility they need to mitigate and counter threats precisely and continuously.

Through Sentinel’s RESTful API, Sentinel operators can integrate other detection and alerting sources to build a repeatable response model. Sentinel also helps teams uncover attack artifacts through visibility into the behaviors, events, processes and objects that correlate with a detection and with the real-time analysis of that attack.

Insider Threat. Malicious insiders account for over 80% of targeted attacks across the enterprise. CounterTack Sentinel monitors insiders based on behavior, not on binaries or snapshots alone. Sentinel automatically detects privilege abuse and malicious file activity through stealth introspection of the OS.

If malicious insiders are truly malicious and have not yet been exposed, they have likely already exfiltrated data, launched viruses and compromised existing infrastructure without leaving a trace.

Careless users also contribute to a large share of data breaches and system exploits. Device misuse, although common, becomes a problem when employers do not monitor the activity that leaves the door open to prowling attackers or to generic malware infections.

Sentinel equips security teams with the capability to monitor malicious insiders so that they understand, first and foremost, what information and which systems are at risk. Second, because the tamper-resistant sensor is transparent to endpoints and users, operators get a clear, undetected view of insider behavior:

  • Where they are moving laterally
  • Whether they are infecting systems
  • Whether they are exfiltrating data to external servers or locations
  • How they have historically covered their tracks
  • What they are doing right now, in real time, and what the impact is

With most organizations in a perpetual state of compromise, countering insiders with Sentinel comes down to rapid detection and comprehensive analysis rather than prevention. Sentinel continuously detects the behaviors that lead to insider breaches so that CIRT teams and SOC operators can apply a model built on intelligent, continuous response.

High-risk Endpoints. Organizations lack protection and controls on mobile endpoints, mainly laptops and mobile devices. As a result, it is difficult for security teams to defend effectively against unknown threats, particularly when they have no visibility into endpoints outside the corporate firewall. For example, when executives travel with laptops and connect to unknown or untrusted networks, the likelihood of malware infiltration or data theft rises substantially, and so does overall organizational risk.

CounterTack Sentinel lets teams apply its detection and collection capabilities to quickly visualize threats on endpoints outside the corporate network, where entering ‘hostile territory’ can leave laptops vulnerable to attack and malware.

Internal security controls for endpoints are not effective at detecting and countering attacks that occur outside the purview of IT or security departments. Sentinel’s value lies in its ability to help teams detect threats quickly and to work alongside other data sources for a comprehensive response. Regardless of where a laptop is physically located, Sentinel can monitor its behavior, at scale, and provide analysis that goes beyond attribution and IP addresses.

Sentinel is built around the capability to quickly detect unknown or previously unseen threats, to help teams determine the best remediation method, and to manage the response all the way through the attack lifecycle so that the threat’s impact is mitigated.