Defending an organization’s infrastructure and data from damage, unauthorized access, and misuse requires complex security strategies and technology. That includes securing applications and data in the cloud, which calls for a defense against multi-stage attacks coming from a variety of threat vectors. Threat Detection and Response (TDR) capabilities help organizations protect themselves across these layers, from the earliest stages of a cyber intrusion.
Security strategies that rely primarily on preventative endpoint protection, or limiting access to endpoint devices, are simply not implemented early enough to protect an organization from sophisticated attacks. Many intrusions occur at the host level, the application layer, or in interconnected security vulnerabilities where organizations may not be as focused.
Traditional security approaches have included layered visibility into attacks, such as network traffic analysis (NTA), which includes perimeter devices such as IPS/IDS and FW/WAF. They also include endpoint detection and response (EDR). And security information and event management (SIEM) systems are used to bring information together and make sense of it. Unfortunately, the SIEM often becomes a de facto log and data management tool. Just as layered visibility provides important information, it can also be complex, create an abundance of security alerts, and require a growing patchwork of security tools.
While much emphasis is placed on endpoint protection (servers, laptops, and desktops), EDR detects only 26 percent of initial attack vectors. (1) Many other vulnerable processes occur long before they interact with endpoint machines. For example, functions running on instances such as nodes, virtual machines, or containers are frequently attacked, misconfigured, or left open to allow unauthorized access. (2)
IDS/IPS for Any Workload
Workloads such as applications, databases, and storage are vulnerable to their own kinds of threats. Critical applications hosted on the internet, data transmitted between SaaS providers and users, or AWS-hosted virtual machines are all susceptible—any cloud-based workload should, therefore, be monitored for anomalies or changes. Armor’s host-based Intrusion Detection System/Intrusion Prevention System (IDS/IPS) monitors traffic in and out of the host server or instance. All event data collected by the host-based IDS/IPS is integrated with data collected by other security appliances monitored by Armor and correlated to identify and block suspicious patterns and behavior.
Armor Anywhere Agent
With the latest release of the Armor Anywhere Agent, Armor has enhanced its proven threat detection and response solutions with new capabilities that allow us to see more, ingest more, analyze and correlate more, and block more to deliver stronger security outcomes for customers.
For example, the latest Armor Anywhere agent offers enhanced TDR through Intrusion Prevention with two modes—Detection and Prevention—allowing operators such as DevOps practitioners and security analysts to select their preferred setting. In Detection mode, operators gain visibility across workloads, detecting threats wherever they may reside. In Prevention mode, operators can take proactive control and block threats as they occur. While blocking potential threats may always seem like the best course of action, there may be reasons for operators to manage the process themselves.
Another TDR enhancement is Recommendation Scans. This feature identifies known vulnerabilities by scanning the operating system, applications, open ports, file systems, directory listings, and any running process or service for changes or anomalies. Once a baseline is established, the scans can help organizations check for the latest rulesets or establish new rules for intrusion protection and file integrity monitoring. Scans can be automated or conducted manually to adjust to changing requirements.
Threat Detection and Response capabilities make it possible for organizations to catch threats that may otherwise go undetected by firewalls or antivirus software. With host-level intrusion detection and prevention tools, Armor’s enhanced TDR solution now makes it easier for security teams to secure any workload on any cloud, on-premises, or hosted platform.
1. “Endpoint Protection and Response: A SANS Survey,” SANS Institute, 2018
2. “2019 Cost of a Data Breach Study,” Ponemon Institute, 2019