ECAT is a solution that provides enterprise compromise assessment through host-based deep scanning, network traffic analysis, live memory analysis, and machine suspect level analysis. It fills detection gaps left by traditional antivirus and firewall solutions by using signature-less techniques like application whitelisting, certificate validation, and multi-engine antivirus scans. The ECAT solution enables rapid breach detection, recovery, and forensics through direct physical disk inspection and live memory analysis to identify compromises across an enterprise.
Intro To ECAT
1. ECAT – Enterprise Compromise Assessment
Chad Loeven, VP Sales and Marketing
Pascal Longpre, Founder and CTO
2. Enterprise security today
AV on desktop and server
Firewall
IPS
SIEM
• Bluetooth and WiFi can bypass in-line devices
• Inline devices can’t identify what happened on the host in a compromise
3. Kaspersky – Rated #1 AV overall
>42% of all new malware passed through undetected
4. ECAT fills the detection gap
Incident -> Rapid breach detection, Recovery, Forensics
5. The ECAT solution: no signatures
• Host-based Deep Scan
• Network traffic
• Live Memory Analysis
• Machine Suspect Level
6. ECAT Overview – server and agent
Server-side analysis of the endpoint
7. ECAT – Baselines and whitelists
Whitelisting:
• Bit9 Global Software Registry (GSR)
• NIST database of known-good hashes
• ECAT whitelist including Microsoft MSDN
• Server-side Cert validation
• Opswat Metascan scans against 6 or more AV engines
8. ECAT – Enterprise Compromise Assessment
Network Traffic analysis
Multi-engine AV scan
Application Whitelisting
Certificate Validation
Direct physical disk inspection
Live Memory Analysis
Full System Inventory
• Rapid Breach Detection
• Signature-less
• Fills the gap in desktop defense
• Actionable information - fast
• Remediation
9. ECAT – Enterprise Compromise Assessment
Finding an evil in a haystack
www.siliciumsecurity.com
Editor's Notes
Welcome to Silicium Security, the makers of ECAT, an Enterprise Compromise Assessment Tool for signature-less malware detection. We’ve been delivering security solutions to large enterprises, government and military for over a decade and work with a global network of partners to deploy and support ECAT worldwide. In this brief video we’ll explain why current signature-based security solutions come up short and how ECAT can bridge the detection gap.
Virtually every enterprise today has in-line and host-based security solutions blocking, monitoring and remediating threats at multiple levels. However, most of these solutions share one common trait: they overwhelmingly rely on signatures. In other words, they can only block or detect what they already know about. In-line and network-based solutions also have major blind spots. Laptops and remote workstations are often invisible. Bluetooth and WiFi can be hijacked to bypass network controls.
So what’s the problem with signatures? An advertised 99% detection rate sounds great, but that stat is measured over an entire body of mostly old threats. The 1% not detected is overwhelmingly new, targeted attacks. Even minor variants of existing threats can bypass AV and IPS. As an example, let’s take a closer look at the best AV on the market and see how it fares. Kaspersky was recently ranked as the Product of the Year by a respected independent testing agency – but what does that mean? Unfortunately, when we drill down into the details of the report, ‘winning’ meant only failing 42% of the time on new threats. Which was still better than virtually all other AV products on the market!
ECAT fills the gap between traditional signature-based security tools and forensics, delivering rapid breach detection and compromise assessment.
The solution is not to depend on signatures, but rather to do a deep analysis of the endpoint combining multiple technologies and approaches. Host-based analysis is key: signature-less network-based solutions will not identify what process is infected or how. No assumptions can be made about the integrity of the endpoint prior to a scan, and analysis must be independent of the end user and done on the server, not the target machine. By assigning a suspect level to each component of the machine, we can build an overall Machine Suspect Level to determine if there has been a compromise and take action.
ECAT can be deployed as an incident response tool, as part of a security audit or for ongoing monitoring of the enterprise machines. Each ECAT server can handle up to 20K agents. Each agent scans silently in the background with no user interaction. The load is minimal as all information is gathered and sent back to the server, where the analysis is done. The ECAT server verifies the system integrity and builds a holistic view of the endpoint.
An important feature of ECAT is the ability to set an enterprise-wide baseline from a clean machine. This process eliminates background noise and false positives, and means truly suspect behaviour will be highlighted. As a first step, ECAT conducts server-side certificate validation to avoid any possible compromise of the cert validation process on the endpoint. Next, ECAT compares every file against three powerful whitelists from NIST, Microsoft and Bit9. Combined, every file found is scanned against a database of billions of files. Custom homegrown applications can also be whitelisted system-wide. Finally, each file can be run against Opswat Metascan’s multi-AV scanner to quickly identify known bad files that the desktop AV may have missed. By quickly sorting found files into known good and known bad, ECAT brings to the fore in the console the machines that need immediate attention.
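The two notes above describe a server-side triage pipeline (baseline from a clean machine, certificate validation, whitelist lookup, multi-AV verdict) and a per-component score rolled up into a Machine Suspect Level. The following Python is an added illustration written for this page, not ECAT's or Silicium Security's code: all hashes, signer names, file paths and AV verdicts are constructed, signature validity is simulated by a trusted-signer lookup rather than checked cryptographically, and the aggregation formula (highest component score plus 5 per additional non-zero component, capped at 100) is a hypothetical choice. It also orders the checks by strength of evidence rather than in the order the notes list them, so that a multi-AV hit outranks a valid signature.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional

# All data below is constructed for illustration; it is not ECAT's format or scoring.


@dataclass
class FileRecord:
    """One file as an agent would report it: path, raw bytes, and the signer
    name read from its code-signing certificate (None if unsigned).
    Signature validity is simulated by a trusted-signer lookup, not verified."""
    path: str
    content: bytes
    signer: Optional[str] = None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in for the NIST / Bit9 / MSDN known-good hash lists (constructed hashes).
PUBLIC_WHITELIST = {sha256_hex(b"notepad-binary-v1")}

# Stand-in for a multi-engine AV verdict table: hash -> number of engines flagging it.
AV_DETECTIONS = {sha256_hex(b"dropper-sample"): 5}

# Signers accepted after server-side certificate validation (constructed name).
TRUSTED_SIGNERS = {"Example Software Publisher"}


def build_baseline(clean_machine: list[FileRecord]) -> set[str]:
    """Enterprise baseline: every hash found on a known-clean machine joins the
    whitelist, so files present on every healthy host stop generating noise."""
    return {sha256_hex(r.content) for r in clean_machine}


def file_suspect_level(rec: FileRecord, whitelist: set[str]) -> tuple[str, int]:
    """Score one component 0..100. Strongest evidence wins: a multi-AV hit beats
    a whitelist entry or a valid signature (stolen certificates exist), a whitelist
    match clears the file, a trusted signature lowers suspicion, anything else is unknown."""
    digest = sha256_hex(rec.content)
    if AV_DETECTIONS.get(digest, 0) >= 2:       # at least two engines agree
        return "known bad", 100
    if digest in whitelist:
        return "known good", 0
    if rec.signer in TRUSTED_SIGNERS:
        return "signed, not whitelisted", 10
    return "unknown", 40


def machine_suspect_level(scores: list[int]) -> int:
    """Aggregate component scores into one machine score: the highest component
    score plus 5 for every additional non-zero component, capped at 100.
    Hypothetical formula chosen for this example."""
    if not scores:
        return 0
    top = max(scores)
    others = sum(1 for s in scores if s > 0) - (1 if top > 0 else 0)
    return min(100, top + 5 * others)


def triage_machine(records: list[FileRecord], whitelist: set[str]) -> dict:
    """Server-side analysis of one endpoint's inventory: per-file verdicts plus
    the machine suspect level, sorted so the worst components come first."""
    verdicts = [(r.path, *file_suspect_level(r, whitelist)) for r in records]
    verdicts.sort(key=lambda v: v[2], reverse=True)
    return {
        "files": verdicts,
        "machine_suspect_level": machine_suspect_level([v[2] for v in verdicts]),
    }


# Constructed sample: a clean reference machine and two scanned endpoints.
CLEAN_MACHINE = [
    FileRecord("C:/Windows/notepad.exe", b"notepad-binary-v1", "Example Software Publisher"),
    FileRecord("C:/Corp/inventory.exe", b"corp-internal-tool-v3"),   # homegrown, unsigned
]
WHITELIST = PUBLIC_WHITELIST | build_baseline(CLEAN_MACHINE)

HEALTHY_HOST = CLEAN_MACHINE + [
    FileRecord("C:/Corp/updater.exe", b"updater-new-build", "Example Software Publisher"),
    FileRecord("C:/Users/a/tmp/stage.dat", b"unknown-blob"),
]
COMPROMISED_HOST = HEALTHY_HOST + [
    # Signed with a trusted name, yet flagged by 5 engines: the AV verdict wins.
    FileRecord("C:/Users/a/AppData/svc.exe", b"dropper-sample", "Example Software Publisher"),
]

if __name__ == "__main__":
    for name, host in (("healthy", HEALTHY_HOST), ("compromised", COMPROMISED_HOST)):
        result = triage_machine(host, WHITELIST)
        print(name, "machine suspect level:", result["machine_suspect_level"])
        for path, verdict, score in result["files"]:
            print(f"  {score:3d}  {verdict:<24} {path}")
```

Running the script scores the healthy host at 45 (one unknown blob at 40, one signed-but-unlisted updater at 10) and the compromised host at 100, with the dropper listed first in the console output. The baseline matters for the homegrown `inventory.exe`: without it the unsigned binary would score 40 on every endpoint, which is exactly the background noise the notes say the baseline removes.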
To summarise, ECAT fills the gap between existing solutions. It delivers accurate, actionable information quickly to the people that need it. ECAT does this by layering on multiple approaches and technologies, starting with a full system inventory, then live memory analysis, physical disk analysis, certificate validation, whitelisting, multi-AV scans, and network traffic monitoring and statistical analysis. No other approach delivers detection results like ECAT can.
Thank you for watching. Consult our website or youtube channel to view ECAT in action, or contact us for more information.