This article explains how to configure Cato's Endpoint Protection (EPP) solution to secure your endpoints.
Note: This is an Early Availability (EA) feature that is only available for limited release. For more information, contact your Cato Networks representative or send an email to ea@catonetworks.com.
Cato's EPP solution includes two types of EPP engines: File Protection, which scans files on the endpoint, and Behavioral Analysis, which scans processes running on the endpoint. Your EPP settings are configured in the Cato Management Application, which provides a centralized way to manage security across your attack surface. In the Endpoint Protection Profile, you configure the protection level of each engine to define how it responds to potential threats. Use the Endpoint Protection Policy to apply Endpoint Protection Profiles to an enduser or endpoint.
You can add a file or process to the Allowlist to prevent legitimate files or processes from being identified as malicious. For additional protection, you can run an on-demand scan on a specific endpoint.
To protect your endpoints from known and unknown malware, Cato's EPP solution combines two layers of protection into a full security solution. Each layer uses different detection techniques to identify and prevent different types of attacks.
The File Protection engine supports scanning of more than 300 file types including archived files, ZIP files, and RAR. A file is scanned once it is downloaded or copied onto an endpoint as well as when an enduser attempts to access it. You can also scan all files on an endpoint at any time with an on-demand scan.
The Behavioral Analysis engine uses heuristic methods to provide protection from unknown and zero-day threats. Applications and processes are continuously monitored for indications of malicious activity based on their behavior. Examples of malicious behavior include:
- Executing or injecting code in another process's space to run with higher privileges
- Accessing or executing illegal operations in registry locations that require elevated privileges
- Copying or moving files in System or Windows folders
After an EPP engine identifies potentially malicious activity, the Protection settings define the action that EPP takes. In addition, for the Behavioral Analysis engine, you can define how sensitive it is when identifying unknown threats.
The following table describes each Protection level, and an example use case for it.

Protection | Description | Sample Use Case
---|---|---
Off | EPP scans do not run, and no events are created. | You do not want to use this EPP engine.
Monitor | If malicious activity is identified, an event is created, but no further action is taken. | You want to collect data on malicious files or processes, without preventing their execution.
Block | A malicious file or process cannot be executed. The file is not modified or moved from its location. | You want to identify and block malicious files or processes.
Block and Remediate | A malicious file or process cannot be executed. The file is encrypted and quarantined, or if this is not possible, the file is deleted. This is the default setting. | You want to identify, block, and quarantine malicious files or processes.
The Behavioral Analysis engine detects potential threats based on a predictive model and learning heuristics. The Sensitivity Level for the engine determines the confidence level required to identify a potential threat. For example, the Aggressive setting identifies processes even when there is a low level of certainty that the process is actually malicious. This setting can result in more false-positive matches.
The following table describes each Sensitivity Level, and an example use case for it.

Sensitivity Level | Description | Sample Use Case
---|---|---
Permissive | Only detect processes that are determined to be malicious with a very high level of certainty. This is the setting with the lowest sensitivity. | You only want to detect processes that are certainly malicious.
Balanced | Detect processes that are determined to be malicious with a high level of certainty. | You want to detect processes that are likely malicious.
Aggressive | Detect processes that are determined to be malicious with a low level of certainty. This is the setting with the highest sensitivity. | You want to detect processes that are likely but not certainly malicious.
To define how EPP protects endpoints in your account, use the EPP Profile to define the level of Protection for each engine. Then use the rules in the EPP Policy to define the scope of endpoints that the Profile applies to. A Profile can be applied to specific endusers, specific endpoints or both.
EPP policies are an ordered rulebase. The rules in your policy are applied to files and processes sequentially to check if a rule is matched. Rules at the top of the rulebase have a higher priority because they are applied before the rules lower down. For example, if rule #1 has a File Protection Block response and applies to an endpoint where a malicious file is identified, the file is blocked and no further rules are applied to the file.
The EPP Profile defines the File Protection and Behavioral Analysis engine Protection settings. You can define different profiles based on the requirements for your EPP Policy.
Define the rules in the EPP Policy with the Source and the Profile. The Source can be an enduser identity, or an endpoint device based on the Endpoint ID. You can also set the level of protection (Profile) that is applied to each enduser or endpoint (Source). This lets you customize how each EPP engine is used on each endpoint across your environment.
To create an Endpoint Protection Policy:
1. From the navigation menu, click Security > Endpoint Protection.
2. Click New. The Create new Endpoint Protection Policy Rule panel opens.
3. Define the Name, Description, Source, and Profile for this rule.
4. Click Apply.
5. Repeat steps 2-4 for each rule in the EPP Policy.
6. Enable the EPP Policy and click Save. The slider is green when the EPP is enabled, and gray when the EPP is disabled.
Sometimes an EPP engine may consider a legitimate business process to be malicious. To prevent endpoint protection from interrupting legitimate business processes, you can allow an Object for an enduser or on an endpoint (Source). This means it is not scanned, blocked, or moved, and it does not trigger an alert.
The following objects can be allowed to execute for an enduser, on an endpoint, or both:
- File Path
- Folder Path
- File Type
- SHA256 File Hash
To define an Object for the Allow List:
1. From the navigation menu, click Security > Endpoint Protection.
2. Click the Allow List tab.
3. Click New. The New Allow List panel opens.
4. Define the Name, Description, Object, and Source to be allowed.
5. Click Apply.
6. Repeat steps 3-5 for each Object that you are allowing.
7. Click Save.
File Protection scans run when a file is downloaded or copied onto an endpoint, as well as when an enduser attempts to access it. In addition, you can run a File Protection scan on an endpoint on-demand at any time. By running an on-demand File Protection scan, you can identify existing malware on an endpoint before the enduser tries to access it.
On-demand scans compare the SHA256 file hash of all files saved on the endpoint with a list of known malware signatures. If a malicious file is detected, EPP follows the action defined by the Policy.
You can identify malicious files on an endpoint at any time by running an On-demand scan.
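The following is an added example, not Cato's code, that models the on-demand scan described above together with the four Allow List Object types from the previous section: every file under a directory is hashed with SHA256, matched against a signature set, and handled according to the Protection level, with allowed Objects skipped before any action is taken. The signature list, allow list entries, and sample files are all constructed test values.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed signature list and allow list (test values, not real indicators);
# the allow list entries use the four Object types: file_path, folder_path, file_type, sha256.
KNOWN_MALWARE = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}
ALLOW_LIST = [("folder_path", "tools/approved"), ("file_type", ".log"),
              ("sha256", hashlib.sha256(b"constructed-flagged-by-mistake").hexdigest())]
# Outcome per Protection level on a signature match (Off: the scan does not run at all).
ACTIONS = {"monitor": "event", "block": "blocked", "block_and_remediate": "quarantined"}

def is_allowed(rel: str, suffix: str, digest: str) -> bool:
    """True if any allow-list Object matches; such files are not scanned or acted on."""
    for t, v in ALLOW_LIST:
        if ((t == "file_path" and rel == v) or (t == "sha256" and digest == v)
                or (t == "folder_path" and rel.startswith(v.rstrip("/") + "/"))
                or (t == "file_type" and suffix.lower() == v.lower())):
            return True
    return False

def on_demand_scan(root: Path, protection: str) -> dict:
    """Hash every file under root, compare with KNOWN_MALWARE, apply the Protection action."""
    if protection == "off":
        return {}
    results = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if is_allowed(rel, path.suffix, digest):
            results[rel] = "allowed"      # skipped: no event, file untouched
        elif digest in KNOWN_MALWARE:
            results[rel] = ACTIONS[protection]
        else:
            results[rel] = "clean"
    return results

def demo(protection: str = "block_and_remediate") -> dict:
    """Build a constructed sample tree in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    samples = {"downloads/invoice.exe": b"constructed-malicious-sample",
               "tools/approved/invoice.exe": b"constructed-malicious-sample",
               "logs/app.log": b"constructed-malicious-sample",
               "downloads/report.pdf": b"constructed-flagged-by-mistake",
               "notes/readme.txt": b"nothing to see"}
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return on_demand_scan(root, protection)
```

Note that the same malicious content is quarantined under downloads/ but skipped under the allowed folder and as an allowed file type, which is exactly why Allow List Objects should be scoped as narrowly as possible.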