
Our sensor product uses Jigsaw Security Threat Intelligence, heuristic detection, anomaly detection and plugins that allow the sensor to be extended for a particular use case. In short, yes and no: while the sensor carries IOC data to monitor for commodity malware, our heuristic detection and analytics also run on the sensor to find single-use malware, APT malware that has never been seen before, and new emerging threats.
While the sensor does have a signature-based element, its most valuable feature is its ability to find never-before-seen malware using several state-of-the-art detection methods.
As you can see from the image above, our Threat Intelligence is provided through MISP and fed into the FirstWatch sensors. Your network security personnel can add and remove indicators themselves, or you can let the Jigsaw Security SOC manage the signatures for you.
Each customer can customize the information we provide to them on their local Threat Intelligence server (if they have our Jigsaw Threat Analytic Platform), giving our customers full control over what the sensors monitor.
Our sensor monitors the network by looking at DNS traffic. In addition, the sensor provides a monitoring port that can be connected to a SPAN (mirror) port; in this configuration the sensor inspects the traffic passing the sensor's physical location on your network.
So in short there are two monitoring methods: DNS and SPAN port monitoring.
See the image above for how the DNS RPZ (Response Policy Zone) sensor feature keeps your users safe by denying your workstations access to known malicious domains, websites, servers and other Internet-based resources.
The Jigsaw FirstWatch sensor detects scanning activity and mass scans, anonymous attackers (for example, those using proxy servers or Tor), service attackers, malware (through signatures and heuristic detection), suspicious domain lookups, suspicious IP lookups and site access, suspicious file downloads (if using a SPAN port), suspicious HTTP requests (if using a SPAN port), port scanning activity, DNS resource exhaustion, data leakage and more. Modules are added frequently.
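To make the three pieces described above concrete (indicators pushed from a MISP-style feed, a DNS RPZ zone built from them, and signature plus heuristic detection over DNS traffic), here is a small added example. It is illustrative code written for this page, not FirstWatch, Maltrail or MISP code, and it makes no claim about how the Jigsaw sensor implements these functions internally. The indicator list, the log line format (epoch, client, query name, response code) and every domain and address in it are constructed for the example; the NXDOMAIN-burst rule is one common heuristic for DGA beaconing and DNS resource exhaustion, shown here as an example of the kind of check a heuristic module performs.

```python
"""Illustrative DNS-sensor logic (added example, not Jigsaw/Maltrail code):
indicator matching, an NXDOMAIN-burst heuristic, and a BIND RPZ zone
generated from the same indicator list."""
from collections import defaultdict, deque

# Constructed indicator rows in the shape of a MISP "domain" attribute
# export: (value, comment). Hypothetical domains, not a real feed.
INDICATORS = [
    ("evil-cdn.example", "commodity loader C2"),
    ("update-check.example", "phishing kit host"),
]

# Constructed resolver log in a format chosen for this example:
# <epoch> <client-ip> <query-name> <rcode>
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.org NOERROR
1700000002 10.0.0.5 cdn.evil-cdn.example NOERROR
1700000003 10.0.0.5 notevil-cdn.example NOERROR
1700000010 10.0.0.9 q7fd1.example NXDOMAIN
1700000011 10.0.0.9 zx81kq.example NXDOMAIN
1700000012 10.0.0.9 m0pq2v.example NXDOMAIN
1700000013 10.0.0.9 ttr9sa.example NXDOMAIN
1700000014 10.0.0.9 hh3lcu.example NXDOMAIN
1700000020 10.0.0.7 typo.example NXDOMAIN
1700000021 10.0.0.7 typo.example NXDOMAIN
"""


def load_indicators(rows):
    """Normalise indicator values: lower-case, no trailing dot."""
    return {value.lower().rstrip(".") for value, _comment in rows}


def matches_indicator(qname, indicators):
    """Return the indicator that qname equals or is a subdomain of, else None.
    Matching is label-aligned: notevil-cdn.example must NOT hit evil-cdn.example,
    which a naive suffix check would get wrong."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def parse_log(text):
    """Parse the constructed log format into (ts, client, qname, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            events.append((int(ts), client, qname, rcode))
    return events


def detect(events, indicators, nx_threshold=5, window=60):
    """Signature check (IOC match) plus one heuristic: a client that receives
    NXDOMAIN for >= nx_threshold distinct names inside `window` seconds.
    Counting distinct names keeps a host retrying one typo from being flagged."""
    findings = []
    recent_nx = defaultdict(deque)  # client -> deque of (ts, qname)
    flagged = set()
    for ts, client, qname, rcode in sorted(events):
        hit = matches_indicator(qname, indicators)
        if hit:
            findings.append({"type": "ioc", "client": client,
                             "qname": qname, "indicator": hit})
        if rcode == "NXDOMAIN":
            q = recent_nx[client]
            q.append((ts, qname))
            while q and ts - q[0][0] > window:   # slide the window
                q.popleft()
            distinct = {name for _, name in q}
            if len(distinct) >= nx_threshold and client not in flagged:
                flagged.add(client)
                findings.append({"type": "nxdomain_burst", "client": client,
                                 "distinct": len(distinct), "window": window})
    return findings


def rpz_zone(indicators, origin="rpz.sensor.example"):
    """Emit a BIND response-policy zone. Owner names are relative to $ORIGIN;
    'CNAME .' is the RPZ action that returns NXDOMAIN, and the wildcard
    record extends the block to every subdomain of the indicator."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. (1 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for domain in sorted(indicators):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    inds = load_indicators(INDICATORS)
    for finding in detect(parse_log(SAMPLE_LOG), inds):
        print(finding)
    print(rpz_zone(inds))
```

Run as-is, the script reports one IOC hit (10.0.0.5 resolving a subdomain of the listed C2 domain) and one NXDOMAIN burst (10.0.0.9, five distinct failed names in five seconds), while 10.0.0.7 retrying a single typo stays quiet; the emitted zone is what a resolver would load under `response-policy` to enforce the same indicator list at lookup time.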
Our sensor is based on the open source sensor project Maltrail, which we have greatly expanded with new modules and features not available in the open source project. Our development team has integrated the following Jigsaw Security products with the sensor and bundled the result as our commercial sensor product: the Jigsaw Analytic Platform provides data analysis of sensor activity; Jigsaw Threat Intelligence provides threat intelligence and tells the sensor what to look for; and the Jigsaw Security My Alerts dashboard in the Jigsaw Analytic Platform lets your SOC monitor all of your customers' sensors and see what activity needs to be addressed at each customer site.
Jigsaw Threat Mitigation Model
Below is the Jigsaw Threat Mitigation Model, which Jigsaw Security uses to protect our network and the networks of our customers. Our phased approach is compatible with CDM, NIST and FISMA. The JTMM is a service mark of Jigsaw Security Enterprise Inc.
