The Jigsaw Security development team has been hard at work to release our latest security offering known as FirstWatch. The sensor product provides not only the ability to detect security events in your network but to actively disrupt the chain of infection making our solution much more effective at preventing infections instead of just detecting intrusions after the fact. While building out the latest version of the FirstWatch platform, we decided to enable the DNS, Netflow and Heuristics detection plugin's in active mode allowing sensors to send resets during infection attempts, sinkhole or replace bad payloads with safe binaries indicating that an infection was prevented.
The Jigsaw FirstWatch sensor is one of only a handful of devices that actively will sinkhole traffic based on known threats and also newly identified activity from the heuristics models active on the devices. If it's a known bad domain, payload or pattern on the wire, the device will take whatever action an administrator has enabled on the sensor. Inline sensors will send resets while DNS enabled sensors will simply sinkhole the traffic based on what malicious activity is occurring on the network.
A view of our sinkhole response on a client workstation
One of the latest features on the sensor platform is the ability to detect conditions on the network and respond appropriately. A new location aware function looks for conditions such as a certain amount of data going to a non-friendly location (China, Russia, etc.) that can be defined in the platform itself. If a company does not do business in Russia, then there is no logical reason whey a protected system would be sending data to Russia. As soon as the connection starts to respond with payload data the sensor will reset or through other methods redirect the traffic to a server to capture what data was being sent out of the network for analysis by security engineers. By redirecting the communications to a local server, data never leaves the network and you can determine what information was being targeted during exfiltration.
Reset and Forget
The last and most impressive feature is the reset feature when devices are deployed inline. Often intrusions go unnoticed for weeks or months by security personnel because it is nearly impossible with existing technology to look at all communications on your network in real time. This lag is a problem for understaffed security personnel. When inline, sensors better protect your network by sending resets to offending parties. For instance if an end user logs into an FTP server in a non-friendly defined country and tries to send data, the sensor can close the connection to prevent data from leaving the network. When a reset occurs security administrators are notified so they can investigate the incident instead of responding to a breach or privacy issue. While this method doesn't stop all attacks it does minimize exposure. In addition to bad locations the systems can also drop all traffic to TOR nodes, P2P applications as well as VPN and proxy services such as the infamous HideMyAss VPN service.
Signature are Old School
While we still support threat intelligence and signature, Jigsaw is moving away from the use of signatures in products. The reason is because when an attacker learns that they have been found out they simply change their tactics and we end up looking for indicators that are no longer being used while the attacker continues to ex filtrate data to another location they may be allowed by the technology. Our products are now relying more on patterns of activity, analytic models and time series to detect events such as request for resources that don't exist, sinkhole activity, user agent strings and similar items such as network traffic patterns created by malware during the movement of information. By using patterns the IOC can change while the sensor is still effective at stopping the movement of the data which is the real problem we are trying to solve.
The Jigsaw FirstWatch sensor can be deployed in a VM or Docker deployment, hardware appliance or can be hosted by Jigsaw Security. MSSP's are beginning to see the value of this technology and are using the sensor to keep their customers safe. The sensor retails for $6995.95 and multiple sensors can be used to handle large amounts of traffic and monitor services such as Microsoft Exchange in a load balanced configuration. Instead of detecting the breach after the fact, stop the breach from occurring in the first place with FirstWatch technology from Jigsaw Security.
Let's talk integration - Department of Homeland Security AIS Integration
The FirstWatch sensor connects natively to MISP and also has modules to utilize AIS (Automated Indicator Sharing) from the DHS service. Customers that participate in AIS (and other DHS programs) can receive that data directly in their Jigsaw appliances without having to understand or operate TAXII servers. In addition to AIS, Jigsaw Security provides connectors for many other services to include Anomali, ThreatConnect, Dell Secureworks and many other commercial providers. By partnering with services that can make our products better and report statistics back to Jigsaw, everybody is better protected. By using technology to actively disrupt the infection chain, the likelihood of encountering a breach is lessened and your security workload can shift to make your team more effective at stopping cyber related threats.