Review: Digital Guardian offers ready-to-deploy endpoint security

Advanced threats are increasingly assaulting endpoints. Here's how the Digital Guardian Threat Aware Data Protection Platform tackles the problem.


In recent years, advanced threats have been increasingly targeting endpoints. This makes sense because endpoint security has traditionally been the realm of signature-based antivirus, technology that has proven to be inadequate protection against targeted and highly advanced malware campaigns.

The cybersecurity industry has stepped up with centrally managed endpoint protection programs, either as standalone platforms or as part of a larger security deployment. These work well, and CSO has reviewed several solutions in this category, including Minerva and Promisec, but the category continues to evolve, and the newest idea is endpoint security as a service. That is where the Digital Guardian Threat Aware Data Protection Platform comes in.

Right now, the platform exists as an on-premises solution with a central appliance, either physical or virtual, deploying agents out to server and client endpoints and devices running Windows, Mac OS or Linux. However, it is currently undergoing a transformation into the Digital Guardian Analytics and Reporting Cloud, which provides endpoint security as a service, bundled into a threat-aware protection platform that includes data discovery and classification, data loss prevention, cloud data protection and threat detection and response. We tested the service-based Digital Guardian program to see how it stacked up against traditional on-premises solutions.

With most endpoint security programs, protection is delivered through the creation of rules. Behavior that breaks the rules of the network is considered suspect, and is blocked, flagged or otherwise becomes the subject of a security alert. One of the biggest problems with this method is that security is only as good as the ruleset. Administrators either must carefully craft rules based on their own expertise or set a protection program into a learning mode for several weeks or months while it discovers good network behavior and crafts rules restricting everything else.

The Digital Guardian platform, by contrast, comes ready to use, pre-loaded with thousands of best practice rules based on years of experience working in the field. And after a quick data discovery process, those rules are tailored to the specific network that it is protecting. This is all done nearly instantaneously, so that when agents are deployed, they can immediately begin protecting endpoints with good security policies.

[Screenshot: Digital Guardian main console. Credit: John Breeden II/IDG]

The main console for the Digital Guardian Threat Aware Data Protection Platform looks the same whether users have everything installed locally or are getting their protection as a service. It gives a good overall glance, in real-time, at ongoing network security issues and endpoint health.

Administrators are not locked into the policies that Digital Guardian creates. The program's main interface shows every rule that is being applied to their endpoints. Rules can be disabled using a simple slider bar, or drilled into and tweaked as desired. As new threats emerge, teams of analysts at Digital Guardian create new rules and push them out to the appropriate customers.

[Screenshot: Digital Guardian manage rules view. Credit: John Breeden II/IDG]

One of the biggest strengths of the Digital Guardian Data Protection Platform is the ability to instantly populate useful rulesets based on years of network monitoring experience. But users aren’t bound by them. They can be turned on or off using slider bars.

The new platform is also designed with a lot of automation, or at least potential automation, depending on how comfortable organizations are with allowing their software to handle security functions without human intervention. There is no true artificial intelligence in the program; instead, there is a series of triggers that can launch program actions. For example, we configured our platform to automatically launch a threat scan on an endpoint following a user event where a suspect website was visited. The automation is fully configurable, with actions based on user, data or system events on endpoints.

[Screenshot: Digital Guardian alerts view. Credit: John Breeden II/IDG]

While the entire platform is designed to incorporate automation, humans can be a part of the decision process as well, with critical alerts sent to them.

Automatic actions include most of the common defenses, such as blocking malicious or suspect programs from running on an endpoint, warning users that their actions are breaking policy, or recording actions for later auditing. In addition to automatic responses, suspected threat data can generate an alert that is sent up to human users for remediation, or to the Digital Guardian service for further analysis. Everything is designed to allow organizations to be as involved, or as hands off, as they want regarding the security of their endpoints.

To test the platform, we sent phishing e-mails to endpoints that were protected by Digital Guardian using different policy settings. Where we had everything set to monitor endpoints only, we could watch as an attack unfolded: first when the e-mail came in, and later as a user clicked on an attached file that opened up several programs, zipped up critical files, and sent them out of the network over an FTP channel. This was interesting because it allowed us to collect a lot of forensic data about the attack, though in practice few organizations would leave their system in monitor-only mode beyond an initial tuning period.

With a little rule tweaking, we launched the attack again and this time Digital Guardian halted the threat before it could do any damage on the protected endpoint. The platform still collected a wealth of forensic data, which could later be analyzed by internal IT teams or by the external analysts employed by Digital Guardian as part of the protection service. In either case, specific information about the threat could be added to existing rules to protect every other endpoint on a protected network from compromise. It could even be done automatically if an organization wanted.
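The rule-based model described earlier (behavior that breaks a rule is blocked, flagged or recorded; triggers launch actions such as a scan) and the monitor-only versus enforced runs of the phishing test above can be made concrete with a small policy engine. The following is an added illustrative example, not Digital Guardian's code and not a description of its internals: a toy engine evaluates three hypothetical rules over constructed endpoint telemetry modelled on the review's attack chain (Office attachment spawns a script host, archiver writes a .zip, non-FTP process opens an outbound FTP connection), first in monitor mode and then in enforce mode, where a "block" decision terminates the offending process so the rest of the chain never happens. All process names, domains, rule names and the 60-second correlation window are assumptions chosen for the example.

```python
# Added example (not Digital Guardian code): a minimal rule-driven endpoint
# policy engine run in monitor-only and enforce modes over constructed telemetry.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since start of the capture (constructed)
    host: str
    user: str
    kind: str        # "process" | "file" | "network"
    process: str     # image name of the acting process
    pid: int
    parent: str      # image name of the parent process
    ppid: int
    detail: dict     # kind-specific fields: path, dst, dst_port, ...


@dataclass
class Rule:
    name: str
    condition: Callable[[Event, list], bool]  # (event, earlier events) -> matched?
    action: str            # "block" | "warn" | "audit" | "scan"
    enabled: bool = True   # the console's on/off slider


@dataclass(frozen=True)
class Decision:
    rule: str
    action: str
    ts: int
    process: str
    enforced: bool   # True only in enforce mode and only for "block" rules


# Hypothetical allow/deny lists; a real product ships far larger curated sets.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
ARCHIVERS = {"7z.exe", "winrar.exe", "zip.exe"}
FTP_CLIENTS = {"ftp.exe", "winscp.exe", "filezilla.exe"}
SUSPECT_DOMAINS = {"phish.example"}   # hypothetical threat-intel entry


def office_spawns_script_host(ev: Event, history: list) -> bool:
    """An Office application should not be launching a shell or script interpreter."""
    return (ev.kind == "process"
            and ev.parent.lower() in OFFICE_APPS
            and ev.process.lower() in SCRIPT_HOSTS)


def archive_then_outbound_ftp(ev: Event, history: list) -> bool:
    """Outbound FTP from a non-FTP process within 60 s of an archiver writing a .zip."""
    if ev.kind != "network" or ev.detail.get("dst_port") != 21:
        return False
    if ev.process.lower() in FTP_CLIENTS:
        return False
    return any(h.kind == "file"
               and h.process.lower() in ARCHIVERS
               and h.detail.get("path", "").lower().endswith(".zip")
               and 0 <= ev.ts - h.ts <= 60
               for h in history)


def visits_suspect_site(ev: Event, history: list) -> bool:
    """Trigger-style rule: a visit to a listed domain launches a scan, not a block."""
    return ev.kind == "network" and ev.detail.get("dst") in SUSPECT_DOMAINS


RULES = [
    Rule("office-app-spawns-script-host", office_spawns_script_host, "block"),
    Rule("archive-then-outbound-ftp", archive_then_outbound_ftp, "block"),
    Rule("suspect-site-visit-triggers-scan", visits_suspect_site, "scan"),
]


def evaluate(events: list, rules: list, mode: str = "monitor") -> list:
    """Run every enabled rule over the events in time order.

    In "monitor" mode every match is only recorded. In "enforce" mode a "block"
    match terminates the offending process, so its later activity (and that of
    its children) never happens; that is modelled by dropping those events.
    """
    decisions, history, killed = [], [], set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.pid in killed or ev.ppid in killed:
            killed.add(ev.pid)        # child of a terminated process: never runs
            continue
        for rule in rules:
            if rule.enabled and rule.condition(ev, history):
                enforced = mode == "enforce" and rule.action == "block"
                decisions.append(Decision(rule.name, rule.action, ev.ts, ev.process, enforced))
                if enforced:
                    killed.add(ev.pid)
        history.append(ev)            # kept even when blocked, for forensics
    return decisions


# Constructed sample telemetry modelled on the phishing chain in the review.
PHISHING_CHAIN = [
    Event(0, "ws-07", "alice", "network", "chrome.exe", 90, "explorer.exe", 1,
          {"dst": "phish.example", "dst_port": 443}),
    Event(10, "ws-07", "alice", "file", "outlook.exe", 100, "explorer.exe", 1,
          {"op": "write", "path": r"C:\Users\alice\Downloads\invoice.docm"}),
    Event(12, "ws-07", "alice", "process", "winword.exe", 101, "outlook.exe", 100, {}),
    Event(15, "ws-07", "alice", "process", "powershell.exe", 102, "winword.exe", 101, {}),
    Event(16, "ws-07", "alice", "process", "7z.exe", 103, "powershell.exe", 102, {}),
    Event(20, "ws-07", "alice", "file", "7z.exe", 103, "powershell.exe", 102,
          {"op": "write", "path": r"C:\Users\alice\AppData\Local\Temp\docs.zip"}),
    Event(25, "ws-07", "alice", "network", "powershell.exe", 102, "winword.exe", 101,
          {"dst": "203.0.113.9", "dst_port": 21}),
]


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(f"--- {mode} ---")
        for d in evaluate(PHISHING_CHAIN, RULES, mode):
            print(f"t={d.ts:>3}s {d.process:<15} {d.rule:<34} {d.action}"
                  + (" (enforced)" if d.enforced else ""))
```

In monitor mode all three rules fire and the whole chain, including the FTP exfiltration at t=25, is recorded; in enforce mode the first block rule terminates powershell.exe at t=15 and the archiver and the FTP connection never appear. Disabling the first rule (the slider) still leaves the second to stop the exfiltration, which is the defense-in-depth argument for layering rules rather than relying on one.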

[Screenshot: Digital Guardian investigation mode. Credit: John Breeden II/IDG]

In addition to tracking events and generating alerts, the Digital Guardian Data Protection Platform supports deep forensic analysis and threat investigations.

Regardless of how a threat is handled, a lengthy and detailed report is generated by the program. These can be shared or written to a PDF for later study. The program even supports customized dashboards, so local administrators can keep a close eye on events, systems or users that they feel are most important or critical to operations. This can happen even if Digital Guardian is acting as the primary threat response team in the SaaS model, so that local IT staffers are never out of the loop.

Endpoint security is necessarily evolving to counter the proliferation of advanced threats assaulting endpoints. The Digital Guardian Threat Aware Data Protection Platform is at the forefront of this effort, offering ready-to-deploy endpoint security locally on-premises or as a service, and with whatever automation level a host organization feels comfortable supporting.


Copyright © 2018 IDG Communications, Inc.
