Review: The enSilo platform traps threats that bypass traditional endpoint defenses

The enSilo platform offers traditional endpoint protection alongside the ability to offer post-infection protection. It can also trap threats, holding them in place and rendering them harmless until a threat hunter can arrive to investigate.


There are two intersecting trends in cybersecurity that almost every organization will need to soon address. First, endpoints are the new battleground for network protection. They are the gateway that advanced persistent threats use to enter a network, and sometimes also comprise the target for certain attacks. Second, almost every organization, no matter how secure, will eventually get breached.

The enSilo platform sits at the intersection of those two trends, offering traditional endpoint protection alongside the ability to offer post-infection protection. It can also trap threats, holding them in place and rendering them harmless until a threat hunter can arrive to investigate, though that feature is completely optional.

Installing enSilo is not unlike other agent-based security programs. There is a central console called the Core where administrators set policies that get deployed to agents, which are called collectors by the program. Collectors can be lightweight, simply reporting threats and information back to the central console, or much more powerful, taking actions and remediating threats as they are detected. They can even be set to work autonomously when disconnected from a network or the Core, a huge boon for laptops and other devices that don’t spend their days tethered to network cables.

The collectors work with devices installed on-premises or in the cloud, or any hybrid setup. Pricing for enSilo is based on the number of devices the program is protecting, with volume discounts available for large enterprises.

When thoroughly examined, enSilo is different from most other forms of protection available for endpoints, with a lot of control available to help it fit into organizations regardless of their cybersecurity maturity. It can be almost completely manual, or fully automated, though those are just two options in a wide spectrum.

enSilo works so well because it's based on the allowed behaviors of programs and procedures as set forth by the operating system (OS). In the case of Windows, the teams at enSilo have reverse engineered how the OS works, what processes it allows, and the reasons for those actions. Collectors, once installed, sit between the OS and the rest of the system, giving administrators total control over what kinds of activities are allowed on endpoints.

For example, Windows allows some processes to communicate, while others are restricted. Advanced threats often break or bypass those rules. However, to do so on a machine protected by enSilo, the malware would have to pass through an enSilo collector first, which will trigger a rules violation even against a previously unknown threat. And because administrators have total control, they can allow some malware to take a few steps down the kill chain, while still preventing it from doing any actual harm. That way, it essentially traps the unknown malware in place, rendering it harmless but not removing it, so it can be studied to help build future defenses, or to reveal targeted campaigns and threat actors.

[Image: enSilo dashboard. Credit: John Breeden II/IDG]

The dashboard for enSilo shows all devices that need attention, including any that have been infected, but have the threat under control and trapped for analysis.
