BI.ZONE EDR expands capabilities to better assess endpoint configuration

The updated BI.ZONE EDR version has received a new Safety Recommendations module. It is available on all operating systems and allows you to evaluate the OS and software configuration on endpoints, identify their vulnerabilities, and find accounts with weak passwords.
August 13, 2024

Key improvements include enhanced data collection and automatic response capabilities in BI.ZONE EDR for Windows and offline detection of indicators of attacks (IoAs) for macOS.

The BI.ZONE EDR agent for macOS has gained expanded capabilities for offline detection of indicators of attack. Unlike indicators of compromise (IoCs), which show that a system is already compromised, IoAs detect signs of an ongoing attack before it causes any damage. The IoA search correlation rules in the BI.ZONE EDR agent for macOS analyze attempts to exploit vulnerabilities, detect unusual network requests, capture suspicious changes to the system, etc.

Another major change in the solution is the addition of the Safety Recommendations module. It is available on all operating systems and helps to assess how secure the configuration is, as well as to identify weaknesses, which the user can then eliminate to reduce the attack surface.

Security configuration assessment verifies how well the systems comply with predefined configuration settings. In addition, the Safety Recommendations module can detect accounts with weak passwords.
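To make the idea of "compliance with predefined configuration settings" concrete, here is an added example of the kind of check such a module performs. It is not BI.ZONE EDR code and does not use the product's API or rule format, none of which the page describes; the baseline directives, their severities, and the sshd_config text are constructed for illustration.

```python
"""Illustrative configuration-assessment check (example code, not BI.ZONE's).

It parses an sshd_config captured from an endpoint, compares each directive
against a predefined baseline, and reports every deviation as a finding.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of an sshd_config from an endpoint (not real data).
SAMPLE_SSHD_CONFIG = """\
# OpenSSH server configuration (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 10
X11Forwarding no
"""

# Baseline: the value each directive must have and how serious a deviation is.
# Directives and severities are illustrative assumptions, not a published benchmark.
BASELINE = {
    "PermitRootLogin": ("no", "high"),
    "PasswordAuthentication": ("no", "medium"),
    "PubkeyAuthentication": ("yes", "medium"),
    "MaxAuthTries": ("4", "low"),
    "X11Forwarding": ("no", "low"),
}


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    actual: Optional[str]  # None means the directive is not set explicitly
    severity: str


def parse_sshd_config(text):
    """Return the effective directive -> value map.

    Comment and blank lines are ignored. sshd honours the FIRST occurrence of
    a directive, so a later duplicate must not override an earlier one.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+?)\s*$", line)
        if not m:
            continue
        effective.setdefault(m.group(1), m.group(2))
    return effective


def assess(config_text, baseline=BASELINE):
    """Compare the parsed config with the baseline and return the deviations."""
    effective = parse_sshd_config(config_text)
    findings = []
    for directive, (expected, severity) in baseline.items():
        actual = effective.get(directive)
        # An absent directive is reported too: the daemon default may differ
        # from the baseline, and auditors want an explicit, verifiable value.
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(directive, expected, actual, severity))
    return findings


def compliance_score(config_text, baseline=BASELINE):
    """Fraction of baseline directives the host complies with, 0.0..1.0."""
    failed = len(assess(config_text, baseline))
    return (len(baseline) - failed) / len(baseline)


if __name__ == "__main__":
    for f in assess(SAMPLE_SSHD_CONFIG):
        print(f"[{f.severity}] {f.directive}: expected {f.expected!r}, got {f.actual!r}")
    print(f"compliance: {compliance_score(SAMPLE_SSHD_CONFIG):.0%}")
```

On the constructed sample the check reports four findings (root login and password authentication enabled, public-key authentication not set explicitly, too many authentication attempts allowed) and a 20% compliance score; each finding is the kind of weakness the text says the user can then eliminate to reduce the attack surface.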

According to our data, the share of endpoint devices in any IT infrastructure is up to 85% and these devices are mostly targeted by adversaries. Identifying and eliminating endpoint weaknesses helps to reduce the attack surface and mitigate the risk of cybersecurity incidents.
Teymur Kheirkhabarov
Head of Cyber Threat Monitoring, Response and Research, BI.ZONE

The updated BI.ZONE EDR agent for Windows can now track the execution of any command as telemetry events. The user can set up a schedule for running a specific command and parameters for parsing its output. As a result, EDR sends the command output as telemetry events that can be used in IoA rules. This makes it possible to implement threat detection scenarios where the EDR telemetry events alone are insufficient to trigger a rule, but the operating system has the required tools to address the task. Similar features were previously implemented in the agents for Linux and macOS.

In addition to telemetry collection, automatic response capabilities have been extended in the Windows version. This enhancement enables users to run any command or process (for example, a custom script) when an IoA rule is triggered, allowing for a large number of automatic response scenarios.
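The two preceding paragraphs describe one pipeline: a scheduled command runs, its output is parsed into telemetry events, an IoA rule matches on those events, and a response command runs on a match. The following is an added example of that pipeline written from scratch; it is not BI.ZONE EDR code, and the collector definition, event schema, rule form and response template are all assumptions, since the page does not describe the product's actual formats. The socket-listing output is constructed, and `echo` stands in for the custom response script.

```python
"""Illustrative scheduled-command -> telemetry -> IoA rule -> response pipeline
(example code, not BI.ZONE's; formats below are assumptions)."""
import re
import shlex
import subprocess
from dataclasses import dataclass, field


@dataclass
class ScheduledCommand:
    name: str
    argv: list          # command and arguments the agent runs on the schedule
    interval_s: int     # how often it runs
    line_regex: str     # named groups turn each output line into one event


# Constructed output of a socket-listing command (not captured from a real host).
SAMPLE_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=901,fd=7))
tcp   LISTEN 0      5      0.0.0.0:4444       0.0.0.0:*         users:(("python3",pid=2310,fd=4))
"""

LISTENER_COLLECTOR = ScheduledCommand(
    name="listening_sockets",
    argv=["ss", "-ltnp"],   # hypothetical scheduled command for a Linux host
    interval_s=300,
    line_regex=r'^\S+\s+LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
               r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)',
)


def parse_output(cmd, output):
    """Each output line matching the collector's regex becomes one event (a dict)."""
    pattern = re.compile(cmd.line_regex)
    events = []
    for line in output.splitlines():
        m = pattern.match(line)
        if m:
            ev = {"source": cmd.name, **m.groupdict()}
            ev["port"] = int(ev["port"])
            ev["pid"] = int(ev["pid"])
            events.append(ev)
    return events


@dataclass
class IoARule:
    name: str
    condition: object                               # callable(event) -> bool
    response: list = field(default_factory=list)    # argv template; {field} is filled from the event


EXPECTED_LISTENERS = {22, 631}   # illustrative allowlist for this host role

UNEXPECTED_LISTENER = IoARule(
    name="unexpected_listening_port",
    condition=lambda ev: ev["port"] not in EXPECTED_LISTENERS,
    # A real deployment would run its own triage script here; echo is a stand-in.
    response=["echo", "collect-triage", "--pid", "{pid}", "--proc", "{proc}"],
)


def evaluate(events, rules, run=None):
    """Apply every rule to every event and run the response of each match.

    `run` executes the response argv; it defaults to subprocess.run so the
    example works offline with the harmless `echo` above. Returns a list of
    (rule name, event, argv that was run) for every match.
    """
    run = run or (lambda argv: subprocess.run(argv, check=False))
    hits = []
    for ev in events:
        for rule in rules:
            if rule.condition(ev):
                argv = [part.format(**ev) for part in rule.response]
                run(argv)
                hits.append((rule.name, ev, argv))
    return hits


def collect_once(cmd):
    """One scheduler tick: run the command, parse its output, return the events."""
    out = subprocess.run(cmd.argv, capture_output=True, text=True, check=False).stdout
    return parse_output(cmd, out)


if __name__ == "__main__":
    events = parse_output(LISTENER_COLLECTOR, SAMPLE_OUTPUT)
    for name, ev, argv in evaluate(events, [UNEXPECTED_LISTENER]):
        print(name, ev["proc"], ev["port"], shlex.join(argv))
```

The point of the design is that the rule engine never sees raw command output: the collector's regex normalizes each line into a typed event, so the same IoA rule can be written against events regardless of which OS tool produced them. Passing a recording function as `run` is how you would unit-test response templates without executing anything.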

In addition, the updated version of BI.ZONE EDR for macOS has a number of new telemetry events: modification of extended file system attributes and changes to the owner or group of a file object. The agent for Windows is now capable of reading data from arbitrary Windows Event Logs. Improvements in the user interface of the management server have delivered a 30% reduction in the time spent on routine diagnostic operations.

Earlier we presented an on-prem version of BI.ZONE EDR. It is intended for companies that prefer to address their monitoring and response tasks in-house using advanced tools, without resorting to service providers. Before that, the capabilities of the solution were available only as part of the BI.ZONE TDR cybersecurity monitoring service.