Presenting on-prem BI.ZONE EDR endpoint security solution

The BI.ZONE EDR on‑prem version contains all the features that proved effective in BI.ZONE TDR (SOC/MDR). The agents for Linux, Windows, and macOS have also got a number of updates
May 20, 2024

We have presented an on‑prem version of BI.ZONE EDR, a solution for endpoint detection and response to advanced threats. It helps to detect sophisticated threats on desktops and servers powered by Windows, macOS, and Linux as well as in containerized environments. Additionally, the solution allows users to respond to incidents quickly, both automatically and manually.

Previously, BI.ZONE EDR capabilities were available as part of the BI.ZONE TDR (Threat Detection and Response) service. The on‑prem version of the solution is intended for companies that prefer to address their monitoring and response tasks in‑house using advanced tools, without resorting to service providers.
The key goal of BI.ZONE EDR is to provide effective protection for endpoints—servers and workstations. The share of such devices in any IT infrastructure is up to 85% and it is these devices that are mostly targeted by adversaries.
Teymur Kheirkhabarov
Head of Cyber Threat Monitoring, Response and Research

The BI.ZONE EDR functionality has also expanded. Key improvements have been made to the BI.ZONE EDR agent for Linux, which received extended capabilities for event detection within containers. This applies primarily to creating and modifying files as well as starting processes.

The new version makes wide use of eBPF (extended Berkeley Packet Filter) technology, which enables deeper integration with container environments such as Docker or Kubernetes and improves visibility within containers. As a result, BI.ZONE EDR allows security analysts to see at once both the host and the specific container where a suspicious event occurred, significantly reducing response time. Additionally, to better ensure the stable operation of critical applications in highly loaded and sensitive infrastructures, it is now possible to limit the resources consumed by BI.ZONE EDR for Linux.

Another upgrade of BI.ZONE EDR for Linux improves offline detection of indicators of attack (IoAs). Unlike the indicators of compromise (IoCs), which indicate that a system is already compromised, IoAs are used to prevent damage by detecting signs of an ongoing attack: attempts to exploit vulnerabilities, unusual network requests, suspicious changes to the system, etc.

The event monitoring capabilities of BI.ZONE EDR for Windows have also been extended with monitoring support for named pipes and for events from WSL (Windows Subsystem for Linux) processes.

Named pipe technology is designed for processes to communicate through a specially named resource on the file system. Attackers often use it to inject malware, control an infected system, and bypass defenses. Named pipe monitoring allows for the detection of suspicious or unauthorized communications between processes, which could indicate malicious activity.

In turn, WSL support enables the detection of attackers who use a combination of Windows and Linux tools to accomplish their objectives. They use this tactic to bypass security controls more effectively.

Moreover, the Windows version of BI.ZONE EDR provides additional automatic response features, including the suspension of a process or thread and termination of an active user session. These enhancements allow users to respond to threats more quickly and minimize potential damage.

The agent for macOS has been equipped with monitoring and inventory features for autorun points specific to this operating system, such as Launch Agents, Launch Daemons, and Login Items. Malware frequently uses these locations to gain persistence on the system, and monitoring them helps ensure timely detection of such attempts. YARA scanning of files and processes has also been added, providing advanced signature‑based malware detection capabilities.
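To illustrate what an autorun-point inventory of the kind described above involves, here is an added example (not BI.ZONE's own code) that parses launchd property lists for Launch Agents and Launch Daemons, records which program each one starts, flags binaries outside the usual system paths for review, and compares two snapshots so that newly added or altered items stand out. The plist contents, paths and the `TRUSTED_PREFIXES` heuristic are constructed for the example.

```python
import plistlib

# Constructed sample launchd property lists keyed by path (not taken from any real host).
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/updater</string><string>--daemon</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
    "/Users/alice/Library/LaunchAgents/com.example.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Users/alice/Library/.cache/helper</string>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

# Assumed heuristic for the example: binaries under these prefixes are treated as expected locations.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")

def parse_launchd_plist(path, data):
    """Extract the fields that matter for a persistence inventory from one launchd plist."""
    info = plistlib.loads(data)
    args = list(info.get("ProgramArguments") or [])
    # launchd runs either "Program" or the first element of "ProgramArguments".
    program = info.get("Program") or (args[0] if args else None)
    return {
        "path": path,
        "scope": "daemon" if "/LaunchDaemons/" in path else "agent",
        "label": info.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(info.get("RunAtLoad", False)),
        # Heuristic only: a launch item whose binary lives outside the usual system or
        # application paths (e.g. a hidden directory under a home folder) deserves analyst review.
        "review": program is None or not program.startswith(TRUSTED_PREFIXES),
    }

def inventory(plists):
    """Build the inventory keyed by label so that two snapshots can be compared."""
    return {e["label"]: e for e in (parse_launchd_plist(p, d) for p, d in plists.items())}

def diff_inventory(baseline, current):
    """Report autorun items that were added, removed, or whose program/arguments changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(l for l in set(baseline) & set(current)
                     if (baseline[l]["program"], baseline[l]["arguments"])
                     != (current[l]["program"], current[l]["arguments"]))
    return {"added": added, "removed": removed, "changed": changed}
```

On a real host the same functions would be fed the bytes of each plist found under the LaunchAgents and LaunchDaemons directories; Login Items are stored differently and need a separate collector.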

Previously, BI.ZONE EDR functionality was expanded with the Deception module which enables companies to create decoys indistinguishable from their real infrastructure assets. This way, even a professional attacker capable of evading detection can be tracked down at the initial stage of reconnaissance.