Attackers don’t necessarily follow rules to achieve their goals. They adapt and move stealthily and unpredictably. Traditional security systems expect the attacker to follow known techniques and widely used intrusion methods. If intruders slightly modify their attack method, these systems will no longer recognize the threat.
At Silicium we assume only one thing: by investing enough time, knowledge and energy, attackers will get through any security system.
ECAT is a detection system built to coexist with existing security products. It combines multiple cutting-edge technologies to perform state-of-the-art enterprise compromise assessment, breach detection and incident response.
How does ECAT work?
- Perform an inventory of every executable, DLL and driver on the machine.
- Check for internal structures and system anomalies indicating malware activity.
- Send the collected information back to a central server for processing.
- Compare the results with a clean baseline system.
- Identify known good files using digital signature validation and the Bit9 GSR.
- Send unknown files to the server for scanning using OPSWAT Metascan Antivirus.
- Flag abnormal behaviors and correlate them across the entire environment.
Using this simple workflow, a single compromised computer among thousands can be identified in hours.
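The server-side triage in the workflow above can be sketched as follows; this is an added example, not ECAT's own code. The `FileRecord` fields, the `triage` function, the sample hosts, paths and hashes, and the use of rarity across hosts as the correlation signal are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileRecord:
    host: str
    path: str
    sha256: str            # hash reported by the endpoint agent
    signature_valid: bool  # verdict of server-side signature validation

def triage(inventory, baseline, known_good, rare_threshold=1):
    """Return (scan_queue, flagged) for a list of FileRecord.

    scan_queue: hashes not in the baseline, not validly signed, not in the registry.
    flagged: unknown records whose hash appears on <= rare_threshold hosts
             (rarity as the correlation signal is an assumption of this sketch).
    """
    hosts_by_hash = defaultdict(set)
    for rec in inventory:
        hosts_by_hash[rec.sha256].add(rec.host)

    scan_queue, flagged = set(), []
    for rec in inventory:
        if rec.sha256 in baseline:
            continue  # identical to the clean baseline system
        if rec.signature_valid or rec.sha256 in known_good:
            continue  # known good: valid signature or registry hit
        scan_queue.add(rec.sha256)  # unknown: hand to antivirus scanning
        if len(hosts_by_hash[rec.sha256]) <= rare_threshold:
            flagged.append(rec)
    return scan_queue, flagged

# Constructed sample data: placeholder hashes, hypothetical hosts and paths.
BASE, SIGNED, REG, SHARED, RARE = ("b" * 64, "c" * 64, "d" * 64, "e" * 64, "f" * 64)
HOSTS = ("ws-001", "ws-002", "ws-003")
INVENTORY = (
    [FileRecord(h, r"C:\Windows\System32\kernel32.dll", BASE, True) for h in HOSTS]
    + [FileRecord(h, r"C:\Tools\inhouse.exe", SHARED, False) for h in HOSTS]
    + [
        FileRecord("ws-002", r"C:\Program Files\Vendor\app.exe", SIGNED, True),
        FileRecord("ws-001", r"C:\Program Files\Old\legacy.exe", REG, False),
        FileRecord("ws-003", r"C:\Users\Public\updater.exe", RARE, False),
    ]
)

if __name__ == "__main__":
    queue, flagged = triage(INVENTORY, baseline={BASE}, known_good={REG})
    print(f"{len(queue)} hashes queued for scanning")
    for rec in flagged:
        print(f"review {rec.host}: {rec.path}")
```

The unsigned in-house tool present on every host is still queued for scanning but is not flagged, while the unsigned file seen on a single host is.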
- Digital Signature Validation
ECAT performs code signature validation of the “digital stamp” applied on files when they are released by software vendors. Code signing certificates are issued to companies and individuals by trusted authorities such as VeriSign, who follow a strict authentication process. The signature validation process is split between the ECAT client and server to avoid tampering by malware installed on the monitored systems.
- Bit9 GSR
ECAT supports the Bit9 Global Software Registry (GSR) to ensure that files are clean and safe. The Bit9 GSR contains more than 12 million unique hashes of “known good” Windows executable files. These hashes are provided by trusted software vendors such as Microsoft, Adobe, and IBM and are certified as being free from malware.
- OPSWAT Metascan Antivirus
The ECAT server can scan unknown executables with over eight antivirus engines using OPSWAT Metascan Antivirus. Since the scanning process is on the ECAT server, there is no performance impact on the client workstations and servers.
For more information on ECAT and how ECAT can detect compromised systems in your environment, contact us for a demonstration or evaluation, download the datasheet or download our whitepaper.