Endgame introduces Total Attack Lookback for incident review
Endgame has made critical threat intelligence data available to all customers free of charge through Total Attack Lookback – the forensic review feature to exceed average adversary dwell time. Endgame Total Attack Lookback provides a record of operating system events, to ensure assessment of the origin and extent of an attack, meet notification requirements, and minimize exposure to compliance and regulatory violations.
“At Endgame, my team focuses every day on the earliest possible prevention; however, there is a much larger and richer story to be told to understand all the behavior of the adversary. Total Attack Lookback tells that story. When you combine Endgame’s data retention with Endgame Artemis, I believe you get the most robust and accessible EDR capability in the market,” says Jamie Butler, Chief Technology Officer at Endgame.
Why 120 days?
According to the 2018 SANS Threat Hunting Survey, average adversary dwell time within an organization’s network exceeds 90 days, increasing the potential for damage and loss.
Endgame collects and stores a range of operating system events including process, file, and network events for up to 120 days, capturing all activity, and identifying the complete attack path, including all affected users and assets.
Automated investigations
The Endgame user interface includes three technologies to automate investigations across the Endgame event store, at scale.
- Artemis, the natural language understanding (NLU) chatbot that enables tier one analysts or security mangers to investigate incidents, triage, hunt and respond to threats in plain English.
- Resolver, Endgame’s visualization technology, provides a view into the entire attack, correlating all security events in the timeline and enabling users to interact, investigate, and respond using a graphical user experience.
- EQL, Endgame’s event query language provides investigators and analysts with a scripting interface to hunt for and identify suspicious activity across Endgame’s event data, using the Artemis chat interface.
Endgame’s multi-tier architecture ensures investigations scale to the largest enterprises, and include disconnected endpoints, while ensuring privacy across geographies with the lowest impact on resources.