EDR OPTIMUS

EDR OPTIMUS has several features to perform automated remediation, based on predefined parameters, which allows to fight effectively 24/7 against unknown threats, without the risk of depending on a human team that may be missing elements.

EDR OPTIMUS can search for more than 11,000 CVE-type vulnerabilities, sometimes uncovering things that are totally invisible, such as machines that are vulnerable because of an old Java, Adobe Reader or Flash engine that has been forgotten or installed in legacy mode. This means you can deploy EDR OPTIMUS to audit your IT assets, without consuming excessive resources, and thus have the opportunity to ensure asset compliance.

EDR OPTIMUS offers a range of protections against ransomware: the blacklists in our Threat Intelligence database enrich the choices made by EDRs, application security policies that can be used to define conditions on your network with advanced granularity, Honeytokens-type concepts with fake files that a ransomware will want to destroy while still being detected (file-type computer decoys), and numerous behavioural-based mechanisms: attacking certain points on the hard disk, and so on.

EDR OPTIMUS has several ways to combat lateral attacks, including the ability to process local logs in the operating system to detect if activity is being attempted remotely. This is a true SIEM tactical, local, capable of knowing whether a session is interactive or not, remote or not, in order to be able to track attacks of this type.

EDR OPTIMUS embeds an ultra-sophisticated analysis engine, capable of differentiating between a legitimate product and one that is not, in terms of PowerShell, by analyzing the code executed on the fly so as not to miss any of the many modern and stealthy attacks associated.

EDR OPTIMUS provides its own protection through layers that are directly installed in the Windows kernel, via a low-level driver, so that it cannot be uninstalled outside of an authorized centralized decision. It is not possible to remove the agent.

The analysis of malicious URL links with C&C lists, etc. is mainly conducted by the EPP product. However, we can do targeted searches for these threats with EDR OPTIMUS in hunting mode.

EDR OPTIMUS continues to operate with its security policy already loaded when it goes offline. It then stores the events that it will report upon reconnection to its endpoint appliance. Of course, throughout this phase, the risk of intrusion without a network connection seems to be reduced, since EDR Optimus can also contain USB attacks for example.

EDR OPTIMUS may request the TEHTRIS Cyber Threat Intelligence module of TEHTRIS XDR AI Platform, to perform sandbox scans, offline antivirus scans, neural network engine scans, or malware knowledge base searches.

TEHTRIS has many elements related to artificial intelligence and automatisms associated with the cyberworld. In machine learning mode, EDR OPTIMUS learns all the executions in your infrastructure in order to detect anomalies, as well as the persistence points used by hackers to survive a reboot or reconnection. In deep learning mode, EDR OPTIMUS has a compact neural network-based engine that can tell if software is malicious or not. This engine is also used in CTI. The latter is the first French product accepted by Google on its free service VirusTotal, where a public and non-commercial version is constantly running in search of unknown malware.

EDR OPTIMUS natively uploads at-risk files back to its infrastructure so that the payload can be detonated in a sandbox environment. Robots plan and control the execution, analyze the results, and return the right information back to the EDRs on their own, so they can make a decision.

To put it simply, EPP is the next-generation antivirus tool that protects the OS against known attacks. It is the real system shield. EDR solutions are used to detect unknown threats and handle security issues remotely with a range of incident response functions. TEHTRIS believes that EDR and EPP products will soon merge and become one tool through a necessary technological convergence. The existence of an EDR market was only necessary because they filled technical gaps on the EPP side. In a future that is already beginning, companies will choose one product, an endpoint protection solution, combining EDR and EPP features, to avoid agent issues. EPP and EDR OPTIMUS are already available for this purpose.

We must choose the criteria that allow neutralization by software robots. It’s a risky action, that some EDR solutions don’t want to offer for fear of breaking everything. Unfortunately, the day an unknown ransomware comes in, such products, which are only used for response and analysis, will only be able to say that they have understood why the company is being destroyed (not helpful at all). This is not our philosophy and we prefer to offer automatic neutralization, carefully and properly configured. Depending on the aspect of the unknown software, you will be able to decide whether to let it go or not: behavior, sandbox results, antivirus results, antivirus databases results, etc.

For mobile devices, we offer another range of products, called Mobile Threat Defense, different from EDR OPTIMUS.

We collect metadata in a way that is compatible with the GDPR, and we will able to exchange on these elements if you wish.

If your EPP agents plays at killing security software protecting your infrastructure, there might be a problem with the EPP settings or even the product. Currently, for all customers who do not have EPP, and who have been using EDR OPTIMUS since 2014, we have encountered a total of zero conflict issues with other EPP brands.

A EDR OPTIMUS agent can be instructed so that its hosts might only accept outbound network flows to its management appliance, so that a SOC can quietly study its host, without taking the risk of lateral movement or internal exploration.

EDR OPTIMUS is compatible with Linux, macOS and Windows environments. Our EDR continues to support obsolete Windows operating systems, such as Windows XP and Windows 2003, in order to adapt to our customers’ severe constraints, particularly in the industrial sector (OT, ICS, SCADA).

EDR OPTIMUS collects and analyzes security logs from workstations, providing a so-called tactical SIEM capability, in order to keep very interesting events for cybersecurity analysts.

EDR OPTIMUS uses less than 1% on average on the CPU, and less that 100 Mo to 200 Mo in RAM, depending on the settings you want to setup: loading the neural network in memory or not, etc.

EDR OPTIMUS has been tested and deployed by some of our customers in industrial environments on Windows boxes that were not advertised by the manufacturers as supporting it. These customers could no longer imagine not having antivirus (not enough RAM, too old, etc.) or EDR (light and powerful but not officially supported by the OT manufacturer). So, they made agreements with the manufacturers, and they conducted some tests alone, with the help of TEHTRIS in background. For example, we are in factories with equipment from different brands like Siemens (Simatic, Simoton, WinCC, TIA, etc.).

EDR OPTIMUS can prohibit the use of external storage, or even set it to read-only to prevent deliberate or inadvertent exfiltration. TEHTRIS logs all traces of connected USB devices to provide traceability regarding these threats.