Overview:
Modern SOC Challenges
Modern SOCs face several challenges, including the rapid evolution of threats, the high volume of security alerts, and a significant shortage of skilled cybersecurity professionals; that skills gap is projected to grow by 35% by 2031. SOC professionals need to address these issues with scalable and flexible solutions that enhance threat detection with AI and machine-learning capabilities, automate complex processes, and offer real-time visibility, enabling more efficient threat hunting, detection, incident investigation, and response. This ultimately improves SOC efficiency and helps manage the growing scale and sophistication of cyber threats.
What is WatchGuard Orion?
WatchGuard Orion is a multi-tenant threat hunting and incident detection, investigation, and response Cloud-native solution for SOCs that leverages security analytics, machine learning, and automation to proactively and efficiently uncover and respond to unknown, sophisticated threats.
Flexibility vs Pre-built, Out-Of-The-Box
WatchGuard Orion brings flexibility and efficiency to all SOC members, integrating into a single console powerful tools that enable expert analysts and hunters to configure threat hunting rules, freely investigate incidents by accessing the 365-day enriched telemetry, share their investigations, and extend to others through Jupyter Notebooks. The over-400 pre-built and automated detection analytics rules, created and managed by WatchGuard SOC, investigation console features, and assisted investigations increase analyst efficiency. The combination of Orion’s flexibility with automation makes it a perfect fit for SOC teams at any security maturity stage.
Robust APIs and Plugins: WatchGuard Orion offers cloud console and API access for easy SecOps integration. It enables actions on endpoints, real-time and retrospective IoC searches, access to WatchGuard’s data lake, retrieval of IoCs, IoAs, and OSQuery data, and more. It supports SIEM (ArcSight, QRadar), ticketing (ServiceNow), and TIPs (MISP) plugins.
WatchGuard Orion-EPDR Key Features
WatchGuard Orion is designed to enhance the efficiency of SOC analysts, expedite the detection process, and improve the cybersecurity resilience of customers, building upon the foundation of WatchGuard EDR, EPDR, and Advanced EPDR. It achieves this by augmenting their capabilities with the following features:
Hardening and Prevention
- Auto-Discovery & Enforcement: Protects unmanaged endpoints.
- Vulnerability Assessment and Anti-Tampering: Reduces threat exposure.
- Device Control: Manages device access and use.
- Contextual Detection and Anti-Exploit: Blocks threats before they can cause damage.
- Zero-Trust Application Service: Prevents malware and ransomware execution.
- Advanced Security Policies and Threat Hunting Service: Monitors or denies the execution of living-off-the-land techniques.
Monitoring and Detection
- Anti-Exploit: Behavioral and context-based protection.
- IoC & YARA Searches: Efficient threat identification.
- Cyber Threat Radar: Scalable behavior analytics.
- Hunting Library: Pre-built rules and custom tool creation.
- Prioritized IoAs: Contextualized and mapped to MITRE ATT&CK.
Threat Hunting
- Threat Hunting Service-as-a-Feature: Offers integrated, proactive threat detection.
- Premium Threat Hunting: Provides an optional advanced service.
- Cloud Data Lake: Keeps 365-day enriched telemetry data.
- Dynamic Query Library: Allows easy navigation of the data lake.
- Query Editor & Builder: Enables hunting in real time or retrospectively.
In-Depth Investigation
- Collaborative Incident Management: Team-based resolution.
- Investigation Tools: Event Timeline, Process Tree, Interactive Graphs.
- Pre-built Notebooks Library: Analytics at scale.
- Assisted Investigations: Faster detection and response.
- Customization Tools: Custom notebooks and playbooks.
- On-Demand Endpoints: OSQuery inspections and remote shell access.
Response
- Remote Access for Investigation: Transfers files, dumps, net info, pcap, etc.
- On-Demand Containment: Isolates or restarts endpoints as needed.
- Remote Containment & Remediation: Manages processes, files, and services remotely.
- Custom Mitigation: Utilizes notebooks to integrate across security tools.
By combining attack surface reduction, prevention, and effective detection and response strategies, WatchGuard EDR, EPDR, or Advanced EPDR together with WatchGuard Orion empower SOCs with a robust cybersecurity framework.
Figure. WatchGuard Endpoint Security solutions and modules collaborate with each other to reinforce the entire threat lifecycle, from attack surface reduction and prevention to its detection, response, and investigation for improving defense for future attacks.
Benefits:
WatchGuard Orion aims to boost SOC analyst productivity, reduce time-to-detection, and enhance overall customer cybersecurity resilience. This is on top of WatchGuard EDR, EPDR, Advanced EPDR, and the Zero-Trust Application Service, augmenting their capabilities with the following:
- Alert Noise Reduction: an 80% decrease in alert noise through automated IoA prioritization.
- Collaboration: tools to effectively coordinate alert and incident case management, investigations, and response efforts across teams.
- Automation: alleviates repetitive tasks such as activity monitoring to detect suspicious behaviors, intelligence-driven and analytics-driven hunting, and investigating repetitive incident cases. It frees analysts for higher-level investigations and proactive threat hunting.
- Custom proactive threat hunting: Includes intelligence-driven, analytics-driven, and hypothesis-based hunting to uncover sophisticated threats or unwanted behaviors. The result can be automated through threat-hunting rules.
- Consolidated SOC tools in just one console: Streamlined integration with SOC tools out-of-the-box that enables swift triage, investigation, and response.
Switch to a Proactive Defense Strategy
Orion’s out-of-the-box behavioral analytics automatically detect, prioritize, and contextualize anomalous activity at scale. Backed by WatchGuard cybersecurity experts and up-to-the-minute intelligence, it enables SecOps teams to anticipate the stealthiest adversaries, elevating SOC accuracy and effectiveness.
Hunt Unknown, Sophisticated Attacks
Orion’s hunting rules analyze the endpoint telemetry in real time to uncover, prioritize, and contextualize indicators as attack signals, mapped to MITRE. SOC hunters can use WatchGuard’s up-to-date platform hunting rules, as well as build their own rules using the 365-day retrospective data lake to validate their attack hypotheses.
Investigate and Respond Earlier
SOC analysts can create and extend our out-of-the-box investigations through platform notebooks to fit their practices. WatchGuard’s data scientists include the machine-learning analytics and narrative to explain methodology and steps for root cause analysis.
Level Up Maturity with Collaboration
WatchGuard Orion speeds up analysts’ time-to-value through collaboration within incident cases and knowledge sharing. Novice analysts learn from senior practitioners how to build their skills with hunting rules, notebooks, and playbooks, accelerating the entire SOC maturity.
Assemble a Full Security Stack
Through its APIs and notebooks, WatchGuard Orion seamlessly integrates into your operation ecosystem to extend the investigation and orchestrate the cross-functional response workflow.
Figure. WatchGuard Orion and its features boost efficiency for analysts and threat hunters across WatchGuard's SOC as well as partner and customer SOCs.
WatchGuard Orion Solutions – Proactive Security at Scale
Nearly two-thirds of companies have been compromised by attacks originating on endpoints in the preceding 12 months. Compromised endpoints are points of access that cybercriminals use to infiltrate a network. Detect and respond to advanced threats that evade security controls thanks to WatchGuard Orion and Orion-EPDR.
WatchGuard Orion
Orion is a multi-tenant detection, hunting, investigation, and response platform designed for security operations teams. This Cloud-native platform helps SOCs boost their operational efficiency by stopping advanced threats in the early stages of the cyber kill chain using security analytics at scale.

WatchGuard Orion-EPDR
Bundle Orion with WatchGuard Advanced EPDR to minimize security gaps and offer a full range of threat life cycle management (TLCM) services, from hardening and prevention to proactive detection and response to threats. With the Zero-Trust Application Service, SOCs become more effective and scalable at stopping advanced threats at the endpoint.
Documentation:
Download the WatchGuard Orion (.PDF)