
GATEWATCHER


Trackwatch® Full Edition, the detection system published by Gatewatcher, is based on next-generation technology and efficiently protects organisations against intrusions and breaches.

Trackwatch® Full Edition is the first advanced threat detection system qualified by the French National Cybersecurity Agency (ANSSI).



Gatewatcher: a Breach Detection System


ADVANTAGES

  • Analyses all network flows.
  • Detects all types of attack vectors.
  • Multi-format analysis of non-executable files.
  • Parallel analysis of files through load-balancing algorithms (> 6 million per day).
  • Detects malicious files.
  • Detects vulnerability exploitation (polymorphic shellcodes, encoded shellcodes, ROP...).
  • Detects 0-day attacks by dynamic controlled execution.
  • Rebuilds attacks / kill chain by syntactic and comparative analysis.
  • Retro-analyses suspicious files automatically.

SOLUTION

GATEWATCHER is a new-generation intrusion detection solution based on innovative technologies to detect the most recent and crafted attack methods.

GATEWATCHER analyses network flows with GCAP probes placed out of band, on a mirrored or tapped link.

TRACKWATCH, the detection technology implemented in GATEWATCHER, consists of four new-generation engines. Two engines are dedicated to network flow and payload analysis: SIGFLOW and CODEBREAKER. The other two analyse files: MALCORE and RETROACT.

Threats detected by GATEWATCHER’s next-generation detection engines


EXPLOITS

0-Days: 0-days themselves can’t be detected, but their payload can. Most of the time, it’s a shellcode or a ROP chain.
Local / lateral movement: Active Directory attacks are used for lateral movement and vulnerability exploitation. They can be detected by CODEBREAKER and SIGFLOW.
DoS: DoS and DDoS are the domain of dedicated anti-DDoS products. NETFLOW and SIGFLOW can detect some of them.
Remote: CODEBREAKER and SIGFLOW are fully operational to detect remote vulnerability exploitation.
Shellcode: CODEBREAKER was designed to detect shellcodes.
ROP: version 2.6.1 will integrate ROP support.
Webapps: SIGFLOW has an integrated web attacks category. Version 2.6 will integrate MISP support.


MALWARE

Classic malware: MALCORE was built to detect malware.
Advanced malware (with obfuscation, anti-debug, anti-sandbox, etc.): MALCORE is not subject to anti-debug / anti-sandbox techniques.
Hybrid malware (only a shellcode payload): version 2.6.1 will integrate shellcode extraction by IFG/CFG analysis.
One-line malware (malware with an embedded one-line payload): version 2.6.1 will integrate one-liner extraction by IFG/CFG analysis.
APT malware (designed for one campaign): version 2.7 (end of Q4 2019) will integrate a Machine Learning engine. RETROACT has a very good detection rate on APT malware samples.


BOTNET

Unknown botnet
Known botnet


SIGFLOW

Detects attackers’ network activity
SIGFLOW analyses the whole network traffic from a formal and statistical point of view and deeply inspects network packets. SIGFLOW and its signature base rely on dynamic processing in order to optimise detection accuracy and reduce false positives.



CODEBREAKER

Detects vulnerability exploitation methods
CODEBREAKER detects shellcodes (encoded and polymorphic) and code-reuse attacks that materialise as ROP chains (Return Oriented Programming) and JOP chains (Jump Oriented Programming). These intrusion methods are invisible to all existing security solutions and represent 70 to 80% of 0-day attacks. The innovation brought by CODEBREAKER is unique on the market.



MALCORE

Detects malware
MALCORE analyses all files travelling on the network with 16 anti-malware engines. Each file is load-balanced in real time across the engines. The engines were selected by the GATEWATCHER Lab Center for their complementarity and detection accuracy. MALCORE has the widest detection spectrum on the market, with superior results on all types of malware.



RETROACT

Detects post-compromise activity
RETROACT allows the empirical re-analysis of files flagged as potentially malicious by MALCORE’s heuristic analysis. The duration and frequency of this retrospective analysis can be configured (several days, weeks or months later), using new signatures and heuristic methods as they become available. RETROACT proved its efficiency on malware unknown to all vendors.
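As an added illustration (not Gatewatcher's code), a minimal retrospective re-analysis queue of the kind RETROACT describes: heuristic-suspect files are retained with their first-seen time, re-scanned at configured intervals against the current signature set, and a post-compromise alert carrying the dwell time is raised when a file that was clean now matches. The schedule, the digest-based signature set and the sample data are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Sample:
    digest: str
    first_seen: datetime
    verdict: str = "clean"                        # latest verdict
    history: list = field(default_factory=list)   # (scan_time, verdict) pairs


class RetroStore:
    """Keeps heuristic-suspect files and re-scans them on a schedule."""

    def __init__(self, schedule_days=(1, 7, 30)):
        # assumed schedule: re-scan 1 day, 1 week and 1 month after first sight
        self.schedule = [timedelta(days=d) for d in schedule_days]
        self.samples: dict[str, Sample] = {}

    def ingest(self, data: bytes, seen_at: datetime, heuristic_suspect: bool) -> None:
        # only files flagged suspect by the heuristic pass enter retrospective analysis
        if heuristic_suspect:
            self.samples.setdefault(sha256(data), Sample(sha256(data), seen_at))

    def due(self, now: datetime) -> list:
        # a sample is due once its next scheduled offset has elapsed
        out = []
        for s in self.samples.values():
            done = len(s.history)
            if done < len(self.schedule) and now >= s.first_seen + self.schedule[done]:
                out.append(s)
        return out

    def rescan(self, now: datetime, signatures: set) -> list:
        """Re-evaluate due samples against the current signature set (here: a set
        of known-bad digests). Returns an alert for each file that was clean at the
        previous scan but now matches, with the dwell time since first sighting."""
        alerts = []
        for s in self.due(now):
            verdict = "malicious" if s.digest in signatures else "clean"
            if verdict == "malicious" and s.verdict == "clean":
                alerts.append({"digest": s.digest, "first_seen": s.first_seen,
                               "dwell_days": (now - s.first_seen).days})
            s.verdict = verdict
            s.history.append((now, verdict))
        return alerts
```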



DEPLOYMENT

GATEWATCHER is deployed with two types of appliances: GCAP and GCENTER.

GCAP probes capture network flows and partially analyse them. A GCAP is connected to a switch port mirror or to a TAP replicating the network flow. One or several GCAPs can be deployed within an infrastructure, locally or on remote sites. GCAPs are connected to a management appliance: GCENTER.

GCENTER analyses the information gathered by the GCAPs, provides their storage, configuration and reporting interfaces, and exports the information to a SIEM.