Invincea® Management (formerly Invincea Management Server) enables security teams to centrally manage Invincea Endpoint instances, while providing enterprise-wide threat identification, control and intelligence. The product analyzes unknown executables via cloud-based threat analysis services including Cynomix; remotely executes controls such as quarantine, process kill, or enterprise-wide eradication; and provides rich forensic information on attacks.
When an unknown software process is detected by Invincea Endpoint, Invincea Management sends the file’s identifying data to leading cloud-based and on-premise threat analysis services, which query their databases of millions of “known bad” (malware) and “known good” files, to reach a verdict on the unknown program. These cloud and on-premise services include VirusTotal, Metascan and ReversingLabs, and are growing over time.
But what happens when none of the threat analysis services are familiar with the program? That’s when Invincea Advanced Endpoint Protection really shines.
Invincea Management leverages Cynomix, Invincea's cyber genome analysis technology developed under DARPA sponsorship, to apply rigorous malware analysis to files that no reputation database recognizes. Cynomix extracts the genetic markers from the suspicious program and compares them against a map of the cyber genome built from millions of malware strains. In seconds, it returns a threat score that indicates the probability that the program is malicious, along with a set of functional capabilities the program likely possesses. Based on this analysis, security teams can take an escalating set of corrective actions to control and eliminate the malicious code.
“We get the best of both worlds – employees have free access, our business is secure.”
-CIO, U.S. Defense Contractor
Invincea Management provides the central management console for all Invincea Endpoint instances. It allows the security team to view and modify Invincea Endpoint configurations, while providing a full audit trail of all changes. Invincea Management also offers robust backup and restore capabilities.
To support complex enterprise requirements and multiple organizational entities, different groups of users and endpoints can be managed with unique configurations. You can configure and publish software and configuration versions on a per-group basis. Endpoints can also be easily moved between groups.
Invincea Advanced Endpoint Protection identifies suspicious processes running on endpoints and provides analytic tools to determine whether a program is likely malicious. Invincea's approach is unique in that it uses an open, vendor-neutral API to apply best-of-breed cloud-based analytics to endpoint activity, and it does so efficiently to minimize the performance impact on disk I/O, CPU, memory, network bandwidth, and storage.
Invincea Endpoint avoids expensive full-disk scanning and instead analyzes only software processes that are new to a host. Each time a process launches or a module loads (an application, DLL, etc.), Invincea Endpoint immediately checks whether that file has been seen on the endpoint before. If it has, and it is a known malicious file, the security team can take corrective action. If it has not been seen on that device before, Invincea Endpoint queries Invincea Management, sending less than 1KB of data to the server, to determine whether the file has been seen elsewhere in the enterprise. If Invincea Management has seen the process before, it tells Invincea Endpoint whether the program is safe or malicious.
If Invincea Management has never seen it before (that is, it is the first time the program has appeared anywhere in the enterprise), Invincea Management queries a set of cloud-based and on-premise threat analysis services about the program, in most cases sending only the program's identifying metadata rather than the file itself. These services include Invincea's Cynomix technology, VirusTotal, Metascan and ReversingLabs. Such crowdsourced threat analysis helps the security team "clear" or "indict" suspicious processes against a comprehensive body of global malware knowledge, typically completing within seconds. Because the reputation services match on identifying data, a freshly compiled or repacked sample will not match any of their databases; that is the case Cynomix's genome analysis is designed to cover. The security team can then take appropriate corrective action using the solution's granular controls.
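The three-tier lookup described in the two paragraphs above (per-host cache, enterprise-wide cache at the management server, then external reputation services on first sight), as an added illustration. This is not Invincea's code: the endpoint, server and reputation services are simulated in memory so it runs offline, the sample "files" are constructed byte strings, and the choice of SHA-256 as the identifying metadata and the JSON query shape are assumptions, not the product's actual protocol.

```python
"""Tiered process-verdict lookup modelled on the flow described above.

Added illustration, not Invincea code. Endpoint, management server and
external reputation services are in-memory stand-ins; SAMPLE_FILES are
constructed byte strings, not real binaries.
"""
import hashlib
import json

MALICIOUS, SAFE, UNKNOWN = "malicious", "safe", "unknown"
MAX_QUERY_BYTES = 1024  # the datasheet says the endpoint query is under 1KB

SAMPLE_FILES = {  # constructed stand-ins for executables
    "calc.exe": b"MZ benign calculator stub",
    "dropper.exe": b"MZ malicious dropper stub",
    "newtool.exe": b"MZ never-before-seen internal tool",
}


def file_id(data: bytes) -> str:
    """Identifying metadata sent instead of the file (SHA-256 is an assumption)."""
    return hashlib.sha256(data).hexdigest()


class ThreatServices:
    """Simulated external reputation services: hash lookup against known sets."""

    def __init__(self, known_bad, known_good):
        self.known_bad, self.known_good = set(known_bad), set(known_good)
        self.queries = 0

    def lookup(self, sha256: str) -> str:
        self.queries += 1
        if sha256 in self.known_bad:
            return MALICIOUS
        if sha256 in self.known_good:
            return SAFE
        # No database knows this hash: the product would hand the sample to
        # Cynomix for genome scoring; that analysis is not modelled here.
        return UNKNOWN


class ManagementServer:
    """Enterprise-wide cache: external services are asked only on first sight."""

    def __init__(self, services: ThreatServices):
        self.services = services
        self.verdicts = {}    # sha256 -> verdict
        self.first_seen = {}  # sha256 -> endpoint that first reported it
        self.requests = 0

    def query(self, payload: bytes) -> str:
        if len(payload) >= MAX_QUERY_BYTES:
            raise ValueError("endpoint query exceeds the 1KB budget")
        self.requests += 1
        msg = json.loads(payload)
        sha256 = msg["sha256"]
        if sha256 not in self.verdicts:
            self.first_seen[sha256] = msg["endpoint"]
            self.verdicts[sha256] = self.services.lookup(sha256)
        return self.verdicts[sha256]


class Endpoint:
    """Per-host cache: only a file never seen on this host triggers a server query."""

    def __init__(self, name: str, server: ManagementServer):
        self.name, self.server, self.seen = name, server, {}

    def on_process_launch(self, filename: str, data: bytes):
        sha256 = file_id(data)
        if sha256 in self.seen:
            return self.seen[sha256], "local-cache"
        payload = json.dumps({"endpoint": self.name, "name": filename,
                              "size": len(data), "sha256": sha256}).encode()
        verdict = self.server.query(payload)
        self.seen[sha256] = verdict
        return verdict, "management-server"


def run_scenario():
    """Two hosts launching the sample files; returns verdicts and query counts."""
    services = ThreatServices(known_bad=[file_id(SAMPLE_FILES["dropper.exe"])],
                              known_good=[file_id(SAMPLE_FILES["calc.exe"])])
    server = ManagementServer(services)
    host_a, host_b = Endpoint("host-a", server), Endpoint("host-b", server)
    events = [
        (host_a, "calc.exe"),     # first sight anywhere: server + services
        (host_a, "calc.exe"),     # already seen on host-a: local cache only
        (host_b, "calc.exe"),     # new to host-b, cached at server: no service call
        (host_a, "dropper.exe"),  # first sight: services indict it
        (host_b, "newtool.exe"),  # first sight: no database knows it
    ]
    results = [h.on_process_launch(n, SAMPLE_FILES[n]) for h, n in events]
    return {"results": results, "server_requests": server.requests,
            "service_queries": services.queries, "first_seen": dict(server.first_seen)}


if __name__ == "__main__":
    for verdict, source in run_scenario()["results"]:
        print(f"{verdict:10s} via {source}")
```

Five launches across two hosts produce four server queries and only three external lookups: the second launch on host-a never leaves the host, and host-b's first launch of calc.exe is answered from the server's cache without a service call. The `first_seen` map is the kind of record a responder wants when deciding whether an "eradicate enterprise-wide" action is warranted.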
In addition to Invincea Endpoint's container-based controls, which kill any malicious process running inside the container, Invincea Management also lets the security team control and remediate malware running on endpoints outside the container, including infections that predate deployment of the Invincea container.
The security team can apply a set of granular, escalating controls to such malware. Invincea Management provides the management GUI and Invincea Endpoint performs the actual control actions, which include:
- Remove internal network access from the suspicious process
- Remove all network access from the process
- Quarantine the device from the network
- Kill the suspicious process
- Eradicate the process enterprise-wide
As soon as suspicious activity is detected in the endpoint container, Invincea Endpoint begins collecting rich forensic information, which you can view and analyze through Invincea Management. The solution isolates and identifies:
- Infection Source: We identify the URL, PDF document, or Office file that triggered the infection
- Timeline of Attack: We dissect the actions of the malware – file system writes, reads, launches, new process creations, forks, injections, and network command and control
- Registry Changes: We capture all changes the malware makes to the virtual registry, and any modifications it makes to otherwise uncompromised processes
- Connections: We identify all connections – whether inbound or outbound – and show you the command and control channels the adversary attempted to utilize
Invincea Management presents this forensic information to security teams and can also feed it to a number of other leading security technologies, via pre-built integrations:
- McAfee ePO
- HP ArcSight
- IBM Security QRadar
- RSA NetWitness
- iSIGHT Partners
- Open API for additional integrations
Licensing and Pricing
Invincea Management is available as a traditional server installation, virtual appliance, or cloud hosted service. It is priced per server instance, and available via annual subscription or a perpetual license.