FAQs

What is RansomGuard™?

RansomGuard™ is a file integrity monitoring (FIM)/data loss prevention (DLP) endpoint tool which allows customers to discover and respond to attacks in different ways than traditional security products (and still helps organizations meet compliance requirements such as PCI DSS).

Why should I choose RansomGuard™ vs other security solutions?

RansomGuard™ is not meant to solve all of your security needs. It is meant to be used in tandem with other security solutions such as Endpoint Detection & Response (EDR) and Anti-virus (AV) solutions to help provide you with the best defense. RansomGuard™ is easy to install and integrates with other products in your security stack (think ELK or Splunk); if you do not possess any central security solution, LegioX offers a basic dashboard where you can view logs from RansomGuard™ across your network. RansomGuard can utilize AI to customize deception to your endpoints in less than a minute, without you having to lift a finger!

RansomGuard™ is built with deception in mind, meaning that it can appear differently even on two systems in the same company. This makes it more difficult for attackers (and users) to discover that it is running on a protected system, and thus more difficult to circumvent. To discover whether RansomGuard™ is running on a system, an attacker will potentially need to take extra, louder actions that are more noticeable on the system. RansomGuard™ offers flexible response options, ranging from simple passive logging, to killing offending processes, to shutting down the affected system. Last but not least, RansomGuard™ works on Windows and Linux, and internet access is not required for it to run. A macOS version is in development.

Why Cyber Deception?

Cyber deception is underutilized in most environments and fills gaps left by traditional security products. Think of the defenses you have in a castle: you may have a wall, station guards, and even have a moat and a drawbridge. But if an attacker manages to slip past these defenses, say by masquerading as a court jester, the castle is breached.

In our scenario, we add special trapdoors inside of the castle, which anyone who belongs in the castle will never trigger. Our attacker, despite being allowed in the castle, does not know about these trapdoors. As soon as they step on one, we have caught our intruder.

How does RansomGuard™ act as a DLP product?

DLP (Data Loss Prevention) enables businesses to detect data loss, as well as prevent the illicit transfer of data outside the organization and the unwanted destruction of sensitive or personally identifiable data (PII). It is also used to help organizations with data security and ensure they comply with regulations like the California Consumer Privacy Act (CCPA), EU General Data Protection Regulation (GDPR), and Health Insurance Portability and Accountability Act (HIPAA). The terms "data loss" and "data leakage prevention" are often used interchangeably, but DLP security enables organizations to defend themselves against both. RansomGuard™ can detect when protected files are accessed; this includes when protected files are uploaded outside of the network via methods such as scp, a browser, or a C2 agent. As attackers won’t know which files are protected, when they attempt to exfiltrate files from the network they will trigger an alert and/or response when they hit a protected file. This enables organizations to quickly know if someone is trying to leak or exfiltrate data, and take action accordingly.

How does RansomGuard™ act to prevent Insider Threats?

RansomGuard™ can present itself differently on each machine in a network, and is built with deception in mind. This means that users as well as attackers will not know where RansomGuard™ is, or whether it is present on a system at all. If suspicious activity such as file exfiltration involves a protected file, your organization will immediately be aware that the individual is either compromised or engaging in suspect behavior, and can investigate accordingly.

How does pricing work for RansomGuard™?

Currently RansomGuard™ is sold on a per device basis; namely, one annual license is sold per device that is protected.

How do you protect client data?

Outside of basic license information, RansomGuard™ does not send data back to LegioX; the tool is designed so that all data is contained only on customer infrastructure and in customer systems. LegioX will not be aware if RansomGuard™ detects suspicious behavior in your network. LegioX will also not send any data related to AI back to itself for training or other purposes.

Does RansomGuard™ integrate with other security products?

RansomGuard™ is designed to integrate with other major security solutions, such as Splunk and ELK for logging and EDRs such as CrowdStrike, Carbon Black, etc. Whatever your stack looks like, we can find a way to work with it.

Does RansomGuard help satisfy compliance needs?

RansomGuard acts as a DLP and FIM product for compliance purposes, and can satisfy compliance requirements such as those set by:

PCI-DSS — Payment Card Industry Data Security Standard;

HIPAA — Health Insurance Portability and Accountability Act;

SOX — Sarbanes-Oxley Act;

FISMA — Federal Information Security Management Act;

NERC CIP — North American Electric Reliability Corporation Critical Infrastructure Protection;

NIST — National Institute of Standards and Technology; and

GDPR — EU’s General Data Protection Regulation.

What if I need help with setup?

LegioX will work with you on installs, and provides documentation on how to install RansomGuard™ so that your IT team will be able to install it independently. AI allows RansomGuard to be deployed to endpoints in less than a minute, with deception fully tailored to the device.

I have other questions.

Please contact us at https://legiox-cyber.com/contact-us and we will be happy to answer any questions you have or schedule a free consultation with you.