Myrmex Endpoint Security Event Collection Process
Myrmex Endpoint Security continuously and comprehensively collects security data using advanced technologies to monitor the operating system and connected devices, following a structured flow that ensures real-time analysis and protection:

1. Kernel Mode: syscall interception, network monitoring, etc.
2. User Mode: security logs, audits, registry services, etc.
3. Myrmex Endpoint Security: capture and normalization, enrichment, local protection engines.
4. Myrmex Security Platform: storage, correlation, AI, visualization, distributed response actions.
The main steps of this process are as follows:
Event Collection
Kernel
- Syscalls (System Calls): Monitors low-level interactions, such as file accesses, file system modifications, permission changes, and network calls.
- Network Packet Monitoring: Captures and analyzes data traffic to identify suspicious patterns, such as malicious connections.
System
- Audit Logs: Documents critical changes, such as authentications and administrator actions.
- Hardware and Software Inventory: Generates a complete inventory of devices and applications.
- Event Logs: Collects information about operations performed by services and privileged users.
Process Events
- Inter-Process Interactions: Tracks process hierarchies and their communications.
- Associated Calls: Records associated commands and executions to identify potentially malicious activities.
Data Standardization
Collected events are normalized according to the Myrmex event model, allowing consistent analysis and integration with other platform functionalities.
Local Processing and Enrichment
Collected data undergoes advanced analysis before being transmitted to the cloud:
- Context Addition: Events are enriched with additional information, such as source IP, geolocation, and hierarchical relationships between processes.
- Behavioral Analysis: Specialized engines evaluate threat indicators, such as ransomware, cryptocurrency mining, abnormal resource usage, and exploits.
- Machine Learning: Machine learning algorithms analyze data in real-time to identify anomalies and suspicious behaviors.
- Event Classification: Events are categorized by criticality and risk levels, facilitating rapid response actions.
Local Protection (Offline/Online)
- Malware Blocking: Detects and blocks trojans, ransomware, and spyware using signatures, heuristics, and behavioral analysis.
- USB Device Control: Monitors connected devices, blocking unauthorized activities.
- Automated Response: Executes corrective actions, such as:
  - Quarantining malicious files.
  - Terminating suspicious processes.
  - Isolating machines in case of critical incidents.
Secure Transmission to the Cloud
After local processing, events are sent to the Myrmex Security Platform with security guarantees:
- Encryption: Data is initially encrypted with SHA256.
- Secure Connection: Uses the TLS 1.3 protocol for secure transmission to the cloud platform.
Myrmex Endpoint Collection Capabilities
This table describes the scope of the Myrmex Endpoint in event collection, enabling detailed analysis and proactive detection of cyber threats.

| Category | Description | Examples of Collected Data |
|---|---|---|
| Process and Thread Events | Detailed monitoring of process and thread creation, termination, and interaction, including their hierarchies. | * Process hierarchy * Associated parameters and calls * Malicious scripts |
| Syscalls and System Calls | Collection of operating system calls to identify low-level interactions and potential API abuses. | * File accesses * Permission changes * Network calls |
| Network and Communication Events | Recording connections and traffic patterns to identify malicious activities, such as connections to C&C servers. | * TCP/UDP connections * DNS resolutions * Detection of abnormal traffic patterns |
| Security and Audit Logs | Collection of administrative logs and observation of changes in critical system configurations. | * Accesses/authentications * Modifications in critical configurations |
| File and File System Monitoring | Recording operations on files and directories, including changes to system binaries and libraries. | * Accesses, deletions, and modifications * Changes in system libraries |
Real-Time Analysis and Protection
While events are captured and processed, Myrmex Endpoint Security uses internal security engines to identify and respond to malicious behaviors. This is done in real-time, ensuring continuous protection, even in disconnected environments.
Local Threat Detection
- Behavioral analysis to identify patterns associated with ransomware, trojans, cryptocurrency miners, and spyware.
- Identification of persistence techniques, such as:
  - Modifications to startup files.
  - Abuse of trusted processes.
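The collection flow described above (normalize events from different collectors, enrich them with process ancestry, classify by criticality) together with the startup-file persistence check from this section, as an added illustration that is not Myrmex code: the event schema, process table, autostart paths and sample records below are all constructed assumptions, not the Myrmex event model.

```python
# Hypothetical process table built from earlier process-creation events (constructed sample).
PROCESS_TABLE = {
    1: {"exe": "/sbin/init", "ppid": 0},
    800: {"exe": "/usr/sbin/sshd", "ppid": 1},
    4100: {"exe": "/bin/bash", "ppid": 800},
    4210: {"exe": "/usr/bin/curl", "ppid": 4100},
}

# Locations where a write indicates a startup/persistence modification (assumed list).
AUTOSTART_PATHS = ("/etc/cron.d/", "/etc/systemd/system/", "/etc/rc.local")

# Constructed raw records from two collectors: a kernel syscall record and an audit log line.
SAMPLE_RAW = [
    {"source": "kernel", "syscall": "write", "pid": 4210, "target": "/etc/cron.d/update"},
    {"source": "kernel", "syscall": "read", "pid": 4210, "target": "/etc/hosts"},
    {"source": "audit", "line": 'type=USER_AUTH pid=800 res=failed acct="root"'},
]


def normalize(raw: dict) -> dict:
    """Map a raw collector record onto one assumed common schema (source, action, pid, object)."""
    if raw["source"] == "kernel":
        return {"source": "kernel", "action": raw["syscall"], "pid": raw["pid"], "object": raw["target"]}
    if raw["source"] == "audit":
        fields = dict(kv.split("=", 1) for kv in raw["line"].split())
        return {"source": "audit", "action": fields["type"].lower(), "pid": int(fields["pid"]),
                "object": fields.get("acct", "").strip('"'), "result": fields.get("res")}
    raise ValueError(f"unknown collector source: {raw['source']}")


def enrich(event: dict) -> dict:
    """Add the process ancestry (executables, child first) by walking the process table."""
    chain, pid = [], event["pid"]
    while pid in PROCESS_TABLE:
        chain.append(PROCESS_TABLE[pid]["exe"])
        pid = PROCESS_TABLE[pid]["ppid"]
    event["ancestry"] = chain
    return event


def classify(event: dict) -> str:
    """Assign a criticality level using simple rules modelled on the page's detection examples."""
    if event["action"] in ("write", "rename") and event["object"].startswith(AUTOSTART_PATHS):
        return "high"  # modification of a startup location: persistence indicator
    if event["action"] == "user_auth" and event.get("result") == "failed":
        return "medium"  # failed authentication recorded by the audit subsystem
    return "low"


def process(raw_events: list) -> list:
    """Run the full local pipeline; returns (enriched_event, criticality) pairs."""
    results = []
    for raw in raw_events:
        event = enrich(normalize(raw))
        results.append((event, classify(event)))
    return results
```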
Proactive Blocking
- Quarantining suspicious files.
- Isolating processes demonstrating anomalous behavior.
Device Restrictions
- Control of connected USB devices:
  - Blocking unauthorized access.
  - Monitoring data transfer.