ThreatSync and authentication attempts against sslvpn

Why doesn’t your XDR ThreatSync show anything in the WG Cloud about these authentication attempts against Mobile VPN with SSL attacks?

Unknown authentication attempts against Mobile VPN with SSL from a user named "test" or other random users:
https://portal.watchguard.com/wgknowledgebase?type=Article&SFDCID=kA16S000000BcPmSAK&lang=en_US

shouldn’t the XDR show these and even be able to autoblock these attempts…

.Kimmo

Comments

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative

    Good day Kimmo! The PMs here at WatchGuard have decided that Brute Force Protection belongs in each product line. In our eyes, brute force protection is considered essential protection that our products should offer regardless of their use of ThreatSync. ThreatSync will ingest these brute force detections by each product and display them as Incidents that can be responded to, but ThreatSync will not be the primary source of brute force protection. Yes, I agree that what you describe is a potential solution, but this leaves you open the potential for the exact detection to occur in 2 places and be blocked in 2 places. We want to avoid a situation where you unblock one product in the portfolio only to have to unblock a second product. Both Endpoint and AuthPoint offer essential brute force protection, and we are working on implementing equivalent protection on the Firebox. Some upcoming products will provide more complex detections on logon events, so please be on the lookout for future product betas. I hope this helps! Thanks!

    Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

  • Hi Ricardo,

    You mentioned ”ThreatSync will ingest these brute force detections by each product and display them as Incidents that can be responded to”
    I haven’t seen this in my or customers ThreatSync Monitor view, is this something the ThreatSync should already be able to do?
    I would expect to see this kind of incidents in the ThreatSync, it’s the whole point with XDR, right…..

    .Kimmo

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative

    WatchGuard Endpoint Security has an IOA called "Brute-force attack against RDP." If the IOA is detected by WatchGuard EDR/EPDR/Advanced EPDR, it will appear as an Incident in ThreatSync. The AuthPoint Indicators still need to be sent to ThreatSync, so there are no AuthPoint-based Incidents yet. Our integration with AuthPoint will include these types of Incidents when that integration is complete. The same will happen for the brute force protection on the Firebox; once we have data to turn it into an Incident, we will.

    Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

  • What does the endpoint client have to with this issue?
    I am specifically asking about this problem:
    https://portal.watchguard.com/wgknowledgebase?type=Article&SFDCID=kA16S000000BcPmSAK&lang=en_US

    I don’t care about the WG endpoint client.

    Your TreatSync needs to be able to show these incidents from the Firebox (and AuthPoint data)
    Otherwise, it is really hard to say that the ThreatSync is a XDR solution….

  • Ricardo_ArroyoRicardo_Arroyo WatchGuard Representative

    I apologize for the confusion and your frustration. I was talking about capabilities that span the portfolio, as ThreatSync is a portfolio-wide product. ;-)

    Just because an XDR solution has access to the logs to interpret this as an attack does not make it the best place to protect against this specific use case. Detection and response systems are not as fast as in-product, preventative engines. As stated before we want to avoid "the potential for the exact detection to occur in 2 places and be blocked in 2 places." requiring "you unblock one product in the portfolio only to have to unblock a second product."

    We have determined that we first need to get you the brute force protection on the Firebox, and then we will show that the brute force event occurred in ThreatSync. Once we have AuthPoint integrated with ThreatSync, we will also show that the detection is an Incident.

    Please feel free to email me privately if you would like to continue this conversation.

    Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
    WatchGuard Technologies, Inc.

Sign In to comment.