The core of this is a product that has led a charmed - though somewhat complicated - life. It started as a product of AccessData, spun off as Resolution1 Security, and was subsequently acquired by Fidelis. Fidelis has merged it into its XPS platform and added to its capabilities. It really is one of the real success stories of this market space and we have been keenly following it since before the product was publicly available.
This is the 800-pound gorilla, if for no other reason than there really is little, if anything, that XPS cannot do in the digital forensics detection, analysis, prevention and response arena. Resolution1 started life as a largely stitched together suite of products under a single user interface and, as it matured, those products really became a single, tightly integrated system, merged into the Fidelis XPS system as the endpoint piece, with a huge amount of capability.
At a glance
Product: Fidelis XPS
Price: Starts at £70,543.
What it does: Full-featured next-generation active breach protection system.
What we liked: This tool does it all in the active breach arena. It is cleanly conceived and is modular so you can configure and deploy specifically for your unique environment.
Most of the XPS system comes together in the XPS CommandPost. This is a centerpiece that connects with the XPS Collector, XPS Sensors, XPS Insight and, if you wish, a SIEM. The Collector is at the heart of the analytics. It really is a big database that consumes and organises rich metadata. This is more efficient than full packet storage and the tool is smart enough to ensure that the metadata it stores fully categorises what the source packets were.
The sensors detect threats in real time, communicate with the CommandPost and feed extracted metadata to the Collector. Insight pulls in threat intelligence - both from the Fidelis Threat Research Team and over 50 other sources - and performs execution-based malware analysis. It communicates with the CommandPost as well.
Analysis is based on deep session inspection, deep content inspection and recursive content decoding and analysis. All of this feeds into Insight, where malware is analysed in a variety of ways including emulation, execution in a virtual environment, static analysis and observation of C&C communications. The system uses advanced analytics that are both intelligence-driven and behaviour-based. All of this leads to advanced threat defence as well as retrospective analysis.
The dashboard is exactly what one would expect for a SOC - probably the most likely home for XPS - and it gives a clean, uncluttered overview of the current state of the enterprise. There is excellent drill-down from the dashboard overview and the overview itself breaks down attacks by types focusing around malware. The overview is highly customisable by adding the widgets that are appropriate for your environment.
Drilling down into alerts we get both summaries and a lot of detail including attack flows. You can enhance XPS with your own STIX or CSV indicators as part of whatever feeds you want to use to enhance its capabilities, again, specifically for your own customised environment. Because we do not always know that something is bad until it shows up in the wild, we can apply current threat intelligence retrospectively to the metadata that we have saved in the database. This allows us to proactively protect against something that, newly discovered, can prey on vulnerabilities that we did not know existed at the time.
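The retrospective matching described above, as an added illustration of the idea rather than code from Fidelis or the XPS product: stored session metadata is re-scanned when a new CSV indicator feed arrives, so sessions that looked benign at capture time can be flagged later. The session fields, the CSV layout and all values are constructed for the example.

```python
import csv
import io

# Constructed sample of the kind of session metadata a collector might retain.
# The field names and values are hypothetical, not the product's actual schema.
SESSIONS = [
    {"ts": "2016-03-01T09:12:00", "src": "10.0.0.15", "dst": "203.0.113.8",
     "host": "update.example-cdn.test", "sha256": "aa11", "proto": "http"},
    {"ts": "2016-03-02T14:40:00", "src": "10.0.0.22", "dst": "198.51.100.77",
     "host": "mail.example.test", "sha256": "bb22", "proto": "smtp"},
    {"ts": "2016-03-03T22:05:00", "src": "10.0.0.15", "dst": "203.0.113.8",
     "host": "update.example-cdn.test", "sha256": "cc33", "proto": "https"},
]

# Constructed CSV indicator feed that arrived after the sessions were stored.
NEW_INDICATORS_CSV = """type,value,source
domain,update.example-cdn.test,constructed-feed
sha256,bb22,constructed-feed
ipv4,192.0.2.1,constructed-feed
"""

# Which stored metadata field each indicator type is compared against.
FIELD_FOR_TYPE = {"domain": "host", "ipv4": "dst", "sha256": "sha256"}


def load_indicators(text):
    """Parse a 'type,value,source' CSV feed into {indicator type: set of values}."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        out.setdefault(row["type"], set()).add(row["value"].strip().lower())
    return out


def retro_scan(sessions, indicators, since=None):
    """Re-evaluate already-stored sessions against indicators learned later.

    since: optional ISO-8601 lower bound; older sessions are skipped.
    Returns (timestamp, indicator type, matched value) tuples, oldest first.
    """
    hits = []
    for s in sessions:
        if since and s["ts"] < since:  # ISO timestamps sort lexicographically
            continue
        for itype, values in indicators.items():
            field = FIELD_FOR_TYPE.get(itype)
            if field and s.get(field, "").lower() in values:
                hits.append((s["ts"], itype, s[field]))
    return sorted(hits)


if __name__ == "__main__":
    for hit in retro_scan(SESSIONS, load_indicators(NEW_INDICATORS_CSV)):
        print(hit)
```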
Even though malware is a key focus for XPS, the biggest piece of malware analysis is behavioural. That way one need not know about a particular piece of malware in advance, as long as one can distinguish bad behaviour. But, just in case you are dealing with a known strain, there is a seamless integration with VirusTotal.
Additionally, for dynamic analysis, there is a substantial execution forensics capability in the Fidelis cloud-based sandbox. That is augmented by an SSL interception engine that lets XPS behave as a man-in-the-middle to see data and metadata in the clear. The tool is especially adept at detecting evasion techniques, and there are enough decoders that XPS can deal with just about whatever protocol is in use.
Fidelis has the expected first-class website and good support programmes along with all that suggests. The XPS platform is not cheap but what it does is far from trivial. We have used its predecessor - Resolution1 - in a production environment and we can attest that this is a first-rate next-generation.
It is best applied in a rather large, complicated environment where there are enough endpoints, servers and subnets to make threat management really difficult. It shines where the problem sets are the toughest to solve. While its predecessor might be thought of as an analyst's tool - as were many really first-rate products that have evolved as it has - this is a real-time detection and prevention tool with a heavy dose of analytics, analyst capability and an indispensable SOC presence in complicated environments.