Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Binary Defense Vision with UEBA, Simpler Onboarding and 2FA, Improved Threat Hunting and Data Queries, Detection Visualizations

Binary Defense announces Agent 4.4 and Server 2.73 packed with substantial new features and enhancements to the Binary Defense Vision platform.

Binary Defense™ is excited to announce a new release of both Agent and Server packed with substantial new features and enhancements to the Vision platform.

These versions continue to position the Binary Defense Vision platform as a market leader in MDR and EDR and demonstrates our commitment to our customers and to innovation in the security industry. These new releases introduce several new features, enhancements, and improvements to performance for the benefit of all our customers.

Release Summary

  • User and Entity Behavior Analytics (UEBA)
    Binary Defense has released enhanced behavior analytics that includes comprehensive UEBA (User and Entity Behavior Analytics) features to enrich behavior pattern analysis and machine learning to detect anomalies that may indicate potential threats. With UEBA to analyze both entity and human behavior, Binary Defense Vision has improved ability to detect potential indicators of attack such as insider threats and advanced persistent threats. Vision learns over time with our machine learning capabilities to uncover information that truly indicates unusual behavior and then alerts our trained Security Operations Center (SOC) to respond immediately.
  • Simpler User Onboarding for Customers, 2FA Security
    Binary Defense Vision now has an improved user enrollment process that simplifies Vision Portal access and mandates two-factor authentication (2FA) for more secure zero-trust account logins. We support a variety of Time-based One-Time Password algorithm (TOTP) solutions such as Google Authenticator, Duo Security, and other two-factor authentication enrollment solutions.
  • Advanced Threat Hunting Capabilities, Complex Data Queries
    Included with Vision Server 2.73, we expand our available threat hunting capabilities and improve identification of indicators of compromise (IoCs) from unique edge cases. Binary Defense Vision logs a substantial amount of behavioral data and, as part of our Binary Defense MDR (Managed Detection and Response) service, our SOC actively threat hunts 24/7/365 for any suspicious attack indicators. With this new release, Vision now supports advanced search of all collected data. This includes complex query structures and the ability to search through all data sets for more proactive hunting, better detection, and faster incident response.
  • Interactive Lateral Movement Visualization, New Alarms and Improved Detections, Global Whitelisting, and Performance Enhancements
    Binary Defense is also excited to introduce an interactive lateral movement visualization in our Vision Portal that will allow customers to quickly determine with a glance any lateral movement within their environment, infrastructure, or endpoints. Vision has also added several new alarm types, new detections, and refined existing detections for improved security and visibility. Global whitelisting is now supported across all systems to keep all endpoint agents updated while significantly reducing network bandwidth traffic. There are also several performance enhancements to the Vision platform in this release.

Release Details

Simpler User Onboarding for Customers, 2FA Security
With two-factor authentication (2FA) all users will be required at logon to go through the enrollment process to help ensure secure logons to Vision instances moving forward. All users will be required to use the 2FA for each logon event to ensure that the Vision portals are protected against password-based compromises and to enhance the overall security of the Binary Defense Vision platform. Vision supports all major Time-based One-Time Password algorithm (TOTP) enrollment solutions including Google Authenticator, Duo Security, and more.

When new users are created, they are sent an invitation email with a single-use “Get Started” URL that allows the user to specify an account password for their Vision Portal.

Binary Defense Vision with UEBA
Figure 1. Vision new user welcome email with “Get Started” button

Once the user password is specified, there is a user enrollment process for two-factor authentication. This is a simple as using the official Google Authenticator or Duo Security apps and scanning the provided QR code to pair your phone with Vision. After pairing, a unique code (time-gated) will be presented to allow login to your Vision Portal.  See step-by-step tutorial from Binary Defense CTO Dave Kennedy.


Figure 2. Vision two-factor authentication in the Vision Portal

Interactive Lateral Movement Visualization
Lateral movement—a clear indicator of a threat that is attempting to extend its reach into the network—is commonly found in organizations and baselining normal behavior around this movement is paramount to effective detection. With Binary Defense Vision, we off-load this necessary work away from our customers and baseline behavior for you out-of-the-box. In this release an interactive visualization of the lateral movement is presented to allow customers improved comprehension and understanding what lateral movement may be occurring. This fully-featured and interactive visual representation of lateral movement allows for a ‘big picture’ look at lateral movement events within the enterprise right through the Vision Portal. Hovering over one of the involved hosts will show source, destination, logon account, and process information.


Figure 3. Interactive visualization of lateral movement in Vision Portal

With our interactive lateral movement visualizations, our customers can quickly see the process, accounts, and sources of the systems. In addition, customers can see the top lateral movement talkers within the organization over the past 24 hours. Alarms will still be generated as normal.

Advanced Threat Hunting Capabilities
Threat hunting is already performed as part of the Binary Defense Vision MDR service and our skilled analysts are continuously looking for suspicious behavior and edge cases. Threat hunting activities are integrated with our Binary Defense Threat Intelligence team to provide better detection across any organization. Prior to this release, the hunting section of Vision was limited to simple search criteria. With the new version of Vision, our advanced threat hunting functionality allows for more complex search queries through larger amounts of data. The search functionality includes regular expressions, nested queries, and the ability for complex search across all data that Vision ingests into the platform.


Figure 4. Advanced search functionality for threat hunting in Vision Portal

With advanced threat hunting and complex search functionality Binary Defense customers can create multiple ANDs, ORs, with the ability to stack them into rules or groups to help sift through large amounts of data on a regular basis. This new advanced functionality will help our customers discover indicators of compromise (IoCs) with more accuracy as well as augment Security Operations Centers (SOCs) and better identify anomalous threats lurking in your environment.

Vision Agent Improvements: Global Whitelist Pre-filters, New Alarms and Improved Detections
Agent 4.4 implements agent pre-filters which are now pulled down by the agent itself. When the Binary Defense agent connects with the Vision server it will now check for global whitelists to download and then apply locally. This will allow Binary Defense Vision to tune out top talkers at the asset level. A good example of this would be customers with environments where data is sent from multiple sources and the data is unique or specific to their environment—typically not data that would be actionable from a detection standpoint. We already automatically ignore these types of events at the server, but with Agent 4.4 Vision will not use resources to send those events to the server any longer, they are pre-filtered at the source. This is a significant performance improvement for Binary Defense customers and will save CPU, RAM, and substantially reduce network traffic since these events are ignored at the source.

Binary Defense Vision also improved and made additions to our alarms. For example, a Pass the Hash detection will now be seen as a Remote Administrative Code Execution alarm. Suspicious Process with Network Connections will now be an aggregate alarm. Multiple remote connections by the same process will be a single alarm with each remote IP address listed. Also there are improvements in this release to detection rules on how Vision generally handles multiple alarms that allows a higher saturation of detection and results in less false positives.

Improved Security for Our Customers

The Binary Defense Commitment is to Our Valued Customers
This new release is a significant leap forward in the Binary Defense Vision platform in terms of additional functionality and features. Vision is not just a security platform, but a complete managed detection, prevention, and response service with endpoint protection features such as Next-Generation Anti-Virus (NGAV), User and Entity Behavior Analytics (UEBA), and more. Our regular and free product updates keep you armed against emerging threats and new TTPs, help you maintain the 24/7/265 security of your organization and the health of your technology assets, and enhance the ability of the Security Operations Center (SOC) to discover true indicators of compromise (IoCs).

With a focus on our customers, Binary Defense is now more proactive than ever on pushing these updates directly to customer assets with their approval for seamless feature integration and adoption. We’re excited about this new release and serious about our continued commitment to our customers and to making the Binary Defense Vision platform the best in the security industry. If you have any questions, reach out and contact us.