WatchGuard Endpoint Risk Assessment
Applies To: WatchGuard EPDR and WatchGuard Advanced EPDR
The WatchGuard Endpoint Risk Assessment enables you to evaluate the cybersecurity posture of your managed accounts that use a third-party endpoint security solution. The Endpoint Risk Assessment is non-intrusive and enables you to identify threats, vulnerabilities, and other security risks. After the assessment period, you can schedule a detailed report that provides insights into the account risk profile, recommendations on how to reduce the attack surface, as well as overall security posture improvements.
The Endpoint Risk Assessment report includes graphical summaries of:
- Risks
- Endpoint risk status
- Zero-Trust Application Service assessment
- Threat Hunting Service assessment
The Assessment Details and Recommendations section includes detailed information on these security risks:
- Malware, PUPs, exploits, network attacks, and indicators of attack detected
- Actively exploited vulnerabilities detected
- Critical and important vulnerabilities detected
- End-of-Life software detected
- Applications with high download and upload volume
- Living-off-the-Land applications executed
Why Activate an Endpoint Risk Assessment?
The Endpoint Risk Assessment is a tool for Service Providers to provide extra value to their customers through a cybersecurity evaluation of the customer network. You can use the risk assessment to show the benefits of WatchGuard Endpoint Security technology and products to a customer who wants to make sure that they are fully protected from security threats.
The Endpoint Risk Assessment focuses on a zero-trust approach to help the customer create a trusted IT environment. It provides visibility into the applications installed in the customer environment and which applications consume more bandwidth. It also provides visibility into living-off-the-land applications that are commonly used by malicious actors to introduce malware into networks.
The risk assessment is transparent to the customer. On their endpoints, the customer does not see local alerts, or the WatchGuard Endpoint Security icon in the Windows system tray. Automatic protection updates are disabled to make sure that the customer does not have to restart the endpoint for a protection upgrade.
If the customer does not activate a license for WatchGuard Endpoint Security, they can still apply most of the recommendations from the report. No additional hardware or testing tools are required.
Requirements and Limitations
The Endpoint Risk Assessment is available from WatchGuard Cloud for partners and customers with a trial of WatchGuard EPDR or WatchGuard Advanced EPDR. It is not available for partners or customers with an existing Endpoint Security product license. If the partner or customer has a Firebox Total Security Suite license with EDR Core, but has not installed EDR Core on any endpoints, then they can start a trial and activate the Endpoint Risk Assessment.
We also recommend that you start a concurrent trial of the WatchGuard Advanced Reporting Tool for additional visibility. The Advanced Reporting Tool provides advanced information used by the assessment such as an overview of all used applications, search capabilities, and traceability of currently active Microsoft Office licenses.
The Endpoint Risk Assessment applies to endpoints on Windows, Linux, and macOS platforms only. Android and iOS endpoints are not in the scope of the report.
Before You Begin
When the risk assessment starts, new settings automatically apply to the All group. However, any account group that includes settings from the multi-tenant Endpoint Security management UI does not receive the risk assessment settings. For information on settings in the multi-tenant management UI, go to Multi-Tenant Management of Settings Profiles.
If you use the multi-tenant management UI to assign settings, make sure that you do not have any configuration settings applied to the accounts you want to include in the assessment. We recommend that you create an account group called Risk Assessment to use for the assessment and do not assign any settings to this group from the multi-tenant management UI. For more information on account groups, go to Manage Account Groups. If you add new accounts to include in the assessment, make sure to include them in the Risk Assessment group.
Get Started with the WatchGuard Endpoint Risk Assessment
Complete these steps:
1. Start a Trial and Activate the Risk Assessment on Your Account
2. Install Endpoint Security on Your Endpoints
3. Review the Endpoint Risk Assessment Report
1. Start a Trial and Activate the Risk Assessment on Your Account
You can activate the Endpoint Risk Assessment on WatchGuard Cloud accounts that do not have a WatchGuard Endpoint Security product license.
Subscriber accounts with endpoints that have been allocated EDR Core (available with the Firebox Total Security Suite) but have not installed EDR Core on any endpoints can also start a trial and activate the risk assessment.
To start a trial and activate the risk assessment:
- Log in to WatchGuard Cloud.
- From Account Manager, select Overview.
- Start a trial of Advanced EPDR or EPDR.
- Select Administration > Trials.
- Select the Endpoints tab.
- In the Account Name column, next to the account you want to start the assessment for, enable the trial toggle.
The Add Trial dialog box opens.
- From the Product list, select Advanced EPDR or EPDR.
- (Optional) From the list of modules, select the Advanced Reporting Tool check box.
The Advanced Reporting Tool provides advanced information used by the assessment such as an overview of all used applications, search capabilities, and traceability of currently active Microsoft Office licenses.
- Click Add.
The trial can take up to two minutes to become available in WatchGuard Cloud.
- Select Monitor > Endpoints.
The Security dashboard on the Settings page opens.
- Click Activate.
The confirmation dialog box opens.
- Click Activate.
2. Install Endpoint Security on Your Endpoints
After you start a trial and activate the risk assessment, deploy the WatchGuard Endpoint Security product to your endpoints. The more endpoints you install Endpoint Security on, the more extensive the risk assessment. We recommend that you install Endpoint Security on endpoints that are more vulnerable to threats, such as laptops. For information on how to plan deployment of WatchGuard Endpoint Security in your network, go to Endpoint Security Installation Plan.
The first Windows computer that you add to WatchGuard Endpoint Security is automatically designated as the discovery computer. The discovery computer finds other computers on the network without the WatchGuard Agent installed. Use the Unmanaged Computers Discovered List to find computers on the network to deploy the WatchGuard Agent to. For more information, go to Unmanaged Computers Discovered List.
You can then remotely install the endpoint software on Windows computers. For more information, go to Install the Endpoint Software Remotely (Windows Computers).
Installation should only take a few minutes. When you install the software on the endpoint, the Endpoint Security icon does not show in the notification tray and local alerts are disabled. This is because the risk assessment settings were applied to the All group and deployed to the endpoints.
Third-Party Antivirus and EDR Products
WatchGuard Endpoint Security and the Endpoint Risk Assessment are compatible with third-party antivirus and EDR products. The Endpoint Risk Assessment is installed on top of existing third-party antivirus and EDR products to inspect endpoints for active and latent malware, vulnerabilities, and other security risks.
For more information, review this Knowledge Base article: Are Endpoint Security products compatible with third-party antivirus and EDR solutions?
3. Review the Endpoint Risk Assessment Report
You can preview the Endpoint Risk Assessment report at any time. Or, you can schedule the report to be sent at the end of the assessment period. The report highlights the different types of security risks discovered in the assessment period. The report classifies risks by severity:
- Critical — Indicates that confirmed malware was executed or indicates a dangerous level of exposure to a cyberattack.
- High — Indicates that latent malware was found that could execute at any time or indicates an urgent need to reduce the attack surface.
- Medium — Indicates that additional risk factors were found that must be addressed preemptively.
The report includes only Windows, Linux, and macOS endpoints with an active WatchGuard Advanced EPDR or EPDR trial license.
To only receive the final assessment report and not email alerts each time Endpoint Security finds a threat, you can disable email alerts for the Risk Assessment group. For more information, go to About Alerts.
Preview the Report
To preview the report, from WatchGuard Cloud:
- From Account Manager, select the account that you activated the risk assessment in.
- Select Monitor > Endpoints.
- On the Status page, select Scheduled Reports.
- Click Add Scheduled Report.
- Click Preview Report.
The report opens in a new browser tab.
Schedule the Report
Schedule the Risk Assessment report if you want to receive it by email daily, weekly, or monthly on specific days and at specific times. For smaller networks (1 to 50 endpoints), we recommend that you schedule the report to run 2 weeks after you start the assessment. For larger networks, we recommend that you schedule the report to run up to 4 weeks after you start the assessment. The Endpoint Security trial period is 30 days, but can be extended one time up to 60 days. Larger networks might require a longer assessment period. Contact your WatchGuard representative.
To schedule the Risk Assessment report, from WatchGuard Cloud:
- From Account Manager, select the account that you activated the risk assessment in.
- Select Monitor > Endpoints.
- On the Status page, select Scheduled Reports.
- Click Add Scheduled Report.
- In the Name text box, type a name for the scheduled report.
- In the Send Automatically section, select the frequency and time for the scheduled report. The Send Automatically toggle is enabled by default.
- In the To text box, type the email addresses to receive the reports, separated by commas.
- In the CC and BCC text boxes, type the email addresses to copy, separated by commas.
- In the Subject text box, type a subject for your email (for example, Endpoint Risk Assessment Report).
- To specify the Format of the report, from the drop-down list, select PDF or Word.
- Click Add.
Deactivate the Risk Assessment
You can deactivate the risk assessment at any time. When you activate the assessment, Audit mode is enabled to detect malware and other security gaps. While in Audit mode, Endpoint Security does not block or remove threats. You can deactivate the risk assessment and then disable Audit mode to enable Endpoint Security to block and remove found threats. You should also enable the default per-computer settings to enable automatic updates and to show the Endpoint Security icon in the Windows system tray.
To deactivate the risk assessment and disable audit mode:
- Log in to WatchGuard Cloud.
- From Account Manager, select the account you started the trial and risk assessment on.
- Select Monitor > Endpoints.
- Click Deactivate.
A confirmation dialog box opens.
- Click Deactivate.
- Select Settings > Workstations and Servers.
- Assign the workstations and servers default settings to the All group.
This disables Audit mode. If the account did not have a profile assigned by its Service Provider, the Endpoint Risk Assessment automatically assigned a settings profile with decoy files and anti-exploit disabled. When you deactivate the risk assessment, this profile is disabled. To disable Audit mode and enable decoy files and anti-exploit protection, we recommend that you assign the default settings.
- Select Per-Computer Settings.
- Assign the per-computer settings default profile to the All group.
Remediate Threats Found on Endpoints
At any time, you can apply remediation policies to improve the security posture of the account.
To remediate vulnerabilities with Endpoint Security, we recommend that you:
- Deactivate the Endpoint Risk Assessment.
- Assign the default workstations and servers settings to the accounts you want to remediate threats for. This disables Audit mode to make sure that Endpoint Security blocks and removes found malware, PUPs, or other exploits. For more information, go to Configure Workstations and Servers Security Settings and Assign a Settings Profile.
- Scan critical areas on all endpoint devices. For more information, go to Scan Computers and Devices.
- Start a trial of Patch Management to automatically apply available patches on your endpoints. For more information, go to Patch Management Best Practices.
- Review and follow the recommendations in the Endpoint Risk Assessment report to reduce the attack surface and improve the security posture. This could include device isolation, additional malware scan tasks, and application control (Program Blocking).