WatchGuard Security News Q1 2023

WatchGuard’s XDR Solution ThreatSync is Here!

02 March, 2023 by Carlos Arnal


XDR or eXtended Detection and Response is a new term but not a new concept for us. In 2017, WatchGuard launched the first version of ThreatSync and our first Cloud-based XDR solution that correlated data from network and endpoint solutions. In 2020, with the acquisition of Endpoint Security solutions, we started integrating these solutions under one single platform.

Five years later, we are launching a new version of ThreatSync that equips you with XDR capabilities to centralize cross-product detections and orchestrate the automated response to threats from a single pane of glass. It simplifies cybersecurity while improving visibility and speeding up the response to threats across the organization, reducing risk and cost and providing a level of accuracy that would otherwise be impossible.

What is ThreatSync?

Now, ThreatSync is a comprehensive and simple-to-use XDR solution included as part of WatchGuard’s Unified Security Platform® architecture that unifies cross-product detections and speeds up the response to threats from a single pane of glass.

Why ThreatSync?

The cybersecurity industry has long been operating in silos where security tools don’t communicate with each other. ThreatSync is also our entry into the XDR market. The market trend of vendor consolidation and the need to defend organizations against constantly evolving threats have produced a demand for a product that functionally ties our portfolio together.

In addition, IT security teams are long overdue for a solution that provides a comprehensive security posture. Now with ThreatSync, we are equipping you with a centralized incident intelligence tool to consolidate security and provide extended detection and response capabilities to your customers.

What are the main benefits?

  • Simple to Use with Zero Configuration: WatchGuard delivers XDR features for a skills-deprived market with an intuitive interface and automation for partners and MSPs
  • Comprehensive Security: by unifying data and alerts into a single platform where solutions can work together to prioritize and respond to threats to protect environments, users, and devices
  • Reduce Security Team Burdens: by automating the threat detection and response process and freeing up time and resources for security teams
  • No Added Costs to Access XDR: XDR is an essential tenet of effective cybersecurity for every security team. WatchGuard puts XDR at your fingertips through ThreatSync, reducing the expenses associated with configuring and integrating multiple point solutions in-house, with no additional fees

Key Features

  • Unified Threat Visibility: ThreatSync gathers and displays cross-detections from computers, servers, and firewalls in a single interface without admins needing to learn and use multiple consoles
  • Unified Threat Detection: ThreatSync automatically correlates operations and related activities from individual security layers working in concert, alerting admins to any suspicious activity
  • Unified Automated Response: ThreatSync enables IT and security teams to work more efficiently since it provides the ability to schedule, automate, or run on-demand response actions to threats faster across the enterprise
  • Security Orchestration: combine security orchestration and automated response to provide an organization with a more comprehensive and cohesive security posture

What else is new with this release?

WatchGuard’s Threat Detection and Response (TDR) Host Sensor, included as part of the Total Security Suite license, is replaced with WatchGuard EDR Core. As you may know, TDR correlated network and endpoint security events with threat intelligence to detect, prioritize and enable immediate action against threats. Now, with WatchGuard EDR Core, we are adding the primary endpoint detection and response (EDR) capabilities based on our endpoint security solution, WatchGuard EDR.

What is EDR Core?

WatchGuard EDR Core complements other next-gen antivirus solutions, protecting against APTs, fileless and malwareless attacks, and advanced ransomware that traditional solutions cannot detect. WatchGuard EDR Core is fully integrated into ThreatSync, providing complete visibility into any malicious activity that bypasses traditional security solutions. EDR Core installs on top of existing AV solutions to add EDR capabilities and ThreatSync (XDR).

Boost Security Performance: New Firebox T Series Firewalls

16 February, 2023 by Kirk Jensen


We are pleased to announce the release of our next-generation Firebox T Series firewall appliances. With this release, WatchGuard is significantly improving firewall performance over previous generations without compromising the simple-to-use security you have come to expect.

Why a new Firebox T Series firewall?

In a word, performance! The new Firebox T Series firewalls are up to 2x faster than the current generation and are engineered to deliver enterprise-level security to SMB environments.

  • The Firebox T25/T25-W provides up to 3.14 Gbps firewall throughput and includes five 1 Gigabit Ethernet ports.
  • The Firebox T45/T45-POE/T45-W-POE provides up to 3.94 Gbps firewall throughput and includes five 1 Gigabit Ethernet ports.
  • The Firebox T85-POE provides up to 4.96 Gbps firewall throughput and includes the option to customize your port configuration with expansion modules for integrated fiber connectivity.

This increase in performance is accompanied by an upgrade to the Total Security Suite. EDR (Endpoint Detection and Response) Core replaces the Threat Detection and Response (TDR) Host Sensor, supplying the core capabilities of an EDR solution based on WatchGuard EDR. WatchGuard EDR Core enhances endpoint antivirus solutions with endpoint detection and response protection and enables new ThreatSync correlation and remediation capabilities. It complements traditional antivirus, protecting from attacks that traditional solutions cannot detect such as:

  • Fileless and malware-less attacks
  • Zero-day attacks
  • APTs
  • Advanced ransomware

Total Security Suite puts IT professionals back in charge of their networks with enterprise-grade security and threat visibility tools. The Total Security Suite includes all services offered with the Basic Security Suite plus AI-powered malware protection, enhanced network visibility, endpoint protection, Cloud sandboxing, DNS filtering, and the ability to act against threats right from WatchGuard Cloud.


No matter where they are, your customers’ work environments are not immune to big threats. As part of WatchGuard’s Unified Security Platform® architecture, the Firebox T Series tabletop firewalls are designed to deliver comprehensive security against these threats while being easily managed in WatchGuard Cloud. But these threats are constantly evolving, with endpoints being consistently targeted. By using endpoint detection and response (EDR) technologies, you can get the visibility necessary to detect and respond to malicious activity that threatens your customers’ infrastructure. WatchGuard EDR Core is part of the Total Security Suite license, replacing the TDR Host Sensor, and provides an extra layer of protection against evolving threats by providing visibility into endpoint activity, detecting suspicious behaviors in real time, and enabling response coordination between your network and endpoint tools.

End Users

You can potentially have thousands of endpoints in your network. WatchGuard’s Firebox firewall appliances secure branch offices, office equipment, remote devices, retail POS, and remote users from threats, and minimize the amount of network configuration and management needed so that you can work efficiently with peace of mind. However, with the increasing sophistication of cyber threats that can evade firewalls and antivirus software, you need an extra security layer that provides greater visibility into the activity on endpoints and can detect and respond to suspicious behaviors as they happen. By adding endpoint detection and response (EDR) technologies, you can get the visibility necessary to detect and respond to malicious activity that threatens your organization’s infrastructure. As part of the Total Security Suite available with the new Firebox T Series firewall appliances, WatchGuard EDR Core provides that extra layer of protection against advanced threats by providing visibility into the activity on your endpoints, detecting suspicious behaviors in real time, and enabling an appropriate response.

Additional Features

WatchGuard Cloud Management

  • Streamlined network setup
  • Easily defined network segments – separating VoIP systems or IoT devices from business-critical applications
  • VPN deployment with pre-configured policies
  • Live Status network visibility in WatchGuard Cloud to make timely, informed, and effective decisions about network and security configurations

Network adaptation with SD-WAN

  • Adapt to changing conditions – optimize network performance and costs
  • Dynamic connection path selection with real-time monitoring of jitter, packet loss, and latency
  • Reduce the use of expensive MPLS or 4G/LTE and improve network resiliency without sacrificing security

With these new Fireboxes, Total Security Suite with EDR Core, and features in WatchGuard Cloud, we continue to enhance our Unified Security Platform® architecture to deliver powerful yet simplified security and remain committed to delivering industry-leading products and services to keep customers secure. Please get in touch with the WatchGuard team if you have questions about these new firewalls or want to learn more about our Unified Security Platform.

How to deal with sneaky spear phishing – and more – on Safer Internet Day

07 February, 2023 by Corey Nachreiner


Each February, millions of people around the world observe Safer Internet Day, joining “Together for a better Internet.” This year marks the 20th anniversary of this global observance, and while a lot has changed over that time, some things remain constant. In particular, effective cybersecurity relies only in part on technology. Even as tools and systems become more powerful, avoiding security mishaps largely depends on people doing the right thing. And while every day is a good day to take stock of what you’re doing to protect yourself, your family and your business online, Safer Internet Day is a great opportunity to stop and reflect on how we can all help promote a responsible, respectful, critical, and creative use of digital technologies – with the ultimate goal of fostering a better Internet for all.

In support of a safer Internet for all – in 2023 and for years to come – here are some insights on today’s most prevalent threats and what you can do to stay cyber secure.

Stick to legitimate software, and keep it up to date

Malicious actors are constantly on the hunt for vulnerabilities in software that will allow them to infiltrate your devices and networks, which is why it’s so important to regularly update your software with the latest patches and security updates. And remember, this applies not just to business software but to games as well. Popular online games have been compromised recently, allowing attackers to take over gamers’ PCs or otherwise break into gaming accounts and systems.

While the price tag on some games might tempt certain users to opt for pirated versions they can download free of charge, the risks are high and can be extremely costly. Attackers often try to lure victims with pirated software that contains embedded malware or a backdoor into their computers. Key crackers, which can be used to get around software license keys, could also contain dangerous trojans. Beyond the fact that pirating software is unethical, you’re better off sticking to software purchased from legitimate sources for security reasons, too!

Combat hard-to-detect spear phishing attacks

Cybercriminals are getting better at creating individually targeted emails, texts, and messaging-app messages that pretend to be legitimate, often spoofing your friends and co-workers or businesses and organizations (like banks, retailers, and government agencies) that you trust. Their goal is often to get you to visit fake websites that harvest your log-in credentials and other personal information, to transfer money, and/or to deliver malware. Malicious messages might include attachments with documents that contain malware as well. And stolen data is often sold and used for things like identity theft and fraud.

These attacks have gotten better and more personalized with automated phishing tools and programs that cull social media networks and other places on the web where people post personal information. And with more people signing up for services like online shopping and banking during the pandemic, the opportunities for cybercriminals to take advantage of unsuspecting consumers are even greater.

Stopping spear phishing starts with being vigilant. Keep an eye out for warning signs like requests from managers or co-workers that seem out of the ordinary. Check for any details that just don’t add up. Always check the full email address to ensure a message is from a legitimate source, and delete it if it doesn’t look right; but also keep in mind that attackers can spoof email addresses if your domain doesn’t have the right protections (like DNS filtering). Check the domain on anything you click to ensure it really goes to the right place, and simply avoid clicking links in correspondence. Sometimes it’s just better to type them in manually. Never download files from unfamiliar senders, skip the link in favor of manually typing in your intended destination, and when in doubt, forward the email to your IT or security department for closer inspection.

Beware of sneaky spear phishing attacks

Spear phishing attacks are a major security threat, evolving in sophistication and efficacy as cybercriminals become more skilled at creating individualized and convincing emails and messages. They often appear to be from a trusted source – masquerading as a note from a friend, family member, co-worker, or other legitimate business or organization (like a retailer, bank, or government agency) – and are often used to deliver malware, trick recipients into transferring funds, or get people to visit fake websites that have been spun up to harvest login credentials or other personal information. Malicious messages might include attachments with documents that contain malware as well. Once your data is stolen, it’s often sold and used for identity theft and fraud.

Criminals increasingly rely on automated phishing tools and programs that cull information from social media networks and other web sources to better target and personalize their attacks. The growing number of users signing up for various online services year after year has only increased the opportunity for cybercriminals looking to leverage them against unsuspecting consumers.

Protecting yourself from spear phishing attacks starts with being vigilant. Keep an eye out for red flags, such as requests from managers or co-workers that seem out of the ordinary or messages with lots of grammar or spelling mistakes. Be sure to double-check the sender’s full email address to ensure the news is coming from a legitimate contact, and delete it if it doesn’t look right, but also keep in mind that attackers can spoof email addresses if your domain doesn’t have the right protections (such as DMARC’s combination of SPF and DKIM). Never download files from unfamiliar senders, and be wary of links.

At the same time, you should remain skeptical even of unexpected links and attachments from senders you appear to know, and first validate that they were actually sent by the contacts they seem to be from. You can always hover your mouse over a link to preview the URL before clicking – or skip the click and instead manually type the URL of the intended destination into your Internet browser. Or, better yet, avoid clicking links in suspicious messages altogether. And, when in doubt, forward the email to your IT or security department for closer inspection.

Ultimately, if the details don’t add up or anything feels off, it’s better to stay on the safe side. By staying alert and exercising an abundance of caution, you, too, can protect yourself from falling victim to sneaky attacks and ensure a safer Internet experience.

If you are looking for more information on how to face the latest threats and the predictions for 2023, don’t miss these materials:

Webinar – 2023 Security Predictions
Webinar – Top Security Threats Worldwide Q3 2022

What’s New with Wi-Fi in WatchGuard Cloud

06 February, 2023 by Adisa Hairlahovic


In November 2021, WatchGuard launched the new Wi-Fi in WatchGuard Cloud solution, focused on providing Wi-Fi for our partners and their customers. Through 2022 we continued to enhance the platform and expand our wireless hardware portfolio, even as challenges with chip shortages and the global pandemic continued. As we move into 2023, WatchGuard continues to add features and hardware to enhance the wireless capabilities of our Unified Security Platform architecture.

Each year, we plan to do a wrap-up of feature enhancements and capabilities that impact our partners and customers. We break features into three buckets: Ease of Use, Unified Security Platform, and Industry Standard Features.

WatchGuard introduced two new pieces of wireless hardware in 2022. The AP432 is an indoor Wi-Fi 6 access point designed for high-density environments. We also launched a mid-density rugged Wi-Fi 6 access point, the AP332CR. Both access points are designed to be managed inside WatchGuard Cloud and offer access to features like our remote access point and central Cloud management.

Features, enhancements, and capabilities delivered in 2022 focused on usability. WatchGuard released new firmware version 1.1.18 to support new hardware devices. We also enhanced our Cloud management interface to allow for device descriptions and better visibility into radio details. Diagnostic tools like Ping, DNS Lookup, and Traceroute from the Cloud help diagnose network issues, and support snapshots allow customers to capture specific time spans to diagnose intermittent issues. WatchGuard also launched RADIUS Accounting to better integrate with RADIUS/LDAP servers to identify users. Many partners and customers use third-party tools to monitor and alert on events across their hardware stack, leading WatchGuard to launch integrations with Auvik, PRTG, and SolarWinds SNMP tools to allow our access points to participate in active monitoring.

WatchGuard continues to develop a product roadmap based on partner and customer feedback. This roadmap includes unique features to manage WatchGuard’s products and provide security more effectively when our solutions are deployed in a customer’s environment. We are excited about the development and direction of Wi-Fi in WatchGuard Cloud and what we will deliver throughout 2023. For more information about future features, contact your WatchGuard Sales Team.

WatchGuard Webinar: Top Security Threats Worldwide Q3 2022

16 January, 2023 by The Editor


WatchGuard Threat Lab report finds top threat arriving exclusively over encrypted connections. New research also analyzes the commoditization of adversary-in-the-middle attacks, JavaScript obfuscation in exploit kits, and a malware family with Gothic Panda ties. And much more!

Join WatchGuard CSO Corey Nachreiner and Security Engineer Trevor Collins as they cover the latest Internet Security Report from the WatchGuard Threat Lab. In this session, Corey and Trevor will dive into the attack trends and latest malware variants targeting WatchGuard Firebox and Endpoint customers worldwide.

When? The full webinar is now available for immediate replay HERE.

Wi-Fi routers and access points are the most vulnerable IT devices

11 January, 2023 by Kirk Jensen


Today, the number and diversity of connected devices continue to grow in enterprises, no matter which sector they operate in. This has created a new challenge for organizations as they need to understand and manage the risks they are exposed to.

We keep saying that the attack surface is expanding, and that’s because it now spans IT, IoT, and OT for most enterprises, with the addition of IoMT in healthcare. However, IT devices are still the primary target for malware, including ransomware, and are considered the main entry vector threat actors exploit initially.

In this regard, a recent report on the riskiest connected devices for enterprise networks observed that routers and wireless access points are becoming the most common entry points for malware and advanced persistent threats.

A new modus operandi for an attack campaign known as ZuoRAT has recently come to light that has managed to fly under the radar for nearly two years. This threat campaign is extremely sophisticated and primarily targets small office or home office routers, using the router as the entry vector.

So how does it work?

  • First, a compiled MIPS file is sent to the routers. This file is a malware called ZuoRAT, designed to gather information about devices and the LAN to gain access after infecting the computer.
  • Once installed, the malware enumerates the hosts and the internal LAN. It can also grab network packets transmitted through the compromised device and launch a man-in-the-middle attack, such as DNS and HTTP hijacking, based on a predefined set of rules. The hijacking operation causes the connected devices to deploy shellcode loaders on machines in the local network.
  • The next step is moving from the router to the workstations on the network, deploying a Windows loader that is used to download and execute one of three trojans: CBeacon, GoBeacon, or CobaltStrike.

This campaign typically targets US and European organizations. At least 80 targets have been affected over a nine-month period, but it is suspected that many more may have been targeted.

This threat can only be mitigated by deploying well-configured and up-to-date detection solutions.

Impenetrable wireless networks and a secure enterprise network

The rise of working from home and hybrid work has changed how employees connect to the Internet and complicates risk management for IT managers. Corporate teams now constantly access the Internet from an often-unprotected home network rather than from the protected network in the physical office.

This generates new security needs that can be addressed by incorporating secure Wi-Fi access points and wireless network management software that delivers optimized connectivity. As well as supplying a comprehensive and practical set of wireless functions, they provide the secure encryption required by today’s work environments. But the key benefit is the high level of visibility, which enables detailed monitoring and reporting of the wireless environment, giving IT administrators the insight they need to determine how well Wi-Fi access points perform. This makes it possible to view the device status and, more importantly, the device’s health, making it easier to keep up with updates and avoid potential vulnerabilities.

Combining this solution with a firewall protects users against sophisticated attacks such as ZuoRAT, as it will prevent any malware hidden in encrypted traffic from accessing the enterprise network. At Akubra, a company that designs, manufactures, and distributes iconic Australian hats, they knew that this was the route they needed to take to significantly reduce the number of threats targeting their servers. WatchGuard solutions have enabled Akubra’s IT team to always make the right decisions and maintain optimal security levels, resulting in increased productivity and employee satisfaction.

As the Akubra case shows, having the right protection solutions means that businesses can focus their efforts on other areas that add value to their business. All businesses need Internet access today. The best way to protect the riskiest connected devices in their environment is to look for a cybersecurity provider that offers the advanced solutions they need.