Endpoint protection has come a long way from just A/V
If you immediately think of antivirus when you hear the words “endpoint protection” you’re not alone. That close association has unfortunately resulted in the assumption that the only thing endpoint security consists of is running scans and installing updates (or, in other words, slowing your endpoints down).
That’s far from the case today, but before we look at the latest developments in endpoint protection, let’s quickly review how and why the security has evolved.
The rise and fall of signature-based endpoint protection
For all the innovation on the attacker side, up until recently the general approach to protecting endpoints has more or less remained the same — install software that scans files against a massive database of known malware. Flag anything that shows up as a match.
It’s basically like using fingerprints to identify criminals. And for a while, it worked. But it also left companies perpetually one step behind attackers:
- Attackers create new malware and infect as many machines as possible before the malware can be discovered.
- Security companies get their hands on a sample of the malware and create a “fingerprint” to add to their database. Now they know what to watch out for and block.
- Attackers create a new version of the malware that doesn’t match the fingerprint on file.
- Rinse and repeat.
For attackers, staying ahead in this game of whack-a-mole became all about accomplishing two things:
- Lengthening the window of time it takes to discover and detect their malware.
- Finding cheap ways to ramp up the production of new malware so security programs would have even more difficulty keeping up.
With those two motivations driving innovation, the game quickly began to change — and the good guys weren’t ready for it.
Did you know?
Over 390,000 new malware samples are reported every day.[3]
Conscious of security’s reliance on signatures, criminals began developing ways of encrypting, parceling out, and introducing slight alterations into their malware’s code. This allowed them to spin off countless variations of the programs, each with their own unique “fingerprints.”
These new malware programs all functioned the same way, yet by introducing even slight variations in the code attackers were able to slip them past signature-based security unrecognized and undetected.
Did you know?
70-90% of malware samples are unique to an organization.[4]
Leaving users exposed to new malware variants while security companies scrambled to create signatures and push updates was a big enough problem already. Now there was malware that defied signature-based detection altogether. In order to solve this problem, endpoint protection needed to evolve.
What is the difference between traditional and next generation endpoint protection?
Fast-forward to today: Proven blind spots and overall dissatisfaction with existing signature-based solutions have created a vacuum of protection. New and existing security vendors are looking to fill that vacuum with a variety of solutions, many of which are being described as “next generation.”
Did you know?
Nine in ten organizations aren’t satisfied with their current endpoint protection and plan on replacing or augmenting it.[5]
That common label isn’t very descriptive, and it can make understanding and differentiating these solutions difficult. To help clear things up, let’s look at what point during the infection process they actually detect objects as being malicious. After all, as we covered in the Virlock ransomware attack breakdown, when you’re able to detect and block malware can be just as important as how.
Different solutions target different stages of an attack
1) Threat intelligence
Identifying a new malware sample, creating a new signature for it, and adding it to a blocked list takes time — and during that time, companies are vulnerable.
One approach to minimizing these windows of vulnerability is to gather threat intelligence from multiple sources, looking for new security events that can be associated with previously unidentified malicious programs. Doing this in nearly real-time provides security monitoring and detection tools with a valuable source of additional info they can use to identify new threats more quickly.
The problem — as with any signature-based protection — is that in order for a threat to be identified and shared there needs to be at least one victim. Worse, attackers are increasingly using malware that integrates encryption, obfuscation, and polymorphism to effectively create a new version of itself on each new device it infects.
Threat intelligence is most often an enhancement or contributor to one or more of the other solutions in this list.
Example vendor: Webroot
2) Behavioral analysis
While its signature may change often, the fundamental ways a piece of malware operates typically do not. By monitoring running programs in real time, solutions that utilize behavioral analysis are able to look for tell-tale signs of malicious activity and block those behaviors immediately, before the malware can do any harm.
Rather than reactively chasing after new malware samples to add them to a blacklist (remember, that’s 390,000 new samples generated every day), the benefit of blocking one malicious behavior is that it results in blocking a multitude of malware programs — including never-before-seen malware and even malware that will likely arrive in the future. You are effectively kicking the legs out from under malware by blocking one or more critical functions it relies on to do its thing.
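As an added illustration of the contrast drawn above (and of the signature cycle described earlier), the following Python script is example code written for this article, not Barkly’s product logic. The sample blob, the endpoint telemetry and the behavior rules are all constructed for the demonstration; real products derive their rules from far richer low-level telemetry.

```python
import hashlib
from collections import defaultdict

# --- Signature-based detection (the traditional A/V model) ---
# Constructed "malware" blob and a variant that differs by a few bytes only.
KNOWN_SAMPLE = b"dropper-v1\x00encrypt documents;delete backups;leave note"
VARIANT = KNOWN_SAMPLE.replace(b"v1", b"v2") + b"\x90" * 8  # changes the hash, not the behavior

SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}  # fingerprints of known malware

def signature_match(blob: bytes) -> bool:
    """Exact-fingerprint lookup: matches the known sample, misses every variant."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURE_DB

# --- Behavior-based detection ---
# Constructed endpoint telemetry as (pid, action, target). The known sample and its
# variant would both produce the same stream, because their behavior is unchanged.
EVENTS = [
    (4120, "exec", "invoice.exe"),
    (4120, "delete_backups", "volume-shadow-copies"),
    (4120, "rename", "q1.xlsx -> q1.xlsx.locked"),
    (4120, "rename", "plan.docx -> plan.docx.locked"),
    (4120, "rename", "board.pptx -> board.pptx.locked"),
    (4120, "write", "HOW_TO_RECOVER.txt"),
    (2210, "exec", "winword.exe"),
    (2210, "write", "notes.docx"),                 # ordinary save by a legitimate editor
    (2210, "rename", "~notes.tmp -> notes.docx"),  # editor swapping in its temp file
]

MASS_RENAME_THRESHOLD = 3  # constructed threshold for the demo

def behaviors_per_process(events):
    """Map each pid to the set of tell-tale behaviors seen in its event stream."""
    appended_ext = defaultdict(list)
    found = defaultdict(set)
    for pid, action, target in events:
        if action == "delete_backups":
            found[pid].add("backup_tampering")
        elif action == "rename":
            src, dst = target.split(" -> ")
            if dst.startswith(src + "."):  # original name kept, a new extension appended
                appended_ext[pid].append(dst)
        elif action == "write" and "RECOVER" in target.upper():
            found[pid].add("ransom_note")
    for pid, names in appended_ext.items():
        if len(names) >= MASS_RENAME_THRESHOLD:
            found[pid].add("mass_rename")
    return dict(found)

def processes_to_block(events, min_behaviors=2):
    """Block a process once it shows at least two independent malicious behaviors."""
    scores = behaviors_per_process(events)
    return sorted(pid for pid, b in scores.items() if len(b) >= min_behaviors)
```

The variant slips past `signature_match` while `processes_to_block` still flags pid 4120 and leaves the editor process alone, which is the whole point of blocking behaviors rather than fingerprints.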
Vendors utilize behavioral analysis in different ways. When it is high-level and fairly general, organizations will use it for attack detection and incident monitoring. Others (like us here at Barkly) use specific and conclusive low-level information to actively shut down malware, stopping it in its tracks.
Example vendor: Barkly
3) Whitelisting and Blacklisting
As an administrative control, whitelisting — limiting the programs and applications authorized to run on an endpoint — is a proven approach particularly valuable to organizations with a very small and/or stable number of applications. Similarly, blacklisting — preventing specific applications from running — has been used to eliminate access to either unknown or untrusted programs.
While whitelisting/blacklisting is an effective way to ensure that only approved applications are allowed to run, building and maintaining a whitelist or blacklist in a typical environment is complex and time-consuming. Just think of the variety of programs and apps being used in your organization right now. How many are mission critical, how many others are just running there, and how do you stay up-to-date on what the organization needs and approves?
Without this almost unheard-of level of software governance and control, whitelists and blacklists rapidly become frustratingly obstructive or sadly out of date. And as some well-known attacks have shown, the content of these lists can be manipulated by attackers with the appropriate stolen credentials, eliminating organizational confidence in the approach.
Advances in technology have made rolling out and enforcing smaller and special purpose whitelists and blacklists across organizations possible, but they remain unpopular as a standalone means of protection.
Example vendor: Bit9 component of CarbonBlack
4) Sandboxing / Virtualization
Of course, the most definitive way to determine whether or not a program is malware is to simply fire it up and let it do its thing — except, you know, over there, away from all the stuff you don’t want trashed or infected.
Sandboxing solutions (sometimes called containers) create an isolated environment in which that can happen without affecting the host system. New files that have never been seen before can be executed in this partitioned environment to see how they will behave.
The problem with sandboxing is that sophisticated malware can usually tell when it is being executed in a virtualized environment. Knowing this, it can hide its malicious attributes until it’s passed back into the mainline environment, or it can simply refuse to execute.
For solutions that attempt to make every program and process operate within a container, there are high costs in terms of system resources. The enforced isolation can be a significant impediment for users. It’s also rare for sandboxing to yield obvious, conclusive results. Malicious behavior at this level can look very similar to legitimate behavior, so solutions often require trained analysts on staff to run and monitor the tests.
Example vendor: Bromium
5) Intrusion / Anomaly Detection
Operating under the concession that endpoint breaches are inevitable, some vendors have shifted focus from prevention to post-infection detection, monitoring, and response. The primary goals their tools support are identifying when a breach has taken place, containing the infection, and gathering threat intelligence on the compromise to prevent additional breaches from taking place.
Simply confirming that a breach has in fact taken place is a valuable capability many organizations could benefit from. According to our recent survey on cybersecurity confidence, 33% of organizations currently don’t have the ability to determine whether they’ve suffered a breach or not. The ability to remotely isolate compromised endpoints is another appealing feature that can help prevent an infection from spreading.
But to take full advantage of these capabilities, intrusion detection solutions often require hands-on management by security analysts who are familiar enough with typical endpoint behavior to know when something is anomalous and requires further investigation.
In addition, when it comes to endpoint breaches, simply knowing you’ve been infected sometimes isn’t good enough. Ransomware provides the perfect example of how waiting to detect and respond to an infection until it’s already running can often mean you’re too late.
Example vendor: FireEye
6) Incident response and rollback
Our last group of solutions shares many of the elements of intrusion detection but adds continuous monitoring and recording of all endpoint and server activity into the mix. Not only does this allow you to maintain a clear view of what is happening before and during an attack, it also makes it possible to automatically restore affected machines to their pre-attack states.
The primary benefit of these solutions is reducing the costs and complexity associated with response and recovery. Without the continuous recording, security teams are left to piece together what happened manually from limited information and compromised sources.
Of course, any damage generated from the outset of an attack to the point of detection and response is damage done. Endpoints may be brought back online more easily, but any sensitive information accessed or stolen during that time has still been compromised.
Example vendor: CarbonBlack
- Verizon 2015 Data Breach Investigation Report
- CyberEdge Group 2016 Cyberthreat Defense Report
Endpoint protection is much more than antivirus. Evolutions in malware have rendered A/V and other signature-based detection solutions ineffective on their own.
Next generation endpoint security solutions can utilize a variety of different approaches aimed at improving on the shortcomings of traditional A/V. Choosing the best one(s) for you will depend on your organization’s infrastructure, needs, and priorities.