Endpoint Protection Crash Course
Endpoint protection has evolved from antivirus software to a host of purpose-built solutions that use emerging technologies before and after an attack.
Endpoint attacks have matured tremendously during the past 20 years.
What started with viruses motivated by fame with the goal of widespread infection has evolved into targeted ransomware used by crime syndicates.
With all the information an attacker needs to damage an organization stored on a desktop, phone or tablet, the endpoint has become the new perimeter. This trend will continue as organizations push mobile workstations and employees increase their engagement with social media.
Types and characteristics of endpoint attacks
Today attackers use a variety of methods to obtain Bitcoin and other cryptocurrencies, personally identifiable information (PII), and banking usernames and passwords. Common endpoint attacks are:
- Vulnerability exploits
- Email phishing
- Drive-by downloads
- Watering holes
These attacks can be waged using different tactics, but they all share some common characteristics.
First, the Web is the attack distribution vector of choice. Using the Web, attackers can easily spread links to hosted malware via email and IM; use command and control servers to manipulate botnets; and install components after an infection for multi-staged attacks.
Second, these attacks are sophisticated. Unique malware variants are polymorphic and metamorphic with automated toolkits allowing for the quick creation of new variants and URL shorteners like bit.ly and ow.ly providing an easy disguise for malware.
Third, attacks are targeted in large part because of end-user behavior. As users engage more with social media and select sites, attackers can be more strategic in luring victims.
Types and characteristics of endpoint solutions
It used to be that the best weapon of defense against endpoint attacks was antivirus software. In fact, many companies still rely on antivirus as their endpoint security solution, even though the best antivirus scanners are incapable of keeping up with the amount of malware thrown at today’s endpoints. Today, purpose-built endpoint security solutions are on the rise. These solutions forgo a chase-from-behind approach characterized by a reliance on signatures, product suites or pervasive presence, and instead proactively monitor and contain attacks using emerging technologies, such as security automation and machine learning.
The easiest way to examine endpoint protection solutions is to look at those designed to secure endpoints before an attack versus those focused on containing a breach after an attack.
Solutions to combat endpoint attacks before they occur
An endpoint protection platform covers the window of compromise between vulnerability and breach and is the best defense before a breach occurs. Gartner defines an endpoint protection platform (EPP) as “a solution that converges endpoint device security functionality into a single product that delivers antivirus, anti-spyware, personal firewall, application control and other styles of host intrusion prevention (for example, behavioral blocking) capabilities into a single and cohesive solution.”
Controlled Detonation: Sandboxing
Sandboxing is a security technique in which suspected files are pushed to a protected environment where they are executed, or detonated, so that their behavior and traits can be analyzed and compared against those of known malware. This technique is particularly effective at preventing zero-day attacks, for which no signature exists.
Historically, sandboxing has been done on-premises; however, more organizations are now sandboxing in the cloud, as cloud-based solutions can offer faster analysis, better protection for mobile users and more attractive pricing.
To be effective, a vendor’s sandbox should look like a real endpoint within an organization and support an organization’s operating system platforms.
It’s important to note that sandboxing isn’t a surefire solution. According to the 2017 Verizon Data Breach Investigations Report, ransomware attackers have started experimenting with a variety of ways to evade sandboxing, one example being execution time differences between real and virtual machines.
Math-based Intelligence: Machine Learning
Machine learning as applied to cybersecurity is an automated form of data analysis that builds a model or algorithm, which allows computers to find hidden insights without being explicitly programmed where to look. For each security event, statistical models produce a confidence score.
Like sandboxing, machine learning is highly effective against zero-day attacks, for which no signature exists. A major benefit of machine learning is its ability to weed out threat noise, that is, non-threatening events, sparing security operations teams from unnecessary investigations.
Implementing machine learning technology doesn’t guarantee endpoint safety. Machine learning solutions are dependent on the skill level of security research and data science teams.
Crowd-sourced Intelligence: Threat Feeds
Threat feeds curate databases of suspicious or known threats based on IP address, domain name, malicious payloads, suspicious file activity, command-and-control centers and other filters. Filters can be provided by outside vendors, the community or government agencies based on subscription or open source.
Solutions to combat endpoint attacks after they occur
Endpoint detection and response (EDR) solutions are focused on security after an attack. These solutions detect security incidents by monitoring endpoint activity, policy violations and indicators of compromise (IOCs). Endpoint events are used to investigate security incidents to determine the technical changes that occurred and their impact on the business.
Once a security incident has been discovered, the endpoint can be contained such that network traffic or process execution can be remotely controlled. EDR solutions allow endpoints to be remediated to a pre-infection state, removing malicious changes and repairing other damage.
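The threat-feed matching described above and the IOC monitoring that EDR solutions perform come down to the same check: normalize each endpoint event and test it against the indicators in the feed. The following is an added example, not code from the article or any vendor; the feed and the endpoint events are constructed (documentation IP ranges, a `.test` domain and a placeholder hash), and it shows why naive substring matching is wrong (the look-alike domain must not match) and why IP indicators are usually published as networks.

```python
import ipaddress

# Constructed threat feed (hypothetical indicators, not real IoCs).
FEED = {
    "ip_nets": ["198.51.100.0/24"],      # documentation range, treated as C2 here
    "domains": ["bad-example.test"],     # matches the domain and any subdomain
    "sha256": ["0" * 64],                # placeholder hash of a known payload
}

# Constructed endpoint telemetry: (event_type, value) pairs as an agent might emit.
EVENTS = [
    ("net_conn", "198.51.100.37"),
    ("net_conn", "203.0.113.5"),
    ("dns_query", "cdn.bad-example.test"),
    ("dns_query", "notbad-example.test"),   # look-alike, must NOT match
    ("file_hash", "0" * 64),
    ("file_hash", "f" * 64),
]


def match_events(events, feed=FEED):
    """Return [(event_type, value, matched_indicator)] for events that hit the feed."""
    nets = [ipaddress.ip_network(n) for n in feed["ip_nets"]]
    domains = [d.lower().strip(".") for d in feed["domains"]]
    hashes = {h.lower() for h in feed["sha256"]}
    hits = []
    for etype, value in events:
        indicator = None
        if etype == "net_conn":
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                continue  # malformed telemetry: skip rather than crash the pipeline
            indicator = next((str(n) for n in nets if addr in n), None)
        elif etype == "dns_query":
            # Exact label or subdomain match; "notbad-example.test" is not a hit.
            name = value.lower().strip(".")
            indicator = next((d for d in domains
                              if name == d or name.endswith("." + d)), None)
        elif etype == "file_hash":
            indicator = value.lower() if value.lower() in hashes else None
        if indicator:
            hits.append((etype, value, indicator))
    return hits


if __name__ == "__main__":
    for hit in match_events(EVENTS):
        print("IOC hit:", hit)
```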
Trace the Attack: Enterprise Visibility with Forensics
By providing proactive, continuous monitoring and recording of all activity on endpoints and servers, EDR solutions reduce the need for after-the-fact data collection and provide instant aggregate threat information. This decreases the dwell time of targeted attacks and is useful for countering insider threats, conducting internal investigations and improving regulatory responses.
Stop the Infection: Incident Containment
By isolating infected systems, organizations have the ability to limit or control network connectivity of endpoints being investigated and deny attacker access to further systems, preventing lateral movement. Some EDR products provide a secure shell for access to the infected system to perform trusted investigation. This capability removes the burden of distinguishing between malicious and legitimate content or executables while investigating an endpoint attack.
Back to Normal: Rapid System Remediation
System remediation provides a rollback capability that can restore system files that were deleted or modified during a security attack, and restore them to a state previous to the incident. This eliminates the need for a costly cleaning operation and significantly accelerates time to remediation.
Considerations when evaluating endpoint solutions
Although the endpoint market is crowded, the underlying technologies of vendor solutions are quite similar. Rather than comparing feature sets of all the products on the market, it’s best to start the selection process based on key requirements. Common key requirements for large organizations include:
- Endpoint agent flexibility
- Managed and professional services
- Whether solutions are based in the cloud or on premises
- Live response and automation
Many factors influence key requirements. For the business, influencing factors could include corporate objectives and priorities as well as an organization’s level of risk appetite. For IT, existing technical investments and future investments in cloud can narrow a solution. There are also functional considerations such as the level of collaboration between security and operations, and existing approaches to incident response.
Certain questions can help organizations identify solutions that best meet their key requirements. Some good questions to ask when evaluating endpoint protection solutions are:
- Does the solution offer tight integration with network infrastructure?
- Does the solution offer cloud-managed infrastructure?
- Is the solution resource constrained?
- Does the solution provide dedicated threat hunting?
- Does the solution offer strong API and automation capabilities?
- Is incident response outsourced as part of the solution?
- How quickly can the solution be deployed?
- Does the solution possess post-breach response capabilities?
To hear more about endpoint protection, click on the link below to listen to a TEC17 podcast episode where Matt Berry from WWT and Danny Milrad from Palo Alto Networks discuss how organizations use endpoint protection to deal with new threats.
We can help you answer all these questions and more. Request our Endpoint Security Workshop to get started.