Today’s Security Landscape
Over the past two decades of tech booms, busts, and bubbles, two things have remained constant: hackers continue to find ways to breach security measures in place, and the endpoint remains the primary target. And now, with cloud and mobile computing, endpoint devices have become the new perimeter of enterprise security, so there is even more pressure to secure them.
Companies are deploying numerous software solutions on the endpoint to secure it, including antivirus, anti-malware, desktop firewalls, intrusion detection, vulnerability management, web filtering, anti-spam, and more. Yet, despite all the solutions in place, high-profile companies continue to be breached. The recent attacks on large retail and hospitality organisations are prime examples, where hackers successfully used credit-card-stealing malware targeting payment servers to collect customer credit card information.
Why Traditional Security Is Not Working
There is a fundamental problem with the security that leaves us basically in the same spot: it is looking for something known - a known hash, IP address, vulnerability, or behaviour. Ultimately, hackers can devise enough masking techniques to bypass the security software, leaving the server or laptop once again the victim of an attack. It’s very easy to alter this malicious code with downloaded or created tools to bypass security measures. Anyone who has basic coding skills can do it. The diagram illustrates several attack masking techniques, which are often used in conjunction with each other to disguise a known binary, making it appear completely new, unknown, and benign on the surface.
Along with masking techniques, hackers are using different vectors or paths to deliver the malicious code and carry out their attacks. Top attack vectors are listed to the right. Attacks can be single-vector or part of a multi-vector, more sophisticated attack.
Is Antivirus Dead?
Antivirus software has been around for 25 years, yet it has not evolved to protect against attacks that utilise unknown threat techniques. It continues to look for a known hash, and small changes to the hash can bypass the system. Antivirus also overlooks the fact that attacks can be file-less, infecting memory and writing directly to RAM rather than relying on file systems.
In addition, Antivirus is knownnot to be user-friendly, hogging bandwidth with updatess, and spiking CPU with resource-intensive scans. This not only leads to downtime but also often causes users to become frustrated and take steps to turn off the software or ignore security warnings.
Sandboxing As A Defence?
Approximately five years ago, network-based sandboxes began to emerge. They, in essence, “implement the execution of unknown files inside a virtual machine residing on the network and monitor file behaviour throughout its execution within the protected environment. While these solutions have been able to increase detection rates of new threats, they are far from being 100% effective.
Attackers quickly realise that, while their current packing techniques could not be used to bypass the sandbox environment, they just needed to detect the environment, which could easily be done by noticing the limited emulation time, lack of user interaction, and the specific image of the OS. Once the environment is identified, they ensure that their malicious code will not run in the emulated environment, will be flagged as benign, and will continue its route to the endpoint, where it will only run. The endpoint antivirus can do little to stop it.
Math-Based Next Gen AV
There is an abundance of noise surrounding ‘ext-Generation Antivirus’ point products that claim to be developed using ‘predictive mathematics’, ‘machine learning’, and ‘artificial intelligence’. Regardless of whether the underlying technology constitutes true AI, the overall approach from a security standpoint is flawed. The industry’s most hyped math-based prevention product is one that will not come close to solving your overall endpoint protection challenges.
With the evolving threat landscape, a new model that employs a different approach is necessary.
Five Reasons To Look Beyond Maths-Based AV
File-Based Malware-Only Half The Battle
PE and DLL-based attacks account for only 50% to 60% of the new malware observed each week. Prevention-only products will be completely ineffective tagainstthreats that uutilisemultiple vectors, especially when they ddon’t involve file-based malware such as memory-based malware, exploits, and script-based attacks from twithin
Some Things Can’t Be Predicted
The true nature of a file (benign or malicious) can be predicted through statistical analysis of predefined attributes. However, Y malware is driven by human behaviour, which makes it nearly impossible to predict what new tactics and techniques attackers will develop next.
No On-Prem Management Option
If your organisation adheres to stringent data privacy policies that require it to own its data, then the industry’s most hyped math-based next-generation AV isn’t an option for you.
It is strictly cloud-based, with no option to deploy as an on-premise management server.
99% Is Not Enough
When 99% pertains only to file-based malware, that isn’t enough. Even if 99% of file-based malware is blocked, what will you do with the 1%?
If 100 variants of malware are threatening you, then 99.9% prevention sounds pretty good, but what if there are lillions?
One new zero-day attack is discovered almost every week, and nearly 1 million new malware variants are released each week.
Just ONE of these attacks could cause tremendous financial and reputational damage to an organisation.
Teaching The AI Can Takes Time
During initial deployment, there is substantial overhead where security and IT teams must spend time instructing the system on what is safe (versus what is not), as the product doesn’t utilise definition files.
It’s up to the admin to investigate files based on MD5 hashes and threat intelligence reports, as well.
Depending on the environment and the number of IT resources dedicated to the security project, this process could be extremely time-consuming.
Next-Generation Endpoint Protection
Over the past couple of years, a new type of technology has emerged, designed to detect and prevent threats at the endpoint using a unique behaviour-based approach, instead of looking for something known or its variant, like signature-based detection, next-generation endpoint security analyses file characteristics (to uncover known and unknown file-based malware) as well as the entire endpoint system behaviour to identify suspicious activity on execution. Endpoint detection and response (EDR) monitors for activity and enables administrators to take actions on incidents to prevent them from spreading throughout the organisation. Next-Generation Endpoint Protection (NGEP) takes it a step further, automating actions to prevent and remediate attacks.
Until recently, administrators have been hesitant to utilise the protection capabilities due to the false positives associated with flagging unusual behaviour that isn’t malicious. Skype, for example, defies many rules of a ‘normal’ application, jumping ports and protocols, yet it’s a legitimate application often used for business use. The NGEP must have the ability to learn the local systems and environment so it doesn’t flag benign behaviour.
Next Generation Endpoint Protection as an Antivirus Replacement
Suppose you’re evaluating a next-generation endpoint security solution. In that case, you may be thinking it’s yet another tool to install and potentially bloat your endpoint, as well as your budget. As you’re in a regulated industry, you may be required to keep your antivirus Software up-to-date and install endpoint protection as an additional layer to protect against new and unknown attacks. Many next-generation endpoint security vendors would not claim that they can replace antivirus. But suppose the next-generation vendor has been tested and certified as meeting Antivirus requirements (and passing the detection test). In that case, you can consider replacing your Antivirus with next-generation endpoint security.
To completely replace the protection capabilities of existing legacy, static-based endpoint protection technologies, NGEmust be able to stand on its own and secure endpoints against both legacy and advanced threats throughout the various stages of the threat lifecycle: - pre-execution, on-execution, and post-execution. Your Next Generation Endpoint Protection (NGEP) solution needs to address four core pillars that, when taken together, can detect and prevent the most advanced attack methods at every stage of their lifecycle:
Advanced Malware Detection
Your NGEP must be able to detect and block unknown malware and targeted attacks - even those that do not exhibit any static indicators of compromise. This involves dynamic behaviour analysis — the real-time monitoring and analysis of application and process behaviour based on low-level instrumentation of OS activities and operations, including memory, disk, registry, network, and more. Since many attacks hook into system processes and benign applications to mask their activity, the ability to inspect execution and assemble its true execution context is key. This is most effective when performed on the device, regardless of whether it is online or offline (i.e., to protect against even USB stick attacks).
Mitigation
Detecting threats is necessary, but relying solely on detection, many attacks remain unresolved for days, weeks, or months. Automated and timely mitigation must be an integral part of NGEP. Mitigation options should be policy-based and flexible enough to cover a wide range of use cases, such as quarantining a file, killing a specific process, disconnecting the infected machine from the network, or even completely shutting it down—quick mitigation during the inception stages of the attack lifecycle can minimise damage and expedite remediation.
Remediation
During execution, malware often creates, modifies, or deletes system files and registry settings and changes configuration settings. These changes, or remnants that are left behind, can cause system malfunction or instability. NGEP must be able to restore an endpoint to its pre-malware, trusted state, while logging what changes were made and what was successfully remediated.
Forensics
Since no security technology claims to be 100% effective, the ability to provide real-time endpoint forensics and visibility is a must. Clear and timely visibility into malicious activity throughout an organisation allows you to quickly assess the scope of an attack and take appropriate responses. This requires a clear, real-time audit trail of what happened on an endpoint during an attack, as well as the ability to search for indicators of compromise.
Evaluation Questions
Now that you know what to look for in a next-generation endpoint protection solution, you’ll need to start evaluating vendors on your shortlist. Request an evaluation from the vendor, ensuring it’s full-production software, so you can assess its actual performance in your environment and against the security tests you’ve outlined. For your evaluation, take the following considerations into account:
- Is the EPP and EDR solution combined into a single agent to be deployed via a traditional software deployment tool and managed and operated via a single central management console?
- Does the software offer a multi-tenancy functionality for endpoints, both on-premise and in the cloud? For example, if a company has two different IT teams that need to manage diverse entities or subsidiaries in other countries, can the software support this and manage the endpoints?
- For endpoints (including mobile devices, if supported), which operating systems and major operating system versions are supported? For each of these, what are the performance requirements (CPU, memory, storage)?
- How, in technical terms, does the product detect and prevent attacks from each vector, including malware, exploits, and live or insider threats?
- How frequently are updates made available? Are updates pushed or pulled to the endpoint?
- Do the updates require any user intervention (e.g., reboot)?
- Can the product prevent threats if the endpoint is offline from the network?
- How scalable is the product? How many clients can each management console support?
- Is the management server cloud-based or on-premise?
- What is done to prevent false positives and learn benign system behaviour?
- Do they integrate with SIEM systems for incident management?
- Are there prevention policies in place to protect against real-time threats?
- What levels of contracted support does the endpoint protection vendor provide?
- Are software updates and upgrades part of the licensing fee?