
How a New Generation of End Point Protection will help Businesses Break Free of the Cat and Mouse Game between Detection and ever evolving Threats

By ISB Editorial Staff, April 6, 2016

Security researchers and hackers are caught up in an endless game of cat and mouse, with threats constantly evolving to thwart even the most stalwart of defences. Traditional methods of combatting new threats, which rely on signature-based detection of malicious files, URLs or IP addresses, are failing to block more sophisticated attacks, with the result that an overwhelming number of attacks slip under the radar. Even the much-acclaimed sandbox approach has recently come under attack, as hackers find innovative new ways to detect that code is running in a virtual environment and lie dormant until released from captivity.

It’s not just the tactics that have dramatically changed; so too has the nature of ‘end points’ themselves. Today an end point is just as likely to reside in the cloud, or to be an employee-owned mobile phone or tablet, as a traditional laptop or PC. And as the IoT comes of age, the number and nature of end points in need of protection could spiral out of control.

The stark reality is that traditional security defences that use static, signature-based methods to decide whether a file is malicious or benign are simply not up to the job. What’s more, analysing the binary structure of suspected malicious code to find similarities with other files or families of malware is only marginally more effective, since attackers can quickly adapt and create further variations on the theme, rendering statistical and mathematical models almost as useless as a plain static signature. A new, more robust, disruptive approach that focuses on the actual core of malware, its behaviour, which cannot be changed as easily as its hash or other static indicators, is long overdue.

A New Era of Endpoint Protection

Enter the next generation of end point protection (NGEPP) solutions, which, like their cybercriminal adversaries, have dramatically evolved their modus operandi. Their emphasis is on a behaviour-based approach to malware detection which, unlike the signature or sandbox approach, is not content to concentrate solely on mitigation, but instead offers real-time prevention, detection and mitigation, along with forensic analysis across the entire attack lifecycle.

The ability to see what is running on an endpoint, and how every application or process is behaving, is key to combatting the detection problem. What’s more, this analysis needs to happen at the scene of the crime, namely the end point itself. Like any disguise, it’s a lot easier to change your appearance than it is to change the way you act. By tracking the behaviour of a threat in real time from the point of detection through mitigation, remediation and forensic analysis, security teams can start to bring advanced malware and zero-day exploits under control.

Recognising the ‘Masters of Disguise’

So how does NGEPP work? A layer of pre-emptive protection first stops existing known threats in their tracks at the point of entry, replacing the capabilities traditionally provided by antivirus or host-based IPS. The sheer volume of new threats that surface daily, including new forms of malware, zero-day exploits and insider threats using tools like PowerShell to avoid detection, means you need to go much deeper than simply protecting against known threats, to detecting previously unknown ones. New end point technology is capable of detecting these new, stealthy threats not by what they are but by how they act, regardless of what disguises they might use to evade detection.

Tackling these unknown, targeted attacks requires real-time monitoring and analysis of application and process behaviour, as well as the ability to determine the context of the attack to minimise the possibility of false positives. This inspection needs to occur even when the user is offline, so that a USB stick or other infected device cannot become the source of an attack. In this way, even attacks which have never been seen before can be detected and stopped at their source.

However, to complete the task it’s vital that the final steps of mitigation and forensic analysis are performed, to close out the whole process and prevent any reoccurrence. To avoid any negative residual impact, the NGEPP should be capable of responding to an attack in a variety of ways, such as quarantining a file, killing a process, disconnecting an infected machine from the network or shutting it down completely. This needs to be automated to ensure that it happens before the threat has a chance to ‘phone home’ to a command and control server to deliver its payload, or move laterally.
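The argument of the last three paragraphs in working form, as an added example written for this article and not code from any NGEPP product: a hash blocklist misses a one-byte variant of a known sample, while a behaviour rule over constructed endpoint telemetry flags the same process chain regardless of hash, uses parent process and file-path context to avoid a false positive, and assembles the automated containment actions listed above. All sample data, process names and thresholds are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed samples: the two payloads differ by one byte, so their hashes differ,
# yet they would behave identically. The blocklist only knows the first one.
KNOWN_SAMPLE = b"simulated-locker-v1"
VARIANT_SAMPLE = b"simulated-locker-v2"
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def static_verdict(payload: bytes) -> bool:
    """Signature-style check: flags a file only if its exact hash is already known."""
    return hashlib.sha256(payload).hexdigest() in HASH_BLOCKLIST

# Constructed endpoint telemetry: (pid, parent_image, image, action, detail).
TELEMETRY = [
    (101, "winword.exe", "powershell.exe", "spawn", ""),
    (101, "winword.exe", "powershell.exe", "netconn", "203.0.113.5:443"),
    (101, "winword.exe", "powershell.exe", "filewrite", r"C:\Users\a\Docs\q1.docx.locked"),
    (101, "winword.exe", "powershell.exe", "filewrite", r"C:\Users\a\Docs\q2.xlsx.locked"),
    (101, "winword.exe", "powershell.exe", "filewrite", r"C:\Users\a\Docs\q3.pptx.locked"),
    (202, "explorer.exe", "outlook.exe", "netconn", "203.0.113.9:443"),
    (202, "explorer.exe", "outlook.exe", "filewrite", r"C:\Users\a\AppData\Outlook\cache.dat"),
]
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}
MASS_WRITE_THRESHOLD = 3  # constructed threshold; tune per environment

def behaviour_verdicts(events):
    """Behaviour-style check: scores what each process does, never consulting a hash.
    Context (parent, paths) keeps pid 202 clean. Returns {pid: reasons} for >= 2 hits."""
    writes = defaultdict(int)
    findings = defaultdict(list)
    for pid, parent, image, action, detail in events:
        if action == "spawn" and parent in DOCUMENT_APPS and image in INTERPRETERS:
            findings[pid].append("interpreter spawned by a document application")
        elif action == "netconn" and image in INTERPRETERS:
            findings[pid].append(f"interpreter opened outbound connection to {detail}")
        elif action == "filewrite" and detail.endswith(".locked"):
            writes[pid] += 1
            if writes[pid] == MASS_WRITE_THRESHOLD:
                findings[pid].append("mass rewrite of user documents with a new extension")
    return {pid: r for pid, r in findings.items() if len(r) >= 2}

def containment_plan(reasons):
    """Responses the text lists, ordered so the process dies before it can phone home."""
    plan = ["kill_process", "quarantine_file"]
    if any("outbound connection" in r for r in reasons):
        plan.append("isolate_host_from_network")
    return plan
```

Run `behaviour_verdicts(TELEMETRY)` and feed each result to `containment_plan` to see that only the document-spawned interpreter is flagged, while `static_verdict(VARIANT_SAMPLE)` returns False.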

Rolling Back Time

To ensure the network returns to its former state and doesn’t harbour any unwanted vestiges of the attacker’s visit, such as modified files or a hard disk encrypted by ransomware, the end point software should be capable of rolling back to its pre-attack status. The final part of the puzzle is figuring out what caused the attack, and that’s the forensics part. It’s vital to be able to quickly analyse the scale and scope of the attack, pinpointing who was targeted and with what type of threat. These learnings accelerate the remediation process and help organisations avoid a similar situation further down the road.

With the advent of new regulations like the EU Data Protection Regulations looming on the horizon, it has never been more important to secure and protect sensitive data. Businesses everywhere are waking up to the fact that legacy security approaches are becoming less and less effective against an arsenal of constantly evolving attacks by cybercriminals, nation states and terrorist organisations. As the risks and regulatory fines escalate dramatically, a new generation of security companies is rising to the challenge and proving worthy adversaries to hackers. NGEPP promises to provide the mousetrap that will put an end to the eternal cat and mouse game of one-upmanship that has dogged the security profession for far too long, and to put security professionals back in control of their IT environment once again.

About Tomer Weingarten
