This is not the end for endpoint protection

It is easy to dismiss endpoint protection as a relic of an older time when information security only consisted of anti-virus solutions and perhaps a firewall, but as the threat landscape has changed, so too has endpoint protection. It has a troubled history, but this it not at all the end of endpoint protection today.

In our early computing days, it was sufficient to create signatures for each piece of malware that was discovered. With the tools they had at their disposal, malware authors could not churn out viruses and Trojans at a rate to compete with the efficiency of a team of security professionals seeking to stop them. Slowly, that began to change, but for a while the status quo remained, with anti-virus labs making use of then-new tools such as virtualised environments to quickly determine what their foes were creating and slow their fate of being overrun.

Of course, the picture that is painted today shows that signature-based malware detection lost that battle. The ZeuS Trojan, for example, continues to have detection rates that average around the 40% mark, despite being known to security vendors for over seven years. Its continued ability to evade detection, shows that its creators consistently remain a step ahead of researchers' efforts to shut it down using signatures.

In the off-chance that traditional endpoint security applications did discover an infected device, most operate on a per-device basis. Cleansing that single device was the main concern, and it was typically assumed that the threat would be equally detected on other devices. However, malware began to adapt according to the environment it was in, changing its behaviour if it realised it was on certain operating systems, or within a virtual machine.

Clearly, these two issues have made traditional endpoint protection appear less relevant to today's organisations, but the initial response of dealing with its pitfalls has not fared well either.

In the quest to out-do malware authors, some security practitioners moved up the stack to the network layer, examining traffic to identify if malicious activity was occurring. The problem with this model is that these systems typically required a network compromise in order to see that there was an infection. Although this provides an organisation with the visibility to realise it is under attack through the tell-tale signs of data exfiltration, at that point it is already too late as the damage is done. Although network forensics continues to be an important part of any security defence, the belief that it could replace endpoint protection was misplaced as it could not examine what was occurring on the device.

For endpoint protection to be relevant today, solving all three issues of signatures, cross-device detection and in-device interrogation is key.

Examining network traffic for compromise was a good theory on paper, but too far away from the initial point of infection. Ideally, this should occur closer to the application layer, where a piece of malware could be identified as performing malicious activity such as injecting code into memory, or hooking into processes it shouldn't.

This can be done without signatures at all by quickly comparing the files on a disk with what is actually occurring in-memory. Discrepancies between the two can be used to indicate a sign of compromise. Combined with application whitelisting, the traditional heavy, slow and ultimately ineffective scans that signature-based endpoint protection used to impose can be bypassed completely.

Read more: Three adware-serving Android apps on Google Play reach millions

Modern endpoint protection should also extend beyond sitting in a silo on each device. Combining indicators of compromise across multiple devices can yield more information about the scope and depth of an infection. For example, malware could create backdoor administrator accounts on five other devices, then delete itself to cover its tracks. Traditional endpoint protection may have detected the malware on the first device, but ultimately failed to discover the other four affected devices that already have backdoor accounts and had the malware dropper removed.

By instead understanding the actions the malware has taken, an entire fleet of devices can be instantly scanned, with an endpoint protection tool looking not for the signature of malware that has long departed, but for the fruits of its labour.

Lastly, while traditional endpoint protection systems failed to make use of their proximity to the application layer, modern systems take full advantage of their evidence gathering capabilities. Analysts frequently complain that network traffic alone allows them to see they are under attack, but that they cannot see dive deep enough to see what devices are compromised and to what extent. The modern endpoint protection system, however, has access to all of that information which would assist in putting together a full picture of what is happening on each devices across an entire organisation. This has a range of applications, from routine monitoring of a network for threats to proactive security assessments.

Today, endpoint protection has a significant role to play in an intelligence driven security model -- a security posture where every element of an organisation's defence network works together to provide actionable data to identify, analyse and respond to threats. It is the eyes and ears at the front line of where attacks occur and, contrary to initial belief, it's where the fight against online threats begins, not ends.

Upcoming IT Security Events

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec and Peter Gutmann

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)

 

Tags malwareendpoint securityrsaapplication whitelistingZeuS Trojansecurity intelligenceEndpoint Protection

Show Comments