Information Security

Defending the digital infrastructure

alphaspirit - Fotolia

Advanced endpoint protection takes on the latest exploits

Advanced endpoint protection is arriving from all quarters -- machine learning, crafty sandboxes, behavior analytics. Learn how tech advances are being applied to endpoints.

Scale is one measure of a security challenge. The AV-Test Institute registered 100 million-plus new malicious programs during a 12-month period ending in May 2017.

Another way to gauge a security problem's severity is by its price tag. The average cost of a data breach rose from $3.8 million to $4 million in 2016, according to Ponemon Institute's "Cost of Data Breach Study." Grand View Research Inc. expects the endpoint security market to surge to a $27.05 billion valuation by 2024, up from $10.12 billion in 2015. In short, an endpoint infection that leads to a breach will have you paying at least twice.

CISOs and directors who stay apprised of advanced endpoint protection developments can make informed decisions about where to invest in this market and provide input on its course of growth. Endpoint security is making strides in behavior analytics, sandboxing and machine learning, increasing its capacity to mitigate advanced malware. These developments play a significant role in defending the enterprise against evolving threats, including ransomware.

Behavior analytics

Advanced endpoint protection products track and monitor indicators of attack and indicators of compromise, such as attempts at unauthorized system and process changes. Behavior analytics (BA) and user and entity behavior analytics analyze these indicators and their interrelationships to form approaches to protecting endpoints.

BA builds a profile -- a baseline fingerprint -- of normal user behavior. With this baseline, vendors can detect uncharacteristic behavior. "Some manufacturers who have multiple security offerings are building user profiles based on data from across the network," said Peter Burke, CISSP, security and borderless networks technical consultant at Force 3. The robust profiles that result improve detection abilities to advance endpoint protection.

New BA systems drill down into user activities on a fine-grain level. "State-of-the-art BA looks at running processes, process changes, changes in file size or location, and users entering the kernel space and modifying things there," said Brandon McCrillis, CEO and principal consultant for Rendition Infosec.

"BA systems denote the difference between a valid and invalid person, identify bot actions and sleeper Trojans, and protect networks against patient zero scenarios," said Tim Cullen, CISSP, F5-CTS, who is senior security architect for Adapture Inc. Rather than detecting an infection, BA systems detect malicious behavior before the first infection in the hope that there won't be a patient zero.

Vendor models, BA and endpoint protection

Vendors use different models to provide BA and advanced endpoint protection. Some vendors are building new endpoint security tools by uniting their products with those of other providers. Crowdstrike has partnered with Exabeam to bring its cloud-based endpoint security to market with Exabeam's User and Entity Behavior Analytics. "Separating the analytics engine in this way means you can accept more data into the system and perform analytics on large amounts of evidence," Cullen said. You would expect such a system to get a complete picture of behaviors and threats and formulate a more thorough and comprehensive response.

Top endpoint security issues

Cyphort has formed partnerships with Carbon Black and with Bradford Networks to offer solutions that include BA in endpoint security. The more vendors involved, the more the threat intelligence that you can have available for use by these systems.

There are drawbacks to multivendor systems. To operate fully in concern, vendors on both sides of the interactions will need to make software and configuration adjustments. "This can add to the installation time based on API availability and versioning needs," Cullen said. "Multivendor solutions can also be a handful to manage with regression testing and software support costs."

Single-vendor products have their advantages. "All-in-one solutions such as those from FireEye and Checkpoint have value when it comes to consolidated support and ease of integration," he said.

Antisandboxing on the rise

Malware that uses antisandboxing and antivirtual machine techniques -- typically, sandboxes are virtual environments -- detects evidence that it is in a sandbox. This evidence has included anything that could be present in a virtual machine or sandbox such as certain files or registry keys. "We have seen malware that checks process lists to identify sandboxing binaries," said Brandon McCrillis, CEO and principal consultant at Rendition Infosec.

Brandon McCrillis, CEO & principal consultant, Rendition InfosecBrandon McCrillis

When malware detects that it is in a sandbox, it can go dormant or "sleep" so that the sandboxing technology has little to analyze. Some malware starts out latent and revives later to circumvent discovery by sandboxes. This ability allows the same malware to remain productive longer because no one has identified it. "Endpoint security counters malware that sleeps by moving time forward on the system to trick the malware into waking up," McCrillis said.

Other malware runs in memory and does not create, save or execute any new files and thus avoids sandboxes altogether. Advanced malware has many methods for countering sandboxes. Enterprises should consider endpoint security vendors who update their sandboxing technology on a continuous basis to successfully cope with advanced malware's evolving sandbox detection, response and evasion methods.

Sandboxing differences and updates

Peter Burke, CISSP, security and borderless networks technical consultant, Force 3Peter Burke

Endpoint security uses virtual bubbles called sandboxes to run and study threats without affecting systems external to the sandbox. These endpoint security tools learn how to better defend systems from experiments. "Sandboxing technologies vary between every manufacturer, depending on whether they deliver these on premises or as hybrid or cloud-based solutions and based on the operating systems used, the versioning of the software and what software each tests against," Burke said.

Some sandboxes run on separate appliances, and some use software agents on the endpoint. Separating the malware further from the production environment or business network by using appliances adds a layer of protection for the enterprise. "Sandboxes that run in local device agents add risk that the threat could infect the corporate network," Cullen said.

There are no silver bullets in security with a human opponent, but with the help of machines, the [time to respond] and [time to protect] come that much closer to actual 'patient zero protection.'
Mike Spanbauervice president of strategy, NSS Labs

The newest sandboxes simulate multiple OSes to see how threats affect different systems; this is essential for most enterprises, which must support various endpoints and OSes. Vendors that centralize sandboxing services in the cloud can efficiently collect new threat information and quickly disperse it to all their customers.

This cloud-based approach provides advanced endpoint protection even when a new attack has not yet hit your organization. This model is more expedient than waiting for an external publisher of new threat intelligence to collect threat data, process it and send it on to you. Still, external threat intelligence is necessary, as another vendor may see and publish a threat before your vendor does. 

The latest sandboxes integrate directly with BA and security event monitoring and alerting technologies. This integration increases the effectiveness of all these technologies and gives BA an additional, direct source of behavioral intelligence. These kinds of sandboxes are often called secure containers.

2017 security initiatives

Modern threats can determine whether they are in a sandbox by trying to ping Google's IP address. In response, new endpoint security products' sandboxes allow that threat to ping that external address. "Sandboxes that enable that granular approval of traffic escaping are useful to trick the malware into thinking it's not in a sandbox," McCrillis said. (See sidebar for more on advanced malware's antisandboxing maneuvers.)

Comprehensive sandboxing is intuitively preferable for advanced endpoint protection. Sandboxing approaches that address the many attack vectors of file, memory and process exploits offer more efficacy than single-vector methods such as browser-based isolation of threats, said Mike Spanbauer, vice president for strategy at NSS Labs.

Machine learning and advanced endpoint protection 

According to Spanbauer, machine learning uses machine processes to iteratively improve on endpoint security algorithms based on previously aggregated malicious file activity data; in short, the system learns from experience. "Machine learning helps endpoint security vendors to address the speed with which bad actors create and release threat variants, techniques, and malicious software packages," Spanbauer explained. "I refer to this concept as machine speed response."

Mike Spanbauer, vice president of strategy, NSS LabsMike Spanbauer

With this idea, computers and programs police themselves based on adaptive parameters of both pattern matching and quick inferences about new patterns, according to Spanbauer. "There are no silver bullets in security with a human opponent, but with the help of machines, the [time to respond]) and [time to protect] come that much closer to actual 'patient zero protection,' which is arguably the holy grail for endpoint protection," Spanbauer said.

Endpoint security fights ransomware

Ransomware can be polymorphic or metamorphic, meaning that it can change its code as it propagates to avoid detection. Metamorphic malware uses algorithms to change its code with each infection. Polymorphic code typically changes part of its system while some essential mechanism or component may be static.

Tim Cullen, CISSP, F5-CTS, senior security architect, AdaptureTim Cullen

According to Cullen at Adapture, endpoint security vendors are creating products that defend the enterprise against mutating ransomware by merging technologies like machine learning, behavioral analysis, file system monitoring and process monitoring. Though the ransomware recodes itself, its behavior is apparent, enabling these new techniques to distinguish it from benign software.

Building endpoint security intelligence

To detect and respond to an increasing number of altogether new malware strains, endpoint security must gather and analyze large data sets of behavioral information in real time, apply machine learning to think through the abilities and intents of suspect files and processes, and create and execute counteractive measures. "Endpoint security software must find meaning in massive amounts of data from a wide variety of sources; analysis on this scale is not easy, and this is where machine learning is essential," Burke said. 

Article 1 of 3

Next Steps

Learn how "bellweather technologies" also enhance company security

Machine learning, artificial intelligence, offer hope for greater IT security

Discover more tools to protect endpoints from malware and more

Dig Deeper on Network security