Context-aware application control: A new approach to block endpoint threats that bypass traditional security methods
- — 01 March, 2013 20:15
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Corporate endpoints are under attack from cybercriminals who have developed ingenious and effective methods for installing malware on endpoints that can steal control from the end user, and there is no indication these attacks will slow down anytime soon. One reason: popular defensive technologies have provided some protection against the most blatant attacks, but have had little impact against more advanced threats. A new approach to endpoint protection is desperately needed.
Despite using market-leading endpoint protection solutions most large enterprises are (knowingly or unknowingly) still breached by advanced malware. The first generation of endpoint malware protection relies on blacklisting known malware samples and includes some rudimentary analytics designed to detect malware behaviors.
[PRODUCT TEST: DLP tools deliver strong endpoint protection]
Blacklisting is very effective against known malware that remains relatively static, such as so-called "nuisance-ware" malware that serves up unwanted pop-ups or redirects search queries to unscrupulous sites. But, blacklisting approaches (anti-virus and anti-malware) are easily evaded by designing malware to circumvent blacklisting rules.
Second generation endpoint malware protection solutions use application control to significantly improve the security posture by preventing malicious files from executing on the endpoint. One approach, whitelisting, allows only "known good" applications to execute on the endpoint. Another approach, application sandboxing, uses virtualization to isolate applications from the underlying host environment and other applications. Finally, host intrusion prevention systems (HIPS) restrict changes to the underlying environment from unauthorized sources.
These approaches are considered to be highly effective from a security standpoint, but have one fatal flaw: manageability.
The primary challenge with application control methods is that organizations need to pre-determine which application files and activities can be trusted. Doing so requires substantial resources and effort to configure and maintain as literally billions of files need to be considered.
Due to the dynamic nature of application and user environments, administrators have to continuously adjust security policies. This requires approving exceptions and additions, or loosening defense policies, which may in turn open the door for malware attacks. These approaches and HIPS in particular, often require the end-user to respond to alerts when suspected fraudulent files are identified, creating both an unwanted annoyance and a security burden. End-users are notoriously ill equipped to make such critical IT decisions and routinely dismiss malware alerts. There have been relatively few meaningful application control prevention deployments to date due to these manageability shortcomings.
A New Endpoint Malware Protection Paradigm
An effective endpoint malware infection protection solution must be both effective and manageable, which are typically viewed as trade-offs when designing security systems. Manageable solutions tend to not be highly effective (eg. blacklisting) while effective solutions tend to not be highly manageable (eg. application control). Designing an approach that provides both effectiveness and manageability must begin with an understanding of the attack vectors that require mitigation.
Malware can compromise end user devices in several ways. For example, it can silently install by exploiting an application or operating system vulnerability, be downloaded by the end-user via social engineering, or be pre-installed on the device. Therefore, we need to prevent information-stealing malware from reaching the endpoint device in the first place. We also need to prevent information-stealing malware from successfully functioning when it does end up on the endpoint through other methods.
Context-Aware Application Control is a new approach to protect endpoint devices from advanced data-stealing malware. It combines two important components: one designed to prevent malware from installing on the device and the other designed to prevent malware from executing on the device.
The first layer, application exploit prevention, applies whitelisting to application contexts instead of the applications themselves, to prevent application exploits from leveraging vulnerabilities to introduce malware into the computer file system.
By analyzing application memory states during normal operations, this approach maps the legitimate application contexts of the targeted applications (i.e., browsers, Adobe, Flash, Java) when these applications write to the file system. For example, a legitimate application context occurs when a user saves a spreadsheet to disk or when the application updates its code. The creation of executable files that occur outside of a legitimate application context, as happens when exploits attempt to install malware, are prevented.
Context-aware application exploit prevention allows for more stable, effective, and manageable endpoint security than traditional application control approaches. This is because there are far fewer and more static application states to analyze and maintain compared to the multitude of application files that other application control approaches must inspect and manage.
In the event that malware is somehow able to install on an endpoint device, a second and different layer of protection is used to prevent it from accomplishing its goal and stealing information. This mechanism also uses the concept of whitelisting and applies it to data exfiltration contexts. In other words, it monitors and only allows legitimate external communication to be transmitted from the end point device.
When information-stealing malware enters the endpoint through an email attachment, web download, infected media, etc. it attempts to use data exfiltration techniques to communicate stolen data and credentials to the Internet. For example, malware can compromise a legitimate application process, create a "zombie" process that looks legitimate or directly send data to an external IP. Applications that exhibit data exfiltration context are restricted from communicating with the Internet or other processes, but allowed to perform other, more benign operations such as printing and file access. Restricted applications are analyzed and either whitelisted or removed if found malicious.
The key to implementing Context-Aware Application Control is making it highly manageable so that it requires no end user intervention and minimal IT staff involvement. This can only be accomplished through a sizeable network of endpoints that enable new, legitimate application and data exfiltration contexts to be detected, whitelisted, and immediately pushed out to all protected endpoints via the cloud. Additionally, corporations should be able to whitelist specific tools that would otherwise be restricted due to the nature of their operation.
Trusteer is the leading provider of endpoint cybercrime prevention solutions that protect millions of customers and employees against advanced malware and phishing attacks on their computers and mobile devices.
Read more about wide area network in Network World's Wide Area Network section.