This is not the end for endpoint protection

It is easy to dismiss endpoint protection as a relic of an older time, when information security consisted only of anti-virus software and perhaps a firewall, but as the threat landscape has changed, so too has endpoint protection. It has a troubled history, but this is not at all the end of endpoint protection today.

In the early days of computing, it was sufficient to create a signature for each piece of malware that was discovered. With the tools at their disposal, malware authors could not churn out viruses and Trojans fast enough to compete with the efficiency of a team of security professionals seeking to stop them. Slowly that began to change, but for a while the status quo held, with anti-virus labs using then-new tools such as virtualised environments to quickly determine what their foes were creating and stave off being overrun.

Of course, the picture today shows that signature-based malware detection lost that battle. The ZeuS Trojan, for example, continues to have detection rates that average around the 40% mark, despite having been known to security vendors for over seven years. Its continued ability to evade detection shows that its creators consistently remain a step ahead of researchers' efforts to shut it down using signatures.

On the off chance that a traditional endpoint security application did discover an infected device, most operated on a per-device basis. Cleansing that single device was the main concern, and it was typically assumed that the threat would be detected equally well on other devices. However, malware began to adapt to the environment it was in, changing its behaviour if it realised it was on a particular operating system or inside a virtual machine.

Clearly, these two issues have made traditional endpoint protection appear less relevant to today's organisations, but the initial response to its pitfalls has not fared well either.

In the quest to out-do malware authors, some security practitioners moved up the stack to the network layer, examining traffic to identify whether malicious activity was occurring. The problem with this model is that these systems typically required a network compromise to have already happened before they could see that there was an infection. Although this gives an organisation the visibility to realise it is under attack through the tell-tale signs of data exfiltration, by that point it is already too late: the damage is done. Network forensics continues to be an important part of any security defence, but the belief that it could replace endpoint protection was misplaced, as it cannot examine what is occurring on the device.

For endpoint protection to be relevant today, it must solve all three issues: signatures, cross-device detection and in-device interrogation.

Examining network traffic for compromise was a good theory on paper, but too far from the initial point of infection. Ideally, detection should occur closer to the application layer, where a piece of malware can be identified by the malicious activity it performs, such as injecting code into memory or hooking into processes it shouldn't.

This can be done without signatures at all, by comparing the files on disk with what is actually executing in memory. Discrepancies between the two indicate possible compromise. Combined with application whitelisting, the heavy, slow and ultimately ineffective scans that signature-based endpoint protection used to impose can be bypassed completely.

Modern endpoint protection should also extend beyond sitting in a silo on each device. Combining indicators of compromise across multiple devices yields more information about the scope and depth of an infection. For example, malware could create backdoor administrator accounts on five other devices, then delete itself to cover its tracks. Traditional endpoint protection may have detected the malware on the first device, but would ultimately fail to discover the other four affected devices, which already have backdoor accounts but no longer have the malware dropper on them.

By instead understanding the actions the malware has taken, an entire fleet of devices can be scanned at once, with the endpoint protection tool looking not for the signature of malware that has long since departed, but for the fruits of its labour.
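The two signature-free checks described above (disk-versus-memory comparison with an application allowlist on a single device, and a fleet-wide hunt for the artefacts the malware left behind rather than the malware itself) as one added worked example. This is example code written for this page, not a product's or the author's tooling; the hostnames, paths, account names, allowlist and the byte strings standing in for code sections are all constructed, and the hypothetical agent that would gather such snapshots is assumed rather than shown.

```python
"""Signature-free endpoint checks over constructed host telemetry.

Check 1 (per device): hash each loaded executable image as mapped in
memory and compare it with the same file on disk; a mismatch points at
code injection or an in-memory patch, and anything not on the
application allowlist is flagged regardless of how it hashes.
Check 2 (fleet-wide): look for what the malware did (unexpected local
admin accounts) across every host, which still finds devices where the
dropper has already deleted itself. All data below is constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass
class LoadedImage:
    """One executable image seen from two vantage points (constructed)."""
    path: str
    disk_bytes: bytes    # content of the file on disk
    memory_bytes: bytes  # content of the code mapped into the running process


@dataclass
class HostSnapshot:
    """Evidence a hypothetical endpoint agent would collect from one device."""
    hostname: str
    images: list[LoadedImage]
    admin_accounts: set[str]


# Application allowlist and approved local administrators (constructed).
ALLOWLIST = {r"C:\Windows\explorer.exe", r"C:\Program Files\App\app.exe"}
APPROVED_ADMINS = {"Administrator", "it-admin"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_device(host: HostSnapshot) -> list[dict]:
    """Per-device check with no signatures: disk-vs-memory plus allowlist.

    Simplification: a real agent compares only code sections and accounts
    for relocations and import fixups first; hashing whole images, as done
    here for brevity, would flag every legitimately relocated module.
    """
    findings = []
    for img in host.images:
        if sha256(img.disk_bytes) != sha256(img.memory_bytes):
            findings.append({"host": host.hostname, "path": img.path,
                             "type": "memory_disk_mismatch"})
        if img.path not in ALLOWLIST:
            findings.append({"host": host.hostname, "path": img.path,
                             "type": "not_allowlisted"})
    return findings


def hunt_fleet(hosts: list[HostSnapshot]) -> dict[str, set[str]]:
    """Fleet-wide hunt for the malware's artefacts rather than the malware.

    Returns hostname -> local admin accounts outside the approved list.
    """
    hits: dict[str, set[str]] = {}
    for host in hosts:
        unexpected = host.admin_accounts - APPROVED_ADMINS
        if unexpected:
            hits[host.hostname] = unexpected
    return hits


def build_fleet() -> list[HostSnapshot]:
    """Constructed six-host fleet in the spirit of the article's scenario."""
    clean_code = b"\x55\x48\x89\xe5\x48\x83\xec\x10"    # stand-in code section
    patched_code = b"\xe9\x00\x10\x00\x00\x48\x83\xec\x10"  # stand-in injected jump
    explorer_ok = LoadedImage(r"C:\Windows\explorer.exe", clean_code, clean_code)
    # host-01: dropper still present and explorer.exe patched in memory.
    hosts = [HostSnapshot(
        "host-01",
        images=[LoadedImage(r"C:\Windows\explorer.exe", clean_code, patched_code),
                LoadedImage(r"C:\Users\Public\update.exe", b"dropper", b"dropper")],
        admin_accounts={"Administrator", "svc_backup"})]
    # host-02..05: dropper already gone, only the backdoor account remains.
    for n in range(2, 6):
        hosts.append(HostSnapshot(f"host-{n:02d}", images=[explorer_ok],
                                  admin_accounts={"Administrator", "it-admin",
                                                  "svc_backup"}))
    # host-06: untouched.
    hosts.append(HostSnapshot("host-06", images=[explorer_ok],
                              admin_accounts={"Administrator"}))
    return hosts


if __name__ == "__main__":
    fleet = build_fleet()
    for finding in check_device(fleet[0]):
        print(finding)
    for name, accounts in sorted(hunt_fleet(fleet).items()):
        print(name, sorted(accounts))
```

Run as a script it prints the two findings for host-01 and then five hosts carrying the `svc_backup` account; a signature scan for the dropper would have stopped at host-01. The `check_device` docstring states the shortcut taken: production tooling diffs only the code sections after relocation so that normal loader behaviour does not produce false mismatches.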

Lastly, while traditional endpoint protection systems failed to make use of their proximity to the application layer, modern systems take full advantage of their evidence-gathering capabilities. Analysts frequently complain that network traffic alone lets them see that they are under attack, but does not let them dive deep enough to see which devices are compromised and to what extent. A modern endpoint protection system, however, has access to all of that information, which helps put together a full picture of what is happening on each device across an entire organisation. This has a range of applications, from routine monitoring of a network for threats to proactive security assessments.

Today, endpoint protection has a significant role to play in an intelligence-driven security model -- a security posture where every element of an organisation's defence network works together to provide actionable data to identify, analyse and respond to threats. It is the eyes and ears at the front line where attacks occur and, contrary to initial belief, it is where the fight against online threats begins, not ends.

Stories by Michael Lee