Next-generation endpoint protection not as easy as it sounds

Rather than looking for signatures of known malware as traditional anti-virus software does, next-generation endpoint protection platforms analyze processes, changes and connections in order to spot activity that indicates foul play and while that approach is better at catching zero-day exploits, issues remain.


For instance, intelligence about what devices are doing can be gathered with or without client software. So businesses are faced with the choice of either going without a client and gathering less detailed threat information or collecting a wealth of detail but facing the deployment, management and updating issues that comes with installing agents.


Then comes the choice of how to tease out evidence that incursions are unfolding and to do so without being overwhelmed by the flood of data being collected. Once attacks are discovered, businesses have to figure out how to shut them down as quickly as possible.

Vendors trying to deal with these problems include those with broad product lines such as Cisco and EMC, established security vendors such as Bit9+Carbon Black, FireEye, ForeScout, Guidance Software and Trend Micro, and newer companies focused on endpoint security such as Cylance, Light Cyber, Outlier Security and Tanium. That's just a minute sampling; the field is crowded, and the competitors are coming up with varying ways to handle these issues.

The value of endpoint protection platforms is that they can identify specific attacks and speed the response to them once they are detected. They do this by gathering information about communications that go on among endpoints and other devices on the network, as well as changes made to the endpoint itself that may indicate compromise. The database of this endpoint telemetry then becomes a forensic tool for investigating attacks, mapping how they unfolded, discovering what devices need remediation and perhaps predicting what threat might arise next.

Agent or not?

The main aversion to agents in general is that they are one more piece of software to deploy, manage and update. In the case of next-gen endpoint protection, they do provide vast amounts of otherwise uncollectable data about endpoints, but that can also be a downside.

Endpoint agents gather so much information that it may be difficult to sort out the attacks from the background noise, so it's important that the agents are backed by an analysis engine that can handle the volume of data being thrown at it, says Gartner analyst Lawrence Pingree. The amount of data generated varies depending on the agent and the type of endpoint.

Without an agent, endpoint protection platforms can still gather valuable data about what machines are doing by tapping into switch and router data and monitoring Windows Network Services and Windows Management Instrumentation. This information can include who's logged in to the machine, what the user does, patch levels, whether other security agents are running, whether USB devices are attached, what processes are running, etc.

Analysis can reveal whether devices are creating connections outside what they would be expected to make, a possible sign of lateral movement by attackers seeking ways to victimize other machines and escalate privileges.
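The kind of agentless analysis described above can be shown on flow records alone. The block below is an added example, not code from the article or from any vendor it names; it assumes NetFlow-style records (timestamp, source host, destination host, destination port) such as a switch or router would export, learns the peers each host normally talks to from a quiet baseline window, and then flags a host that suddenly reaches several previously unseen hosts on administrative ports within a short time. The hosts, ports and flows are constructed for the example.

```python
"""Agentless lateral-movement heuristic over flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Ports commonly used for remote administration. A burst of *new* peers on
# these is the signal of interest (assumed list; tune per environment).
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds; constructed values below
    src: str
    dst: str
    dport: int


# Constructed baseline window: ordinary day-to-day traffic.
BASELINE_FLOWS = [
    Flow(1000, "ws-01", "fileserver", 445),
    Flow(1005, "ws-01", "dc-01", 389),
    Flow(1010, "ws-02", "fileserver", 445),
    Flow(1015, "ws-02", "dc-01", 389),
    Flow(1020, "ws-03", "fileserver", 445),
    Flow(1030, "admin-jump", "ws-01", 3389),
    Flow(1031, "admin-jump", "ws-02", 3389),
]

# Constructed observation window: ws-02 starts reaching peers it never
# talked to before, on admin ports, within a few seconds.
OBSERVED_FLOWS = [
    Flow(2000, "ws-02", "fileserver", 445),   # expected, in baseline
    Flow(2001, "ws-02", "ws-01", 445),        # new peer, admin port
    Flow(2002, "ws-02", "ws-03", 445),
    Flow(2003, "ws-02", "ws-04", 445),
    Flow(2004, "ws-02", "dc-01", 3389),
    Flow(2100, "ws-03", "printer", 9100),     # new, but not an admin port
]


def build_baseline(flows):
    """Map each source host to the set of (dst, port) pairs seen in the quiet window."""
    peers = defaultdict(set)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
    return peers


def new_connections(flows, baseline):
    """Return flows whose src -> dst:port pair never appeared in the baseline."""
    return [f for f in flows if (f.dst, f.dport) not in baseline.get(f.src, set())]


def lateral_movement_candidates(flows, baseline, min_new_peers=3, window=60):
    """Flag hosts that reach at least min_new_peers previously unseen hosts on
    admin ports within `window` seconds. Returns {host: sorted new peer hosts}."""
    by_src = defaultdict(list)
    for f in new_connections(flows, baseline):
        if f.dport in ADMIN_PORTS:
            by_src[f.src].append(f)
    flagged = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        # Sliding window over timestamps, counting distinct new destination hosts.
        for i, start in enumerate(fl):
            hosts = {g.dst for g in fl[i:] if g.ts - start.ts <= window}
            if len(hosts) >= min_new_peers:
                flagged[src] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for host, peers in lateral_movement_candidates(OBSERVED_FLOWS, base).items():
        print(f"possible lateral movement from {host}: new admin-port peers {peers}")
```

The baseline is deliberately per-host rather than global: a jump box talking to every workstation on 3389 is normal, while a workstation doing the same is not. The printer connection from ws-03 is new but lands on a non-admin port, so it does not contribute to the score.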

Agents can mean one more management console, which means more complexity and potentially more cost, says Randy Abrams, a research director at NSS Labs who researches next-gen EPP platforms. "At some point that's going to be a difference in head count," he says, with more staff being required to handle all the consoles and that translates into more cost.


It's also a matter of compatibility, says Rob Ayoub, also a research director at NSS Labs. "How do you ensure any two agents - of McAfee and Bromium or Cylance - work together, and who do you call if they don't?"

Security of the management and administration of these platforms should be reviewed as well, Pingree says, to minimize insider threat to the platforms themselves. Businesses should look for EPP with tools that allow different levels of access for IT staff performing different roles. It would be useful, for example, to authorize limited access for admins while incident-response engineers get greater access, he says.

Analysis engines

Analysis is essential but also complex, so much so that it can be a standalone service such as the one offered by Red Canary. Rather than gather endpoint data with its own agents, it employs sensors provided by Bit9+CarbonBlack. Red Canary supplements that data with threat intelligence gathered from a variety of other commercial security firms, analyzes it all and generates alerts about intrusions it finds on customers' networks.

The analysis engine flags potential trouble, but human analysts check out flagged events to verify they are real threats. This helps corporate security analysts by cutting down on the number of alerts they have to respond to.

Startup Barkly says it's working on an endpoint agent that locally analyzes what each endpoint is up to and automatically blocks malicious activity. It also notifies admins about actions it takes.

These engines need to be tied into larger threat-intelligence sources that characterize attacks by how they unfold, revealing activity that leads to a breach without using code that can be tagged as malware, says Abrams.
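Characterizing an attack by how it unfolds, rather than by a piece of code that can be signed, amounts to correlating otherwise unremarkable events per host over time. The block below is an added example, not code from the article or from any vendor it names; it assumes endpoint telemetry already normalised into (timestamp, host, event type) tuples, and the ordered stage taxonomy and the sample events are constructed for illustration. A host is queued for an analyst only when it has progressed through several stages in order within a time window, which is the reduction in alert volume the human-verification step above relies on.

```python
"""Stage-based correlation of endpoint behaviour events (added example)."""
from collections import defaultdict

# Ordered stages a typical intrusion passes through (assumed taxonomy).
# None of these is a malware signature; each is a behaviour that is
# unremarkable on its own.
STAGES = ["unusual_logon", "privilege_change", "new_persistence",
          "internal_scan", "large_outbound"]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Constructed telemetry: (timestamp in seconds, host, event type).
SAMPLE_EVENTS = [
    (100, "ws-07", "unusual_logon"),
    (400, "ws-08", "unusual_logon"),
    (900, "ws-07", "privilege_change"),
    (1500, "ws-09", "large_outbound"),
    (1600, "ws-09", "unusual_logon"),               # out of order: no progression
    (2400, "ws-07", "internal_scan"),
    (3000, "ws-07", "large_outbound"),
    (400 + 5 * 3600, "ws-08", "privilege_change"),  # hours later: window expired
]


def correlate(events, window=3600):
    """Track, per host, the stages reached in increasing order within `window`
    seconds of the first stage in the chain. An event for an earlier stage
    does not extend the chain; an event outside the window restarts it.
    Returns {host: [stage names reached, in order]}."""
    progress = defaultdict(list)   # host -> [(ts, stage_index), ...]
    for ts, host, etype in sorted(events):
        if etype not in STAGE_INDEX:
            continue                # unknown event types are ignored
        idx = STAGE_INDEX[etype]
        chain = progress[host]
        if chain and ts - chain[0][0] > window:
            chain = []              # too much time has passed: start over
            progress[host] = chain
        if not chain or idx > chain[-1][1]:
            chain.append((ts, idx))
    return {h: [STAGES[i] for _, i in c] for h, c in progress.items()}


def triage_queue(progress, min_stages=3):
    """Hosts that reached at least min_stages, most advanced first, so an
    analyst verifies the few real candidates instead of every single event."""
    scored = [(h, len(s)) for h, s in progress.items() if len(s) >= min_stages]
    return sorted(scored, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    prog = correlate(SAMPLE_EVENTS)
    for host, stages in prog.items():
        print(host, "->", " > ".join(stages))
    print("analyst queue:", triage_queue(prog))
```

Stages may be skipped (not every intrusion shows every behaviour), but they must be reached in order: ws-09 sends a large transfer before any unusual logon, so it never progresses, and ws-08's second stage arrives after the window has expired, so its chain restarts rather than grows. Only ws-07 reaches the triage queue.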

Most of what is known about endpoint detection and response tools is what the people who make them say they can do. So, if possible, businesses should run trials to determine features and effectiveness first-hand before buying. "The downside of emerging technologies is there's very little on the testing side," Pingree says.


Endpoint detection tools gather an enormous amount of data that can be used tactically to stop attacks but also to support forensic investigations into how incursions progressed to the point of becoming exploits. This can help identify what devices need remediation, and some vendors are looking at automating that process.

For example, Triumfant offers Resolution Manager, which can restore endpoints to known good states after detecting malicious activity. Other vendors offer remediation features or say they are working on them, but the trend is toward using the same platforms to fix the problems they find.

The problem businesses face is that endpoints remain vulnerable despite the efforts of traditional endpoint security, which has evolved into security suites: anti-virus, anti-malware, intrusion detection, intrusion prevention, etc. While this progressively works on the problem, it leads to another one.

"They have actually just added more products to the endpoint portfolio, thus taking us full circle back to bloated end points," says Larry Whiteside, the CSO for the Lower Colorado River Authority. "Luckily, memory and disk speed (SSD) have kept that bulk from crippling endpoint performance."

As a result he is looking at next-generation endpoint protection from SentinelOne. Security based on what endpoints are doing as opposed to seeking signatures of known malicious behavior is an improvement over traditional endpoint protection, he says. "Not saying signatures are totally bad, but that being a primary or only decision point is horrible. Therefore, adding behavior based detection capabilities adds value."

So much value that he is more concerned about that than he is about whether there is a hard return on investment. "The reality is that I am more concerned about detection than I am ROI, so I may not even perform that analysis. I can say that getting into a next-gen at the right stage can be beneficial to an organization," he says.

Anti-virus replacement?

So far vendors of next-generation endpoint protection have steered clear of claiming their products can replace anti-virus software, despite impressive test results. But that could be changing. Within a year, regulatory hurdles that these vendors face may disappear, says George Kurtz, CEO of CrowdStrike.

Within a year, rules that require use of anti-virus in order to pass compliance tests will allow next-generation endpoint protection as well, he says. "That's really our goal," he says. "From the beginning we thought we could do that."

He says everyone is focused on malware, but that represents just 40% of attacks. The rest he calls "malware-less intrusions" such as insider theft where attackers with credentials steal information without use of malware.

Until regulations are rewritten, it's important for regulated businesses to meet the anti-virus requirement, Abrams says, even though other platforms may offer better protection. "In some cases that's actually more important than the ability to protect, because you won't be protected from legal liabilities."

Meanwhile having overlapping anti-virus and next-gen endpoint protection means larger enterprises are likely customers for now vs. smaller businesses with fewer resources, he says. But even for smaller businesses the cost may be worth it.

"What do they have to lose, and how much does it cost to lose this information vs. how much does it cost to protect it?" Abrams says.

Stories by Tim Greene