
End point protection: Why you should expect more

The old model of security was simple: Install an anti-virus solution and your only obligations were to keep it patched and the signatures up to date. If a threat was detected on your network, remediation wasn't much more complicated than quarantining data and restoring from a backup.

But as threats have evolved, this is no longer how they are detected at all. Malware can be easily customised to evade every known signature, and this has significantly hampered traditional end point protection solutions. That means the role of defenders has changed. IT security used to be able to block an attack outright, and was less interested in the motives of an attacker: known malware had known behaviour that was easy to remedy. As far as defenders were concerned, their job was done.

But now that attacks linger within a network, having evaded detection and been allowed to dwell for longer, analysts looking at the endpoint have new questions to ask, especially since they can no longer assume they know what normal behaviour on that device looks like:

  • Have I seen this threat before?
  • What data has it touched?
  • Has it been able to spread to another device on my network?
  • Was this device its final target, or just a stepping stone to its goal?

The answers to these questions are not within the domain of the traditional "gate-keeping" endpoint protection tool. For one, modern endpoint protection solutions must look beyond signatures and heuristics. Instead, they should be looking for suspicious activity that falls outside what is considered normal: checking whether the executable on disk matches what is actually running in memory, and recognising when a normally benign executable deviates from its known behaviour, such as being launched by an unexpected parent process.

However, more than this, as malware becomes more and more of a network issue, end point protection tools need to aid in network analysis. The greatest value an end point protection tool can add to network forensics is being able to report back on what malicious behaviour it has seen and, instead of treating this in isolation, correlate this with the behaviours seen across an entire fleet of devices.

In this fashion, each end point on a network becomes a new hunter for surreptitious activity, instantly giving analysts clues as to what an attacker's end goal is, how far they have progressed in achieving that goal, and a clear plan on how to stop it.
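The following Python sketch is an added example and is not code from the article, from RSA, or from any product it describes. It runs the two kinds of check the preceding paragraphs call for over constructed telemetry from three hosts: a per-endpoint baseline check (does a known executable have its expected parent and its known-good on-disk hash? The hash comparison is a simplified stand-in for the disk-versus-memory comparison mentioned above) and a fleet-wide correlation that answers the four analyst questions for each flagged hash: where it was seen first, which hosts it spread to, which files it read, and which hosts were stepping stones versus targets not yet confirmed compromised. Hostnames, hashes, paths and the baseline table are all assumptions made up for the illustration.

```python
"""Fleet-wide correlation of endpoint telemetry (added example, not a product's code)."""

# Known-good behaviour for a few executables: expected parent process and
# expected on-disk SHA-256. Values are hypothetical, constructed for this example.
BASELINE = {
    "svchost.exe": {"parent": "services.exe", "sha256": "aaa111"},
    "winword.exe": {"parent": "explorer.exe", "sha256": "bbb222"},
}

# Constructed telemetry from three endpoints, sorted by time (t).
EVENTS = [
    {"t": 1, "host": "ws-01", "type": "process", "image": "winword.exe", "parent": "explorer.exe", "sha256": "bbb222"},
    {"t": 2, "host": "ws-01", "type": "process", "image": "svchost.exe", "parent": "winword.exe", "sha256": "ccc333"},
    {"t": 3, "host": "ws-01", "type": "file_read", "image": "svchost.exe", "path": "C:\\Users\\a\\Documents\\payroll.xlsx"},
    {"t": 4, "host": "ws-01", "type": "net_connect", "image": "svchost.exe", "dst": "fs-01", "port": 445},
    {"t": 5, "host": "fs-01", "type": "process", "image": "svchost.exe", "parent": "services.exe", "sha256": "aaa111"},
    {"t": 6, "host": "fs-01", "type": "process", "image": "svchost.exe", "parent": "cmd.exe", "sha256": "ccc333"},
    {"t": 7, "host": "fs-01", "type": "file_read", "image": "svchost.exe", "path": "D:\\Shares\\finance\\q3.xlsx"},
    {"t": 8, "host": "fs-01", "type": "net_connect", "image": "svchost.exe", "dst": "db-01", "port": 1433},
    {"t": 9, "host": "ws-02", "type": "process", "image": "svchost.exe", "parent": "services.exe", "sha256": "aaa111"},
]


def flag_deviations(events, baseline=BASELINE):
    """Per-endpoint check: process starts whose parent or on-disk hash deviates from the baseline."""
    flagged = []
    for ev in events:
        if ev["type"] != "process":
            continue
        known = baseline.get(ev["image"])
        if known is None:  # no baseline for this image; nothing to compare against
            continue
        reasons = []
        if ev["parent"] != known["parent"]:
            reasons.append(f"unexpected parent {ev['parent']}")
        if ev["sha256"] != known["sha256"]:
            reasons.append("on-disk hash differs from known-good binary")
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


def correlate(events, baseline=BASELINE):
    """Fleet-wide view: for each suspicious hash, where it appeared, what it read, where it went next."""
    report = {}
    for f in flag_deviations(events, baseline):
        entry = report.setdefault(f["sha256"], {"image": f["image"], "seen_on": {}, "files_touched": [], "lateral": []})
        entry["seen_on"].setdefault(f["host"], f["t"])  # earliest appearance per host

    for entry in report.values():
        # Attribute later activity of the same image on an affected host to the flagged process.
        for ev in events:
            start = entry["seen_on"].get(ev["host"])
            if start is None or ev["t"] < start or ev["image"] != entry["image"]:
                continue
            if ev["type"] == "file_read":
                entry["files_touched"].append((ev["host"], ev["path"]))
            elif ev["type"] == "net_connect":
                entry["lateral"].append((ev["host"], ev["dst"], ev["port"]))
        # Order of spread across the fleet answers "have I seen this before, and where?"
        entry["spread_order"] = sorted(entry["seen_on"], key=entry["seen_on"].get)
        # A host that connected onward to another affected host was a stepping stone;
        # a destination not yet flagged is the attacker's current frontier.
        entry["stepping_stones"] = [src for src, dst, _ in entry["lateral"] if dst in entry["seen_on"]]
        entry["unconfirmed_targets"] = [dst for _, dst, _ in entry["lateral"] if dst not in entry["seen_on"]]
    return report


if __name__ == "__main__":
    for sha, entry in correlate(EVENTS).items():
        print(sha, entry["spread_order"], entry["files_touched"], entry["unconfirmed_targets"])
```

On the constructed data the per-host check alone only says "svchost.exe looks wrong on ws-01 and fs-01"; the correlation step is what turns that into a plan: the attacker arrived via a Word document on ws-01, read a payroll spreadsheet, used SMB to reach fs-01, read a finance share, and is now heading for db-01, which is the host to isolate first.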

The idea of end points being able to collaboratively distinguish bad behaviour is certainly a step up from traditional anti-malware tools, especially when combined with security analytics. It also offers an unlikely helping hand with one of the more obscure and difficult problems facing the IT security industry today: the talent shortage.

The manual analysis of threats and behaviours takes a considerable amount of time and requires skilled analysts, a luxury few organisations have while we experience a talent shortage, and arguably the reason demand for skilled analysts is so high in the first place. While many organisations look at end point protection purely from a protection perspective, the larger picture is that businesses stand to gain more from the analysts they already have if end point tools make those analysts more efficient.

For example, EMC's Critical Incident Response Center employed a modern end point solution that worked together with its security analytics platform. The result was that its Tier 3 to Tier 1 escalations dropped from 98 percent to 4 percent. Likewise, incident response timeframes were brought down from days to minutes. That translates to analysts being able to focus on the highest priority attacks, rather than the day-to-day alerts, such as drive-by malware.

The final issue to remember about end point protection is that there is no such thing as a magic bullet. While it would be a pleasant dream to believe that installing an end point protection tool will catch 100 percent of all threats, the reality is that no piece of technology is bulletproof, and because of that, a person still needs to be there to understand the "exceptions". The best we can hope for is a tool that assists our analysts and lets them work to the best of their ability.

Michael Lee, RSA APJ Security Evangelist
