The old model of security was simple: install an anti-virus solution, and your only obligations were to keep it patched and its signatures up to date. If a threat was detected on your network, remediation wasn't much more complicated than quarantining the infected files and restoring from a backup.
But threats have evolved, and this is no longer how they are detected. Malware can easily be customised to evade every known signature, which has significantly hampered traditional endpoint protection solutions. That has changed the role of defenders. IT security teams used to be able to block an attack outright, and they had little interest in the attacker's motives: known malware had known behaviour that was easy to remediate. As far as they were concerned, their job was done.
But now that attacks linger inside a network, having evaded detection and been allowed to dwell for longer, analysts looking at the endpoint have new questions to ask, especially when they don't know what expected behaviour looks like:
- Have I seen this threat before?
- What data has it touched?
- Has it been able to spread to another device on my network?
- Was this device its final target, or just a stepping stone to its goal?
The answers to these questions are not within the domain of the traditional "gate-keeping" endpoint protection tool. For one, modern endpoint protection must look beyond signatures and heuristics for activity that departs from what is normal: comparing an executable's file on disk with its image in memory to spot unpacking or injection, and recognising when a normally benign executable deviates from its known behaviour.
More than this, as malware becomes more and more of a network issue, endpoint protection tools need to aid in network analysis. The greatest value an endpoint tool can add to network forensics is to report the malicious behaviour it has seen and, rather than treating it in isolation, correlate it with the behaviour seen across an entire fleet of devices.
In this fashion, each endpoint on a network becomes a hunter for surreptitious activity, giving analysts immediate clues about an attacker's end goal, how far they have progressed towards it, and a clear plan for stopping them.
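As an added example (not code from the original article or from any vendor's product), the following Python script answers the four analyst questions above over a constructed stream of endpoint telemetry and performs the disk-versus-memory comparison just described. The event schema, host names, hashes and sample events are all assumptions made for illustration; a real sensor would stream similar records into an analytics platform.

```python
"""Fleet-wide correlation of endpoint telemetry (added example).

Answers: has this hash been seen before, what files did it touch, did it
spread to other hosts, and is each host a stepping stone or the final target.
The Event schema and the sample data below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    ts: int                          # seconds since epoch (constructed)
    host: str
    kind: str                        # "process_start" | "file_access" | "net_connect"
    sha256: Optional[str] = None     # on-disk hash of the executable (process_start)
    pid: Optional[int] = None
    path: Optional[str] = None       # executable path or file touched
    dst_host: Optional[str] = None   # remote peer (net_connect)
    mem_sha256: Optional[str] = None # hash of the in-memory image, if the sensor reports one


# Constructed sample telemetry: an implant with hash H_EVIL lands on ws-01,
# reads documents, connects to ws-02, appears there, then reaches fs-01.
# A benign tool (H_NOTEPAD) runs on two hosts and must not be flagged.
H_EVIL = "a" * 64
H_NOTEPAD = "b" * 64
H_UNPACKED = "c" * 64  # what the implant looks like once unpacked in memory

EVENTS = [
    Event(100, "ws-01", "process_start", sha256=H_NOTEPAD, pid=400, path=r"C:\Windows\notepad.exe", mem_sha256=H_NOTEPAD),
    Event(120, "ws-01", "process_start", sha256=H_EVIL, pid=412, path=r"C:\Users\alice\Downloads\invoice.exe", mem_sha256=H_UNPACKED),
    Event(121, "ws-01", "file_access", pid=412, path=r"C:\Users\alice\Documents\payroll.xlsx"),
    Event(122, "ws-01", "file_access", pid=412, path=r"C:\Users\alice\Documents\contracts.docx"),
    Event(130, "ws-01", "net_connect", pid=412, dst_host="ws-02"),
    Event(140, "ws-02", "process_start", sha256=H_EVIL, pid=771, path=r"C:\Windows\Temp\svc.exe", mem_sha256=H_UNPACKED),
    Event(141, "ws-02", "net_connect", pid=771, dst_host="fs-01"),
    Event(150, "ws-02", "process_start", sha256=H_NOTEPAD, pid=790, path=r"C:\Windows\notepad.exe", mem_sha256=H_NOTEPAD),
    Event(160, "fs-01", "process_start", sha256=H_EVIL, pid=2201, path=r"C:\ProgramData\svc.exe", mem_sha256=H_UNPACKED),
]


def _pids_for(events: List[Event], sha256: str) -> set:
    """(host, pid) pairs of every process started from the given hash."""
    return {(e.host, e.pid) for e in events if e.kind == "process_start" and e.sha256 == sha256}


def first_seen(events: List[Event], sha256: str) -> Dict[str, int]:
    """Q1: where and when has this hash run before? Returns host -> first timestamp."""
    seen: Dict[str, int] = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "process_start" and e.sha256 == sha256:
            seen.setdefault(e.host, e.ts)  # sorted, so the first hit is the earliest
    return seen


def files_touched(events: List[Event], sha256: str) -> Dict[str, List[str]]:
    """Q2: which files did processes with this hash access, per host."""
    pids = _pids_for(events, sha256)
    touched: Dict[str, List[str]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "file_access" and (e.host, e.pid) in pids:
            touched[e.host].append(e.path)
    return dict(touched)


def spread_path(events: List[Event], sha256: str) -> List[Tuple[str, str]]:
    """Q3: reconstruct lateral movement as (src, dst) edges.

    An edge is inferred when a process with the hash on src connects to dst
    and the same hash is first seen on dst only after that connection.
    Connections to hosts that were already infected, or never show the hash,
    are not counted as spread."""
    seen = first_seen(events, sha256)
    pids = _pids_for(events, sha256)
    edges = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "net_connect" and (e.host, e.pid) in pids:
            dst_first = seen.get(e.dst_host)
            if dst_first is not None and dst_first > e.ts:
                edges.append((e.host, e.dst_host))
    return edges


def classify_hosts(edges: List[Tuple[str, str]]) -> Dict[str, str]:
    """Q4: entry point (only outgoing), stepping stone (both), or final target (only incoming)."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    roles = {}
    for h in srcs | dsts:
        if h in srcs and h not in dsts:
            roles[h] = "entry point"
        elif h in srcs:
            roles[h] = "stepping stone"
        else:
            roles[h] = "final target"
    return roles


def tampered_images(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Disk-vs-memory check: processes whose in-memory image hash differs from the
    on-disk file hash, a common sign of unpacking or code injection."""
    return [(e.host, e.pid, e.path) for e in events
            if e.kind == "process_start" and e.mem_sha256 and e.mem_sha256 != e.sha256]


def triage(events: List[Event], sha256: str) -> dict:
    """Bundle the four answers for one hash, as an analyst's first view."""
    edges = spread_path(events, sha256)
    return {"seen_on": first_seen(events, sha256), "files": files_touched(events, sha256),
            "spread": edges, "roles": classify_hosts(edges)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS, H_EVIL), indent=2))
    print("disk/memory mismatches:", tampered_images(EVENTS))
```

The "final target" label only means the chain ends there in the telemetry collected so far; a host with no onward connections may equally be one the sensor does not cover, which is why fleet-wide deployment matters before the correlation can be trusted.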
The idea of endpoints collaboratively distinguishing bad behaviour is certainly a step up from traditional anti-malware tools, especially when combined with security analytics. It also lends an unlikely helping hand to one of the more obscure and difficult problems facing the IT security industry today: the talent shortage.
Manual analysis of threats and behaviours takes a considerable amount of time and requires skilled analysts, a luxury few organisations have during a talent shortage, and arguably the reason there is greater demand for skilled analysts in the first place. While many organisations look at endpoint protection purely from a protection perspective, the larger picture is that businesses stand to gain more from their analysts if endpoint tools improve their efficiency.
For example, EMC's Critical Incident Response Center deployed a modern endpoint solution that worked together with its security analytics platform. The result was that its Tier 3 to Tier 1 escalations dropped from 98 percent to 4 percent. Likewise, incident response timeframes were brought down from days to minutes. That translates to analysts being able to focus on the highest-priority attacks rather than day-to-day alerts such as drive-by malware.
The final thing to remember about endpoint protection is that there is no magic bullet. While it would be a pleasant dream to believe that installing an endpoint protection tool will catch 100 percent of all threats at the perimeter, the reality is that no piece of technology is bulletproof, and because of that a person still needs to be there to understand the "exceptions". Our best hope is a tool that assists analysts and lets them work to the best of their ability.