For a long time, the main focus of most organization was to have a solid protected network perimeter, by installing the most powerful shiny firewall, IPS/IDS to avoid intruders to trespass inside their networks. The endpoint (host) protection was always considered the last line of defense, and never treated as a high priority. In fact, endpoints were always considered the to be an extremely time consuming commodity for IT departments to take care. IT departments until this very day, spend hours or even days performing remediation or even formatting computers in order to get rid of malware.
Since 2013 we have witnessed a seemingly unfinished parade of headlines, about high profile data breaches, many of which were result of compromised endpoints. For example:
- Target’s high-profile breach in December 2013, which cost it $162 million in expenses across 2013, 2014. This breach was reportedly the result of a compromised point-of-sale (POS) systems.
- Home Depot, another big-box retailer that in 2014 had 53 million email addresses, and 56 million credit cards impacted. According to the company report, a custom built malware was deployed on its self-check out systems in the U.S and Canada.
According to Panda Security, the creation of malware has broken all records with more than 15 million new samples, and more than 160,000 new samples appearing every day.
With the advance of new cyber threats, and more sophisticated malware attacks emerging everyday, protecting the endpoint have finally become top of mind for most organizations. It is still important to ensure that the network perimeter is as solid as it can be, but a lot of attention have been turned towards protecting the weakest link in the cyber ecosystem. The Endpoint.
Every endpoint connected to your network is a point of vulnerability, and it takes only one compromised host to allow attackers to infiltrate the entire infrastructure.
Redefining Endpoint Protection For the New Threat Landscape
Historically, the endpoint protection market has relied on antivirus products to protect endpoints. However, in recent years, the threat landscape has shifted from viruses to highly sophisticated attacks called Advanced Persistence Threats (APTs). Even the big guys like Symantec Senior VP Brian Dye, admitted in 2014, that Antivirus “is dead".
Antivirus still has its space in the market to fight against malware with known signatures, but let's face it, the typical antivirus products have proven to be ineffective at stopping the new advanced threats, because it relies on signature-based technology, and because these new threats are highly dynamic, most attacks go undetected. Advanced threats leverage vulnerabilities in software that we use on daily basis to view commonly used data files (e.g. doc, xls, pdf, ppt) or are designed to target proprietary software used in various industries.
These types of files are opened just fine using their native applications and the content is displayed normally (at least it seems normal), but there is a malicious code embedded in the file. The code exploits a vulnerability in the native application allowing the attacker’s code to run. All this happens while your endpoint solution keeps looking for a bad executable that it has seen before. So far, patching was the only way to ensure protection from known vulnerabilities and there was no reliable method to protect systems from unknown vulnerabilities.
To help preventing the recent threats, a whole new set of Next Generation Endpoint Protection, and approaches have emerged to combat the new advanced threats and stop zero-day attacks. Customers have been bombarded with market messages such as exploit prevention, hardware isolation, application whitelisting, sandboxing to describe this new approaches.
The New Endpoint Protection Approaches
Exploit Prevention: Zero-day exploits have become the top concern for enterprise companies. The technology is effective because it does not require advanced information about the exploit code, its source, and the vulnerability it is trying to exploit or the malware it downloads. These solutions prevent the successful execution of the exploit. Exploit prevention does not focus on a specific vulnerability, or on the malware itself; instead it focus on the techniques that an attacker must use in order to successfully exploit a 0-day vulnerability or a vulnerability that is already known in the wild and that has been patched by the vendor. Some examples of these techniques are heap spray, buffer overflow, among others. Basically, an exploit agent located in memory listens to these exploits, and once it detects an attack it shutdown the application being exploited. So, as long as the core technique is blocked the entire attack kill chain is terminated.
Hardware Isolation: Hardware Isolation works with the concept of micro-virtualization, which relies on the use of CPU features to isolate individual untrusted user tasks. Each browser tab, each document that is opened, is considered an independent task and a new Micro-VM is created. Once the browser tab or the document is closed, the Micro-VM is totally destroyed. For example, if the user opens a browser tab, and surfs through a website and an exploit is executed, that exploit will be running isolated in its own instance, without any access to other tasks or to the actual Desktop OS. By isolating each task individually in its own Micro-VM instance two concepts are enforced: Need to know and Least Privilege.
Sandboxing: Another powerful way to discover new malware attacks is sandboxing. The sandbox technology isolates a suspected or unknown file in a virtual environment that runs typical company’s desktop systems (e.g., Windows XP, Windows 7) etc. While the suspected file is in the sandbox it is being examined. This process is called "detonation". If the file exhibits malicious behaviour in the sandbox, it is recognized as malicious and the information about the file is used to prevent further attacks from the newly discovered malware. An increasing number of attackers, however, are creating malware that can detect when they are operating in a virtual environment. If the VM-aware code senses a sandbox it will disguise itself by not performing any malicious acts, which reduces the utility of the sandbox. There are two types of sandbox solution offered by vendors:
- Off Premise: It is basically a cloud solution managed by the sandbox vendor, and requires a subscription depending on the types of files that you want to be analyzed. This solution may not be the best to some companies since the suspicious files have to be sent to the cloud for detonation.
- On Premise: When there are regulation, compliance and privacy concerns, some companies (especially government and bank organizations) prefer to have the sandbox appliance on premise, so that the files do not have to leave their environment.
Application Whitelisting: Application Whitelisting is a technology that has been in use in the security world for a quite a long time. In essence, it is the opposite approach to blacklisting, which it is the technology used in almost every antivirus product in existence today. In the blacklisting approach, every new file on a system is checked to see if it appears to be malicious, and if so it is blocked from executing and carrying out its damage. Application whitelisting takes a different approach, and by default will deny the execution of any application that has not been explicitly approved before, to be known as malicious. In other words, it blocks everything that is considered unknown. “This default deny” approach can offer much more security than traditional antivirus blacklisting for a number of reasons, but the biggest is that it prevents the execution of malicious code that has never been seen before, (e.g., Zero-Day attacks).
The Bottom line
The bottom line is that cyber criminals are each day more and more motivated, especially because of the financial aspect, and it is our job as security professionals not to make things easier for them.
The best endpoint protection providers offer an efficient management console that can control all endpoints, software deployment and policy enforcement backed by a consistent, proven ability to protect your network from malware and other advanced threats.
There are endpoint solutions able to integrate with the vendor’s sandbox, which provides an immediate vehicle to verify whether a file is known to be malicious. Others are capable of integrating with third party SIEM solutions, by adding threat intelligence to internal watch lists or blacklists, disabling active sessions with source IPs known to be bad or even quarantine compromised hosts.
Choosing the endpoint protection technology that will protect your environment as your first line of defense, followed by careful planning, and intense proof of concept is critical to the success of your organization.
Senior Security Consultant