7 Elements Of Modern Endpoint Security
What it takes to secure and tap into the 'source of the truth' in today's threatscape.
October 31, 2015
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltfabebd4142c0d89d/64f0dbfc3a1231d36b237067/EndptIntroSlide.jpg?width=700&auto=webp&quality=80&disable=upscale)
Most businesses are still wrestling with beefing up their existing endpoint security tools--typically a mix of antivirus, host intrusion prevention system (HIPS), host firewall, whitelisting, and heuristics--to better defend against attacks that morph so fast that it's impossible to catch everything, and against targeted malware and attacks built to bypass those security measures. Bottom line: the human behind the endpoint keyboard is impossible to shield from harm when all it takes is one click to be attacked.
But change is coming. Longtime endpoint security giants Symantec and McAfee, now Intel Security, this week each rolled out integrated security architectures that begin the process of evolving endpoint security beyond the old-school, signature-based prevention approach, to one that is more about quickly detecting and fixing endpoints when inevitable attack attempts occur. And next-generation startups are pushing the endpoint detection & response (EDR) approach, where the endpoint is not merely the problem with security, but a key piece of the solution.
[A slew of startups and veteran security firms are moving toward proactive and adaptive detection and mitigation for securing the endpoint. But few enterprises are ready to pull the antivirus plug. Read The Rebirth Of Endpoint Security.]
There are several key features in modern, or next-generation, endpoint security, and different vendors have different approaches. But the underlying philosophy of the new wave of offerings is the reality that endpoints will be targeted as the initial attack vector, so rapid detection and incident response at the device is crucial.
Here are some of the main elements in modern (or reborn) endpoint security.
It's no longer about preventing attacks at the endpoint--that can't be done 100 percent of the time--but instead catching an attack or attack attempt ASAP. The goal is to mitigate the damage and stop any further infiltration into the network via the victimized user's machine.
Detection also entails spotting unpatched vulnerabilities or misconfigurations in an endpoint on the network that could be used by an attacker. But detection alone is not enough for today's rapid-fire threat landscape.
Modern endpoint security technology provides better visibility into user devices, and into anomalous user behavior and activity such as bot-related (command-and-control) communications, so that red-flag activity that looks out of place can be spotted before it escalates.
Josh Applebaum, vice president of product strategy at EDR startup Ziften Technologies, says his company's DNA comes from the former AV heritage of some of its executives. "We saw the need for continuous [user] monitoring" so malware and attacks would no longer slip through the cracks, he says.
The key with real-time user monitoring is that it also lets you mitigate an attack more quickly, notes Tomer Weingarten, CEO of SentinelOne.
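One concrete form of the "anomalous activity" the sensors are meant to surface is bot check-in traffic: a compromised machine calling the same destination at a near-constant interval, which looks nothing like human browsing. The following is an added example, not code from the article or from any vendor it quotes. It runs a simple beaconing detector over a constructed list of outbound-connection records of the kind an endpoint sensor might report (timestamp in seconds, host, destination); the hosts, addresses and thresholds are all hypothetical.

```python
"""Beacon detection over constructed endpoint network telemetry (added example).

A (host, dest) pair is flagged as beacon-like when it has at least MIN_CONNS
connections and the intervals between them are nearly constant, measured by
the coefficient of variation (stdev / mean) of the inter-connection gaps.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNS = 8    # hypothetical threshold: fewer connections is not enough evidence
MAX_CV = 0.15    # hypothetical threshold: stdev/mean of gaps; tune per environment


def build_sample_log():
    """Constructed sample telemetry: (timestamp_seconds, host, dest_ip).

    ws-a checks in to 203.0.113.5 about every 60 s with a little jitter (beacon-like);
    ws-b browses 198.51.100.7 at irregular times; ws-a also contacts 198.51.100.9
    a few times (too few to judge). All addresses are documentation ranges.
    """
    log = []
    for i in range(10):
        log.append((1000 + 60 * i + (i % 3) - 1, "ws-a", "203.0.113.5"))
    for t in (1003, 1010, 1050, 1200, 1201, 1500, 1507, 1900, 2400, 2410):
        log.append((t, "ws-b", "198.51.100.7"))
    for t in (1100, 1105, 1700):
        log.append((t, "ws-a", "198.51.100.9"))
    return log


def intervals(times):
    """Gaps between consecutive timestamps, in seconds."""
    times = sorted(times)
    return [b - a for a, b in zip(times, times[1:])]


def score_pair(times):
    """Return (connection_count, cv) for one host->dest series.

    cv is None when there are too few gaps to measure regularity.
    """
    gaps = intervals(times)
    if len(gaps) < 2:
        return len(times), None
    m = mean(gaps)
    if m <= 0:
        return len(times), None
    return len(times), pstdev(gaps) / m


def find_beacons(log, min_conns=MIN_CONNS, max_cv=MAX_CV):
    """Group records by (host, dest) and return the pairs that look like beacons."""
    by_pair = defaultdict(list)
    for ts, host, dest in log:
        by_pair[(host, dest)].append(ts)
    hits = []
    for (host, dest), times in by_pair.items():
        n, cv = score_pair(times)
        if n >= min_conns and cv is not None and cv <= max_cv:
            hits.append((host, dest, n, round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for host, dest, n, cv in find_beacons(build_sample_log()):
        print(f"beacon-like: {host} -> {dest} ({n} connections, interval cv={cv})")
```

On the constructed log only the ws-a to 203.0.113.5 series is reported; the irregular browsing from ws-b has a coefficient of variation near 1 and the three-connection series is below the evidence threshold. Real implants add deliberate jitter and sleep, so in practice the threshold is tuned against a baseline of the environment's own traffic rather than fixed.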
When application whitelisting came on the scene a few years ago, it was touted as the answer to preventing malware from executing on a user's machine. But whitelisting--where only approved applications are authorized to run on the system and everything else is blocked--hasn't stopped attacks on its own, just as host intrusion prevention systems (HIPS) and host firewalls have not. But that doesn't mean you should throw these tools away, security experts say.
As always, it's all about layered defense.
Trend Micro, for instance, runs all of the above -- whitelisting, heuristics, stateful inspection, firewall and new-generation endpoint sensors -- in its endpoint security platform. "I believe these [features] are really still needed," says Raimund Genes, CTO of Trend Micro.
No one wants to burden the endpoint with heavy client software anymore: that was one of AV's biggest drawbacks. The new generation of EDR vendors tout cloud-based or lightweight sensors that sit at the kernel--machine learning-based vendors like Cylance, for example. And then there are the cloud-based next-gen endpoint providers such as CrowdStrike. AV companies have gotten religion here, for sure, with cloud-based options.
Symantec in its announcement last week of the Advanced Threat Protection (ATP) security platform, emphasized "no new agents" for its endpoint customers with the new architecture. Michael Brown, CEO of Symantec, says some endpoint security products come with agents that aren't so lightweight. "Often they're not lightweight, and it slows down performance. ATP doesn't require an additional agent," he says.
Even so, ATP is currently available only to existing Symantec endpoint customers, who already run the company's agent software.
Patient 0, the endpoint, holds valuable forensics clues and information, including malware footprints and other indicators of compromise. Gathering and storing that intelligence is key to getting to the bottom of an attack, as well as configuring systems to thwart a future one. As Mandiant founder and FireEye president Kevin Mandia says of the endpoint, "it's the ultimate source of the truth."
As Verizon found in its breach investigations, attackers compromised the victim organization within minutes in 60 percent of data breaches. And when it came to comparing the time it takes an attacker to get in versus the time it takes the victim organization to discover the attack (see above graphic), the bad guys are still winning.
"My opinion is [the next generation of endpoint security] will detect what AV misses, and detect what AV detects but also empower forensics capability," Mandia says.
But forensics investigations are not simple, and not all companies have their own IR teams. Forensics requires a specific skillset that many organizations just don't have, so new EDR products automate some of those tasks with "push-to-play" features that replay what the attacker did on the machine.
Detecting and thwarting an attack's escalation is a big win, for sure, but if the victimized endpoint isn't properly cleaned up, patched, and reconfigured to fight another day, it may all be for naught.
Some next-gen endpoint tools provide automated patches and updates in addition to sandboxing the malware involved for further inspection.
Tomer Weingarten, CEO of SentinelOne, says endpoint security tools must harden the security around the endpoint in the wake of an attack or threat. "Allow them to behave only the way they learned to behave," for instance, he says. "And the ability to do full, rollback remediation" after a compromise.
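The two ideas above--a static application whitelist that "alone hasn't stopped attacks," and allowing processes "to behave only the way they learned to behave"--can be shown side by side. The following is an added example, not code from the article or from any vendor it quotes. It evaluates constructed process-start events (parent image, child image, digest of the child) against first a hash allowlist and then a parent-to-child baseline learned from a quiet period. The digests are placeholder strings, not real file hashes, and the process names and training events are hypothetical.

```python
"""Layered endpoint checks: static hash allowlist plus a learned process-chain
baseline (added example). Shows why an allowlist alone is not enough: a
signed, allowlisted interpreter launched by a document editor passes the
first layer and is only caught by the behavioural one.
"""
from collections import defaultdict

# Constructed allowlist: placeholder digest -> binary permitted to execute.
ALLOWLIST = {
    "sha256:0001": "explorer.exe",
    "sha256:0002": "winword.exe",
    "sha256:0003": "chrome.exe",
    "sha256:0004": "powershell.exe",
    "sha256:0005": "svchost.exe",
}

# Constructed training telemetry from a known-clean period: (parent, child, child_hash).
TRAINING = [
    ("explorer.exe", "winword.exe", "sha256:0002"),
    ("explorer.exe", "chrome.exe", "sha256:0003"),
    ("explorer.exe", "powershell.exe", "sha256:0004"),  # admins launch it from the shell
    ("services.exe", "svchost.exe", "sha256:0005"),
    ("explorer.exe", "winword.exe", "sha256:0002"),
]


def allowlist_check(child_hash):
    """Static layer: only binaries whose digest is on the allowlist may run."""
    return "allow" if child_hash in ALLOWLIST else "block"


def learn_baseline(events):
    """Behavioural layer: which parent images were seen spawning which children."""
    baseline = defaultdict(set)
    for parent, child, _ in events:
        baseline[parent].add(child)
    return baseline


def evaluate(event, baseline):
    """Return (verdict, reason) for one process-start event.

    verdict is "block" (allowlist), "alert" (unseen process chain) or "allow".
    """
    parent, child, child_hash = event
    if allowlist_check(child_hash) == "block":
        return "block", f"{child} digest {child_hash} is not on the allowlist"
    if child not in baseline.get(parent, set()):
        return "alert", f"{parent} has never been seen spawning {child}"
    return "allow", "allowlisted binary in a known process chain"


# Constructed test events: normal browsing, an unknown dropper, and a macro
# launching PowerShell from Word (allowlisted binary, abnormal parent).
EVENTS = [
    ("explorer.exe", "chrome.exe", "sha256:0003"),
    ("explorer.exe", "dropper.exe", "sha256:beef"),
    ("winword.exe", "powershell.exe", "sha256:0004"),
]


def run(events=EVENTS, training=TRAINING):
    """Evaluate every event and return the list of verdicts in order."""
    baseline = learn_baseline(training)
    return [evaluate(e, baseline)[0] for e in events]


if __name__ == "__main__":
    baseline = learn_baseline(TRAINING)
    for event in EVENTS:
        verdict, reason = evaluate(event, baseline)
        print(f"{verdict:5s} {event[0]} -> {event[1]}: {reason}")
```

The third event is the one the article's caveat is about: the interpreter's digest is on the allowlist, so whitelisting lets it run, and only the learned baseline notices that a document editor never spawned it before. A learned baseline has its own failure mode, of course: if the training window already contained the attacker's activity, that chain is "normal" from then on, so the clean period has to be chosen with care.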
Remediation assistance is a big priority for large enterprises that face a high volume of attacks, notes Peter Firstbrook, a vice president at Gartner. "As the EDR market gains mainstream attraction, the market will likely split into solutions that are aimed at improving protection for smaller, less technical teams, and those that will remain focused on detection and remediation needs of dedicated SOC analysts or MSSPs providing services to smaller organizations," he recently wrote.
Antivirus is dead. Long live antivirus: It's not going anywhere anytime soon, even with the emergence of much more effective, next-generation endpoint security technology.
It's easy to bash AV for all of its many shortcomings in today's threat landscape, but most organizations have no plans to ditch it now. Even EDR vendors admit their wares work alongside and in conjunction with AV products. AV still does the job of catching everyday malware, which makes it tough to dismiss altogether. "We're still seeing Conficker ... all these [threats] that are pervasive around companies. They might not have sexy headlines as emerging" threats, but they still bombard the enterprise, says Samir Kapuria, vice president and general manager of cyber security services at Symantec.
The Council Rock School District in Pennsylvania still runs its Trend Micro AV product in addition to its Ziften EDR sensors. "We're not relying on it," Matthew Frederickson, director of IT for Council Rock School District, says of his enterprise AV system. "You're going to catch the common, everyday stuff" with AV, he says.
"You've got to augment AV ... we have additional [endpoint security] layers," he says.