End user security requires layers of tools and training as employees use more devices and apps
When Meritrust Credit Union wanted to improve its endpoint security to comply with financial regulations, information security officer Brian Meyer needed to go beyond antivirus. Commonly used endpoint security software typically provides no way to track whether employees' devices -- the laptops, tablets and phones moving in and out of the network -- have up-to-date security or are running potentially dangerous applications. With attackers routinely evading endpoint security, Meyer was legitimately worried that one might get in.
"Antivirus and some of the all-in-one suites that are out there are reactive, not proactive, so you're always behind the gun and playing catch-up to what's happening to your devices," Meyer says.
Antivirus has largely failed companies and consumers. The software does provide a base level of security -- systems with out-of-date security are 5.5 times more likely to have an infection than those running updated anti-malware software, according to Microsoft's latest Security Intelligence Report. But the ability of attackers to modify malware to escape detection and to test new variants against the top-selling antivirus scanners has made traditional signature-based antivirus software much less effective.
"Antivirus has been a Band-Aid for years," says Peter Firstbrook, VP of research with analyst firm Gartner. "They really never addressed the root cause of malware infections."
Just ask The New York Times. In January, the media conglomerate said that Chinese hackers had breached its security, gathering employee passwords and information on the sources reporters used in a story on the wealth accumulated by relatives of Chinese Premier Wen Jiabao. Using social engineering techniques, the attackers duped employees into allowing 45 different pieces of malware to infect company computers, but only one of those programs was identified as malicious by the Symantec antivirus software the company used, according to an article in The Times about the attacks.
"We're at the point now where the weakest link in the whole technological chain is the endpoint. It's where the hackers go when they want to break into an organization," says George Tubin, senior security strategist with Trusteer, a firm that focuses on securing endpoint applications.
In its response to the attack on The New York Times, Symantec said companies should turn on the advanced features of its products, such as website reputation and exploit-blocking capabilities. They stop 42% of all malware before it can run on a targeted system, the company says. "Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats," Symantec said in a statement it posted after the article. "We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."
Most endpoint security software now turns on the most advanced features by default. But many companies turn them off, because the features must be tested for compatibility within their environment and because they expect a large number of false positives.
The bring-your-own-device trend has turned these cracks in the antivirus model into dangerous holes. With employees bringing their own devices into work and working across desktops, laptops and mobile devices -- some personal and some company-owned -- the number of devices that need to be secured has soared. "There used to be a clear divide between what people did on their PC and what they did on their phone," says Candace Worley, senior VP for McAfee's endpoint unit. "Now there's complete fluidity in how people work no matter what device they're on."
Data on those devices is frequently shared among work and consumer devices and even uploaded into the cloud to services such as Dropbox and Box.net. This situation, combined with the success of attackers in getting around endpoint security measures, has security pros exploring new endpoint security options and devising alternative tactics to help harden devices and give control back to the IT security managers.
Build A Better Blacklist
Two approaches to securing endpoints from malicious software are to detect known bad software, known as blacklisting, or approve known good software, known as whitelisting.
With blacklisting, employees can download and run any application that isn't banned. Blacklisting used to be more efficient than whitelisting because there were more good applications to track than bad ones. But recently attackers have overwhelmed security vendors' ability to maintain complete blacklists by generating millions of variants of their malware every month. In its 2012 Internet Security Threat Report, Symantec said it had detected 403 million unique variants of malware, a 41% increase over 2011. (Starting in 2012, Symantec no longer reports this number.)
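To make the blacklist-versus-whitelist trade-off concrete, here is an added example (not from the article or any vendor named in it) that models both policies as hash lookups and runs them against repacked variants of one known-bad file. The file contents, the vendor lists and the variant generator are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executable contents (hypothetical sample data, not
# from the article); a real deployment hashes the actual files on disk.
KNOWN_GOOD = [b"MZ calc.exe build 1.0", b"MZ word.exe build 2.3"]
KNOWN_BAD = [b"MZ dropper.exe rev 1"]


def file_hash(data: bytes) -> str:
    """Identity used by both policies: SHA-256 of the file's bytes."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EndpointPolicy:
    mode: str                                   # "blacklist" or "whitelist"
    blocked: set = field(default_factory=set)   # hashes of known-bad files
    approved: set = field(default_factory=set)  # hashes of known-good files

    def allow(self, data: bytes) -> bool:
        """Blacklist: run anything not known bad. Whitelist: run only known good."""
        h = file_hash(data)
        if self.mode == "blacklist":
            return h not in self.blocked
        if self.mode == "whitelist":
            return h in self.approved
        raise ValueError(f"unknown mode {self.mode!r}")


def make_variants(sample: bytes, count: int) -> list[bytes]:
    """Model a repacking toolkit: the same program with a fresh byte pattern
    per copy, so every variant carries a hash the vendor has never seen."""
    return [sample + bytes([i % 256]) for i in range(count)]


def blocked_variants(policy: EndpointPolicy, variants: list[bytes]) -> int:
    """How many of the variants the policy refuses to run."""
    return sum(not policy.allow(v) for v in variants)


def build_policies() -> tuple[EndpointPolicy, EndpointPolicy]:
    blacklist = EndpointPolicy("blacklist", blocked={file_hash(b) for b in KNOWN_BAD})
    whitelist = EndpointPolicy("whitelist", approved={file_hash(g) for g in KNOWN_GOOD})
    return blacklist, whitelist


if __name__ == "__main__":
    blacklist, whitelist = build_policies()
    variants = make_variants(KNOWN_BAD[0], 100)
    print("blacklist blocks original sample:", not blacklist.allow(KNOWN_BAD[0]))
    print("blacklist blocks variants:", blocked_variants(blacklist, variants), "of 100")
    print("whitelist blocks variants:", blocked_variants(whitelist, variants), "of 100")
    print("whitelist blocks patched calc.exe:", not whitelist.allow(KNOWN_GOOD[0] + b" hotfix"))
```

The last line shows the whitelist's cost: any legitimate update that changes a file's hash is refused until the approved list is refreshed, which is the maintenance burden that made blacklisting the default for so long.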
"I don't know if the problem is the hackers are getting smarter, or the hackers all know where the vulnerabilities are," says Srinivas Kumar, CTO at TaaSERA, a cloud security vendor. "They can make it very difficult to blacklist them."
Yet there are ways to improve blacklisting. The first is to focus on the initial download or attachment and on the reputation of that file's source. Symantec's intrusion-prevention system combines techniques such as website reputation and the blocking of exploits for known vulnerabilities to stop malware before it reaches the hard drive. Protection comes in layers: IPS blocks downloads, antivirus signature and heuristic technologies scan downloaded files, and behavioral detection tools block malicious behavior. The final layer catches some of the most difficult-to-detect malware, says Michael Marfise, director of enterprise endpoint product management at Symantec.
Most malware today "changes so quickly that you can't generate signatures fast enough," Marfise says. "That's where you need technologies like reputation, so you don't have to wait for malware to be discovered."
Security vendors also link endpoints together to create something of a sensor network, using information gathered from across the vendor's customer base. When one endpoint detects a malicious file through behavioral analysis, information on the malware is passed back to the security provider, turned into a signature and made available to the entire customer base through antivirus updates. By continuously updating information on suspicious files in this way, companies can react to malware more quickly.
Another improvement to blacklisting techniques is to continuously monitor files for malicious activity. A conventional antivirus tool checks files for signs of malicious activity just once, when it first encounters the file. Imperva, Sourcefire and Stegosystems are among the companies that watch for malicious behaviors on a continuous basis.
This idea of layered or continuous security changes security strategy by providing "lots of opportunities to analyze and detect something, rather than static analytics and detection that are 'one-and-done and I'm sorry if I missed something,'" says Marty Roesch, founder of Sourcefire, which bought cloud antivirus firm Immunet in 2011.