Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/30/2013
07:05 PM
50%
50%

Endpoint Security

End user security requires layers of tools and training as employees use more devices and apps

When Meritrust Credit Union wanted to improve its endpoint security to comply with financial regulations, information security officer Brian Meyer needed to go beyond antivirus. The commonly used endpoint security typically doesn't provide a way of tracking whether employees' devices -- the laptops, tablets and phones moving in and out of the network -- have up-to-date security or are running potentially dangerous applications. With attackers routinely evading endpoint security, Meyer was legitimately worried that one might get in.

"Antivirus and some of the all-in-one suites that are out there are reactive, not proactive, so you're always behind the gun and playing catch-up to what's happening to your devices," Meyer says.

Antivirus has largely failed companies and consumers. The software does provide a base level of security -- systems with out-of-date security are 5.5 times more likely to have an infection than those running updated anti-malware software, according to Microsoft's latest Security Intelligence Report. But the ability of attackers to modify malware to escape detection and to test new variants against the top-selling antivirus scanners has made traditional signature-based antivirus software much less effective.

"Antivirus has been a Band-Aid for years," says Peter Firstbrook, VP of research with analyst firm Gartner. "They really never addressed the root cause of malware infections."

Just ask The New York Times. In January, the media conglomerate said that Chinese hackers had breached its security, gathering employee passwords and information on the sources reporters used in a story on the wealth accumulated by relatives of Chinese Premier Wen Jiabao. Using social engineering techniques, the attackers duped employees into allowing 45 different pieces of malware to infect company computers, but only one of those programs was identified as malicious by the Symantec antivirus software the company used, according to an article in The Times about the attacks.

"We're at the point now where the weakest link in the whole technological chain is the endpoint. It's where the hackers go when they want to break into an organization," says George Tubin, senior security strategist with Trusteer, a firm that focuses on securing endpoint applications.

Sign of Chaos

In its response to the attack on The New York Times, Symantec said companies should turn on the advanced features of its products, such as website reputation and exploit-blocking capabilities. They stop 42% of all malware before it can run on a targeted system, the company says. "Turning on only the signature-based anti-virus components of endpoint solutions alone is not enough in a world that is changing daily from attacks and threats," Symantec said in a statement it posted after the article. "We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough."

Most endpoint security software has now defaulted to turning on the most advanced features. But many companies turn them off, because they require the features to be tested for compatibility within their environment and because they believe there would be a large number of false positives.

The bring-your-own-device trend has turned these cracks in the antivirus model into dangerous holes. With employees bringing their own devices into work and working across desktops, laptops and mobile devices -- some personal and some company-owned -- the number of devices that need to be secured has soared. "There used to be a clear divide between what people did on their PC and what they did on their phone," says Candace Worley, senior VP for McAfee's endpoint unit. "Now there's complete fluidity in how people work no matter what device they're on."

Data on those devices is frequently shared among work and consumer devices and even uploaded into the cloud to services such as Dropbox and Box.net. This situation, combined with the success of attackers in getting around endpoint security measures, has security pros exploring new endpoint security options and devising alternative tactics to help harden devices and give control back to the IT security managers.

Build A Better Blacklist

Two approaches to securing endpoints from malicious software are to detect known bad software, known as blacklisting, or approve known good software, known as whitelisting.

With blacklisting, employees can download and run any application that isn't banned. Blacklisting used to be more efficient than whitelisting because there were more good applications to track than bad ones. But recently attackers have overwhelmed security vendors' ability to maintain complete blacklists by generating millions of variants of their malware every month. In its 2012 Internet Security Threat Report, Symantec detected 403 million unique variants of malware, a 41% increase over 2011. (Starting in 2012, Symantec no longer reports this number.)

"I don't know if the problem is the hackers are getting smarter, or the hackers all know where the vulnerabilities are," says Srinivas Kumar, CTO at TaaSERA, a cloud security vendor. "They can make it very difficult to blacklist them."

Yet there are ways to improve blacklisting. The first is to focus on the initial download or attachment and the reputation of that file's source. Symantec uses a combination of techniques, such as website reputation and the blocking of exploits for known vulnerabilities, in its intrusion-prevention system, to stop malware from getting to the hard drive. Protection comes in layers: IPS blocks downloads, antivirus signature and heuristic technologies scan downloaded files, and behavioral detection tools block malicious behavior. The final step catches some of the most difficult-to-detect malware, says Michael Marfise, director of enterprise endpoint product management at Symantec.

Most malware today "changes so quickly that you can't generate signatures fast enough," Marfise says. "That's where you need technologies like reputation, so you don't have to wait for malware to be discovered."

Security vendors also link endpoints together to create something of a sensor network -- using information gathered from across the security vendor's customer base. When one endpoint detects a malicious file through behavioral analysis, information on the malware is passed back to the security provider, turned into a signature and available for download by the entire customer base through antivirus updates. By continuously updating information on suspicious files in this way, companies can more quickly react to malware.

Another improvement to blacklisting techniques is to continuously monitor files for malicious activity. A conventional antivirus tool checks files for signs of malicious activity just once, when it first encounters the file. Imperva, Sourcefire and Stegosystems are among the companies that watch for malicious behaviors on a continuous basis.

This idea of layered or continuous security changes security strategy by providing "lots of opportunities to analyze and detect something, rather than static analytics and detection that are 'one-and-done and I'm sorry if a missed something,'" says Marty Roesch, founder of Sourcefire, which bought cloud antivirus firm Immunet in 2011.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Previous
1 of 4
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17612
PUBLISHED: 2019-10-15
An issue was discovered in 74CMS v5.2.8. There is a SQL Injection generated by the _list method in the Common/Controller/BackendController.class.php file via the index.php?m=Admin&c=Ad&a=category sort parameter.
CVE-2019-17613
PUBLISHED: 2019-10-15
qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in...
CVE-2019-17395
PUBLISHED: 2019-10-15
In the Rapid Gator application 0.7.1 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.
CVE-2019-17602
PUBLISHED: 2019-10-15
An issue was discovered in Zoho ManageEngine OpManager before 12.4 build 124089. The OPMDeviceDetailsServlet servlet is prone to SQL injection. Depending on the configuration, this vulnerability could be exploited unauthenticated or authenticated.
CVE-2019-17394
PUBLISHED: 2019-10-15
In the Seesaw Parent and Family application 6.2.5 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.