Once upon a time, endpoint security was just a hall monitor. It watched for known bad files identified with a simple signature and sent you an alert when the file was blocked. To be safe, it would scan every machine daily, an intrusive activity that slowed down machines and sped up the heart rates of affected users and hapless analysts at help desks. Those days are gone, my friend. Those days are gone. Endpoint security, like all technology, is orders of magnitude more sophisticated now than when it was born. Features that once stood out as innovative and forward-leaning are now “table stakes” – essential for consideration, almost assumed. Here are some of the basic, and not-so-basic, features of modern endpoint protection software. Topping the list are three sine qua non capabilities:
- Detection of zero days (previously unknown malware)
- Detection and prevention of memory-based attacks (a.k.a. “fileless” attacks) that run on an infected machine but never deposit a file on the victim’s system
- Ability to monitor processes running on an endpoint and identify “bad”, or at least unusual, behavior
If malware somehow slips through the cracks, good endpoint software can and will search all machines in an organization – with no disruption to end users – to minimize the spread of an infection. Naturally, it must generate alerts in response to such events, but it must minimize false positives and provide severity levels and/or intelligible descriptions of the offending malware. Security personnel are notoriously overburdened. They cannot waste time chasing down false alarms, and they must know how to prioritize genuine notifications of intrusion. To quote John Donne, “No man is an island.” The same is true for endpoint protection, in fact, for any type of cybersecurity tool. Endpoint protection systems need to feed their findings into other systems, such as SIEMs or threat intelligence sharing systems, and must ingest data from multiple sources. Automatic quarantining of infected machines is also essential along with the ability to detonate malware on virtual machines or even on dedicated hardware, all without tipping off the malware that it is running in a “sandbox.” Endpoint protection systems must also protect themselves by detecting and reporting attempts to remove them. Finally, endpoint protection systems can assist the user or system administrator by walking them through remediation, offering suggestions and best practices along the way. So much for the “table stakes” – which are already pretty sophisticated. What are some advanced (for now) features of a modern endpoint protection system? There are many, limited only by the ingenuity and expertise of the developers. Automated vulnerability shielding, also known as virtual patching is key, along with the ability to route suspected malware to a dedicated sandbox machine to observe its behavior. In the never-ending cat-and-mouse game between defenders and attackers, attackers have learned to write malware that detects when it is in a sandbox, does not detonate and sits idle with an innocent look on its face. Endpoint vendors, in turn, can tell when malware knows it is in a detonation chamber and can detonate it anyway. This game could go on ad infinitum, so routing to a physical, dedicated detonation sandbox is clearly a useful feature. On the other end of the spectrum, though, is the ability to create a miniature VM on the endpoint itself and detonate the malware instantly but harmlessly. Many organizations are deploying deception technology, also known as “honeypots” or “honeynets.” Sophisticated endpoint software can route malware to a decoy network or system, slowing down an attack and allowing defenders to analyze an attack without fear of a breach of production data or machines. Even better, a good system can assist the harried security team with recommendations for response and remediation and can help identify the attackers. Security companies innovate every day, so there are many capabilities I did not list here, including those still under development or those no one has created yet. Endpoint protection: it’s a whole new world.
About the Author:
As Chief Cybersecurity Technologist for DLT, Don Maclean formulates and executes cybersecurity portfolio strategy, speaks and writes on security topics, and socializes his company’s cybersecurity portfolio. Don has nearly 30 years’ experience working with U.S. Federal agencies. Before joining DLT in 2015, Don managed security programs for numerous U.S. Federal clients, including DOJ, DOL, FAA, FBI, and the Treasury Department. This experience allowed him to work closely with the NIST Risk Management Framework featured in this article, and to understand its strengths and weaknesses. In addition to his CISSP, PMP, CEH, and CCSK certificates, Don’s holds a B.A. in Music from Oberlin, an M.S. in Information Security from Brandeis Rabb School, and is nearing completion of his second Bachelor’s in Mathematics. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
