Once upon a time, endpoint security was just a hall monitor. It looked for known bad files identified with a simple signature and sent you a notification when the file was blocked. To be safe, it would scan every machine every day, an intrusive activity that slowed machines down and accelerated the heartbeats of affected users and unhappy analysts on help desks.
Those days are over, my friend. Those days are over. Endpoint security, like all technology, is now orders of magnitude more sophisticated than when it was born. Functions that once looked innovative and forward-leaning are now "table stakes": essential for consideration, and almost universally adopted. Here are some of the basic and not-so-basic functions of modern endpoint security software.
At the top of the list are three sine qua non capabilities:
- Zero-day detection (previously unknown malware)
- Detection and prevention of memory-based attacks (a.k.a. "fileless" attacks) that execute on an infected machine but never place a file on the victim's system
- Ability to track processes running on an endpoint and identify "bad", or at least unusual, behaviors
If malware somehow slips through the cracks, good endpoint software can and will search all machines in an organization, without any interruption for end users, to minimize the spread of an infection. Of course, it should generate alerts in response to such events, but it should minimize false positives and provide severity levels and/or comprehensible descriptions of the offending malware. Security staff are notoriously overloaded. They cannot waste time tracking down false alarms, and they need to know how to prioritize notifications of real intrusions.
To quote John Donne: "No man is an island." The same applies to endpoint protection, and in fact to every type of cyber security tool. Endpoint protection systems must feed their findings to other systems such as SIEM and threat-intelligence sharing platforms, and must ingest data from multiple sources. Automatically quarantining infected machines is also essential, as is the ability to detonate malware on virtual machines or even on dedicated hardware, all without tipping off the malware that it is running in a "sandbox". Endpoint security systems must also protect themselves by detecting and reporting attempts to remove them.
Finally, endpoint security systems can assist the user or system administrator by guiding them through remediation, offering suggestions and practical tips along the way.
So much for the "table stakes", which are already quite advanced. What are some advanced (for the time being) features of a modern endpoint security system? There are many, limited only by the ingenuity and expertise of the developers.
Automated vulnerability shielding, also known as virtual patching, is crucial, along with the ability to send suspicious malware to a dedicated sandbox machine to observe its behavior. In the endless cat-and-mouse game between defenders and attackers, attackers have learned to write malware that detects when it is in a sandbox, does not detonate, and sits there with an innocent look on its face. Endpoint vendors, in turn, can detect when malware knows it is in a detonation chamber and can still make it detonate. This game can continue ad infinitum, so routing samples to a physical, dedicated detonation sandbox is clearly a useful feature. At the other end of the spectrum, there is the option of creating a miniature VM on the endpoint itself and detonating the malware there directly but harmlessly.
Many organizations use deception technology, also known as "honeypots" or "honeynets." Advanced endpoint software can route malware to a decoy network or system, delaying an attack and allowing defenders to analyze it without fear of compromising production data or machines. In fact, a good system can help the beleaguered security team with response and recovery recommendations and help identify the attackers.
Security companies innovate every day, so there are many capabilities I have not mentioned here, including ones still under development or not yet conceived. Endpoint protection: it is a whole new world.
About the author: As Chief Cyber Security Technologist for DLT, Don Maclean formulates and implements cyber security portfolio strategy, speaks and writes about security issues, and socializes his company's cyber security portfolio. Don has nearly 30 years of experience with US federal agencies.
Prior to joining DLT in 2015, Don managed security programs for numerous US federal customers, including DOJ, DOL, FAA, FBI and the Treasury Department. This experience enabled him to work closely with the NIST Risk Management Framework described in this article and to understand its strengths and weaknesses. In addition to his CISSP, PMP, CEH and CCSK certifications, Don holds a B.A. in music from Oberlin and an M.S. in Information Security from the Brandeis Rabb School, and is close to completing his second bachelor's degree, in mathematics.
Publisher's note: The opinions expressed in this guest-author article are solely those of the author and do not necessarily reflect those of Tripwire, Inc.