For a long time, the main focus of many organizations was to have a solidly protected network perimeter by installing the most powerful, shiniest firewall/IPS/IDS they could afford. This could help them keep intruders from trespassing inside their networks.

The end point (host) was always considered the last line of defense and was never treated with the same priority as other assets. In fact, end points were always considered an extremely time-consuming commodity for IT departments to care for. IT departments spend hours or even days performing remediation, including re-imaging computers in order to get rid of malware.

Since 2013, we've witnessed a seemingly unending parade of headlines about high-profile data breaches, many of which were the result of compromised end points. For example:
- Target's high-profile breach in December 2013 cost it $162 million in expenses across 2013 and 2014. This breach was reportedly the result of a compromised point-of-sale (POS) system.
- In 2014, Home Depot, another big-box retailer, saw 53 million email addresses and 56 million credit cards impacted. According to the company's report, custom-built malware was deployed on its self-checkout systems in the U.S. and Canada. This was an extremely targeted type of attack.
- In 2014, Panda Security reported that malware creation had broken all records, with more than 15 million new samples; more than 160,000 new samples were appearing every day. In 2015, Panda Security reported another record: an average of 230,000 new samples daily during Q2 of that year alone. This statistic shows us that malware is becoming more uncontrollable every day.
With new cyber threats and more sophisticated malware attacks emerging daily, protecting the end points has finally become top of mind for most organizations. It's still important to ensure that the network perimeter is as solid as it can be, but lately the spotlight has more clearly been turned towards protecting the weakest link in the cyber ecosystem: the end point.

Every end point connected to your network is a point of vulnerability. It takes only one compromised host to allow attackers to infiltrate the entire infrastructure. By moving laterally, they can reach high-value assets in the network.

Redefining End Point Protection For the New Threat Landscape
Historically, the end point protection market has relied solely on antivirus products for protection. However, in recent years, the threat landscape has shifted from viruses to highly sophisticated attacks called Advanced Persistent Threats (APTs), and Exploit Kits. Even the big guys like Symantec Senior VP Brian Dye admitted in 2014 that antivirus "is dead". Today, we all know that he was right.

Don't get me wrong, antivirus still has its place in the market to fight known malware threats. But let's face it, the typical antivirus products have proven to be ineffective at stopping the new advanced threats. The software relies purely on signature-based technology. Because these new threats are highly dynamic and evasive, most attacks go undetected. Advanced threats, especially those relying on Exploit Kits, leverage vulnerabilities in software we use on a daily basis to view commonly used data files (e.g. doc, xls, pdf, ppt). Or, they're designed to target proprietary software used in various industries.

These types of files open easily in their native applications and the content is displayed normally (at least it seems normal), but there's a malicious payload embedded in the file. The code exploits a vulnerability in the native application, allowing the attacker's code to run. All this happens while your end point solution keeps looking for a bad executable that it's seen before. Patching was the only way to ensure protection from known vulnerabilities, and there was no reliable method to protect systems from unknown vulnerabilities.

A whole new set of Next Generation End Point Protection products and approaches have emerged to combat these threats and stop zero-day attacks. Customers have been bombarded with market messages such as exploit prevention, hardware isolation, application whitelisting, sandboxing, and behavioral analysis to describe these new approaches.

The New End Point Protection Approaches

Exploit Prevention:
Zero-day exploits have become the top concern for enterprise companies. Exploit prevention technology is effective because it doesn't require advance information about the exploit code, its source, the vulnerability it's trying to exploit or the malware it downloads. Proper solutions prevent the successful execution of the exploit. Exploit prevention focuses on the techniques that an attacker must use in order to successfully exploit a 0-day vulnerability, or a vulnerability that's already known in the wild and has been patched by the vendor. Some examples of these techniques are heap spray, buffer overflow and DLL hijacking, among others. Basically, an exploit prevention agent located in memory watches for these techniques, and once it detects an attack, it shuts down the application being exploited. As long as the core technique is blocked, the entire attack kill chain is terminated.

Hardware Isolation:

Hardware Isolation works with the concept of micro-virtualization, which relies on CPU features to isolate individual untrusted user tasks. Each browser tab, each document that's opened, etc. is considered an independent task, and a new Micro-VM is created for it. Once the browser tab or the document is closed, the Micro-VM is totally destroyed. For example, if the user opens a browser tab to surf a website and an exploit is executed, the exploit will run isolated in its own instance without any access to other tasks or to the actual desktop OS. By isolating each task individually in its own Micro-VM instance, two concepts are enforced: Need to Know and Least Privilege.
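To make the technique-focused idea from the Exploit Prevention section concrete, here is an added example (not code from the article or from any vendor's agent) that applies one such rule to DLL hijacking: a well-known system DLL that the loader resolved from outside the system directories is treated as a search-order hijack, and the verdict is to terminate the process, regardless of which exploit or payload is behind it. The LoadEvent shape, the trusted directory set, the short list of impersonated DLL names and the sample events are all constructed assumptions for this illustration.

```python
"""
Flag DLL search-order hijacking from module-load events.

Added example, not code from the article or from any vendor's agent.
The LoadEvent shape, the trusted directories, the short list of
impersonated system DLLs and the sample events are all constructed
for this illustration.
"""
import ntpath
from dataclasses import dataclass

# Where the listed DLLs are expected to come from (assumption for the example).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# System DLL names that are commonly planted next to an application so the
# loader picks the planted copy first (assumed short list; real policies are larger).
IMPERSONATED_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll"}


@dataclass
class LoadEvent:
    process: str            # image name of the process doing the load
    dll_path: str           # full path the loader resolved
    user_writable: bool     # can a standard user write to that directory?


def check_load(ev):
    """Return a verdict dict for a suspicious load, or None if the load looks normal."""
    name = ntpath.basename(ev.dll_path).lower()
    directory = ntpath.dirname(ev.dll_path).lower()
    if name not in IMPERSONATED_SYSTEM_DLLS:
        return None                     # not a name the policy cares about
    if directory in TRUSTED_DIRS:
        return None                     # loaded from where it belongs
    # A known system DLL resolved outside the system directories means the
    # loader was steered by search order. Severity depends on who could plant it.
    severity = "high" if ev.user_writable else "medium"
    return {
        "process": ev.process,
        "dll": name,
        "path": ev.dll_path,
        "severity": severity,
        "action": "terminate",          # technique blocked: stop the process being hijacked
    }


def detect_hijacks(events):
    """Run every load event through the policy and keep only the verdicts."""
    return [v for v in (check_load(e) for e in events) if v is not None]


# Constructed sample: one normal load, one planted DLL in a download folder,
# one in a program directory, one unrelated application DLL.
SAMPLE_EVENTS = [
    LoadEvent("notepad.exe", r"C:\Windows\System32\version.dll", False),
    LoadEvent("viewer.exe", r"C:\Users\alice\Downloads\version.dll", True),
    LoadEvent("viewer.exe", r"C:\Program Files\Viewer\dwmapi.dll", False),
    LoadEvent("viewer.exe", r"C:\Program Files\Viewer\viewer_helper.dll", False),
]

if __name__ == "__main__":
    for verdict in detect_hijacks(SAMPLE_EVENTS):
        print(verdict)
```

Note that the rule never looks at the DLL's contents or at a signature; it keys only on where a trusted name was resolved from, which is why it does not need prior knowledge of the payload.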
Sandboxing:

Another powerful way to discover new malware attacks is sandboxing. Sandbox technology isolates a suspected or unknown file in a virtual environment that runs the company's typical desktop systems (e.g., Windows XP, Windows 7), and the suspected file is examined while it runs in the sandbox. This process is called "detonation." If the file exhibits malicious behavior in the sandbox, it's recognized as malicious and the information about the file is used to prevent further attacks from the newly discovered malware. An increasing number of attackers, however, are creating malware that can detect when it is operating in a virtual environment. If the VM-aware code senses a sandbox, it disguises itself by not performing any malicious acts, which reduces the utility of the sandbox. There are two types of sandbox solution offered by vendors:
- Off Premise: This is basically a cloud solution managed by the sandbox vendor, and it requires a subscription depending on the types of files that you want analyzed. This solution may not be the best fit for some companies, as the suspicious files have to be sent to the cloud for detonation.
- On Premise: When there are regulation, compliance and privacy concerns, some companies (especially government and banking organizations) prefer to have the sandbox appliance on premise so that the files don't have to leave their environment.
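The sandbox section above describes two things a detonation engine has to do: turn observed behavior into a verdict, and cope with VM-aware samples that go quiet when they sense a sandbox. The following added example (not the article's or any vendor's code) scores a detonation trace with a few behavioral rules and, as the edge case, treats "probed for VM artifacts, then exited almost immediately without doing anything else" as evidence of evasion rather than as a clean run. The trace format, weights, thresholds and the three sample traces are constructed assumptions for this illustration.

```python
"""
Score a sandbox detonation trace and flag VM-aware evasion.

Added example, not the article's or any vendor's code. The trace format,
the scoring weights, the thresholds and the sample traces are constructed
for this illustration.
"""
import ipaddress
import re

PERSISTENCE_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
VM_ARTIFACTS = ("vbox", "vmware", "vmmouse", "qemu", "hyperv", "virtual")
DROP_EXT = (".exe", ".dll", ".scr")


def is_literal_ip(host):
    """True when the destination is a bare IP rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_trace(trace):
    """Return (score, reasons) for one detonation trace."""
    score, reasons = 0, []
    dropped = set()          # executables the sample wrote, to catch "drop then run"
    probed_vm = False
    sample = trace["sample_path"].lower()
    for ev in trace["events"]:
        t = ev["type"]
        if t == "registry_write" and PERSISTENCE_KEY.search(ev["key"]):
            score += 40; reasons.append("persistence via Run key")
        elif t == "file_write" and ev["path"].lower().endswith(DROP_EXT):
            dropped.add(ev["path"].lower())
            score += 15; reasons.append("dropped executable " + ev["path"])
        elif t == "process_create" and ev["image"].lower() in dropped:
            score += 30; reasons.append("executed dropped file")
        elif t == "network_connect" and is_literal_ip(ev["host"]):
            score += 20; reasons.append(f"connection to raw IP {ev['host']}:{ev['port']}")
        elif t == "file_delete" and ev["path"].lower() == sample:
            score += 20; reasons.append("sample deleted itself")
        elif t in ("registry_read", "file_read", "wmi_query") and any(
                a in ev["target"].lower() for a in VM_ARTIFACTS):
            probed_vm = True
    # Evasion: the sample looked for VM artifacts and then did nothing else.
    if probed_vm and score == 0 and trace["runtime_seconds"] < 5:
        score += 30
        reasons.append("probed VM artifacts then exited early: likely sandbox-aware, "
                       "re-detonate on a different profile")
    elif probed_vm:
        score += 10; reasons.append("probed VM artifacts")
    return score, reasons


def verdict(trace):
    """Map the score to a label; 'suspicious' is the bucket that needs analyst follow-up."""
    score, reasons = score_trace(trace)
    label = "malicious" if score >= 60 else "suspicious" if score >= 25 else "benign"
    return {"sample": trace["sample_path"], "score": score, "verdict": label, "reasons": reasons}


# Constructed traces. Paths, keys and the 203.0.113.7 documentation address are made up.
TRACE_DROPPER = {"sample_path": r"C:\Users\sbx\Desktop\invoice.pdf.exe", "runtime_seconds": 40, "events": [
    {"type": "file_write", "path": r"C:\Users\sbx\AppData\Roaming\svc.exe"},
    {"type": "registry_write", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"type": "process_create", "image": r"C:\Users\sbx\AppData\Roaming\svc.exe"},
    {"type": "network_connect", "host": "203.0.113.7", "port": 4444},
    {"type": "file_delete", "path": r"C:\Users\sbx\Desktop\invoice.pdf.exe"},
]}
TRACE_EVASIVE = {"sample_path": r"C:\Users\sbx\Desktop\report.exe", "runtime_seconds": 2, "events": [
    {"type": "registry_read", "target": r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"},
    {"type": "file_read", "target": r"C:\Windows\System32\drivers\vmmouse.sys"},
]}
TRACE_BENIGN = {"sample_path": r"C:\Users\sbx\Desktop\notes.exe", "runtime_seconds": 60, "events": [
    {"type": "file_read", "target": r"C:\Windows\Fonts\arial.ttf"},
    {"type": "registry_read", "target": r"HKCU\Control Panel\Desktop"},
]}

if __name__ == "__main__":
    for t in (TRACE_DROPPER, TRACE_EVASIVE, TRACE_BENIGN):
        print(verdict(t))
```

The point of the evasion rule is that a quiet run is not automatically a clean run: a sample that inspects the environment and then exits in two seconds has told you something, and the right response is another detonation on a profile that hides those artifacts, not a benign verdict.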
Application Whitelisting:

Application Whitelisting is a technology that has been in use in the security world for quite some time. In essence, it's the opposite approach to blacklisting, which is the technology used in almost every antivirus product in existence today. In the blacklisting approach, every new file on a system is checked to see if it appears to be malicious, and if so, it's blocked from executing and carrying out any damage. Application Whitelisting takes a different approach. By default, it denies the execution of any application that has not been explicitly approved. In other words, it blocks everything that is considered unknown.
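As an added example of the default-deny model just described (not code from the article or from any product), the block below keeps an allowlist of approved binaries keyed by path and SHA-256, denies anything not on it, and shows why approving a path alone is weaker than approving a path plus its hash: a binary replaced in place after approval still passes a path-only check but fails the hash check. The policy format, file names and the temporary-directory demo are constructed assumptions.

```python
"""
Default-deny application control with a hash-based allowlist.

Added example, not code from the article or from any vendor product.
The policy format, file names and the "execution request" are
constructed for this illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Record the hash of each explicitly approved binary at approval time."""
    return {str(Path(p).resolve()): sha256_of(p) for p in approved_paths}


def decide(exec_path, allowlist, mode="hash"):
    """Return ("allow"|"deny", reason). Anything not explicitly approved is denied."""
    key = str(Path(exec_path).resolve())
    if key not in allowlist:
        return "deny", "not on the allowlist"          # default deny for unknown binaries
    if mode == "path":
        return "allow", "path is approved"             # weak: trusts whatever sits at that path now
    actual = sha256_of(exec_path)
    if actual != allowlist[key]:
        return "deny", "approved path but hash changed since approval"
    return "allow", "path and hash match approval"


def run_demo():
    """Build a tiny policy in a temp dir and exercise the approved, unknown and replaced cases."""
    with tempfile.TemporaryDirectory() as d:
        approved = Path(d) / "viewer.exe"
        unknown = Path(d) / "update_helper.exe"
        approved.write_bytes(b"MZ original viewer binary (constructed)")
        unknown.write_bytes(b"MZ unknown binary (constructed)")
        allowlist = build_allowlist([approved])
        results = {
            "approved": decide(approved, allowlist)[0],
            "unknown": decide(unknown, allowlist)[0],
        }
        # Simulate the approved binary being replaced in place after approval.
        approved.write_bytes(b"MZ replaced binary (constructed)")
        results["replaced_path_mode"] = decide(approved, allowlist, mode="path")[0]
        results["replaced_hash_mode"] = decide(approved, allowlist, mode="hash")[0]
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The operational cost of this model is visible in `build_allowlist`: every legitimate update changes a hash, so the approval step has to be part of the software deployment process rather than an afterthought, which is why the management console matters as much as the enforcement agent.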
The Bottom Line

The bottom line is that cyber criminals are more and more motivated, especially because of the financial aspect. It's our job, as security professionals, not to make things easier for them.

The best end point protection providers offer an efficient management console that can control all end points, software deployment and policy enforcement, backed by a consistent, proven ability to protect your network from malware and other advanced threats. There are end point solutions that integrate with the vendor's sandbox, which provides an immediate vehicle to verify whether a file is known to be malicious. Others are capable of integrating with third-party SIEM solutions by adding threat intelligence to internal watch lists or blacklists, disabling active sessions with source IPs known to be bad and even quarantining compromised hosts.

Choosing the end point protection technology that will protect your organization as your first line of defense, combined with careful planning and an intense proof of concept, is critical to the success of your organization.