Long Live Endpoint Security!
Palo Alto Networks’ acquisition of Cyvera earlier this year got me thinking about the evolution of endpoint defenses.
It’s been obvious for quite some time that traditional signature-based technologies do not provide adequate protection for an organization’s endpoint systems. To be clear, it’s not accurate to say they’re “broken” (a pet peeve of mine). They continue to work pretty much as they were designed, and, as a result, remain a fairly efficient technique for thwarting known malware. It’s just that the battleground, as we all know, is now unknown malware and entirely new threats leveraging zero-day exploits.
The initial round of responses to this situation was to layer in a variety of complementary technologies, including host intrusion prevention (HIP), heuristics, and application control. Each of these has helped, but often only incrementally, or only in a limited set of use cases (e.g., application control for fixed-function devices such as kiosks).
Over the past couple of years, however, the endpoint defense market has been experiencing a new wave of innovation, with contributions being made across all phases of the threat defense lifecycle (i.e., protection, detection, and response).
Here is a quick classification scheme and set of descriptions I came up with to facilitate evaluating these “next-generation” endpoint solutions and determining which ones might be the best fit for your environment/use case.
Next-generation HIP. Traditional host intrusion prevention technology works by blocking known-bad actions at the kernel level. The tools in this category operate on a similar principle by setting “traps” or “roadblocks” at “chokepoints” in the endpoint system that are associated with the relatively small set of mechanisms/techniques malware actually uses to exploit systems. The technology from Cyvera and IBM/Trusteer’s Apex are representative of this class.
Isolation/containment. In this case, executables, files, or even individual processes are run/opened in a tightly controlled execution environment (or sandbox) that effectively shields the rest of the endpoint from anything bad that happens. Any “introduced” malware is wiped out at the same time as the associated sandbox upon completion of the related user activities. Instrumented variations also enable malware fingerprinting or identification of indicators that can be used by other tools for future detection. Solutions from Bromium and Invincea fit in this class.
Real-time file classification/execution control. With this technology, advanced machine learning techniques operate against an ever-growing corpus of data (i.e., clean and infected files) to produce a set of mathematical algorithms capable of discerning the extent to which a given file poses a threat. Endpoint agents running these algorithms subsequently make real-time decisions to permit/deny initiation within the run-time environment for each file that is encountered. Check out Cylance for a good example of this technology.
Big data correlation/analytics. The products in this category instrument endpoints and then leverage the centrally gathered data for out-of-band threat detection, advanced analysis, and facilitating response and remediation activities. Bit9 (with Carbon Black), CounterTack, and Guidance Software have representative solutions.
One more item to consider is that although each of these approaches shows tremendous promise, they also have their limitations. With few exceptions they won’t be able to replace legacy signature-based solutions, only supplement them. Limited platform/device support is likely to be another issue, at least over the near term.
Anyway, chime in if you see any holes in my admittedly quick-and-dirty classification scheme, or if you have any other thoughts on the matter.