Endpoint Security Evolves to Address Smarter, Fiercer Threats
Organizations are shifting their data protection strategies to deal with challenges posed by mobile and cloud computing.
- by John Edwards
- Veteran Business Technology Journalist | March 29, 2018
The world of digital security is scarier than ever.
Gone are the days when an organization could protect itself by simply adopting a handful of security technologies and practices focused on the internal network. Mobile and cloud technologies have expanded enterprise boundaries, and increasingly dangerous threats from cybercriminals now require organizations to move strategically from a threat prevention mindset to an approach that focuses on detecting and responding to attacks, and then recovering from them.
At the same time, today’s mobile and cloud computing paradigm demands immediate access to data at all times from any location, says Lenny Zeltser, a senior instructor in malware analysis at the SANS Institute, a cybersecurity training organization. As a result, organizations find themselves struggling to maintain control over the enterprise networks that employees and contractors use to interact with a wide range of sensitive data. “The network perimeter became ephemeral, with access occurring from homes, satellite locations, internet cafes and other networks that the organization cannot secure in the way that it attempted to lock down its corporate network,” Zeltser says.
To address powerful new threats while protecting a shifting landscape on which sensitive data resides, many organizations are employing endpoint security solutions with powerful capabilities such as artificial intelligence (AI) and machine learning.
The New Endpoints
The evolution of the network has redefined what organizations view as an endpoint. “Traditionally, we identified network endpoints as any device that manages communication across a network from within a corporate firewall, such as a modem, router, printer or PC,” says Sri Sundaralingam, Symantec’s enterprise security product marketing lead.
The cloud allowed organizations to expand network access to devices and services outside the firewall, forcing the entire IT community to rethink what should be classified as an endpoint. “Today, we consider the modern network endpoint to include any device that can access a corporate network, and that includes PCs, smartphones, tablets, wearables, Internet of Things devices and more,” Sundaralingam says.
A vast number and variety of devices now connect to enterprise networks, including endpoints as diverse as building controls, vending machines and Internet of Things (IoT) components, such as industrial sensors and switches. “These devices typically carry less protection from attacks than a laptop or phone and must be monitored for compromise,” says Larry Lunetta, vice president of security solutions marketing at Aruba Networks. Organizations also need to pay close attention to endpoints used by an increasingly mobile workforce, as well as branch offices connecting directly to the internet.
Organizations are beginning to understand that, even as they strive to prevent as many attacks as possible, breaches are inevitable. “They have to prepare to detect successful attacks and respond appropriately,” says Jim Waggoner, senior director of endpoint product management for FireEye. These capabilities are known as endpoint detection and response (EDR).
EDR tools address the need for continuous monitoring of and response to increasingly sophisticated network threats. EDRs differ from standard endpoint protection platforms (EPPs), such as anti-malware solutions, in that they aren’t designed to automatically stop threats during the pre-execution phase. An EDR goes beyond EPP’s basic capabilities to offer deep visibility, providing insights that help security analysts discover, investigate and respond to advanced threats targeting multiple endpoints. For extra protection, many current security tools combine both EDR and EPP capabilities.
Polymorphic Malware Challenges Endpoint Protection
Malware never sleeps.
An emerging generation of “polymorphic” malware, cleverly designed to elude security detection, is now assaulting networks worldwide.
Polymorphic approaches have been used by malware authors for a long time. “What has changed is the diversity of evasive tactics that attackers employ and the frequency with which they use them,” says Lenny Zeltser of the SANS Institute. “Our adversaries aren’t standing still.”
Polymorphic malware creators devise numerous techniques for defeating network defenses. “For instance, they use malicious document files at the onset of the attack, or employ ‘fileless’ techniques to maintain malicious code solely in the memory of the infected system,” Zeltser says.
Analysts estimate that malware morphs every 60 seconds. “That’s because on the Dark Web there’s an ‘arms’ marketplace where basic malware can be acquired, altered and re-posted in a continuous cycle of refinement,” says Larry Lunetta, vice president of security solutions marketing at Aruba Networks. “This makes detection via signatures, rules or pattern matching practically impossible.”
Many organizations now realize that despite their best efforts to prevent breaches, adversaries are still sometimes succeeding at penetrating network defenses. Enterprises need to develop the ability to detect when the defenses have been breached so that they can respond and recover quickly, before the incident escalates into a major event. To meet this need, a growing number of organizations are adding Endpoint Detection and Response (EDR) capabilities to their network defenses. EDR tools provide deep visibility and offer insights that help security analysts discover, investigate and respond to advanced threats.
AI and Machine Learning
Unfortunately, most serious network attacks do not stop at the endpoint. “The endpoint is simply the jumping-off location for a more aggressive and expansive attack that involves small steps over days, weeks or months,” Lunetta says. “Artificial intelligence and machine learning can see small changes in endpoint behaviors, put them in context over time and raise a risk score within a security solution to an alert threshold so it can be investigated and mitigated before damage is done.”
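To make the risk-scoring idea concrete, here is an added Python illustration (not code from the article or from any vendor it mentions) of how small endpoint behaviors, none alarming on its own, can be accumulated per host over days and raised to an alert threshold. The event types, their weights, the seven-day half-life and the threshold are all assumed values, and the telemetry is constructed; it also shows why this approach does not depend on the file signatures the sidebar says polymorphic malware defeats.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical per-event risk weights (illustrative values, not a vendor's).
EVENT_WEIGHTS = {
    "office_spawns_shell": 30,   # document opens a command interpreter
    "new_scheduled_task": 15,    # persistence
    "outbound_rare_domain": 20,  # possible command-and-control
    "lsass_read": 40,            # credential access
    "smb_to_new_host": 10,       # lateral movement
}
ALERT_THRESHOLD = 80             # no single event reaches this on its own
HALF_LIFE = timedelta(days=7)    # old activity fades unless reinforced

@dataclass
class HostState:
    score: float = 0.0
    last_seen: Optional[datetime] = None

def decay(score: float, last_seen: Optional[datetime], now: datetime) -> float:
    """Exponential decay: halve the score for every HALF_LIFE elapsed."""
    if last_seen is None:
        return 0.0
    return score * 0.5 ** ((now - last_seen) / HALF_LIFE)

def score_events(events):
    """events: time-ordered (timestamp, host, event_type) tuples.
    Returns ({host: current score}, [(timestamp, host, score), ...] alerts);
    a host alerts once, the first time its decayed score crosses the threshold."""
    hosts, alerts = {}, []
    for ts, host, etype in events:
        st = hosts.setdefault(host, HostState())
        st.score = decay(st.score, st.last_seen, ts) + EVENT_WEIGHTS.get(etype, 0)
        st.last_seen = ts
        if st.score >= ALERT_THRESHOLD and not any(a[1] == host for a in alerts):
            alerts.append((ts, host, round(st.score, 1)))
    return {h: round(s.score, 1) for h, s in hosts.items()}, alerts

# Constructed sample telemetry: a slow chain on ws-17 spread over ten days,
# plus one lone persistence event on ws-03 that never gains reinforcement.
T0 = datetime(2018, 3, 1, 9, 0)
SAMPLE_EVENTS = [
    (T0, "ws-17", "office_spawns_shell"),
    (T0 + timedelta(days=2), "ws-17", "new_scheduled_task"),
    (T0 + timedelta(days=5), "ws-03", "new_scheduled_task"),
    (T0 + timedelta(days=9), "ws-17", "outbound_rare_domain"),
    (T0 + timedelta(days=10), "ws-17", "lsass_read"),
    (T0 + timedelta(days=10, hours=1), "ws-17", "smb_to_new_host"),
]
```

Running `score_events(SAMPLE_EVENTS)` alerts only on ws-17, at the sixth event, even though its highest single-event weight (40) is half the threshold; ws-03 ends below the threshold with a decaying score of 15.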
Machine learning and AI also excel at identifying new types and variations of malware that haven’t existed in the wild for very long. “Every organization needs multiple detection engines to help prevent attacks, such as ransomware and commodity malware,” Waggoner says.
Sundaralingam agrees that sophisticated technologies are now essential for detecting and preventing malicious attacks. “Advanced machine learning employs a multi-layered threat assessment that analyzes how static files behave and interact with other files, machines and URLs,” he says. Machine learning can also scrutinize vast amounts of data to determine if a type of code seen on only one or perhaps a handful of machines around the world is likely to be malicious.
“Put simply, advanced machine learning acts as the first responder when an attacker gains access to private data, and effectively detects malware in the pre-execution phase to seamlessly respond and stop large known and unknown threats,” Sundaralingam says. “By combining machine learning and behavioral analysis with endpoint technologies, companies are able to minimize false positives and maximize protection when faced with large-scale attacks like WannaCry.”
Computers are inherently better at some tasks than humans, including the ability to analyze large volumes of data to spot hidden patterns that can indicate a possible network threat. “Many endpoint antivirus and related technologies now incorporate AI to detect malware in a way that extends the approaches available to us earlier,” Zeltser says. “This is an evolutionary step that allows the defenders to keep up with the constantly-changing threat landscape.”