Endpoint Threat Detection without the Pain

Transcription

1 WHITEPAPER Endpoint Threat Detection without the Pain Contents Motivated Adversaries, Too Many Alerts, Not Enough Actionable Information: Incident Response is Getting Harder... 1 A New Solution, with a Hitch... 2 Introducing Outlier: Agentless Zero Impact Cyber Defense... 3 Use Cases: Endpoint Monitoring, Validating Alerts, Incident Response and Remediation... 4 How Outlier Works... 5 Summary... 8 For more information contact Outlier Security... 8 Motivated Adversaries, Too Many Alerts, Not Enough Actionable Information: Incident Response is Getting Harder There is no silver bullet to prevent your enterprise network from being compromised by motivated and well- funded adversaries. Traditional endpoint and network- based detection systems miss new and unknown threats that can lead to serious intrusions. As Cisco Systems says, All organizations should assume they ve been hacked, or at least agree that it s not a question of if they will be targeted for an attack, but when. 1 All organizations should assume they ve been hacked Security- conscious organizations have responded by emphasizing the need for security and incident response teams to identify and remediate intrusions faster. Yet the process and the tools used in incident response are not keeping pace. Security teams are overburdened running down false alerts spewed out by legacy cyber security systems. Highly skilled, expensive security professionals are forced to gather and sift through large volumes of data manually to find evidence of compromised systems. By the time they find the information they need, 1 Cisco 2014 Annual Security Report: 1

2 cybercriminals have had days, weeks, or even months to find and exfiltrate customer and personal information and intellectual property. 2 The problem is most acute on endpoints. While security professionals may have good tools for collecting and analyzing log data and capturing network traffic, they lack visibility into malicious activities on laptops, desktop PCs and servers. Logs and network traffic don t have the detailed contextual information needed to verify threats and understand the adversary s actions on computers. Incident responders are forced to gather information manually from endpoints before they can separate false positives from real threats, or begin to analyze actual attacks. This labor- intensive model is slow and costly, and clearly doesn t scale. Also, it doesn t help organizations identify and remediate intrusions faster. A New Solution, with a Hitch A new type of security product addresses those issues. Industry analyst firms have given different names to these solutions: Gartner calls them Endpoint Detection and Response (EDR) systems, Forrester Research uses the term Endpoint Visibility and Control (EVC), and IDC classifies them as Specialized Threat Analysis and Detection (STAP) tools. 3 Regardless of what you call them, these systems are needed to help organizations speedily investigate security incidents and detect malicious activities, without dependence on signatures. But there is a hitch. The products for endpoint visibility require that agents must be installed on the monitored devices. Many organizations have balked at implementing endpoint threat detection and response systems because of this requirement. Everybody hates agents IT operations groups invariable resist products that require yet another agent. It turns out their concerns are legitimate, as: 2 In 2013 attackers were present on victim s networks an average of 229 days before being discovered, according to the Mandiant 2014 Threat Report. Even then, only 33% of the victim s discovered the breach themselves; the other 67% were notified by an external entity. 3 "Competitive Landscape: Endpoint Detection and Response Tools, 2014", Gartner, Inc., Lawrence Pingree, November 26, 2014; Prepare for the Post- AV Era Part 1: Five Alternatives to Endpoint Antivirus, Forrester Research, by Chris Sherman, June 9, 2014; Worldwide Specialized Threat Analysis and Protection Forecast, IDC Market Analysis, by Charles Kolodgy and Phil Hochmuth, August

3 Every new agent needs to go through elaborate interoperability testing to ensure it doesn t affect users or interfere with other software on endpoints. Nothing irritates employees more than downtime due to a security product. Desktop teams are already bogged down distributing, installing and managing multiple agents on every endpoint (often 5 or more), not to mention upgrading operating systems, deploying new mission critical applications, and supporting users. The last thing they want is yet another agent to deal with. Agents can degrade performance, disrupt users, conflict with existing system software, and even destabilize the operating system, all of which impact user productivity. As a result, most organizations have postponed the deployment of EDR systems, despite the powerful benefits. Introducing Outlier: Agentless Zero Impact Cyber Defense The Outlier system is a zero impact solution that provides comprehensive endpoint monitoring, alerting, analysis and remediation capabilities without the use of endpoint agents. An infected computer holds a treasure trove of contextual digital evidence much like a real world crime scene has physical evidence. Logs, user and network histories and registries on each device act like digital recorders, retaining evidence for months or years to support historical analysis. This data can be used not only to pinpoint the presence of malware and threat- related activities, but also to create a detailed historical record of the actions and effects of attacks. Computers retain digital evidence about malicious activities The Outlier system continually collects digital evidence from endpoints throughout your network and applies advanced analytics, including statistical analysis, machine learning algorithms and cloud- based big data threat intelligence. The analytics platform replicates the best practices of world- class cyber threat investigators, in an automated, highly scalable manner. Using advanced diagnostic techniques it: Identifies and collects threat indicators on endpoints Discovers anomalies and outliers that show attack patterns relative to all of the systems in that specific enterprise. Dramatically reduces false positives by following the same type of multi- step reasoning process used by experienced incident responders. True Alerts and supporting evidence are available immediately to analysts, as well as a variety of underlying evidence and analytics graphs. Analysts can also query a comprehensive database of endpoint- related information in order to drill down into evidence of threat- related activities on endpoints across the enterprise to accelerate the investigation. 3

4 And the Outlier system is agentless, eliminating the primary issue that has prevented organizations from embracing EDR. It can be deployed and managed with far less operational overhead and cost than agent- based products, because it uses an innovative fast scanning approach to gather digital evidence from endpoints. Endpoint scans are passive and unobtrusive, with no impact on users. Deployment and operational costs are also minimized because Outlier leverages a cloud- based Software as a Service (SaaS) model that requires only a single on- premises Data Vault to manage endpoint monitoring. (See the How it Works section below). Use Cases: Endpoint Monitoring, Validating Alerts, Incident Response and Remediation Endpoint monitoring The Outlier system can be used as a tool for endpoint monitoring and threat detection. In this capacity it increases the productivity and scalability of security and incident response teams by: Alerting analysts to threats, by compiling and analyzing endpoint information and finding indicators of compromise and anomalous behaviors. Providing endpoint threat data that would otherwise take hours or days to collect. Using sophisticated threat analysis to eliminate most false positives. Providing unique query capabilities designed specifically for security incident responders. Validating alerts from SIEM systems and other security tools The Outlier system validates alerts created by Security Information and Event Management (SIEM) systems, Next- Generation Firewalls (NGFWs), Intrusion Prevention Systems (IPSes), anti- malware packages and other security products. These tools provide numerous alerts about possible malware and threat- related events on endpoints, but many of these alerts turn out to be false positives. Additionally these alerts don t provide nearly enough contextual endpoint data for incident responders to understand what really happened. Outlier can play an important role in ensuring your responders focus on what is real and don t waste time on what isn t. For example, a network sensor might alert on a malicious PDF file delivered to a particular endpoint. However, the network sensor would not know if the malicious file actually detonated or not. The network sensor would not know if detonation resulted in other malicious software tools being downloaded to the endpoint or successful lateral movement to neighboring computers. The security analyst would have only half the story. Outlier provides a complete story and allows analysts to focus on the real threats, filter out the numerous false positives, and start reviewing endpoint data immediately, without spending hours collecting data. 4

5 Rapid data collection for incident response and security assessments The Outlier system is also an ideal tool for incident response teams and security service firms to collect data from hundreds or thousands of endpoints, on demand. Setup is easy, since there are no agents to install on the target endpoints, and each data collection point ( Data Vault ) can support thousands of systems across an entire business unit. Whether the goal is discovering the actions of a newly- detected attack, identifying which systems have been compromised and require remediation, or conducting a one- time security assessment, no other endpoint threat detection solution is as fast and easy to deploy as the Outlier system. Automated Remediation to Clean Up Infected Computers Alerts include automatic clean up of infected computers with a click of the remediation button. Malicious files and associated registry keys are removed. Changes are enacted with the next system reboot. Alerts also include contextual information identifying the user account and network communications associated with the detected malware, providing the security investigator with actionable information to modify user credentials and block malicious traffic. How Outlier Works Figure 1 presents an overview of the Outlier system. Figure 1: Overview of the Outlier System: Endpoint data collection, security analytics, true alerts, security decision support and automated remediation Endpoint data collection The Outlier system uses agentless scanning technology to collect digital evidence from Windows systems, replicating what an expert security investigator would do in an automated 5

6 and scalable fashion. The sources of evidence include system, network and application logs, browser history files, system files, binaries, and running processes. Endpoint scans are done by the on- premise Data Vault (see Figure 1) using native Windows networking services. These scans have no impact on users, because they are passive, unobtrusive, and completed in between 2 and 45 seconds, depending on the type of scan. The Data Vault is provisioned from the cloud and installed on one or more servers within the enterprise network, depending on the organization s topology. The Data Vault can initiate endpoint scanning on a schedule or on demand. It requires only the IP ranges of the systems to be scanned and domain admin credentials, which are encrypted before they are stored in the Data Vault. A single Data Vault can manage scanning for thousands of endpoints. Automate the best practices of expert cyber security investigators No customer confidential data is sent to the cloud. The Data Vault sends only calculated data, metadata and binaries, but not application data or any protected information, over an SSL encrypted link to the Outlier analytics engine in the cloud. Security Analytics The Outlier Analytics Platform incorporates the knowledge and best practices of world- class cyber threat investigators and applies them in near- real time across the endpoints of an entire enterprise. The Outlier system provides analytic capabilities that go far beyond detecting known IOCs, and give it the ability to identify new and unknown malware, zero- day threats, APTs, targeted attacks, polymorphic malware, lateral movement, hacker behaviors, system misuse and other advanced threats. Outlier s analytics go far beyond IOCs and signatures The Analytics Platform uses a proprietary multi- stage reasoning process to separate real threats from low- risk indicators and false positives. This reasoning process follows the same steps that would be employed by an experienced and highly skilled cyber threat analyst, allowing your team to focus on the alerts that matter. For example, the system might detect an application file with a registry setting that causes it to be persistently installed at start- up. That is a common feature of malware and of some legitimate applications employed every day by computer users. To determine if the file is a real threat or a false positive, the Outlier Analytics Platform would go through a series of tests: Does the file appear on industry white lists or blacklists, does it turn up in a search engine query, does the code include text strings or function calls typically found in malware, has it attempted to access data or communicate outside the network during non- work hours? 6

7 The statistical methods and reasoning processes are constantly being refined and optimized through machine learning within the Analytics Platform and research from Outlier Security s staff of cyber threat analysts. In addition, customers can provide input by instructing the system to scrub (ignore) events that are not threatening in the context of their organization. True alerts and security decision support The Analytics Platform combines the results from multiple forms of analysis to assign a suspicion score to every security event and artifact detected. Suspicion scores are continually updated: the risk score of a specific workstation or an unknown file might start low and increase (or decrease) based on the additional behaviors and events observed on that system and on other systems in the enterprise. True alerts with contextual endpoint information High suspicion scores trigger true alerts to designated security team members. These alerts are accompanied by contextual endpoint data that helps the analyst quickly verify the existence of the threat and begin planning remediation steps. Because of the sophisticated analytics the Outlier system uses to separate real threats from false positives, the security team can place a great deal of confidence in true alerts. Many organizations interested in endpoint monitoring and in validating alerts from other security tools (see the discussion of use cases above) may choose to deploy the Outlier system solely for the fast data collection and high reliability provided by the true alerts. However, some of these organizations, as well as those interested in incident response and security assessment, will want to use the security decision support capabilities provided by the Analytics Platform. These include: Severity ratings and endpoint information associated with potential threats (that is, files and artifacts that fall below the threshold for true alerts). Charts and graphs that allow security experts and managers to observe trends and focus on high- risk areas. Timeline analyses, statistical analyses, and other analytical tools that help security teams understand in detail the actions of malware and the intentions of attackers. A powerful query capability, designed specifically for incident responders. The query capability uses regular expressions to search and filter information based on machines and IP ranges, users, file hashes, text strings and other variables. Security analysts can compare information across an entire business unit or enterprise, or drill down to find a single infected endpoint and determine the events that occurred during and after the infection. 7

8 Summary Security- conscious organizations have recognized the need to strengthen their incident response capabilities in order to detect and remediate attacks faster. Yet they are severely handicapped by the lack of practical tools to collect and analyze data on endpoints, and actually undermined by SIEM and other tools that generate vast numbers alerts without the ability to distinguish real threats from false positives. They are forced to rely on highly skilled security professionals to conduct manual analyses of potentially infected endpoints a model that is costly and non- scalable. New products, variously called Endpoint Detection and Response (EDR), Endpoint Visibility and Control (EVC), or Specialized Threat Analysis and Detection (STAP) systems, are designed to address these issues. However, most are simply not practical for most organizations because they require burdening IT operations and users with yet another agent on every endpoint. The Outlier system provides the answer: agentless monitoring, threat validation and analysis for endpoints. It replicates the best practices of world- class cyber threat investigators in order to pinpoint known malware and Indicators of Compromise (IoCs), to identify anomalies and outliers that show suspicious behavior, and to eliminate false positives by following the multi- step reasoning processes used by experienced incident responders. The Outlier system is quickly deployed across an enterprise, minimizing operational overhead. Endpoint scans are fast and unobtrusive, ensuring a non- disruptive experience for users. Security teams can have high confidence that true alerts represent real threats. They can also use unique query capabilities to find threat- related activities on endpoints across the enterprise quickly and accurately, and to drill down into evidence of threat- related activities on specific systems when doing an investigation. The system provides an automated remediation capability to automatically clean remote computer of malicious files. The Outlier system helps organizations eliminate vulnerabilities on endpoints and reduce risk, increase the productivity and scalability of security and incident response teams, improve the ROI on existing security tools like SIEM systems, and shorten the time needed to detect, analyze and remediate zero- day attacks and advanced threats. Outlier s SaaS agentless system delivers the lowest total cost of ownership For more information contact Outlier Security 1150A HWY 50, Box 487 Zephyr Cove, NV Telephone: info@outliersecurity.com 8