What is Next Generation Endpoint Protection?
By now you have probably heard the term Next Generation Endpoint Protection. A slew of companies, startups and incumbents alike, are using the term to describe some of their offerings. But what does it actually mean? What capabilities should you look for in a Next Generation Endpoint Protection Platform? What makes it next generation?
Overview

This whitepaper lays out and defines the critical core pillars of a next generation endpoint protection platform (NGEPP), the role of each, and the challenge each addresses. In addition, it provides recommendations and capabilities to look for when deciding to implement NGEPP solutions in a modern enterprise environment.

Summary

The ineffectiveness of traditional endpoint protection has spurred the rise of solutions seeking to fill the gap. A next generation endpoint protection solution requires certain capabilities to secure the next generation of endpoints by stopping the next generation of threats. To avoid repeating the mistakes of the past, comprehensive protection needs to support multiple platforms and integrate the following pillars into a single agent:

- Prevention
- Dynamic exploit protection
- Dynamic malware protection
- Mitigation
- Remediation
- Forensics
Background

Due to the immense number of threats, high profile successful attacks, and the growing ineffectiveness of traditional security solutions, a new model is needed to protect ever evolving endpoints from a new age of malware. Endpoints are no longer just desktop computers running a Windows operating system. When we say endpoint, we mean any type of machine that can execute code, including laptops, desktops, servers, mobile devices, embedded devices, SCADA systems, and even IoT devices. It is obviously a very different world, and as endpoints evolve, the difficulty of keeping them protected from sophisticated attackers also increases.

As attackers evolve, they use different techniques to evade traditional security solutions (such as endpoint antivirus, gateway antivirus, and even IPS, IDS and firewalls), which are based on static signatures to identify malicious files, URLs or IP addresses. Common techniques include polymorphic malware, packers and wrappers, and other methods that take a known binary and cause it to appear completely new, unknown, and benign on the surface. Defenders needed a new way to identify whether an unknown file was malicious or benign.
Network-based sandboxes

To address this need, vendors created network-based sandboxes, also known as Breach Detection Systems (BDS) or Advanced Threat Detection systems, that in essence emulate the execution of unknown files inside a virtual machine residing on the network and monitor the file's behavior throughout its execution inside the virtual, emulated environment. Attackers quickly realized that, while their current packing techniques and malware variations could not evade these sandboxes as easily as they bypassed static signature-based solutions, with various other techniques they could either:

- Detect that they are running inside a sandbox and not on the real end device they want to compromise
- Take advantage of inherent conceptual sandbox faults (limited emulation time, lack of user interaction, and only a specific image of the OS)

Attackers use these techniques to help ensure their file and malicious code will not run in the emulated environment, will be flagged as benign, and will continue its route to the end device and only run there (where the endpoint AV can do little to stop it).

Scene of the crime

It's become clear that truly effective endpoint protection needs to be at the scene of the crime: the endpoint, the place where malicious code has to run and cannot evade.
Next Generation Endpoint Protection

In an era when attackers automatically generate and tailor files per target, using static methods to try to determine whether a file is malicious or benign is futile. In addition, analyzing a binary's structure to identify similarities among different files or families of malware is only marginally more effective, since attackers can quickly adapt and create more significant variations that will render statistical, mathematical models almost as useless as a normal static signature. While this approach may be labeled next generation, it simply returns us to the same cat and mouse game of catch up.

A new, more robust, disruptive approach was needed, one that focuses on the actual core of malware, its behavior, which cannot change as easily as its hash or other static indicators. The ability to see what is running on an endpoint, and how every application or process is behaving, was the biggest missing piece in solving the malware problem.

A New Approach

A comprehensive next generation endpoint protection solution needs to profile, track, assemble a context and identify malicious patterns of behavior across the entire malware lifecycle of execution, in real time and on the end device. In essence, full, live system monitoring is one of the core pillars of a Next Generation Endpoint Protection Platform. Effective protection against modern, sophisticated threats requires a disruptive innovation in the way threats are detected, blocked, mitigated, remediated, and analyzed. A next generation endpoint protection solution needs to stand on its own to secure endpoints against both legacy and advanced threats throughout the various stages of the malware lifecycle. Administrators must be confident they can completely replace the protection capabilities of their existing legacy, static-based solution with one labelled as next generation endpoint protection.
Next Generation Endpoint Protection Platform Critical Pillars

- Real-time analysis & root cause forensic investigation
- Rollback & Immunize - Automatic remediation to undo system changes
- Automatic Mitigation - Quarantine files and endpoints
- Dynamic Exploit Detection - Protect from app and memory based exploits, drive by downloads
- Dynamic Execution Inspection - Full system monitoring to protect from evasive, packed malware, social engineering/spearphishing
- Reputation-based preemptive block & prevention policies - Protect from known threats
Prevention

While next generation endpoint protection at its core needs a new approach to stop advanced malware and zero-day threats, it should also leverage proven techniques to stop known threats that are in the wild. A layer of preemptive protection allows NGEPP to block existing, known threats before they can execute on endpoints. But unlike the past, when you could benefit from only one vendor's reputation services and intelligence, you can now leverage up-to-the-minute cloud intelligence, select among reputation services, and enjoy wider coverage.

Recommendation: Choose an NGEPP solution that can not only leverage multiple vendors' reputation services to proactively block threats, but also uses a lightweight method to index files (passive scanning or selective scanning) instead of resource-heavy system scans.

Dynamic Exploit Detection

Leveraging exploits is a sophisticated technique used by attackers to breach systems and execute malware. Drive-by downloads are a common threat vector for these exploit attacks. An NGEPP solution needs anti-exploit capabilities to protect against attacks that leverage both application and memory-based exploits.

Recommendation: An NGEPP solution must be able to demonstrate detection of memory exploits using methods that do not depend on static measures like shellcode scanning, but instead detect the actual techniques used by exploit attacks (for example heap spraying, stack pivots, ROP attacks, and memory permission modifications). These prove to be a much more robust method of detecting exploitation attempts, as they are not as easily changed and modified as the shellcode, droppers and payloads that are typically involved.
Dynamic Malware Detection

At the core of an NGEPP solution is the ability to stop zero-day and targeted attacks. This dynamic malware detection capability requires real-time monitoring and analysis of application and process behavior based on low-level instrumentation of OS activities and operations, including memory, disk, registry, network, and more. Since attackers have learned to take advantage of hooking into system processes and benign applications to mask their malicious activity, the ability to inspect execution and assemble the true execution context is key. The detection intelligence must be local to the agent to protect against a variety of attacks and scenarios; for example, when the endpoint is offline, the local detection intelligence can still protect against infected USB sticks.

Recommendation: Look beyond the indicator. While using low-level endpoint visibility to seek indicators of compromise is a leap forward from the visibility network products deliver, it still stops short in dealing with attacks that have never been seen before and therefore cannot be identified with any static indicators of compromise. Dynamic behavioral analysis, an approach that does not rely on prior knowledge of a specific indicator to detect an attack, will prove superior when dealing with true zero days, which will rarely display any static indicator of compromise even though their behavior will remain the same and can be recognized. Ensure the NGEPP solution can dynamically detect zero-day threats and advanced malware without the need for static measures.

Mitigation

Detecting threats is necessary but insufficient, and the ability to perform mitigation (either manually or through automation) needs to be an integral part of an NGEPP solution's capabilities. The mitigation options should be policy-based and flexible enough to cover a wide range of use cases; for example, quarantining a file, killing a specific process, disconnecting the infected machine from the network, or even completely shutting it down.

Recommendation: After confirming the NGEPP solution has mitigation capabilities, make sure that automatic mitigation is possible and is performed in a timely manner (e.g., if the product needs to phone home to a central server to receive a mitigation command, it might be too late). Quick mitigation during the inception stages of the malware lifecycle will minimize damage and speed remediation.
Remediation

During execution, malware often creates, modifies, or deletes system files and registry settings, as well as making changes to configuration settings. These changes or remnants left behind can cause system malfunction or instability. An NGEPP solution needs the ability to restore an endpoint to the pre-malware execution state.

Recommendation: As with mitigation capabilities, confirm the presence of remediation functionality along with visibility regarding what changed and what was successfully remediated.

Forensics

Since no solution is always 100% effective, the ability to provide real-time endpoint forensics is a must for an NGEPP solution. Clear and timely visibility of malicious activities that have taken place on endpoints across an organization is essential for security staff to quickly identify the scope of the problem, report to others both vertically and horizontally across the organization, and make better decisions based on the provided data.

Recommendation: Choose an NGEPP solution that provides full visibility, in a simple-to-understand display, of what happened on an endpoint during an attack in real time, and that provides the capability to search for IOCs across endpoints.
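The "restore to the pre-malware execution state" remediation pillar, and the visibility into what changed and what was remediated, modelled as a snapshot-and-rollback of a monitored directory. This is an added illustration, not SentinelOne's code; it covers file changes only (a registry journal would follow the same pattern), and the "malware run" in demo() is a constructed scenario in a temporary directory.

```python
import tempfile
from pathlib import Path


def snapshot(root):
    """Record the bytes of every file under root, keyed by POSIX-style relative path.
    A production agent journals changes as they happen from its kernel driver; a
    full snapshot is the simplest model of the same 'known-good state'."""
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            state[path.relative_to(root).as_posix()] = path.read_bytes()
    return state


def diff(before, after):
    """Classify the changes between two snapshots as created, deleted or modified."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
    }


def rollback(root, before):
    """Undo every change made since 'before' and return the remediation report,
    which is the 'what changed / what was remediated' view an operator needs."""
    changes = diff(before, snapshot(root))
    for rel in changes["created"]:                       # dropped artifacts are removed
        (root / rel).unlink()
    for rel in changes["modified"] + changes["deleted"]:  # originals are written back
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(before[rel])
    return changes


def demo():
    """Constructed scenario: the 'malware run' drops a binary, rewrites a config
    and wipes a log; rollback returns the tree to the pre-execution snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_bytes(b"update_host=updates.example.invalid\n")
        (root / "audit.log").write_bytes(b"boot ok\n")
        before = snapshot(root)

        # simulated malicious changes (constructed sample data, not real malware)
        (root / "dropper.bin").write_bytes(b"\x00constructed-sample\x00")
        (root / "etc" / "app.conf").write_bytes(b"update_host=c2.example.invalid\n")
        (root / "audit.log").unlink()

        report = rollback(root, before)
        return report, snapshot(root) == before


if __name__ == "__main__":
    report, restored = demo()
    print(report, "restored:", restored)
```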
Beyond the Pillars - Additional Considerations

Always On Protection
Description: With the cloud completely changing where assets are located, and how users are accessing them, the definition of a secure perimeter is changing. This further illustrates the need for an autonomous endpoint agent that can monitor and protect against malware attacks even when a user is outside the workplace in a much less secure environment, but can still access sensitive assets. Outside of the network, roaming users are still connecting to the Internet, swapping USB drives, and working for periods offline.
What to look for: Solutions that can protect endpoints both on and off the network, and whether they are online or offline (in other words, the ability to detect attacks and take action is contained in the agent and doesn't require any type of offloading of data for centralized analysis or decision making).

Cross-Platform Support
Description: The definition of endpoint has expanded, as the enterprise is no longer just a homogeneous collection of machines running Windows operating systems. An NGEPP needs to support multiple platforms to fit the needs of modern enterprises, which have become a heterogeneous mix of endpoints.
What to look for: Solutions that can be managed from a single console and support Windows and non-Windows endpoints, including OS X and mobile operating systems.

Performance
Description: Endpoint security solutions must remain unobtrusive and cannot interfere with the end-user's productivity. This is especially important for NGEPP solutions, which must run on the end-user's device to effectively protect it and provide the necessary visibility of the endpoint's health.
What to look for: Stay away from solutions that work in-line and can delay execution of applications (opt for asynchronous processing).
False Positives
Description: There is always a balance between monitoring for true zero-day attacks and false positives. An NGEPP solution should have mechanisms in place to minimize false positives to maintain a high degree of confidence in the solution.
What to look for: Solutions that can baseline an environment and learn automatically what applications can and cannot run.

Scale
Description: To be enterprise-ready, a viable NGEPP solution needs the capability to scale to thousands of endpoints in both centralized and highly distributed environments. This requires that the agent be lightweight, the agent-to-server transport be kept to a minimum, and the server itself be able to scale to support endpoint growth.
What to look for: Stay away from big data type solutions that need massive storage and compute power on the server side in order to crunch a lot of data. These will typically not scale well and introduce a lot of latency.

Tamper Proof
Description: An NGEPP must have measures in place to protect itself and prevent malware from disabling or interfering with the protection. As an NGEPP solution becomes more effective and harder to bypass, attackers will look for ways to compromise the protection to increase the probability of a successful attack.
What to look for: Solutions that are installed at a low level in the operating system (i.e., kernel level). Agents that are active in both user space and kernel space are less likely to be circumvented, and solutions that have visibility into system events can in most cases detect tampering attacks, unlike solutions that don't monitor process execution.

Integrations
Description: Enterprises use various solutions to collect threat information and indicators of compromise to monitor the health status of their organizations and perform timely mitigation. In addition, while protecting endpoints is critical, an NGEPP solution also needs to be a piece of the overall security picture by easily integrating into an organization's security infrastructure.
What to look for: Solutions that can offload indicators to SIEMs or other tools using industry standard formats (CEF, STIX, OpenIOC), and can integrate with leading network security solutions.
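What offloading a detection to a SIEM in one of the named industry standard formats looks like in practice: the encoder below renders an endpoint detection as an ArcSight CEF line, including the escaping rules that a naive string join gets wrong (pipe and backslash in header fields; backslash, '=' and line breaks in extension values). This is an added example, not SentinelOne's code; the vendor/product names are placeholders and the event in sample_event() is constructed. STIX and OpenIOC are XML/JSON documents and are not covered here.

```python
def _escape_header(value):
    """CEF header fields: only backslash and pipe are special."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    """CEF extension values: backslash, '=' and line breaks are special."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event, vendor="ExampleVendor", product="ExampleNGEPP", version="1.0"):
    """Render one detection as CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension.
    vendor/product/version are placeholders standing in for the agent's own identity."""
    severity = int(event["severity"])
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be an integer from 0 to 10")
    for key in event["extension"]:
        # extension keys are bare tokens; a space or '=' would corrupt the parse
        if " " in key or "=" in key:
            raise ValueError(f"invalid CEF extension key: {key!r}")
    header = "|".join(_escape_header(v) for v in (
        vendor, product, version, event["signature_id"], event["name"], severity))
    extension = " ".join(f"{k}={_escape_extension(v)}"
                         for k, v in event["extension"].items())
    return f"CEF:0|{header}|{extension}"


def sample_event():
    """Constructed behavioral detection whose fields deliberately contain the
    characters that must be escaped: a pipe in the name, backslashes in the
    process path and an '=' in a custom string field."""
    return {
        "signature_id": "behavioral.ransomware",
        "name": "Mass file encryption|rename burst",
        "severity": 9,
        "extension": {
            "rt": 1452854527000,            # receipt time as epoch milliseconds
            "dvchost": "ws-0417",           # endpoint that raised the alert
            "suser": "jdoe",
            "sproc": "C:\\Users\\jdoe\\Downloads\\invoice.exe",
            "act": "kill process",          # mitigation action the agent took
            "cs1Label": "stage",
            "cs1": "execution=blocked",
        },
    }


def sample_cef():
    return to_cef(sample_event())


if __name__ == "__main__":
    print(sample_cef())
```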
Gartner Adaptive Security Architecture [1]
Description: The adaptive security architecture as defined by Gartner includes four stages (Preventive, Detective, Predictive, and Retrospective) along with the assertion that continuous monitoring and analytics must serve as the core of the architecture. An NGEPP solution should align with this architecture and its four stages to deliver comprehensive, adaptive protection from attacks.
What to look for: Compare the NGEPP solution to the Gartner Adaptive Security Architecture to ensure the capabilities map to the four stages and to identify any gaps.

Figure: Next generation endpoint security mapped to the Adaptive Security Architecture (Continuous Monitoring and Analytics at the core)

Predictive
- Determines the threat's next action based on attack patterns, malware techniques, and up-to-the-minute crowdsourced threat intelligence
- Predicts attack patterns, utilizing automated real-time analysis and machine learning
- Scans for application vulnerabilities, anticipates new threat tactics, and shields vulnerabilities

Preventive
- Leverages the cloud intelligence of over 40 scan engines to proactively block known threats
- Hardens defenses through dynamic whitelisting
- Diverts attackers utilizing anti-debugging and anti-analysis detection
- Uses SentinelOne's Auto Immune to prevent newly detected threats from spreading
- Automatically mitigates threats to minimize impact and reduce administrative overhead

Detective and Retrospective
- Integrates with firewalls and IPS to send immune data at the network level
- Detects incidents and tags anomalies using EDR's real-time behavioral detection engine
- Real-time forensic data allows you to track threats in real time or investigate post-attack
- Dynamic, graphical forensic reports allow you to identify where attacks originated and trace malicious actions
- Speeds incident response and automates threat removal to accelerate cleanup
- Confirms and prioritizes risk by setting an aggressiveness level and defensive action
- Contains threats by automating mitigation actions including: shutdown, network disconnect, halt system, kill process, and quarantine
- Remediates and adapts protection through Shadow Immune, dynamic blacklisting, hash and IP filters

[1] Gartner, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, Neil MacDonald and Peter Firstbrook, 12 February 2014.
Conclusion

In the era of the cloud, and of data access from everywhere, endpoint protection becomes more relevant than ever, and the need to secure users wherever they are has never been greater. However, without a clear definition of next generation endpoint protection, confusion about which offerings in the market can effectively secure endpoints will continue. To truly protect enterprise endpoints against continuously evolving, sophisticated, advanced threats, an effective next generation endpoint protection must be installed on the endpoint itself, support multiple platforms, and include the following critical pillars: preemptive protection, dynamic exploit protection, dynamic malware protection, mitigation, remediation, and forensics.

About SentinelOne

SentinelOne is a startup formed by an elite team of cyber security engineers and defense experts who joined forces to reinvent endpoint protection. With decades of collective experience, SentinelOne's founders honed their expertise while working for Intel, McAfee, Checkpoint, IBM, and elite units in the Israel Defense Forces. They came together in 2013 to build a new security architecture that could defeat today's advanced threats and nation state malware. SentinelOne was the first company to coin the term next generation endpoint protection, and to use it to describe its product offering and vision.

SentinelOne, 2513 E. Charleston Rd, Mountain View, CA
Persistence Mechanisms as Indicators of Compromise
Persistence Persistence Mechanisms as Indicators of Compromise An automated technology for identifying cyber attacks designed to survive indefinitely the reboot process on PCs White Paper Date: October
Incident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com
Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices
Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it
Complete and high performance protection where you need it Overview delivers high-performance protection against physical and virtual server downtime with policy based prevention, using multiple protection
WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform
WHITE PAPER Cloud-Based, Automated Breach Detection The Seculert Platform Table of Contents Introduction 3 Automatic Traffic Log Analysis 4 Elastic Sandbox 5 Botnet Interception 7 Speed and Precision 9
Invincea Advanced Endpoint Protection
SOLUTION OVERVIEW Invincea Advanced Endpoint Protection A next-generation endpoint security solution to defend against advanced threats combining breach prevention, detection, and response The battle to
Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security
4 0 0 T o t t e n P o n d R o a d W a l t h a m, M A 0 2 4 5 1 7 8 1. 8 1 0. 4 3 2 0 w w w. v i e w f i n i t y. c o m Utilizing Pervasive Application Monitoring and File Origin Tracking in IT Security
SentinelOne Labs. Advanced Threat Intelligence Report. 2015 Predictions
SentinelOne Labs Advanced Threat Intelligence Report 2015 Predictions 2014 Rearview More, Better Malware The past 12 months were characterized by the extension of threats that emerged in 2013: more sophisticated,
Avoiding the Top 5 Vulnerability Management Mistakes
WHITE PAPER Avoiding the Top 5 Vulnerability Management Mistakes The New Rules of Vulnerability Management Table of Contents Introduction 3 We ve entered an unprecedented era 3 Mistake 1: Disjointed Vulnerability
INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH
INTRUSION PREVENTION SYSTEMS: FIVE BENEFITS OF SECUREDATA S MANAGED SERVICE APPROACH INTRODUCTION: WHO S IN YOUR NETWORK? The days when cyber security could focus on protecting your organisation s perimeter
Devising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper Trend Micro, Incorporated» A detailed account of why Gartner recognizes Trend Micro as a leader in Virtualization and Cloud
Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team
Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................
Securing the Internet of Things OEM capabilities assure trust, integrity, accountability, and privacy.
Securing the Internet of Things OEM capabilities assure trust, integrity, accountability, and privacy. The number of Internet-connected smart devices is growing at a rapid pace. According to Gartner, the
Integrated Protection for Systems. João Batista [email protected] Territory Manager
Integrated Protection for Systems João Batista [email protected] Territory Manager 2 McAfee Overview Proven Expertise And what it means to you Proof of Expertise Impact of Expertise 1 17 100 300
you us MSSP are a Managed Security Service Provider looking to offer Advanced Malware Protection Services
MSSP you us are a Managed Security Service Provider looking to offer Advanced Malware Protection Services Lastline is the only company with 10+ years of academic research focused on detecting advanced
Devising a Server Protection Strategy with Trend Micro
Devising a Server Protection Strategy with Trend Micro A Trend Micro White Paper» Trend Micro s portfolio of solutions meets and exceeds Gartner s recommendations on how to devise a server protection strategy.
Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection
White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division
Automate the Hunt. Rapid IOC Detection and Remediation WHITE PAPER WP-ATH-032015
Rapid IOC Detection and Remediation WP-ATH-032015 EXECUTIVE SUMMARY In the escalating war that is cyber crime, attackers keep upping their game. Their tools and techniques are both faster and stealthier
Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC
WHITE PAPER Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC www.openioc.org OpenIOC 1 Table of Contents Introduction... 3 IOCs & OpenIOC... 4 IOC Functionality... 5
The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know
The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know I n t r o d u c t i o n Until the late 1990s, network security threats were predominantly written by programmers seeking notoriety,
How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform
How McAfee Endpoint Security Intelligently Collaborates to Protect and Perform McAfee Endpoint Security 10 provides customers with an intelligent, collaborative framework, enabling endpoint defenses to
Things To Do After You ve Been Hacked
Problem: You ve been hacked! Now what? Solution: Proactive, automated incident response from inside the network Things To Do After You ve Been Hacked Tube web share It only takes one click to compromise
White Paper. Advantage FireEye. Debunking the Myth of Sandbox Security
White Paper Advantage FireEye Debunking the Myth of Sandbox Security White Paper Contents The Myth of Sandbox Security 3 Commercial sandbox evasion 3 Lack of multi-flow analysis and exploit detection 3
Advanced Threats: The New World Order
Advanced Threats: The New World Order Gary Lau Technology Consulting Manager Greater China [email protected] 1 Agenda Change of Threat Landscape and Business Impact Case Sharing Korean Incidents EMC CIRC
Extreme Networks Security Analytics G2 Vulnerability Manager
DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering
Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions
Application Whitelisting - Extend your Security Arsenal? Mike Baldi Cyber Security Architect Honeywell Process Solutions 1 Agenda What is Application Whitelisting (AWL) Protection provided by Application
Data Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec
The next generation of antivirus technology from Symantec Overview Advanced threat protection combines Symantec AntiVirus with advanced threat prevention to deliver an unmatched defense against malware
Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats
Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats Executive Summary Palo Alto Networks strategic partnership with Splunk brings the power of our next generation
Advanced Endpoint Protection
Advanced Endpoint Protection CONTAIN IDENTIFY CONTROL Nick Keller Director Federal Civilian Sales Duncker Candle Problem Solution Creativity, Change the Paradigm Why listen to me? Connect these 3 Companies
Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data
SEE everything in your environment LEARN by applying security intelligence to data ADAPT defenses automatically ACT in real-time Sourcefire Solutions Overview Security for the Real World Change is constant.
Concierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
SANS Top 20 Critical Controls for Effective Cyber Defense
WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a
Symantec Endpoint Protection 12.1.6
Data Sheet: Endpoint Security Overview Last year, we saw 317 million new malware variants, while targeted attacks and zero-day threats were at an all-time high 1. The threat environment is evolving quickly
WildFire. Preparing for Modern Network Attacks
WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends
egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game.
egambit Forensic egambit, your defensive cyber-weapon system. You have the players. We have the game. TEHTRI-Security 2010-2015 www.tehtri-security.com Forensic with egambit In this document, we will introduce
Data Sheet: Endpoint Security Symantec Protection Suite Enterprise Edition Trusted protection for endpoints and messaging environments
Trusted protection for endpoints and messaging environments Overview Symantec Protection Suite Enterprise Edition creates a protected endpoint and messaging environment that is secure against today s complex
A New Era of Cybersecurity Neil Mohammed, Sales Engineer
A New Era of Cybersecurity Neil Mohammed, Sales Engineer Copyright 2015 Raytheon Company. All rights reserved. R W Market Advantages Strong Financial Backing Accelerated Innovation Increased Breadth and
THREAT INTELLIGENCE CLOUD
THREAT INTELLIGENCE CLOUD Leveraging the Global Threat Community to Prevent Known and Unknown Threats Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com Executive
