Advancements in attack evasion techniques are making new threats extremely difficult to detect. The recent Duqu 2.0 malware, which was used to hack the Iranian nuclear pact discussions, Kaspersky Lab, and an ICS/SCADA hardware vendor, is a prime example. To keep up, a new security model that uses a different approach to the traditional “evidence of compromise” process is needed.
This Next Generation Endpoint Protection (NGEPP) model needs to address six core pillars that, when taken together, can detect the most advanced attack methods at every stage of their lifecycle:
* Prevention. NGEPP must leverage proven techniques to stop known threats in-the-wild. A layer of preemptive protection can block existing threats before they can execute on endpoints. Instead of relying only on one vendor’s intelligence, it’s now possible to collectively tap more than 40 reputation services via cloud services to proactively block threats. This approach also uses a lightweight method to index files for passive scanning or selective scanning, instead of performing resource-intensive system scans.
* Dynamic Exploit Detection. Using exploits to take advantage of code level vulnerabilities is a sophisticated technique used by attackers to breach systems and execute malware. Drive-by downloads are a common threat vector for carrying out exploit attacks. NGEPP should provide anti-exploit capabilities to protect against both application and memory-based attacks. This should be achieved by detecting the actual techniques used by exploit attacks -- for example: heap spraying, stack pivots, ROP attacks and memory permission modifications -- not by using methods that are dependent on static measures, like shellcode scanning. This approach is much more reliable, since the exploitation techniques themselves are not as easy to change or modify as the shellcode, encoder, dropper and payload components used in malware.
* Dynamic Malware Detection. Detecting and blocking zero-day and targeted attacks is a core NGEPP requirement. This involves real-time monitoring and analysis of application and process behavior based on low-level instrumentation of OS activities and operations, including memory, disk, registry, network and more. Since many attacks hook into system processes and benign applications to mask their activity, the ability to inspect execution and assemble its true execution context is key. To protect against a variety of attacks and scenarios this detection capability is most effective when performed on the device. For example, even if an endpoint is offline, it can be protected against USB stick attacks.
While many vendors now offer endpoint visibility, which is a leap forward, it cannot detect zero day attacks which do not exhibit any static indicators of compromise. Dynamic behavioral analysis that does not rely on prior knowledge of a specific indicator to detect an attack, is required when dealing with true zero threats.
* Mitigation. Detecting threats is necessary, but insufficient. The ability to perform mitigation must be an integral part of NGEPP. Mitigation options should be policy-based and flexible enough to cover a wide range of use cases, such as quarantining a file, killing a specific process, disconnecting the infected machine from the network, or even completely shutting it down. In addition, mitigation should be automated and timely. Quick mitigation during inception stages of the malware lifecycle will minimize damage and speed remediation.
* Remediation. During execution malware often creates, modifies, or deletes system file and registry settings and changes configuration settings. These changes, or remnants that are left behind, can cause system malfunction or instability. NGEPP must be able to restore an endpoint to its pre-malware, trusted state, while logging what changed and what was successfully remediated.
* Forensics. Since no security technology will ever be 100% effective, the ability to provide real-time endpoint forensics and visibility is a must for NGEPP. Clear and timely visibility into malicious activity that has taken place on endpoints across an organization is essential to quickly assess the scope of an attack and take appropriate responses. This requires a clear, real time audit trail of what happened on an endpoint during an attack and the ability to search for indicators of compromise across all endpoints.
To completely replace the protection capabilities of existing legacy, static-based endpoint protection technologies, NGEEP needs to be able to stand on its own to secure endpoints against both legacy and advanced threats throughout various stages of the malware lifecycle. The six pillars described above provide the 360 degrees of protection required for the Cloud generation, where the endpoint has become the new security perimeter.
Weingarten is one of the founders and CEO of SentinelOne, a startup formed by an elite team of cyber security engineers and defense experts that joined forces to reinvent endpoint protection. With decades of collective experience, SentinelOne founders honed their expertise while working for Intel, McAfee, Checkpoint, IBM, and elite units in the Israel Defense Forces.