Next-generation endpoint protection not as easy as it sounds

21 July 2015

Rather than looking for signatures of known malware as traditional antivirus software does, next-generation endpoint protection platforms analyse processes, changes and connections in order to spot activity that indicates foul play. While that approach is better at catching zero-day exploits, issues remain.

For instance, intelligence about what devices are doing can be gathered with or without client software. So businesses are faced with the choice of either going without a client and gathering less detailed threat information, or collecting a wealth of detail but facing the deployment, management and updating issues that come with installing agents.

Then comes the choice of how to tease out evidence that incursions are unfolding and to do so without being overwhelmed by the flood of data being collected. Once attacks are discovered, businesses have to figure out how to shut them down as quickly as possible.

Vendors trying to deal with these problems include those with broad product lines such as Cisco and EMC, established security vendors such as Bit9+Carbon Black, FireEye, ForeScout, Guidance Software and Trend Micro, and newer companies focused on endpoint security such as Cylance, Light Cyber, Outlier Security and Tanium. That is just a minute sampling; the field is crowded, and the competitors are coming up with varying ways to handle these issues.

The value of endpoint protection platforms is that they can identify specific attacks and speed the response to them once they are detected. They do this by gathering information about communications that go on among endpoints and other devices on the network, as well as changes made to the endpoint itself that may indicate compromise. The database of this endpoint telemetry then becomes a forensic tool for investigating attacks, mapping how they unfolded, discovering what devices need remediation and perhaps predicting what threat might arise next.

Agent or not?

The main aversion to agents in general is that they are one more piece of software to deploy, manage and update. In the case of next-gen endpoint protection, they do provide vast amounts of otherwise uncollectable data about endpoints, but that can also be a downside.

Endpoint agents gather so much information that it may be difficult to sort out the attacks from the background noise, so it is important that the agents are backed by an analysis engine that can handle the volume of data being thrown at it, says Gartner analyst Lawrence Pingree. The amount of data generated varies depending on the agent and the type of endpoint.

Without an agent, endpoint protection platforms can still gather valuable data about what machines are doing by tapping into switch and router data and monitoring Windows Network Services and Windows Management Instrumentation. This information can include who is logged in to the machine, what the user does, patch levels, whether other security agents are running, whether USB devices are attached, what processes are running, etc.

Analysis can reveal whether devices are creating connections outside what they would be expected to make, a possible sign of lateral movement by attackers seeking ways to victimise other machines and escalate privileges.
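
The kind of connection analysis described above can be sketched as a per-host baseline check. This is an added example, not code from the article or from any vendor it names; the flow record layout, the 10.0.0.0/8 internal range, the list of administration ports and the two-peer threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (day, source, destination, destination port).
FLOWS = [
    (1, "10.0.1.15", "10.0.0.5", 445),       # workstation -> file server
    (1, "10.0.1.15", "10.0.0.9", 443),       # workstation -> intranet site
    (2, "10.0.1.22", "10.0.0.5", 445),
    (3, "10.0.1.15", "10.0.0.5", 445),       # already in baseline: expected
    (3, "10.0.1.22", "10.0.1.15", 445),      # workstation -> workstation SMB
    (3, "10.0.1.22", "10.0.1.30", 3389),     # workstation -> workstation RDP
    (3, "10.0.1.15", "93.184.216.34", 443),  # external, out of scope here
]
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
ADMIN_PORTS = {135, 445, 3389, 5985}  # assumed remote-administration ports


def build_baseline(flows, last_baseline_day):
    """Record every (destination, port) each source used in the learning window."""
    baseline = defaultdict(set)
    for day, src, dst, port in flows:
        if day <= last_baseline_day:
            baseline[src].add((dst, port))
    return baseline


def unexpected_connections(flows, baseline, last_baseline_day):
    """Return per-source internal admin-port connections absent from the baseline."""
    findings = defaultdict(set)
    for day, src, dst, port in flows:
        if day <= last_baseline_day:
            continue
        if ip_address(dst) not in INTERNAL or port not in ADMIN_PORTS:
            continue
        if (dst, port) not in baseline.get(src, set()):
            findings[src].add((dst, port))
    return findings


def rank_hosts(findings, min_new_peers=2):
    """Keep hosts reaching several new internal peers; most new connections first."""
    ranked = [(src, sorted(conns)) for src, conns in findings.items()
              if len({dst for dst, _ in conns}) >= min_new_peers]
    return sorted(ranked, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    base = build_baseline(FLOWS, 2)
    print(rank_hosts(unexpected_connections(FLOWS, base, 2)))
```

A host that appears here is a lead for investigation rather than proof of compromise, since administrators and newly deployed services also produce first-time connections.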
