maxim weinstein

The term “next-generation endpoint security” is used often these days. It means different things to different people, so it is worth clarifying exactly what we are talking about when we use such a broadly defined term. With that in mind, I am going to answer some FAQs about next-generation endpoint security, building on previous SC Media articles I've written on this topic.

What's different about next-gen endpoint security, versus traditional AV? 

“Next-gen endpoint” can refer to any number of technologies that have been introduced into endpoint protection products in the past few years. Some of the most common are machine learning, behavior analysis, and exploit mitigation. The most effective products combine several technologies (often traditional and next-gen) to ensure high accuracy, low false positive rates, and a minimal impact on performance. 

How has the threat landscape changed, and why are these next-gen technologies important in protecting against the latest threats?   

There have been two major changes. First, the volume of malware, and its ability to mutate and disguise itself in new ways, has become extraordinary. Second, the attackers have become more sophisticated. Businesses are no longer just protecting against a computer getting infected. Now they're protecting against their business being breached. 

Next-gen tech doesn't try to spot known malware samples or families. Instead, it takes a more holistic approach to identifying whether a file, an action, or a pattern of behavior is a threat. When implemented well, it can be a valuable part of the complete endpoint security proposition: prevention (exposure and execution), detection, and response.

How does machine learning fit into a next-gen endpoint security strategy? 

Machine learning offers an important layer of protection as part of next-gen endpoint products, and multiple layers of defense are key to stopping endpoint attacks. Machine learning has the ability to detect both known and unknown malware before the file executes. This means that the malware is blocked before it ever has the ability to run on an endpoint and cause damage. Since machine learning does not rely on signatures, it can stop malware that has never been seen before by determining how similar it is to the universe of known threats. Machine learning is best when trained on very large data sets that have been analyzed and accurately categorized by experts.

What about behavior analytics? 

User and entity behavior analytics (UEBA) is still a relatively new technology. It is great at detecting anomalies, but it's not as good at isolating malicious activity. This means security pros need to dig further to see if there is an actual issue. The classic example that vendors seem to give is, “Fred was logged in in Utah. Two minutes later, he is logged in in Boston. This could be a compromise.” Yes, it could be. Fred probably hasn't invented travel at the speed of light. But, Fred might have just started using a VPN that routes his traffic through Boston. 

If you have a big team with time on their hands, UEBA can be a useful way of identifying actual compromises. However, it could also be a false alarm, the bane of SOC operations. Having highly trained, expensive IT staff chasing an anomaly and not a real threat is extremely expensive. 

UEBA can also be used to spot insider threats, such as an employee downloading large amounts of sensitive data. The key to UEBA is that it is attempting to see what is normal and what is abnormal for a specific user, versus a universal population. This is often helpful when trying to defend against an adversary that has already infiltrated the organization, as opposed to keeping them out in the first place. Again, though, this depends on having the resources and expertise to investigate each anomaly and determine whether it's a true threat. 
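The “Fred in Utah, then Boston two minutes later” case above is a classic impossible-travel check. The following is an added example, not code from the article or from any vendor product, showing how such a check is typically scored and how a known VPN egress location turns the alert into an informational finding rather than a suspected compromise. The coordinates, speed threshold and VPN allowlist are constructed assumptions.

```python
"""Impossible-travel check over constructed login events (added example).

Assumptions (not from the article): each login carries a user, a UTC
timestamp and approximate (lat, lon) coordinates; a set of known corporate
VPN egress locations is used to downgrade an otherwise impossible hop.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 1000.0  # roughly airliner speed; tune per organization

# Constructed approximate city-centre coordinates
SALT_LAKE_CITY = (40.76, -111.89)
BOSTON = (42.36, -71.06)

# Constructed allowlist: where the corporate VPN egresses to the internet
KNOWN_VPN_EGRESS = {BOSTON}

@dataclass
class Login:
    user: str
    when: datetime
    coords: tuple

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def classify_hop(prev, curr, vpn_egress=KNOWN_VPN_EGRESS):
    """Return 'ok', 'vpn_egress' or 'impossible_travel' for two consecutive logins."""
    hours = max((curr.when - prev.when).total_seconds(), 1.0) / 3600  # floor at 1 s
    speed_kmh = haversine_km(prev.coords, curr.coords) / hours
    if speed_kmh <= MAX_PLAUSIBLE_KMH:
        return "ok"
    # Physically impossible hop: if either end is a known VPN egress, the
    # likely explanation is the VPN, so report it as informational only.
    if curr.coords in vpn_egress or prev.coords in vpn_egress:
        return "vpn_egress"
    return "impossible_travel"

def triage(logins, vpn_egress=KNOWN_VPN_EGRESS):
    """Order one user's logins by time and classify every consecutive pair."""
    ordered = sorted(logins, key=lambda l: l.when)
    return [classify_hop(p, c, vpn_egress) for p, c in zip(ordered, ordered[1:])]

# Constructed events: Fred logs in from Utah, then from Boston two minutes later
T0 = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
FRED = [Login("fred", T0, SALT_LAKE_CITY), Login("fred", T0.replace(minute=2), BOSTON)]
```

With Boston on the VPN allowlist the pair scores as `vpn_egress`; remove it from the allowlist and the same two events score as `impossible_travel`, which is exactly the analyst judgement the article says UEBA still leaves to a human.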

What lessons should companies take away from the recent WannaCry ransomware attack? 

The most important lesson is the need for a multi-layered approach to security. The WannaCry attack took advantage of a recently patched Windows vulnerability to spread via the network, and then dropped previously unseen malware that encrypted users' files. Other ransomware has been spread via phishing emails, malicious URLs, application exploits, and document macros. This shows that a comprehensive security program, one that covers everything from your users' behavior to what enters your organization via email or web to how your endpoints are protected, is critical.

Next-gen endpoint protection is a valuable part of this multi-layered strategy. Anti-exploit technology reduces the exposure to ransomware delivered via the web or email attachments. Machine learning detects and stops previously unseen malware. Behavior-based protection catches ransomware “in the act” and prevents files from being encrypted. Collectively, these additional layers of protection provide a level of assurance that wasn't available just a few years ago.