Endpoint security needs a new approach. The adage "AV is dead" can be debated, but the idea the landscape has changed can't. The industry changed, and new tools have arrived. Technologies such as endpoint detection and response (EDR) and Endpoint Protection Platforms (EPP) claim to save the day. But customers still are not getting the value and outcomes they need. This write up will dive into what has changed, explain what EDR and EPP is, why they are needed, and why they don't always provide the outcomes needed. Finally, we will touch upon how organizations are securing endpoints, using next generation technologies, and driving the outcomes desired - secured endpoints across, and beyond, the origination’s infrastructure.
Why the current landscape demands a different approach to endpoint protection.
Infrastructures have changed greatly in just the last five to ten years. Device are more connected, mobile, and ubiquitous. Technology has changed too. Cloud, BYOD, and work from home has completely changed the approach to securing endpoints, making traditional AV no longer the norm.
The use cases for attackers has also changed. Attackers are no longer trying to bypass a firewall to "infect" a machine with a debilitating virus. Often, they are looking for ways to reach the machine outside of the network, quietly hide code, and use the machine for other reasons (data theft, relay attacks, C&C networks, bitcoin mining, etc..).
These changes mean corporations have more risk, less levels of protection, and new methods of attack they need to worry about. Because of this, traditional AV solutions will not work for these three reasons;
It isn't about virus signatures anymore
Endpoint security used to be signature-based where AV companies would tout how large their signature database was, how quickly they updated, and how fast they could protect the newest virus attack. Now, most attacks do not have a signature. Memory-based attacks, powershell scripting language, remote log Ins, and Macro-based attacks don’t always have a signature to que an alert from. These types of attacks aren't rarities anymore. According to Peonemon Institute 77% percent of attacks last year was a fileless attack or exploit. This means you need more than a signature to find a threat.
The other problem with signatures is that today's viruses aren't always black and white. Some are valid programs but using data in ways you may not want. Remember weather bug? Many other programs are like that bug in that they serve a purpose. I may not want or need it, and I'm not sure what else it is doing. Traditional AV isn't sure what to do with this either. Yeah, the application isn't great, but maybe you are okay with it tracking your location, accessing your contacts, and recording your deepest-darkest google searches. The point is, virus protection isn't black and white anymore, so a signature may not be the best way to protect a machine. That is what has led us to “next generation endpoint protection.”
Next Generation Endpoint Protection focuses on events, not file signatures. Next Generation Endpoint Protection looks at file transfers, file changes, processes running on the machine, and network events coming to or from the device. The goal is to try to look at behavioral analysis, find signs of malicious intent, and events out of a "baseline" of activity.
Endpoints need more than just virus protection
Endpoint protection solutions need to go beyond virus detection and to an approach that centers on device monitoring and information gathering. For too many security leaders, a virus is the symptom, not the main cause of their issue. The underlying problem to tackle that is to harden the endpoint so it isn't susceptible to vulnerabilities. To do this, security managers need data. They need to know the status of their machines, patch levels, and risk levels and this level of information needs to be included in a modern endpoint protection solution that then feeds information to a designated team to perform advanced investigations, automate responses, and communicates with other security tools.
Endpoint Security is not a standalone solution, you need people
The days where endpoint security consisted of AV software and a machine are long over. Threats don't always originate or end at that endpoint. To understand where the event started (and what it did) involves data from other sources, coordinated with other tools, and managed by people. Today's endpoint security solutions need to coordinate information with security information event management (SIEM) platforms, then enrich this data with supporting information, threat intelligence, and incident response guidance. This information then needs to be automated, orchestrated, and put into a playbook or a standardized process for a response team to act upon. The tools, people, and processes vary from organization to organization, but one thing remains the same - it takes more than just software and a machine to adequately protect an endpoint. It takes coordination with other tools, teams, and processes to be effective. This is where an endpoint protection platform can assist.
What is an endpoint protection platform (EPP)? Why doesn't it work?
Many people think of endpoint protection platforms (EPP) as AV 2.0 and think that after the saying "AV is dead" that the AV companies rebooted their solutions to a new acronym. This isn't exactly the case. Leading security software providers took into consideration why people believed AV was dead and adjusted accordingly. As stated earlier, the primary change was to shift the focus from signature-based protection (which doesn't work) to software that protects endpoints based on events (which also doesn't work - more on that later).
Capabilities to look for in EPP:
Outcomes aside, EPP software did make improvements in capabilities and features not found in traditional AV solutions, including:
- Threat prevention (blocking malware without using a signature)
- Automatic event protections such as file quarantine and host isolation
- Detecting suspicious activity (not signature-based) on the machine
When evaluating Endpoint Protection platforms, make sure they have the following capabilities, because they play a crucial role in protecting against todays threats. These Include:
Block known and unknown threats. This means blocking threats not just based on the signature but what it is doing. Some examples include:
- Blocking communications to known malicious IPs (such as command and control networks)
- Blocking events that are attempting to remove or alter the EPP software without your approval
- Blocking events based on the behavior or process it is attempting
Integrate with other solutions. As mentioned above, endpoint security is not a stand-alone solution. It should be able to communicate with other technologies and teams. Some examples include:
- Sending alerts to a ticketing system
- Sending log data to a SIEM
- Sending activity to network monitoring solution
- Integration with vulnerability management systems
Quarantine files and machines. When an event is happening, sometimes the best course of action is to isolate the machine or file from the rest of the network.
Work with, or add on, Endpoint Detection and Response capabilities. You need advanced capabilities to threat hunt, detect advanced threats, and store and record system behaviors. Picking an EPP solution with this capability (either as an add on or integrated into another solution) is imperative.
Drawbacks of EPP software:
If EPP overcame the major setbacks of AV, why do we say it isn't working? Simply put, it is still just software. And it's complex. Most organizations find quickly that traditional AV had one redeeming quality: you just installed it and let it do its thing. EPP isn't that easy. It's more like a SIEM, where it needs constant tuning, updates, and management. More importantly, many of the advanced features provide an output that needs to be acted upon. Because it's a next generation security technology, without the people, process, and expertise to manage the technology and output, you don't get the value or protection needed in today's security landscape. You need to pair security experts with your EPP software to create a robust security posture and properly protect your endpoints and monitor activity 24x7x365.
What Is Endpoint Detection and Response (EDR) software? How does software "respond."
To aid with the people, process, and expertise side of endpoint protection, many vendors are offering endpoint detection and response (EDR) software. EDR is a solution that records endpoint behaviors and mines this data for advanced threat detection. After a threat is detected, an alert can/should be sent to a security team. This information can also be used to automatically block an event, isolate a host, and provide remediation suggestions to restore the injected system. It essentially is a software that empowers an organization's security team with the data and tools to detect and respond to advanced threats.
Capabilities to look for:
EDR technology enables a new host of capabilities that drive outcomes organizations need by helping to detect security incidents, contain the incident at the endpoint, investigate security events, and provide remediation guidance. These are the outcomes security professionals set out to achieve with endpoint security. However, not all EDR solutions are created equally. Since EDR is a newer term, many vendors play with the definition.
Make sure when selecting an EDR solution you look for the following capabilities:
- Understand the normal operations of the device, so it can predict threats. This means understanding patch levels, vulnerabilities, and normal behavior. This will help the solution, and your team, anticipate threats.
- Help you harden your system. If the system can anticipate threats based on patch levels and vulnerabilities it should provide guidance to help your team proactively harden your system to mitigate those risks.
- Detect advanced threats. The goal of an EDR solution is to record system level behavior so it can mine data for indications of a threat. A good solution will have a strong track record, and case studies explaining how, when, and why it was able to detect threats that AV and EPP software could not. When it detects these threats, it should also prioritize, communicate, and assist with the next step: response.
- Respond to threats. This can be done both automatically, but quarantining machines, or manually, by feeding threat data to other systems, SOCs, and incident response teams. Furthermore, it is imperative the solution can assist with the investigation of threats. This includes the activity of the machine, a timeline of events, and historical reference to normal operations.
An EDR solution with these capabilities will help drive the outcomes needed; being able to detect, respond, and mitigate threats. However, most organizations are finding out there are challenges getting to this goal.
The drawback of endpoint detection and response is that is doesn't "respond" like you think it will:
Organizations are still having the same problems as they did with EPP - it's still just software. EDR provides advanced capabilities and analytics that need to be worked, managed, and responded to by an experienced team of security professionals. The word "team" is key here. This is why having a dedicated security team is important:
- Most organizations have migrated from desktops to primarily laptops, which allows employees to take their machines home after work.
- This opens the door for events happen to the endpoints after normal business hours.
- Which leads to needing people to respond to these events around the clock, especially if your EDR agent is configured to automatically perform some events (such as host isolation or rollback).
- This opens the door for events happen to the endpoints after normal business hours.
This example is where companies are faltering with EDR. Most organizations only have one, maybe two, experienced security professionals. Not many organizations have the team, experience, knowledge, and around the clock capabilities to respond to endpoint events in real-time.
The response is the other issue. Beyond basic isolation, EDR doesn't respond by itself. That's your job (unless you have a third party MSSP, then that's their job). EDR empowers you to respond appropriately, but it isn't doing it all for you. The information EDR provides you is fantastic. It can integrate into your process workflow, be part of your team's orchestration, automation, and incident response efforts. But, for the most part, the response is still on you.
Overall, EDR is a great tool to have and plays a vital role in preventing today's threats. But many companies fall short of the human component. It takes an entire team, it takes response, it takes expertise. This is a difficult tool to use properly. You need experts and you need those experts monitoring and managing your endpoints 24x7x365.
EDR and EPP Combined
We've seen EPP providers start to offer EDR capabilities. For instance, many EPP solutions have the granular visibility, workflow automation, orchestration, and tools for incident response. Likewise, we see EDR solutions taking on more of an EPP capability set. Modern EDR solutions can scan a PC, isolate a file, and even block specific actions and providers are already marketing both under one software platform. They can scan an endpoint, use signature or signature-less detection methods, isolate files, hosts, and even roll the device back to a known good state. They have the capabilities to stop attacks, detect advanced threats, and inform security teams. However, even combined, they are missing the human component.
The goal of hackers is to get around known systems and safeguards. It doesn't matter if it is a firewall, endpoint, or access point. Bad guys have the advantage because they are unknown, responsive, flexible, and innovative in their approach. That will always win against a rigid, code based, ruleset. By combining EDR and EPP, we think we have every capability and feature needed to protect an endpoint. In reality, software tools alone cannot outsmart innovative hackers.
Because EDR and EPP are advanced tools, they must always be managed and maintained. The most successful organizations are evaluating EDR and EPP technology, their current capabilities, and potential resource constraints and gaps. From there they can determine how to fill those gaps and drive the outcomes they really want. Here are three examples that illustrates this methodology.
Every customer situation varies, but in each case the organization was able to adopt next generation EDR and EPP technology, then apply the people and processes necessary to use the software and capabilities in order produce the outcomes necessary to remain in front of the shifting security landscape.
Endpoint security needs a new approach. Technologies such as endpoint detection and response (EDR) and Endpoint Protection Platforms (EPP) claim to save the day. While these tools provide great capabilities for endpoint protection, organizations still are not getting the value, and outcomes, they need. This is often because organizations lack the teams and expertise to utilize the capabilities of these tools in order to drive value. A better approach to endpoint security is to start with an understanding of your endpoint project scope: what capabilities you need. Then gain an understanding of your team, resources, and expertise. From there understand your gaps. Evaluate EDR and EPP software providers, and service providers to fill those gaps. In most cases software alone will not suffice. If you don't have the expertise, partner with an organization that does.