After extensive testing of 10 advanced endpoint protection products, we have identified a series of broad industry trends:
1. Virus signatures are passé. Creating a virus with a unique signature is child’s play, thanks to the nearly automated virus construction kits that have filled the internet over the past several years. Instead, many of today’s advanced endpoint protection products make use of security news feeds that report on the latest attacks such as VirusTotal.com and other reputation management services. Some, like CrowdStrike, have a long list of integrations with security and log management tools to make them more effective at spotting attack trends.
2. Tracking executable programs is so last year. In the old days of malware, exploits typically had some kind of payload or residue that they left on an endpoint: a file, a registry key or whatnot. Then the bad guys graduated to run their business just in memory, leaving little trace of their activity, or they would hide inside PDFs or Word documents, or would force your Web browser to a phished site that contained Java-based exploits.
Today’s hackers have become more sophisticated, using Windows Powershell commands to set up a remote command shell, pass a few text commands, and compromise a machine without leaving much of a trace on an endpoint. To be effective at fighting this new kind of behavior, today’s products look at what effect the attacker has on the endpoint: does it drop any files, including what may seem at first benign text files, or make any changes to the Windows Registry? Figuring this out isn’t easy and many of the products are focused in this area to prevent the bad guys from gaining control over your computers.
3. Can the product track privilege escalation or other credential spoofing? Modern attackers try to penetrate your network with a legit user credential that uses a default setting from when you installed SQL Server or some other product, and then escalates to a domain administrator or other more significant user with greater network rights.
4. Insider threats are more pernicious, and blocking them has become more compelling. One of the reasons why traditional anti-virus protection has failed is because attackers can gain access to your internal network and do damage from a formerly trusted endpoint. To block this kind of behavior, today’s tools need to map the internal or lateral network movement so you can track down what PCs were compromised and neutralize them before your entire network falls into the wrong hands.
5. Data exfiltration is more popular than ever. Moving private user data, or confidential customer information, out of your network is the name of the game today. Look no further than Sony or Target as examples of what the EDR tool has to deal with now. Tools that can track these exfiltrations are more useful.
6. Many tools are using big data and cloud-based analytics to track actual network behavior. One of the reasons why sensors and agents are so compact is that most of the heavy lifting happens in the cloud, where they can bring to bear big data techniques and data visualization to identify and block a potential attack. SentinelOne and Outlier Security use these techniques to correlate data across your network in real time.
7. Attack reporting standards like CEF, STIX, and OpenIOC are also being integrated into today’s endpoint products. SentinelOne is an example.This is a welcome development and hopefully more products will move in this direction.
This story, "7 trends in advanced endpoint protection" was originally published by Network World.