There are seemingly an uncountable number of ways cyber attackers can wedge their way onto enterprise networks, but one of the most common is through an end point .
Ransomware, Trojans, viruses, infected attachments are more often than not spread through endpoints which CISOs thought (hoped?) were protected through signature-based solutions from vendors like Symantec, McAfee and Trend Micro and others.
But not only is it hard for traditional solutions to scale to thousands of endpoints in large enterprises, it’s hard for them to keep signatures up to date with the explosion of malware.
So an increasing number of infosec pros are looking at a new generation of non-signature-based endpoint solutions from companies such as Bromium, Bit9, SentinelOne, Invincia, and Cylance (protection) and CrowdStrike, CounterTack, Cybereason, Tanium and others (detection and response).
Their products boast of dropping signatures in favour of sophisticated algorithms, machine learning and artificial intelligence to improve visibility, and detect and prevent infection. Some are at least as effective as traditional AV against known threats, but their attraction is that they may be better at detecting unknown malware.
Rick Holland, analyst at Forrester Research figures his firm tracks as many as 50 new entrants. “It’s an overwhelming market for an analyst to cover,” he said in an interview. “Imagine being a buyer and trying to take in everything that’s happening.”
However, while many CISOs are evaluating or have deployed these solutions beside traditional end point solutions, few are willing to completely drop their current software for new technology.
For example, Toronto Hydro will soon test Bromium Inc.’s vSentry micro-virtualization technology, which it says isolates each user-task at the endpoint in a hardware-isolated micro-VM, preventing theft or damage to enterprise resources.
“It’s a pretty cool technology that reduces the surface area of your potential attack to the smallest window possible, isolates the application, gives you some situational awareness,” Robert Wong, the utility’s executive vice-president and chief information and risk officer, said in an interview.
“If this proof of concept is successful we could possibly be replacing a lot of our old stuff.”
At the same time, his team is also deploying new capabilities being added by Hydro’s existing endpoint suite provider
“At the end of the day we’re still going to need a full suite of solutions and tools,” Wong said, and some of these newer players may be able to augment some of the traditional antivirus technologies we’re familiar with.”
This conservatism — don’t necessarily throw everything out –is expected, says Holland, for a number of reasons: These solutions are new, don’t combine prevention, detection and response (so several are needed to get all three), and few meet the Payment Card Industry security standards, which mandates companies following the PCI rules have an approved anti-virus solution. Gartner analyst Peter Firstbrook also noted that existing AV solutions may have capabilities that the new solutions don’t such as more firewall and application control, or come with features such as email and Web gateway protection, encryption or data loss prevention.
This year the market has seen notable announcements:
— Over the summer SentinelOne passed the corporate endpoint protection tests of AV-Test and is an approved PCI endpoint solution. Separately, Netflix announced it is replacing its AV solution with SentinelOne;
–This week Dell Inc. announced it will start selling Cylance’s threat protection solution at the end of January alongside it’s own endpoint suite;
–Tanium, an endpoint and systems management supplier which says it is being used at half of the Fortune 100 companies, forged an alliance with Paolo Alto Networks to provide an integrated threat detection and response solution;
–Trustwave has become a global managed security services provider of the Bit9 Security Platform, which includes application control;
–and, Forrester notes, some have fresh investment money: CrowdStrike, which makes an endpoint visibility and control solution, raised US$100 million over the summer, Tanium raised US$52 million in March and Cylance raised US$42 million.
At the same time a number are merging to expand capabilities: Fidelis Cybersecurity, a spin-off from General Dynamics, acquired EVC’s Resolution1 Security; Digital Guardian acquired application whitelist vendor Savant Protection
Don’t be surprised Forrester wrote in a September report, if existing AV vendors buy some of these startups to protect their positions.
Many are already adding capabilities: RSA has Enterprise Compromise Assessment Tool (ECAT), Trend Micro has a family of tools called Custom Defense, Check Point Software has added capabilities to its blades, and Symantec’s will add an EDR solution early next year called Advanced Threat Protection.
“We’re kind of in this ‘tweener stage,” Holland says, where protection/prevention, monitoring and response don’t exist yet in a single suite.
Organizations need all three he pointed out. “There’s all this talk where you have to fall back on detection and response,” he said, because it’s a given that if an attacker wants to get in it will. “I think many people have bucketed prevention as the traditional endpoint prevention. I always warn my customers to not pivot too far to detection and response. We should not be giving up prevention — its foolhardy to assume prevention or protection isn’t going to get better.”
Detection and response don’t help if ransomware has seized a PC, he adds.
New endpoint vendors are confident their time has come. “Antivirus has proven to be ineffective when it comes to dealing with unknown threats,” says Scott Gainey, chief marketing officer, SentinelOne, whose company last week announced a new version of its Endpoint Protection Platform EPP that includes the ability to rollback an endpoint to a pre-attack state (although it won’t help files that have been deleted.)
“We rely on a heuristic model that looks at the characteristics that malware exploits perform as they are trying to compromise and endpoint system.” Those characteristics don’t change much, he said. “As long as you can stop of one those stages you’ve thwarted the attack.”
Dave Cole, chief product officer at CrowdStrike Inc., is one of those who doesn’t unload on traditional antivirus companies, perhaps because he and the company’s founders came from big vendors.
“The AV industry unfairly takes a few blows that they’re entirely signature-based. They’re not — they have a lot of behavioural defences, they have a lot of capabilities that are beyond signatures,” he said. “But there’s a few things they are missing: One is that the entire product assumes you are dealing with malicious executables. What that means is if the bad guys aren’t using malware, or if they sneak one piece of malware past the AV product, it isn’t looking at what the user is doing on the system” — for example if commands are being executed at the command shell.
CrowdStrike’s Falcon Host — an agent-based solution that communicates with the company’s intelligence in the cloud — has a sensor that detects known and unknown malware, he said, as well as looks at the full chain of events that happens on a machine, such as whether a user is trying to escalate their privileges or dump credentials.
Interestingly, the company makes no claim it can replace traditional AV. “We’ve intentionally designed the product to be complimentary to an existing antivirus solution. That will not always be the case. There will be a day we will offer something more than that. ”
Peter Firstbrook, a Thornbury, Ont.,-based Gartner endpoint protection analyst, notes that new detection and response solutions help infosec pros better investigate suspicious activity than traditional AV solutions by offering more granularity into what happens on endpoints. The data can be mined for anomalies or indicators of compromise (which can come from third party databases).
But he also cautions these tools aren’t set-and-forget: They require skilled security analysts.
Endpoint detection is still an early developing market, Firstbrook says, which makes the CISO’s job of picking a solution harder. It doesn’t help that there are no standardized public tests of detection capability yet. Still, he feels most organizations with the capability to handle these new solutions will benefit from any improvements in detection beyond their traditional endpoint protection tools.