Endpoint security is only one piece of the puzzle
Like many of you, I attended RSAC in February. Wading through the crowd of more than 43,000 people, I was interested to see how many new and improved endpoint security solutions were being touted by big-name vendors and newcomers alike.
Machine learning (or full AI) is in, and signature-based AV solutions are on their way out – at least in part. None of this really surprised me, but I do worry that the industry might end up focusing so much time and energy on endpoint security that it backfires. I believe that solid endpoint security isn’t enough on its own. More robust overall security comes from looking at data from both the endpoint and the network, because each vantage point catches threats that hide from, or are misclassified by, the other.
Endpoint security has limits. Traditional AV software works by comparing files it finds on the endpoint against signatures of known malware: as it scans a new file, it looks for a file hash or a sequence of bytes that matches code from previously discovered samples. There are two drawbacks to this. First, a signature can only exist for something someone has already seen, so brand-new malware (the “zero day” sample), and even a trivially repacked variant of an old family, passes unnoticed until a signature is written and pushed out. Second, there are now over half a million known malicious samples in the wild and the number grows daily, so keeping every endpoint’s signature catalog current, and scanning against it, is a constant burden.
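To make the two signature styles and their blind spots concrete, here is a small added example (my own illustration, not code from any AV vendor). It uses a constructed stand-in for a “known” sample with both a hash signature and a byte-pattern signature, then shows two attacker moves: appending a byte defeats the hash but not the pattern, while XOR-repacking the body defeats both. The sample bytes, detection name and packer stub are all made up for the demonstration.

```python
import hashlib
import re

# Constructed stand-in for a known malicious file: a fake MZ header, a short
# x86-style prologue and a marker string. This is not a real sample.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"\x55\x8b\xec\x83\xec\x10"      # push ebp; mov ebp,esp; sub esp,0x10
    + b"evil-dropper-v1"
    + b"\x00" * 16
)

# Signature type 1: exact file hash. Cheap to check, broken by any change at all.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Dropper.Constructed.A",
}

# Signature type 2: a byte pattern lifted from the sample's code. Survives
# appended or rearranged data, but not transformation of the matched bytes.
PATTERN_SIGNATURES = [
    (re.compile(rb"\x55\x8b\xec\x83\xec\x10evil-dropper-v1"), "Dropper.Constructed.A"),
]


def scan(data: bytes):
    """Return the detection name if any signature matches, else None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            return name
    return None


def append_junk(data: bytes) -> bytes:
    """Attacker move 1: append a byte. Changes the hash, leaves the code intact."""
    return data + b"\x00"


def repack(data: bytes, key: int = 0x5A) -> bytes:
    """Attacker move 2: XOR-encode the body behind a small stub, as a packer
    would. The stub would decode at run time; statically the known bytes are gone."""
    return b"STUB" + bytes(b ^ key for b in data)


if __name__ == "__main__":
    print("original        :", scan(KNOWN_SAMPLE))
    print("one byte added  :", scan(append_junk(KNOWN_SAMPLE)))
    print("repacked        :", scan(repack(KNOWN_SAMPLE)))
    print("unseen family   :", scan(b"MZ" + b"\x00" * 40 + b"never-seen-before"))
```

The last two cases are the ones that matter: a repacked old sample and a genuinely new one both come back as None, and no amount of signature volume changes that until someone analyzes the new file and ships an update.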
This is why many security companies now offer behavior-based anti-malware tools. These applications examine how unknown files behave to determine if they are malicious. Advanced Persistent Threat (APT) Blockers, another new security tool, run a file in a virtual sandbox to see if it turns out to be malware. These tools partially mitigate the signature overload problem with endpoint security, but a completely new sample still has no verdict until its sandbox run completes, and that can take anywhere from seconds to minutes, which is a very long time in the world of computers. Sandbox-aware malware adds a further wrinkle: it checks for signs that it is running under analysis and simply stays dormant until it lands on a real machine.
Another problem with endpoint security solutions is that smart bad guys can write malware that will hide itself from them. Rootkits are malware that installs itself at a low level of the operating system (a kernel driver, or even the boot chain) and intercepts the calls that other software uses to list files, processes, and network connections. Anything that depends on those calls, including the AV agent itself, is shown a clean machine. So, I have reservations about putting all our digital eggs in one basket with endpoint security.
But even malware that has hidden itself from the endpoint still has to communicate: it will spread across the network, call back to command and control (C2) for instructions and (if its purpose is to steal data) exfiltrate stolen information. Those packets leave the host and cross links the rootkit does not control, which is where an Intrusion Prevention System (IPS) can see them. IPS solutions examine traffic, and the files carried in it, for malicious activity; they can work in several different ways, but most use a combination of traditional attack signatures and behavioral analysis (connection patterns, timing, volume) to identify when a program is doing something that might be considered malicious.
To be fair, there are also ways for malware to hide itself from network security tools. Malware can encrypt its communication so that content signatures have nothing to match, and rapidly cycle through C2 server destinations to avoid reputation-based network defenses. Encryption hides the payload, though, not the fact that a connection happened, when it happened, or how much data moved; and rotating destinations only fools a detector that keys on the destination address.
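The behavioral side of the two paragraphs above, as an added example of my own rather than anything from a particular IPS product: a detector that looks only at connection metadata (who talked to whom, and when) and flags hosts whose callbacks are suspiciously regular. It never looks at payload, so encryption does not matter to it. The connection log is constructed: one host beacons to a single address every minute, one is doing ordinary browsing, and one beacons every minute but rotates across three C2 addresses. The per-destination version of the check misses the rotating host; keying on the source host alone still catches it. All addresses, times and thresholds are made up for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (unix_time, src_ip, dst_ip, dst_port, bytes_out).
# 10.0.0.7 calls 203.0.113.5 roughly every 60 s (an implant beaconing over TLS),
# 10.0.0.8 is an ordinary browsing burst, and 10.0.0.12 beacons every 60 s but
# rotates between three C2 addresses. None of this is real traffic.
FLOWS = [
    (1000, "10.0.0.7", "203.0.113.5", 443, 412),
    (1000, "10.0.0.8", "198.51.100.20", 443, 900),
    (1003, "10.0.0.8", "198.51.100.20", 443, 15000),
    (1004, "10.0.0.8", "198.51.100.20", 443, 2200),
    (1009, "10.0.0.8", "198.51.100.20", 443, 700),
    (1025, "10.0.0.8", "198.51.100.20", 443, 80000),
    (1031, "10.0.0.8", "198.51.100.20", 443, 300),
    (1061, "10.0.0.7", "203.0.113.5", 443, 408),
    (1090, "10.0.0.8", "198.51.100.20", 443, 1200),
    (1119, "10.0.0.7", "203.0.113.5", 443, 415),
    (1180, "10.0.0.7", "203.0.113.5", 443, 410),
    (1200, "10.0.0.8", "198.51.100.20", 443, 5000),
    (1240, "10.0.0.7", "203.0.113.5", 443, 411),
    (1301, "10.0.0.7", "203.0.113.5", 443, 409),
    (1359, "10.0.0.7", "203.0.113.5", 443, 413),
    (1420, "10.0.0.7", "203.0.113.5", 443, 410),
    (2000, "10.0.0.12", "203.0.113.20", 443, 520),
    (2060, "10.0.0.12", "203.0.113.21", 443, 518),
    (2121, "10.0.0.12", "203.0.113.22", 443, 523),
    (2180, "10.0.0.12", "203.0.113.20", 443, 519),
    (2241, "10.0.0.12", "203.0.113.21", 443, 521),
    (2300, "10.0.0.12", "203.0.113.22", 443, 520),
]


def detect_beacons(flows, per_destination=True, min_conns=5, max_cv=0.15):
    """Flag connection groups whose inter-connection timing is too regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections; a low value means machine-like timing.
    With per_destination=False the grouping key is the source host alone,
    which still catches an implant that spreads callbacks over rotating C2
    addresses, at the cost of more false positives on busy hosts.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        key = (src, dst, dport) if per_destination else (src, None, dport)
        groups[key].append(ts)

    alerts = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_conns:          # not enough samples to judge timing
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            alerts.append({
                "src": src, "dst": dst if dst is not None else "*", "dport": dport,
                "connections": len(times),
                "interval_s": round(avg, 1), "cv": round(cv, 3),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_beacons(FLOWS):
        print("per-destination:", a)
    for a in detect_beacons(FLOWS, per_destination=False):
        print("per-source     :", a)
```

The thresholds (five connections, coefficient of variation at or below 0.15) are starting points, not tuned values; real implants add jitter, so in production you would also look at the byte counts and the ratio of sent to received data, which the record already carries.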
So, if malware can circumvent either network or endpoint security on its own, why not combine data from both sources and correlate them? This practice helps security professionals see threats that are hiding from one or the other, and make more informed decisions about how to react to them. If an endpoint flags an unknown file for one or two suspicious behaviors, and within minutes the network sees suspicious traffic from that same host’s IP address, those two data points together indicate a much higher likelihood of an attack than either one alone.
Examining both endpoint and network threat data also helps to solve the problem of information overload. By combining both sets of data for analysis, security pros can focus on the real threats and set up automated remediation policies to deal with them. This is especially important for SMBs and other organizations without a dedicated security team, where IT staff are already stretched thin.
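Here is what the correlation from the previous paragraph and the triage from this one look like in code, as an added example of my own (not a vendor’s correlation engine). Endpoint agents usually report by hostname and network sensors by IP, so the first job is a host-to-IP join; after that, alerts from the two sources that land on the same host within a time window reinforce each other, while everything else keeps the score of its strongest single alert. The resulting severity maps to an action, which is where an automated remediation policy would hook in. The alert feeds, host mapping, dates, scores and thresholds are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert feeds. The host<->IP mapping would come from DHCP leases or
# an asset inventory in practice; here it is hard-coded and the dates are made up.
HOST_TO_IP = {"ws-017": "10.0.0.7", "ws-022": "10.0.0.22", "ws-031": "10.0.0.31"}

# Endpoint agent alerts: (host, ISO time, score, detail)
ENDPOINT_ALERTS = [
    ("ws-017", "2018-05-03T09:14:02", 30, "unsigned binary added itself to a Run key"),
    ("ws-022", "2018-05-03T09:20:10", 30, "unsigned binary added itself to a Run key"),
    ("ws-031", "2018-05-03T11:00:00", 20, "Office macro spawned powershell.exe"),
]

# Network sensor alerts: (ip, ISO time, score, detail)
NETWORK_ALERTS = [
    ("10.0.0.7",  "2018-05-03T09:15:40", 40, "periodic TLS connections to 203.0.113.5 (beacon)"),
    ("10.0.0.31", "2018-05-03T14:30:00", 40, "periodic TLS connections to 203.0.113.9 (beacon)"),
    ("10.0.0.50", "2018-05-03T10:02:00", 40, "periodic TLS connections to 203.0.113.5 (beacon)"),
]

# Score threshold -> (severity, automated action). Checked top down.
SEVERITY_ACTIONS = [
    (80, "high", "isolate host and open incident"),
    (50, "medium", "queue for analyst review"),
    (0, "low", "log only"),
]


def correlate(endpoint_alerts, network_alerts, host_to_ip,
              window=timedelta(minutes=15), bonus=30):
    """Join endpoint and network alerts per host and score the combination."""
    ip_to_host = {ip: host for host, ip in host_to_ip.items()}
    events = defaultdict(list)   # ip -> [(time, source, score, detail)]
    for host, ts, score, detail in endpoint_alerts:
        events[host_to_ip[host]].append((datetime.fromisoformat(ts), "endpoint", score, detail))
    for ip, ts, score, detail in network_alerts:
        events[ip].append((datetime.fromisoformat(ts), "network", score, detail))

    incidents = []
    for ip, evs in events.items():
        ep = [e for e in evs if e[1] == "endpoint"]
        net = [e for e in evs if e[1] == "network"]
        # Alerts from both sources within `window` of each other corroborate
        # one another; otherwise the host is judged on its strongest single alert.
        linked = any(abs(e[0] - n[0]) <= window for e in ep for n in net)
        score = sum(e[2] for e in evs) + bonus if linked else max(e[2] for e in evs)
        severity, action = next((s, a) for t, s, a in SEVERITY_ACTIONS if score >= t)
        incidents.append({
            "host": ip_to_host.get(ip, "unknown"), "ip": ip, "score": score,
            "severity": severity, "action": action, "correlated": linked,
            "evidence": [f"{e[1]}: {e[3]}" for e in sorted(evs)],
        })
    incidents.sort(key=lambda i: i["score"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in correlate(ENDPOINT_ALERTS, NETWORK_ALERTS, HOST_TO_IP):
        print(f"{inc['severity']:6} {inc['score']:3} {inc['host']:8} {inc['action']}")
        for line in inc["evidence"]:
            print("           -", line)
```

Run against the constructed feeds, only ws-017 rises to “high”: its endpoint alert and the beacon from its IP are 98 seconds apart, so they add up and take the correlation bonus. ws-022 has the identical endpoint alert with nothing on the wire and stays low, and ws-031’s macro alert and afternoon beacon are hours apart, so they are reported but not combined. That is the overload problem in miniature: four hosts produce alerts, one deserves the on-call page.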
To summarize, I agree with the RSAC hive-mind in general that endpoint security is important (it’s the first line of defense after all). That said, we shouldn’t kid ourselves that endpoint security on its own will solve the growing security challenges we’re facing today. Stronger overall security for any organization comes from combining data from both the endpoint and the network.