In this second part to 8 Endpoint Security Considerations For Your Next-Gen AV – Part 1, we look at five more critical endpoint features to consider for your next-gen endpoint client.
7. EDR – Endpoint Detection and Response
EDR stands for “Endpoint detection and response”. EDR is a detective tool, usually used after an incident and for proactive threat hunting. In a world where 100% prevention is impossible, EDR gives you the ability to detect and respond to the incidents that inevitably get through your other layers of protection.
Rather than blocking exploits and malware before execution, EDR focuses on monitoring endpoints to detect suspicious activity and capture data for forensic and security investigation. This may include things like monitoring processes on the endpoint, checking for unusual user activity, and looking for callbacks to suspicious IPs.
Once a user has been infected, there are usually telltale signs and changes in behavior that raise some flags. This is where an EDR solution helps detect and collect data for your investigation.
An example of this may be a zero-day file that has already gone through your AV solution and infected the user. There are usually telltale signs of a compromised host, like registry changes, opening sockets, connecting back to a C&C server, etc.
This is another feature that may not apply to everyone, in particular small corporations where you don’t have an IR team or the resources to do anything with the data you’re collecting. But if you’re looking for a post-infection detective tool, EDR is for you.
According to the 2018 Verizon DBIR, “30% of Breaches involves insiders”. UEBA stands for “User and entity behavior analytics”, and it’s primarily focused on the theft of data and the use of stolen information (like credentials).
The insiders we are concerned about here can be users with malicious intent or users who had their credentials stolen. Insiders could also mean entities such as IoT devices, cameras, printers and other network devices.
With UEBA, you’re basically asking the question “Can this user or entity be trusted?”. That trust is calculated using a wide range of techniques on the endpoints, such as:
- Process monitoring
- User activity
- Registry changes, and more.
If this sounds somewhat familiar to EDR, it’s because it is. In fact, EDR and UEBA are being consolidated because they have a lot of complementary features. So if you’re concerned with data exfiltration or the ‘zero trust security’ model (which we will cover in another video), UEBA is a critical component of that.
EDR and UEBA are detective tools for post-exploitation, but they can also act as preventive tools by stopping the exfiltration of data if it’s detected in time.
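As an added example (not code from the original post), the telltale-sign chain described for EDR above and the UEBA question “Can this user or entity be trusted?” can be sketched over a few constructed telemetry events; the event format, the allowlist, the baselines and the scoring weights are all assumptions made here for illustration:

```python
# Added example: toy EDR correlation and UEBA trust scoring over constructed
# endpoint telemetry. Event layout and all values are hypothetical.

# Constructed telemetry: (timestamp, user/entity, pid, event kind, detail)
EVENTS = [
    (1, "alice", 100, "process", "outlook.exe"),
    (2, "alice", 100, "registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    (3, "alice", 100, "network", "198.51.100.23:443"),
    (4, "bob", 200, "process", "excel.exe"),
    (5, "bob", 200, "network", "203.0.113.10:443"),
    (6, "printer-01", 300, "process", "spooler"),
    (7, "printer-01", 300, "network", "203.0.113.10:443"),
    (8, "printer-01", 300, "network", "192.0.2.77:4444"),
]

KNOWN_GOOD_DESTS = {"203.0.113.10:443"}   # constructed allowlist (e.g. the corporate proxy)
AUTORUN_KEY = "\\Run\\"                    # persistence location the EDR watches

# Constructed per-entity baselines: what each user/device normally does.
BASELINE = {
    "alice": {("process", "outlook.exe"), ("network", "203.0.113.10:443")},
    "bob": {("process", "excel.exe"), ("network", "203.0.113.10:443")},
    "printer-01": {("process", "spooler"), ("network", "203.0.113.10:443")},
}


def edr_flags(events):
    """EDR view: a process that sets an autorun key and then connects to a
    destination not on the allowlist is a telltale post-compromise chain."""
    persisted, flags = set(), []
    for _ts, user, pid, kind, detail in events:
        if kind == "registry" and AUTORUN_KEY in detail:
            persisted.add(pid)
        elif kind == "network" and pid in persisted and detail not in KNOWN_GOOD_DESTS:
            flags.append((pid, user, detail))
    return flags


def ueba_scores(events, baseline):
    """UEBA view: each entity starts fully trusted (100) and loses points for
    every event outside its own baseline; network deviations weigh more."""
    scores = {entity: 100 for entity in baseline}
    for _ts, user, _pid, kind, detail in events:
        scores.setdefault(user, 100)
        if (kind, detail) not in baseline.get(user, set()):
            scores[user] -= 25 if kind == "network" else 10
    return scores


def untrusted(scores, threshold=80):
    """Entities whose trust fell below the threshold and warrant investigation."""
    return sorted(entity for entity, score in scores.items() if score < threshold)
```

Note that the printer never touches the registry, so the EDR chain alone misses it, while its trust score drops on the unusual outbound connection; this is the complementary overlap the text describes.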
3. Intrusion Prevention (IPS)
IPS features in an endpoint are a traditional approach that is still highly effective against fileless malware. While vulnerability scanning and patch management are crucial, the reality is we are not always in a position to update applications as soon as a patch is available. That’s where an IPS can help mitigate the risk, by looking for attempts to exploit those known vulnerabilities on your endpoint.
IPS has signatures that specifically look for known vulnerabilities, such as those that fileless malware seeks to exploit. Even if you have an IDS/IPS appliance in your network, I would still look at an endpoint with IPS capabilities. Depending on where your IDS/IPS appliance sits in the network, there’s a chance it may never see the traffic hitting the endpoint.
Also, having IPS capabilities on the endpoint means the user is protected anywhere they go, not just when they’re sitting behind your network. Some IPS appliances are not specialized in client-side attacks, which is the very thing fileless malware is exploiting.
If your organization does not have an IPS appliance in place, mark this feature down as a “must have” in your next endpoint solution. If you already have an IPS appliance deployed, make sure it’s also configured to protect against client-side attacks on all outbound traffic.
A sandbox is like having an entire security research team in your hands to inspect unknown files. A sandbox automates the entire malware analysis process by detonating the file inside a virtualized environment. This virtualized environment can be inside an appliance in your network or in the cloud.
The goal here is to catch zero days and other advanced threats that would typically slip through a conventional inspection process.
While this is a highly effective way of catching zero days, it can be both a really expensive process and very slow. Depending on the vendor and your configuration, a file can take between 5-15 minutes to be fully inspected. This means you have to either wait for the verdict before executing the file, or allow the file to pass and later be alerted if the file is determined to be malicious. Of course, that means a user could already be infected by the time the sandbox determines it’s a malicious file.
Some sandbox solutions allow you to submit the file to the cloud, which lowers the cost – however, with this method, if you’re offline you would not be protected.
This option won’t be for everyone, but if your organization is at risk of being targeted, there’s no better way to catch potential zero days.
The Fundamentals
Fundamentals are what I consider the bare minimum that every endpoint solution should include. This will be things like a traditional AV DB (which yes, we still need), malicious IP and domain blocking, and botnet protection.
The fact remains that a good portion of the day-to-day garbage your average user will run into is still prevented by these basics. And while you still need to look beyond just these features, they’re still an important foundation to have. Secondly, a signature or IP DB is really fast and costs very little from a CPU and memory perspective. This is why almost every vendor will continue to have a traditional signature and IP DB as the first line of defense before a file goes through advanced methods like AI and pattern recognition. Why spend computational resources on something that I may have already run into in the past?
Anti-Exploit (Memory Protection)
Another critical feature every AV solution should have is some sort of anti-exploit feature. Anti-exploit can be called different things from vendor to vendor, but it should always be about memory protection. This feature should encompass different techniques that protect process memory. This is yet another mechanism against fileless malware, which can use vulnerabilities in known applications to jump to memory locations in the system.
When calculating risk, it’s important to consider not just the physical asset but the value of the data as well. Oftentimes, the data is much more valuable than the cost of the physical asset. Losing your $1300 laptop is one thing. Losing your $1300 laptop that contains customer credit card or healthcare information could cost you thousands more in regulatory fines and damage to your public image.