The six pillars of Next Generation Endpoint Protection

Tomer Weingarten, CEO, SentinelOne | Aug. 17, 2015
Advancements in attack evasion techniques are making new threats extremely difficult to detect. The recent Duqu 2.0 malware, which was used to hack the Iranian nuclear pact discussions, Kaspersky Lab, and an ICS/SCADA hardware vendor, is a prime example. To keep up, a new security model that uses a different approach to the traditional "evidence of compromise" process is needed.

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

This Next Generation Endpoint Protection (NGEPP) model needs to address six core pillars that, when taken together, can detect the most advanced attack methods at every stage of their lifecycle:

* Prevention. NGEPP must leverage proven techniques to stop known threats in the wild. A layer of preemptive protection can block existing threats before they execute on endpoints. Instead of relying only on one vendor's intelligence, it is now possible to tap more than 40 reputation services collectively through the cloud to block threats proactively. This approach also uses a lightweight method to index files for passive or selective scanning, instead of performing resource-intensive full system scans.

* Dynamic Exploit Detection. Using exploits to take advantage of code-level vulnerabilities is a sophisticated technique attackers use to breach systems and execute malware. Drive-by downloads are a common threat vector for delivering exploits. NGEPP should provide anti-exploit capabilities that protect against both application-level and memory-based attacks. This should be achieved by detecting the actual techniques exploits rely on -- for example heap spraying, stack pivots, ROP chains and memory permission modifications -- rather than by static measures such as shellcode scanning. Technique-based detection is far more reliable, since the exploitation techniques themselves are much harder to change than the shellcode, encoder, dropper and payload components of a given piece of malware.

* Dynamic Malware Detection. Detecting and blocking zero-day and targeted attacks is a core NGEPP requirement. This involves real-time monitoring and analysis of application and process behavior, based on low-level instrumentation of OS activity, including memory, disk, registry and network operations. Since many attacks hook into system processes and benign applications to mask their activity, the ability to inspect execution and reconstruct its true execution context is key. To protect against a variety of attacks and scenarios, this detection capability is most effective when performed on the device itself. For example, even an offline endpoint can then be protected against attacks delivered by USB stick.

While many vendors now offer endpoint visibility, which is a leap forward, visibility alone cannot detect zero-day attacks that exhibit no static indicators of compromise. Dynamic behavioral analysis that does not rely on prior knowledge of a specific indicator is required when dealing with true zero-day threats.
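A defender-side illustration of the technique-based checks described under Dynamic Exploit Detection and the behavioral instrumentation described under Dynamic Malware Detection, added here as an example and not code from the article or from SentinelOne. The event record format, the thread stack bounds, the spray threshold and the sample trace are all constructed assumptions; the point is that nothing here keys on payload bytes.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed thread stack bounds and spray threshold (assumptions, not product values).
STACK_LO, STACK_HI = 0x7ffd_0000_0000, 0x7ffd_0010_0000
SPRAY_THRESHOLD = 32

@dataclass
class Event:               # one low-level instrumentation record (hypothetical format)
    kind: str              # "mprotect", "alloc" or "api_call"
    addr: int = 0          # start of the affected region
    size: int = 0          # region or allocation size in bytes
    prot: str = ""         # new protection, e.g. "rw", "rx", "rwx"
    sp: int = 0            # stack pointer captured at the call site
    name: str = ""         # API called (for "api_call")
    pattern: str = ""      # hex of the first bytes written into an allocation

def detect_techniques(events, stack_range=(STACK_LO, STACK_HI)):
    """Flag exploit techniques in a trace without any payload signature.
    Returns a list of (technique, detail) tuples."""
    findings, shapes = [], Counter()
    lo, hi = stack_range
    for ev in events:
        # A region made writable and executable at once: memory permission modification.
        if ev.kind == "mprotect" and {"w", "x"} <= set(ev.prot):
            findings.append(("memory_permission_modification",
                             f"{ev.addr:#x}+{ev.size:#x} set to {ev.prot}"))
        # An API call while the stack pointer is outside the thread's stack: stack pivot.
        elif ev.kind == "api_call" and not (lo <= ev.sp < hi):
            findings.append(("stack_pivot",
                             f"{ev.name} called with sp={ev.sp:#x} outside the stack"))
        elif ev.kind == "alloc":
            shapes[(ev.size, ev.pattern)] += 1
    # Many same-sized allocations filled with one repeated pattern: heap spray.
    for (size, pattern), n in shapes.items():
        if n >= SPRAY_THRESHOLD:
            findings.append(("heap_spray", f"{n} x {size:#x}-byte blocks of {pattern}"))
    return findings

# Constructed trace: a spray, a W+X remap, a pivoted call, then a benign call.
SAMPLE_TRACE = [Event("alloc", size=0x100000, pattern="0c0c0c0c") for _ in range(64)] + [
    Event("mprotect", addr=0x7f00_0000, size=0x1000, prot="rwx"),
    Event("api_call", name="CreateProcessW", sp=0x7f00_0800),   # sp points into the heap
    Event("api_call", name="ReadFile", sp=0x7ffd_0008_0000),     # sp inside the real stack
]

def analyze_sample():
    return detect_techniques(SAMPLE_TRACE)
```

Running `analyze_sample()` on the constructed trace reports the permission change, the pivoted call and the spray, while the benign `ReadFile` call with a normal stack pointer produces nothing.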
