Style 3 Payload Analysis can use a sandbox technique (either on premises or in the cloud) to detect targeted attacks on a near-real-time basis, but these products typically don't "enable a post-compromise ability to track endpoint behavior over a period of days, weeks and months," Gartner notes. (To do that, look to Gartner's Style 5, Endpoint Forensics.) Gartner adds that its clients currently often voice the opinion that Payload Analysis products vary in their ability to accurately detect malware. The advantage they have, though, is that they can detect malware that successfully bypasses signature-based products. Some have optional blocking capability. The challenge in using Payload Analysis is that behavioral analysis can take several seconds or minutes to complete, allowing the malware to pass through into the network and potentially compromise endpoints, especially when the malware uses evasion techniques such as sleep timers, in which it executes after a delay. Some vendors are trying to thwart this, though, Gartner adds. Another drawback of this approach is that Style 3 doesn't "provide validation that the malware executed on endpoints."
And just because the malware behaved a certain way in a simulated environment, it doesn't mean it will act the same way when it hits real targets. Some Payload Analysis products support only a limited range of payloads, such as executables only, according to Gartner. Most support Microsoft Windows, a few cloud approaches support Android, but Gartner sees none supporting Apple Mac OS X.
Examples of Style 3 would be AhnLab, Check Point with its Threat Emulation Software Blade, FireEye, Lastline, McAfee with its ValidEdge acquisition, Palo Alto Networks with WildFire, ThreatGrid and Trend Micro with Deep Discovery, says Gartner.
Style 4 Endpoint Behavior Analysis is based on the idea of "application containment to protect endpoints by isolating applications and files in virtual containers. Other innovations in this style include system configuration, memory and process monitoring to block attacks, and techniques to assist with real-time incident response." This Style 4 approach requires an agent on every endpoint, Gartner says. It can "intercept kernel system calls and block malicious activity such as thread injection attacks," and "by isolating Web browsing sessions, protect users from malicious websites, including drive-by download sites and watering holes."
The strengths of this approach are blocking zero-day attacks, providing some basic forensics, and protecting systems whether they are on or off the network, but the challenge is that deploying and managing the agent software is operationally intensive and particularly hard in bring-your-own-device (BYOD) environments. Examples of vendors here include Blue Ridge Networks, Bromium, Invincea, Sandboxie and Trustware. Vendors that support memory monitoring include Cyvera, ManTech/HBGary (Digital DNA) and RSA's ECAT.
Style 5 The last style in the Gartner style catalog is Endpoint Forensics, which involves tools for incident response teams. These endpoint agents collect data from the hosts they monitor. They can help automate incident response and monitor hosts on and off corporate networks. The challenge in using them, though, is that they can be operationally intensive to deploy and manage, and support for non-Windows endpoints is quite limited. Examples of Style 5 vendors with tools include Bit9, Carbon Black, Guidance Software with its EnCase Analytics, Mandiant and ManTech/HBGary's Responder Pro.