The war for network security is increasingly coming down to skirmishes fought over endpoints. Most malware authors don’t care about an individual user’s laptop or desktop. It’s just a stepping stone to capture, mine for credentials, and leapfrog deeper into the heart of the network. But if threats can be stopped there, they won’t ever endanger core assets.
The traditional defense placed on almost every endpoint is antivirus. Even freshly deployed machines running Windows 10 come equipped with Windows Defender as a free form of protection. The good thing about antivirus is that, so long as the definitions are kept up to date, it can stop 90 percent or more of the most common threats, which are cataloged as signatures as soon as they are discovered anywhere in the world.
Running without antivirus on any endpoint today is practically cyber-suicide. But antivirus is not perfect. Most advanced and targeted threats are written to fly under the radar of antivirus, sometimes using previously unknown tactics that have not yet been cataloged as signatures.
In this cat-and-mouse game, which is so heated because endpoints are so important to both attackers and defenders, cybersecurity companies came up with ways to catch malware that tries to avoid traditional antivirus or other signature-based protection. One of the most popular technologies is sandboxing, which forces suspected programs to run inside a virtualized environment so that their behaviors and patterns can be observed. If malicious intent is found in a program, it can be analyzed, captured and ultimately killed.
But the battle rages on. Many malware programs these days have features that allow them to detect the presence of a sandbox or other protections beyond antivirus. Once any of these advanced defenses are detected, the malware can take steps to cloak itself, essentially lying about its true intentions until it is released back into a real environment, or simply destroying itself to prevent the collection of data about its creators, who will inevitably try again later.
It is this new breed of environmentally aware threat that the Minerva Anti-Evasion Platform targets on endpoints. The idea is that most ordinary threats will be blocked by traditional antivirus, and Minerva will stop anything that attempts to get around that protection. In fact, Minerva officials stress that their toolset won't protect anything without some type of antivirus installed first. It is designed to work with any antivirus program, including Windows Defender and any of the offerings from companies like Symantec, McAfee, AVG, TrendMicro and others.
The Minerva protection is installed as software, with the main interface and console running either locally on a customer's server or hosted in the cloud. Our test deployment ran on a physical server. Once installed, the program pushes agents out to every endpoint that needs to be protected. The agents are very lightweight, with each one taking up about 24 megabytes.