Endpoint security used to be so simple: you purchase an anti-malware scanner, install across your endpoints, and you were protected. Not anymore. However, the days of simple endpoint protection are over. Scanning and screening for malware has become a very complex process, and most traditional anti-malware tools only find a small fraction of potential infections. The attackers have gotten more sophisticated, and so too must the endpoint detection and response (EDR) tools, which need to find more subtle exploits, even ones that don’t leave many fingerprints.
This week, I review of ten different endpoint detection and response (EDR) tools for Network World magazine. You can read the complete review package here.
I spent several months running Outlier Security, Cybereason, Sentinel One, Stormshield SES, ForeScout CounterAct, Promisec PEM, Countertack Sentinel, CrowdStrike Falcon Host, Guidance Software Encase, and Comodo Advanced Endpoint Protection. From this experience, I came up with a series of broad trends:
Virus signatures are passé. Creating a virus with a unique signature is child’s play, thanks to the nearly automated virus construction kits that have filled the Internet over the past several years. Instead, many of these products tap into security news feeds that report on the latest attacks such as VirusTotal.com and other reputation management services.
Second, tracking executable programs is also so last year. In the old days of malware, exploits typically had some kind of payload or residue that they left on an endpoint: a file, a registry key or whatnot. Then the bad guys graduated to run their business just in memory, leaving little trace of their activity, or hide inside PDFs or Word documents, or would force your Web browser to a phished site that contained Java-based exploits. Today’s hackers have become more sophisticated, using Windows Powershell commands to set up a remote command shell, pass a few text commands, and compromise a machine without leaving much of a trace on an endpoint.
Many products can track privilege escalation or other credential spoofing. Modern attackers try to penetrate your network with a legit user credential that uses a default setting when you installed SQL Server or some other product, and then escalate to a domain administrator or other more significant user with greater network rights.
Insider threats are more pernicious, and blocking them has become more compelling. One of the reasons why traditional anti-virus protection has failed is because attackers can gain access to your internal network and do damage from a formerly trusted endpoint. To block this kind of behavior, today’s tools need to map the internal or lateral network movement so you can track down what PCs were compromised and neutralize them before your entire network falls into the wrong hands.
In addition to insider threats, data exfiltration is more popular than ever. Moving private user data, or confidential customer information, out of your network is the name of the game today. Look no further than Sony or Target to see the harm of making public some of their data as examples of what the EDR tool has to deal with now.
Many tools are using big data and cloud-based analytics to track actual network behavior. One of the reasons why the sensors and agents are so compact is that most of the heavy lifting of these tools happens in the cloud, where they can bring to bear big data techniques and data visualization to identify and block a potential attack.
The variety of approaches is stunning, and worth a closer look at these tools, to see if you can leverage one or more of them to better protect your endpoints.