Modern field guide to security and privacy

Endpoint security is dead. Long live endpoint security!

A solution to countering enterprise threats and advanced attacks? Invincea believes the right strategy is Contain, Identify, and Control.

It’s easy to believe endpoint security is dead, given the failings of antivirus offerings to counter prevalent threats.

Today’s attacks are auto-created from malware factories, using exploit kits to churn out hundreds of thousands of variants of malware a day that are virtually guaranteed to defeat legacy defenses.  

In this swarm of kitted malware run by organized cyber miscreants, actual advanced threat actors slip by unnoticed.  Today, antivirus and legacy security products are being kept alive by outdated compliance mandates and a “nobody got fired for buying antivirus” mentality.  Eventually, they will get fired -- if that’s all they do.

We hear a lot of talk these days about “advanced attacks,” but the truth is everything seems advanced when you compare today’s attacks to the detection and prevention capabilities of legacy security tools! What can a modern enterprise security team do to protect their endpoints from conventional attacks as well as the real advanced stuff coming from motivated adversaries?

While it’s popular in security to point out problems, we believe it is equally important to talk about solutions, and more important to bring them to market. To this end, we believe the right strategy for countering enterprise threats is Contain, Identify, and Control.

Contain Threats That Target Users

Prevention technology as a category has been saddled with a legacy of failure for well over a decade. In contrast, pioneering approaches like containerization are working. In Invincea’s case, we record huge numbers of “saves” against our customer base every month using a strategy of Containment.  These are attacks detected and blocked by our container solution after they’ve evaded all other security controls.

The good news for security teams trying to make sense of lots and lots of market noise is that this claim is easily verifiable – through daily reports on Twitter and published findings of global cyber threats, such as the recent Forbes.com watering hole attack and Fessleak malvertising campaign.

Our philosophy has always been that containment is the most reliable strategy to protect endpoints from compromise.  This architectural approach recognizes that anticipating the unknown is impossible.  

Simply put: users will click on malicious links, software will be vulnerable to attack, and exploits will happen.  But when they do, a containment solution can isolate, detect and kill the attack, so the adversary can neither access sensitive data nor gain a foothold in the enterprise.

Identify Compromise by Fusing Endpoint Sensing and Cloud Analytics

In security, “detection is the new black.” But the detection approaches we see today and the companies that created them rose from the ashes of failed prevention.  As a result, most new detection solutions are post-breach tools used to aid incident response teams. Many simply “record everything” on the endpoint, including complete images of the file system and memory.

If this sounds impractical and unaffordable, it is.  This approach effectively re-allocates part of the security budget to storage, while requiring considerably more labor to sift through massive data looking for the proverbial “ghost in the machine”.

The enterprise security teams we speak with are less interested in parsing alerts and sifting through data farms after a breach has happened. Rather, these “hunt teams” are focused on identifying compromised machines within minutes.

That’s why we approached the problem in a fundamentally different way. Rather than sifting through endless alerts, we identify compromised machines using a combination of endpoint sensing and cloud-based analysis.  The Identify strategy starts with this credo: Trust no program and verify everything, but do so in a computationally efficient way such that the end user and network are not affected.  Any program not already known by the enterprise to be “good” is quickly evaluated in the cloud against comprehensive databases of known-good and known-bad programs.

Where Invincea’s Identify approach truly excels is in its use of a groundbreaking malware analysis technology called Cynomix, which entered the commercial market after four years of DARPA-backed development in Invincea Labs. Cynomix uses machine learning and capability clustering algorithms to identify whether suspicious programs are related to malware families, based on their “genetic markers,” and maps them to the cyber genome of malware.

Enable Response in a Timely Fashion via Control

Response is a natural outcome from successful Identification of compromised machines. But today, response happens an average of 205 days after the adversary has already compromised its target!

Security teams today are hungry for something more proactive: tools that help them regain control and stay in front of threats. They need corrective capabilities that can be applied quickly, easily and in proportion to both the threat severity and the value of the compromised assets. While this might sound like a dream, the approach becomes feasible when it can leverage technology with a privileged position on the endpoint.

And while protecting their own enterprise is any CISO’s primary goal, many we talk with believe that security is a community effort. Therefore, threat discovery needs to be shareable in standard formats to trusted communities of interest.

So is endpoint prevention dead?  Not by a long shot.  It’s simply maturing into a new model where Contain, Identify and Control capabilities reign.  Come visit us at RSA Conference booth S427 to see how it works!
