Thinking Outside the Suite: Adding Anti-Evasive Strategies to Endpoint Security

Friday, November 03, 2017

Eddy Bobritsky


Despite ever-increasing investments in information security, endpoints are still the most vulnerable part of an organization’s technology infrastructure. In a 2016 report with Rapid7, IDC estimates that 70% of attacks start from the endpoint. Sophisticated ransomware exploded into a global epidemic this year, and other forms of malware exploits, including mobile malware and malvertising, are also on the rise.


The only logical conclusion is that existing approaches to endpoint security are not working. As a result, security teams are exposed to mounting, multifaceted challenges due to the ineffectiveness of their current anti-malware solutions, large numbers of security incidents requiring costly and intensive response, and added pressure from the board to undergo risky and expensive “rip and replace” endpoint security procedures.


Current endpoint security solutions employ varying approaches. Some restrict the actions that legitimate applications can take on a system, others aim to prevent malicious software from running, and some monitor activity for incident investigations. The challenge for most IT department heads is finding the right balance of solutions that will work for their particular business.


Endpoint Protection Platforms (EPP), usually offered by established endpoint security vendors, promote the benefits of packaging endpoint control, anti-malware, and detection and response all in one agent, managed from one console. While EPP suites can be useful and practical, it’s important to understand their limitations. For starters, a “suite” does not always mean the products are integrated — you may end up with one vendor but multiple agents and management consoles. Second, no single vendor offers the best-in-breed or best-for-your-business options for all the component solutions. If you adopt the EPP approach, be aware that you will be making trade-offs of some sort. Finally, it is likely that even after going through the painful process of deploying a full endpoint protection suite, it will still fail to prevent many attacks.


All these solutions, whether installed separately or as a suite, produce alerts. Many work by finding attacks that have already “landed” to some degree. This means your team will be busy (if not overwhelmed) sorting through the alerts for priority threats, investigating incidents, and remediating any intrusions. This can lead to inefficiencies and escalating staffing requirements, which will quickly wipe out any cost savings you hoped would come from installing bundled solutions.


In the end, it is imperative to understand the strengths and weaknesses within each suite and evaluate whether a best-of-breed or “suite-plus” approach offers better protection for your investment — this is often the case. EPP implementation can help companies consolidate vendors in order to reduce administrative overhead and licensing costs. It may also help minimize complexity and reduce the impact on operations, end-users, and business agility. But none of this matters much if the shortcomings of the platform end up introducing unacceptable levels of risk, draining staff resources, or constraining productivity and agility.


For example, it’s important to recognize that accepting the low detection rates of your conventional antivirus solution also means accepting the high likelihood of a breach. That’s because there is one critical factor most platforms don’t adequately address: unknown malware that has been designed specifically to evade existing defenses. Innovative endpoint defense strategies have emerged that allow you to block evasive malware, regardless of whether there is a known signature, behavior pattern, or machine learning model. This is achieved through the creative use of deceptive tricks that control how the malware perceives its environment.

Endpoint defense solutions that can neutralize evasive malware use three primary strategies: creating a hostile environment, preventing injection through deception, and restricting document executable capabilities. All three strategies contain and disarm the malware before it ever unpacks or puts down roots. 

To create a hostile environment, the malicious program is tricked into believing the environment is not safe for execution, resulting in the malware suspending or terminating its execution. To prevent malicious software from hiding in legitimate processes, the malware is deceived into registering that memory space is unavailable, so it never establishes a foothold on the device. To block malicious actions initiated by document files (via macros, PowerShell, and other scripts), the malware is tricked into registering that system resources like shell commands are not accessible.
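The three strategies above can be thought of as one interception layer that sits between a process and the operating system and answers three kinds of request: environment probes, memory allocation in another process, and child-process creation from a document handler. The following Python is an added model of that layer; it is not code from the article or from Minerva Labs, and the method names (`probe_environment`, `allocate_in_process`, `spawn_child`), the process-name lists, and the event trace are all constructed for illustration. A real agent would hook the underlying OS calls rather than receive text events, but the decision logic a defender cares about is the same.

```python
"""Toy model of the three anti-evasion strategies as an interception layer.

Constructed illustration, not a vendor's code. A real agent hooks the
operating-system calls; here the hooks are plain Python methods with
hypothetical names (probe_environment, allocate_in_process, spawn_child).
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Assumption: document handlers and script interpreters an agent would treat
# as a suspicious parent/child pairing. Constructed lists, not a product's.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SHELL_INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Decision:
    blocked: bool    # True when the layer deceived or refused the caller
    strategy: str    # which strategy fired, or "none"
    response: str    # what the calling process is told
    detail: str      # human-readable record for the analyst


class AntiEvasionLayer:
    """Answers three request types; every deception is also recorded as an alert."""

    def __init__(self) -> None:
        self.alerts: list[Decision] = []

    def _deceive(self, strategy: str, response: str, detail: str) -> Decision:
        d = Decision(True, strategy, response, detail)
        self.alerts.append(d)
        return d

    # Strategy 1: hostile environment. Whatever analysis artefact the process
    # probes for is reported as present, so code that refuses to run under
    # analysis suspends or exits on its own.
    def probe_environment(self, process: str, artefact: str) -> Decision:
        return self._deceive("hostile-environment", "present",
                             f"{process} probed for '{artefact}'")

    # Strategy 2: injection deception. Allocating in the requester's own address
    # space is normal; a request aimed at another process is told "unavailable".
    def allocate_in_process(self, requester: str, target: str, nbytes: int) -> Decision:
        if requester == target:
            return Decision(False, "none", "ok", f"{requester} allocated {nbytes} bytes locally")
        return self._deceive("injection-deception", "unavailable",
                             f"{requester} asked for {nbytes} bytes in {target}")

    # Strategy 3: document executable restriction. A document handler asking for
    # a shell or script interpreter is told the resource is not accessible.
    def spawn_child(self, parent: str, child: str, cmdline: str) -> Decision:
        if parent.lower() in DOCUMENT_HANDLERS and child.lower() in SHELL_INTERPRETERS:
            return self._deceive("document-restriction", "inaccessible",
                                 f"{parent} tried to start {child} ({cmdline})")
        return Decision(False, "none", "ok", f"{parent} started {child}")


# Constructed event trace in a simple key=value format (quotes allowed for
# values containing spaces); a real agent sees hooked calls, not text.
SAMPLE_EVENTS = """\
probe process=invoice.exe artefact=vmware_tools
alloc requester=notepad.exe target=notepad.exe bytes=4096
alloc requester=invoice.exe target=explorer.exe bytes=65536
spawn parent=winword.exe child=powershell.exe "cmdline=-EncodedCommand AAAA"
spawn parent=explorer.exe child=notepad.exe cmdline=report.txt
"""


def replay(events: str, layer: AntiEvasionLayer) -> list[Decision]:
    """Parse the trace and route each event through the layer, in order."""
    results: list[Decision] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        kind, *fields = shlex.split(line)
        kv = dict(f.split("=", 1) for f in fields)
        if kind == "probe":
            results.append(layer.probe_environment(kv["process"], kv["artefact"]))
        elif kind == "alloc":
            results.append(layer.allocate_in_process(kv["requester"], kv["target"], int(kv["bytes"])))
        elif kind == "spawn":
            results.append(layer.spawn_child(kv["parent"], kv["child"], kv["cmdline"]))
        else:
            raise ValueError(f"unknown event type: {kind}")
    return results


if __name__ == "__main__":
    layer = AntiEvasionLayer()
    for d in replay(SAMPLE_EVENTS, layer):
        print(f"{'BLOCK' if d.blocked else 'allow':5} {d.strategy:22} -> {d.response:12} {d.detail}")
    print(f"{len(layer.alerts)} alerts recorded")
```

Two points the model makes visible: the legitimate events (a process allocating in its own address space, a file manager opening an editor) pass untouched, which is why the article can claim no added investigation overhead, and every deception is also an alert, which is the "threat intelligence" on previously unknown samples the text mentions later. The weak spot of the model is the first strategy: answering every probe with "present" also affects legitimate software that checks for the same artefacts, so a real deployment needs an allow-list or a narrower set of artefacts than this toy uses.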

These new strategies reduce risk without requiring increased overhead (nothing malicious installed, so nothing to investigate) or replacement of existing solutions. Anti-evasion solutions work alongside installed AV solutions to provide an added layer of protection against sophisticated malware and ransomware. The threat intelligence they produce (identifying previously unknown malware exploits) enhances your overall security program. In addition, because incident responders have fewer alerts and incidents to sort through, they can focus their expertise on high-priority threats and investigating attacks where the intruder has already gained access to the network.

Working smarter is key to managing the growing and ever-shifting challenges and responsibilities faced by security teams. Reducing workload and manual processes while reducing risk is a tough balancing act. Ongoing cyber security talent shortages combined with multiplying threat vectors make effective automated defenses a critical priority. Getting the most value out of your security budget and skilled experts requires neutralizing threats upfront, preventing as many attacks as possible, and developing automated threat management processes. It’s essential to cover gaps and shortcomings, augmenting existing endpoint security by layering on innovative, focused solutions. Given the recent surge of virulent, global malware and ransomware, anti-evasion defenses are a smart place to start.

About the author: Eddy Bobritsky is the CEO and Co-Founder of Minerva Labs, an endpoint security and anti-evasion technology solution provider. He is a cyber and information security domain expert. Before founding Minerva, Eddy was a senior cyber security consultant for the defense and financial sectors.
