Endpoint security is dead. Long live endpoint security!

It’s easy to believe endpoint security is dead, given the failings of antivirus offerings to counter prevalent threats.

Today’s attacks are auto-created from malware factories, using exploit kits to churn out hundreds of thousands of variants of malware a day that are virtually guaranteed to defeat legacy defenses.  

In this swarm of kitted malware run by organized cyber miscreants, actual advanced threat actors slip by unnoticed.  Today, antivirus and legacy security products are being kept alive by outdated compliance mandates and a “nobody got fired for buying antivirus” mentality.  Eventually, they will get fired -- if that’s all they do.

We hear a lot of talk these days about “advanced attacks,” but the truth is everything seems advanced when you compare today’s attacks to the detection and prevention capabilities of legacy security tools! What can a modern enterprise security team do to protect their endpoints from conventional attacks as well as the real advanced stuff coming from motivated adversaries?

While it’s popular in security to point out problems, we believe it is equally important to talk about solutions, and more important to bring them to market. To this end, we believe the right strategy for countering enterprise threats is Contain, Identify, and Control.

Contain Threats That Target Users

Prevention technology as a category has been saddled with a legacy of failure for well over a decade. In contrast, pioneering approaches like containerization are working. In Invincea’s case, we record huge numbers of “saves” against our customer base every month using a strategy of Containment.  These are attacks detected and blocked by our container solution after they’ve evaded all other security controls.

The good news for security teams trying to make sense of lots and lots of market noise is that this claim is easily verifiable – through daily reports on Twitter and published findings of global cyber threats, such as the recent Forbes.com watering hole attack and Fessleak malvertising campaign.

Our philosophy has always been that containment is the most reliable strategy to protect endpoints from compromise.  This architectural approach recognizes that anticipating the unknown is impossible.  

Simply put: users will click on malicious links, software will be vulnerable to attack, and exploits will happen.  But when they do, a containment solution can isolate, detect and kill the attack, so the adversary can neither access sensitive data nor gain a foothold in the enterprise.

Identify Compromise by Fusing Endpoint Sensing and Cloud Analytics

In security, “detection is the new black.” But the detection approaches we see today and the companies that created them rose from the ashes of failed prevention.  As a result, most new detection solutions are post-breach tools used to aid incident response teams. Many simply “record everything” on the endpoint, including complete images of the file system and memory.

If this sounds impractical and unaffordable, it is.  This approach effectively re-allocates part of the security budget to storage, while requiring considerably more labor to sift through massive data looking for the proverbial “ghost in the machine”.

The enterprise security teams we speak with are less interested in parsing alerts and sifting through data farms after a breach has happened. Rather, these “hunt teams” are focused on identifying compromised machines within minutes.

That’s why we approached the problem in a fundamentally different way. Rather than sifting through endless alerts, we identify compromised machines using a combination of endpoint sensing and cloud-based analysis.  The Identify strategy starts with this credo: Trust no program and verify everything, but do so in a computationally efficient way such that the end user and network are not affected.  Any program not already known by the enterprise to be “good” is quickly evaluated in the cloud against comprehensive databases of known-good and known-bad programs.

Where Invincea’s Identify approach truly excels is in its use of a groundbreaking malware analysis technology called Cynomix, which entered the commercial market after four years of DARPA-backed development in Invincea Labs.  Cynomix uses machine learning and capability clustering algorithms to identify whether suspicious programs are related to malware families, based on their “genetic markers” and mapping them to the cyber genome of malware.

Enable Response in a Timely Fashion via Control

Response is a natural outcome from successful Identification of compromised machines. But today, response happens an average of 205 days after the adversary has already compromised its target!

Security teams today are hungry for something more proactive, tools that that help them regain control and stay in front of threats.  They need corrective capabilities that can be applied quickly, easily and in proportion to both the threat severity and value of the compromised assets.  While this might sound like a dream, the approach becomes feasible when it can leverage technology with a privileged position on the endpoint.

And while protecting their own enterprise is any CISO’s primary goal, many we talk with believe that security is a community effort. Therefore, threat discovery needs to be shareable in standard formats to trusted communities of interest.

So is endpoint prevention dead?  Not by a long shot.  It’s simply maturing into a new model where Contain, Identify and Control capabilities reign.  Come visit us at RSA Conference booth S427 to see how it works!