451 and Cylance - The Roadmap to Better Endpoint Security
TRANSCRIPT
Why is malware so difficult to defeat?
• We no longer have one perimeter: we have many
• Market currently unstable (still consolidating)
• Endpoint is a blind spot
• Blaming the user (aka “stop clicking links”)
• Discarding useful tech because it couldn’t solve the problem by itself
• Many, many more...
Why is the endpoint important?
1. This is where work happens
2. One of the easiest paths into a company
3. BYOD and ShadowIT are unsolved problems
How I see the market
• Prevention (pre-execution)
• Detection and Data Collection (post-execution)
• Platform Hardening
80+ vendors, split roughly 50/50 between complementary and primary products
Buzzword Bingo: NGAV and EDR definitions
NGAV: The ability to stop threats without prior knowledge of them
EDR: Endpoint Data Recorder (a slight acronym modification)
Endpoint categories: What’s driving them?
NGAV
NEED: a better malware mousetrap
WHAT: Automated detection of unknown threats
WHY: auto-generated malware gets through
EDR
NEED: endpoint visibility; serious blind spot otherwise
WHAT: Record detailed endpoint data
WHY: detect attacks that defeat 1st layers of defense
Hardening
NEED: More permanent, resilient solutions
WHAT: Wide variety of approaches
WHY: Passive defenses reduce pressure on frontline defenses
Remediation
NEED: Contain and clean up threats
WHAT: Containment and automated remediation
WHY: Reduce expense and labor of dealing with threats
My roadmap for the industry
1. Build a better malware mousetrap
2. Threat-driven hardening
3. Detect/Stop Non-Malware attacks
4. Full-system visibility (EDR)
5. Data visibility
6. More resilient host
Ready for a Malware Relief Program?
Before we tackle the roadmap...
let’s explore how we got into this fix...
Where did we go wrong?
1. Not enough root cause analysis
2. Not enough process improvement (if any)
3. Even when we do succeed, we force the attacker to change tactics.
Are we ready for that?
MY definition for NGAV
The ability to detect and stop threats without prior knowledge of them
What is prior knowledge?
• Signatures
• IoCs
• Malware analysis sandbox
• Blacklisting
Most common NGAV strategies
• Machine learning models
• Static behavior analysis
• Dynamic behavior analysis
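The contrast between "prior knowledge" (signatures, IoCs, blacklists) and the most common NGAV strategy of static behaviour analysis, as an added example that is not part of the original deck. All three samples are constructed byte strings standing in for files, the indicator weights and threshold are illustrative assumptions, and the only point demonstrated is that an exact-hash blacklist misses a file that differs by one byte while a static heuristic built on extracted strings still scores it.

```python
"""Added example (not from the 451/Cylance deck): prior-knowledge matching
versus static behaviour analysis on constructed samples."""
import hashlib

# Constructed stand-in for a suspicious binary: a fake header plus the
# kind of strings a static analyser would extract from it.
SAMPLE_KNOWN = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"vssadmin delete shadows /all /quiet\x00"
    + b"CryptEncrypt\x00"
    + b"YOUR FILES HAVE BEEN ENCRYPTED\x00"
)
# Same payload with one appended byte: the hash changes, the behaviour does not.
SAMPLE_VARIANT = SAMPLE_KNOWN + b"\x00"
# Constructed benign file with none of the indicators.
SAMPLE_BENIGN = b"MZ\x90\x00" + b"\x00" * 16 + b"GetVersionExW\x00Hello, world\x00"

# "Prior knowledge": the blacklist only ever learned the original sample.
BLACKLIST = {hashlib.sha256(SAMPLE_KNOWN).hexdigest()}

# Static behaviour indicators with illustrative weights (assumed values).
INDICATORS = {
    b"vssadmin": 3,        # shadow-copy tampering
    b"delete shadows": 3,
    b"CryptEncrypt": 2,    # bulk-encryption API
    b"ENCRYPTED": 2,       # ransom-note wording
}
THRESHOLD = 5


def blacklist_hit(blob: bytes) -> bool:
    """Signature/IoC style check: exact SHA-256 lookup."""
    return hashlib.sha256(blob).hexdigest() in BLACKLIST


def static_score(blob: bytes) -> int:
    """Sum the weights of every indicator string present in the file."""
    return sum(weight for indicator, weight in INDICATORS.items() if indicator in blob)


def static_verdict(blob: bytes) -> bool:
    """Static behaviour analysis: flag when the score reaches the threshold."""
    return static_score(blob) >= THRESHOLD


def classify(blob: bytes) -> dict:
    """Run both approaches on one file and return their verdicts side by side."""
    return {
        "blacklist": blacklist_hit(blob),
        "static_score": static_score(blob),
        "static": static_verdict(blob),
    }


if __name__ == "__main__":
    for name, blob in [("known", SAMPLE_KNOWN), ("variant", SAMPLE_VARIANT), ("benign", SAMPLE_BENIGN)]:
        print(name, classify(blob))
```

Run as a script and the "known" sample is caught by both methods, the "variant" only by the static score, and the benign file by neither; a real static analyser would extract imports, section entropy and similar features rather than raw substrings, but the dependency on prior knowledge is the same.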
Step 2: Threat-driven hardening
Most infections occur due to vulnerabilities in a handful of apps, like:
1. The Java browser plugin
2. Flash
3. Browsers
4. Operating Systems
5. MS Office
The Point: You don’t have to fix EVERYTHING. Fix the things most likely to result in malware infections first.
Threat Intel*
Root-cause analysis
Process Improvement
* Not the “here’s 1 billion hashes and IP addresses, good luck” ‘threat intel’. We’re talking high level, “
EDR: Endpoint Detection and Response
Many use cases:
• detection
• forensics
• incident response
• source for automation event triggers
Ultimately, EDR is a sensor that provides rich, forensic data before you need it
Examples: Ransomware prevention
1. Kill any process attempting to stop the volume shadow service (VSS)
2. If a powershell or CMD process is created shortly after opening an office document, inspect and/or quarantine the office document.
3. Create a folder sure to be the first in an alphabetical list (__aardvarks). Trigger a containment action (e.g. isolate machine).
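The three rules above expressed as detection logic over an EDR-style event stream, as an added example that is not part of the original deck or any vendor's product. The event format, the 60-second window for "shortly after", the canary path and the sample events are all constructed assumptions; the code only decides which rule fired and which response action the slide pairs with it.

```python
"""Added example (not from the 451/Cylance deck): the slide's three
ransomware-prevention rules as detection logic over constructed endpoint
process-creation and file events."""
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
CANARY_DIR = r"c:\users\alice\documents\__aardvarks"   # constructed canary folder
SHELL_AFTER_OFFICE_SECS = 60.0                          # assumption for "shortly after"


@dataclass
class Event:
    ts: float            # seconds (constructed clock)
    kind: str            # "process" (creation) or "file" (write/rename)
    image: str = ""      # process image name
    cmdline: str = ""
    parent: str = ""     # parent image name
    pid: int = 0
    path: str = ""       # file path for file events


@dataclass
class Alert:
    rule: str
    action: str
    ts: float
    detail: str


def targets_vss(cmdline: str) -> bool:
    """Rule 1: command lines that stop the VSS service or wipe shadow copies."""
    c = cmdline.lower()
    return (
        ("vssadmin" in c and "delete shadows" in c)
        or ("net stop" in c and "vss" in c)
        or ("sc stop" in c and "vss" in c)
        or ("wmic" in c and "shadowcopy" in c and "delete" in c)
    )


def evaluate(events: List[Event]) -> List[Alert]:
    """Replay events in time order and return the alerts the three rules raise."""
    alerts: List[Alert] = []
    office_started: Dict[str, Event] = {}   # office image -> most recent creation event
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "process":
            image = e.image.lower()
            if targets_vss(e.cmdline):
                alerts.append(Alert("vss-tamper", "kill-process", e.ts, f"pid {e.pid}: {e.cmdline}"))
            if image in OFFICE_APPS:
                office_started[image] = e
            if image in SHELLS:
                # Rule 2: shell whose parent is an Office app, or that starts
                # within the window after an Office app was opened.
                src: Optional[Event] = office_started.get(e.parent.lower())
                if src is None:
                    recent = [o for o in office_started.values()
                              if 0 <= e.ts - o.ts <= SHELL_AFTER_OFFICE_SECS]
                    src = max(recent, key=lambda o: o.ts) if recent else None
                if src is not None:
                    alerts.append(Alert("shell-after-office", "quarantine-document", e.ts,
                                        f"{e.image} after {src.image}: {src.cmdline}"))
        elif e.kind == "file":
            # Rule 3: any write or rename under the canary folder.
            if e.path.lower().startswith(CANARY_DIR.lower() + "\\"):
                alerts.append(Alert("canary-touched", "isolate-host", e.ts, e.path))
    return alerts


# Constructed sample stream: one Office-launched shell, one shadow-copy wipe,
# one canary hit, then two benign events that must not alert.
SAMPLE_EVENTS = [
    Event(100.0, "process", "WINWORD.EXE", "WINWORD.EXE /n invoice.docm", "explorer.exe", 10),
    Event(103.5, "process", "powershell.exe", "powershell.exe -NoProfile -File update.ps1", "WINWORD.EXE", 11),
    Event(104.0, "process", "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", "powershell.exe", 12),
    Event(104.5, "file", path=CANARY_DIR + r"\quarterly.xlsx.locked"),
    Event(500.0, "process", "cmd.exe", "cmd.exe /c dir", "explorer.exe", 20),
    Event(501.0, "file", path=r"c:\users\alice\documents\notes.txt"),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a.ts:6.1f} {a.rule:20} -> {a.action:20} {a.detail}")
```

The rule-to-action mapping is the point of the slide: rule 1 terminates the process, rule 2 hands the originating document to inspection or quarantine, and rule 3 escalates straight to containment because nothing legitimate should touch the canary folder. In a real deployment each action would be issued through the EDR agent's response API, and the 60-second window would be tuned against the environment's false-positive rate.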
Prevention: AV/NGAV versus Hardening
Think of AV/NGAV as active prevention, whereas hardening is passive.
AV/NGAV knows it prevented something; a more hardened system may not.
Example?
What about remediation and response?
• Remediation = cleaning up after the attack
• Containment = isolating the incident
• Automated Endpoint Remediation: can we stop reimaging PCs yet???
Solving malware = solving endpoint security?
[Chart: share of breaches by threat action, 2012 to 2014; series: Error, Hacking, Malware, Misuse, Social; y-axis 0% to 40%]
How big a part of the breach problem is malware?
15% in 2012
24% in 2013
33% in 2014
Source: Verizon Enterprise Solutions
What are your endpoint security pain points and goals?
Pain Points
1. Cleaning up infections 24/7
2. Catch attacks that bypass preventative controls
3. Catch/prevent non-malware threats
4. Catch insider threats
5. Did a breach actually occur?
Goals
1. Better prevention; hardening
2. Better detective controls, better endpoint visibility
3. Better endpoint visibility; hardening
4. Better endpoint visibility
5. Visibility into file movement, data exfiltration
Recommendations
1. Think through and act out worst-case scenarios
2. (Combined with #1) Test and fail repeatedly. Learn from failures.
3. Don’t turn security products to 11 until they’ve been thoroughly tested
4. Include security software/systems in your threat mapping
5. Don’t break the user.
6. Consider time-to-value and labor-to-value ratios