451 and cylance - the roadmap to better endpoint security


Upload: adrian-sanabria

Post on 22-Jan-2018


TRANSCRIPT

Why is malware so difficult to defeat?

• We no longer have one perimeter: we have many

• Market currently unstable (still consolidating)

• Endpoint is a blind spot

• Blaming the user (aka “stop clicking links”)

• Discarding useful tech because it couldn’t solve the problem by itself

• Many, many more...

Why is the endpoint important?

1. This is where work happens

2. One of the easiest paths into a company

3. BYOD and ShadowIT are unsolved problems

How I see the market

• Prevention (pre-execution)

• Detection and Data Collection (post-execution)

• Platform Hardening

80+ vendors, roughly a 50/50 split between complementary and primary products

Buzzword Bingo: NGAV and EDR definitions

NGAV: The ability to stop threats without prior knowledge of them

EDR: Endpoint Data Recorder (a slight acronym modification)

Endpoint categories: What’s driving them?

NGAV

NEED: a better malware mousetrap

WHAT: Automated detection of unknown threats

WHY: auto-generated malware gets through

EDR

NEED: endpoint visibility; serious blind spot otherwise

WHAT: Record detailed endpoint data

WHY: detect attacks that defeat 1st layers of defense

Hardening

NEED: More permanent, resilient solutions

WHAT: Wide variety of approaches

WHY: Passive defenses reduce pressure on frontline defenses

Remediation

NEED: Contain and clean up threats

WHAT: Containment and automated remediation

WHY: Reduce expense and labor of dealing with threats

My roadmap for the industry

1. Build a better malware mousetrap

2. Threat-driven hardening

3. Detect/Stop Non-Malware attacks

4. Full-system visibility (EDR)

5. Data visibility

6. More resilient host

Ready for a Malware Relief Program?

Before we tackle the roadmap, let’s explore how we got into this fix...

Where did we go wrong?

$$$

1. Not enough root cause analysis

2. Not enough process improvement (if any)

3. Even when we do succeed, we force the attacker to change tactics.

Are we ready for that?

Step 1: Build a better mousetrap

MY definition for NGAV

The ability to detect and stop threats without prior knowledge of them

What is prior knowledge?

• Signatures

• IoCs

• Malware analysis sandbox

• Blacklisting

Most common NGAV strategies

• Machine learning models

• Static behavior analysis

• Dynamic behavior analysis

Step 2: Threat-driven hardening

Most infections occur due to vulnerabilities in a handful of apps, like:

1. The Java browser plugin

2. Flash

3. Browsers

4. Operating Systems

5. MS Office

The Point: You don’t have to fix EVERYTHING. Fix the things most likely to result in malware infections first.

Threat Intel* → Root-cause analysis → Process Improvement

* Not the “here’s 1 billion hashes and IP addresses, good luck” ‘threat intel’. We’re talking high level, “

Step 3: Stop and detect non-malware attacks

Step 4: Full system visibility (EDR)

Why EDR? Blind spots.

• Endpoint

• East-West Traffic

• Cloud/SaaS Data

EDR: Endpoint Detection and Response

Many use cases:

• detection

• forensics

• incident response

• source for automation event triggers

Ultimately, EDR is a sensor that provides rich, forensic data before you need it

Examples: Ransomware prevention

1. Kill any process attempting to stop the volume shadow service (VSS)

2. If a powershell or CMD process is created shortly after opening an office document, inspect and/or quarantine the office document.

3. Create a folder sure to be the first in an alphabetical list (__aardvarks). Trigger a containment action (e.g. isolate machine) when it is touched.
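The three rules above written out as a small event-correlation detector, as an added example that is not part of the original deck or any vendor’s product. The event schema, host names, PIDs, file paths and the 30-second Office-to-shell window are constructed assumptions; a real EDR sensor emits a different schema, and the actions here are only returned, not executed.

```python
"""Toy detection rules for the three ransomware-prevention examples.

Added illustration, not code from the deck or from any vendor. The Event
schema, hosts, PIDs, paths and the 30-second window are constructed
assumptions; a real EDR sensor's record format will differ.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One sensor record: a process creation or a file write."""
    ts: float          # seconds (constructed timestamps)
    kind: str          # "process" or "file"
    host: str
    pid: int = 0
    ppid: int = 0
    image: str = ""    # executable file name, lowercase
    cmdline: str = ""
    path: str = ""     # file events only


@dataclass(frozen=True)
class Action:
    rule: str
    action: str        # "kill", "quarantine" or "isolate"
    target: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
CANARY_DIR = "__aardvarks"           # the deck's "first in the list" folder
OFFICE_TO_SHELL_WINDOW = 30.0        # seconds; assumed tuning value

# Rule 1: service-control commands aimed at the Volume Shadow Copy service.
VSS_STOP = re.compile(r"\b(?:sc|net)(?:\.exe)?\s+stop\s+vss\b", re.I)
# Rule 2 helper: the document an Office process was launched with.
DOC_ARG = re.compile(r'"([^"]+\.(?:docm?|docx|xlsm?|xlsx|pptm?|pptx))"', re.I)


class Detector:
    def __init__(self, window: float = OFFICE_TO_SHELL_WINDOW) -> None:
        self.window = window
        # (host, pid) -> (start time, document path) of Office launches seen
        self.office: Dict[Tuple[str, int], Tuple[float, str]] = {}

    def handle(self, ev: Event) -> List[Action]:
        out: List[Action] = []
        if ev.kind == "process":
            # Rule 1: kill anything trying to stop VSS.
            if VSS_STOP.search(ev.cmdline):
                out.append(Action("vss-stop", "kill", f"{ev.host}:{ev.pid}"))
            if ev.image in OFFICE_APPS:
                m = DOC_ARG.search(ev.cmdline)
                self.office[(ev.host, ev.pid)] = (ev.ts, m.group(1) if m else "")
            elif ev.image in SHELLS:
                # Rule 2: shell whose parent is an Office app started recently.
                parent = self.office.get((ev.host, ev.ppid))
                if parent and 0 <= ev.ts - parent[0] <= self.window:
                    doc = parent[1] or f"{ev.host}:{ev.ppid}"
                    out.append(Action("office-spawns-shell", "quarantine", doc))
        elif ev.kind == "file":
            # Rule 3: any write under the canary folder isolates the host.
            parts = [p.lower() for p in re.split(r"[\\/]", ev.path)]
            if CANARY_DIR in parts:
                out.append(Action("canary-touch", "isolate", ev.host))
        return out

    def run(self, events: List[Event]) -> List[Action]:
        actions: List[Action] = []
        for ev in sorted(events, key=lambda e: e.ts):
            actions.extend(self.handle(ev))
        return actions


# Constructed event stream: one infected workstation and two benign cases.
SAMPLE_EVENTS = [
    Event(100.0, "process", "ws01", pid=4100, ppid=900, image="winword.exe",
          cmdline='"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
                  '/n "C:\\Users\\alice\\Downloads\\invoice.docm"'),
    Event(104.5, "process", "ws01", pid=4180, ppid=4100, image="powershell.exe",
          cmdline="powershell.exe -NoProfile"),
    Event(130.0, "process", "ws01", pid=4200, ppid=4180, image="cmd.exe",
          cmdline="cmd.exe /c sc stop vss"),
    Event(131.0, "file", "ws01",
          path="C:\\Users\\alice\\Documents\\__aardvarks\\canary.txt"),
    # Benign: a shell started from Explorer, not from an Office app.
    Event(200.0, "process", "ws02", pid=5000, ppid=1200, image="cmd.exe",
          cmdline="cmd.exe"),
    # Benign: Office idle for minutes before the user opens a shell (outside window).
    Event(300.0, "process", "ws03", pid=6000, ppid=800, image="excel.exe",
          cmdline='"EXCEL.EXE" "C:\\data\\q1.xlsx"'),
    Event(400.0, "process", "ws03", pid=6050, ppid=6000, image="powershell.exe",
          cmdline="powershell.exe"),
]


def demo() -> List[Action]:
    return Detector().run(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(f"{a.rule:22s} -> {a.action:10s} {a.target}")
```

Rule 2 is the one that needs state: the detector remembers each Office launch and only fires when the shell’s parent PID is one of those launches inside the window, so the two benign streams (a shell started from Explorer, and a shell opened long after Excel started) produce no action. The window and the parent-child linkage are where false positives are tuned in practice.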

Step 5: Data visibility

7 million records?

7000 records?

7 records?

Nothing?

No clue = assume the worst

What was breached?

Step 6: A more resilient endpoint

Prevention: AV/NGAV versus Hardening

Think of AV/NGAV as active prevention, whereas hardening is passive.

AV/NGAV knows it prevented something; a more hardened system may not.

Example?

What about recovery???

What about remediation and response?

• Remediation = cleaning up after the attack

• Containment = isolating the incident

• Automated Endpoint Remediation: can we stop reimaging PCs yet???

Post-Roadmap: Malware is solved! Right?

Solving malware = solving endpoint security?

[Chart: share of breaches by category (Error, Hacking, Malware, Misuse, Social), 2012 through 2014, y-axis 0% to 40%]

How big a part of the breach problem is malware?

15% in 2012

24% in 2013

33% in 2014

Source: Verizon Enterprise Solutions

What are your endpoint security pain points and goals?

Pain Points

1. Cleaning up infections 24/7

2. Catch attacks that bypass preventative controls

3. Catch/prevent non-malware threats

4. Catch insider threats

5. Did a breach actually occur?

Goals

1. Better prevention; hardening

2. Better detective controls, better endpoint visibility

3. Better endpoint visibility; hardening

4. Better endpoint visibility

5. Visibility into file movement, data exfiltration

Recommendations

1. Think through and act out worst-case scenarios

2. (Combined with #1) Test and fail repeatedly. Learn from failures.

3. Don’t turn security products to 11 until they’ve been thoroughly tested

4. Include security software/systems in your threat mapping

5. Don’t break the user.

6. Consider time-to-value and labor-to-value ratios

Adrian Sanabria

@sawaba
