by Jai Balasubramaniyan, Director of Product Management, ColorTokens Inc.
Traditional endpoint security control has always been about malware, threat analysis, and remediation. However, it is useless for an endpoint to be pristine and clear when it is unaware of the environment it is in as it will continue to get polluted even after cleanup. An endpoint protection solution myopically focused on files, sequences and malware residing on the endpoint without understanding the network it is part of, the user who sits behind the endpoint or the application they are trying to access from their endpoint, simply put, is missing the point.
The Endpoint security market is now at the cusp of a significant innovation and change. A next-generation endpoint security solution needs to be able to recognize the user behind the endpoint and what his/her behavior should be. Likewise, it would need to have a deep understanding of applications the user is trying to access, to ensure they have the right roles and access.
Traditionally some of these functions have been done by network security vendors. Unfortunately, they do not work well today’s scenario. The disappearing network perimeter and workloads migrating to the cloud has made perimeter security controls, like on-premise firewalls, limited in usefulness as they are simply not in the path of a lot of these communications. Similarly, the rising use of encryption will continue to make the network increasingly dark, as they cannot effectively decrypt traffic at high speeds.
Security vendors have tried to bridge this gap between the network, endpoint, user and application by bringing in a multitude of boxes in the network layer and a multitude of agents at the endpoint with the hope that they will talk to each other and solve the problem. But this has not happened till date.
Limitations of Current Endpoint Security Approaches
Endpoint security has traditionally been about comparing an endpoint with a signature in a database. The signature database was initially downloaded from a central server to a local server in the organization. Every endpoint would then check with this database to compare file-hashes on their system with signatures to determine if a file was malicious or not. As the signatures went into billions of hashes, databases started growing bigger and bigger and started moving to the cloud where a central database served as a repository to all known good and bad file hashes.
This did not solve the problem of zero-day malware which by-definition was a malicious file that has not been seen before, and hence does not have a hash in the cloud. To solve this problem, organizations started deploying machine learning and sandboxing solutions. Sandboxing solutions simply played or executed this zero-day-file that was not seen before in a safe environment where its behavior was analyzed to see if it displayed malicious behavior. Likewise, machine learning was used to look at files that have taken source code from a known exploit but changed the code a bit to create a new executable and hence a new hash. This form of attack, where you changed a known malware slightly to create a brand-new malware with a new hash value, but the source code was essentially the same, was called polymorphism.
The Birth of Endpoint Detection and Response (EDR)
The security industry changed with Operation Aurora, a series of cyber-attacks conducted against well-known technology companies by a nation state. Operation Aurora exploited a well-known vulnerability in Internet Explorer to spawn a PowerShell that could be used to execute commands on the target system. The earlier approach of checking file hashes would not have worked as Internet Explorer and PowerShell are legitimate commands; it is the sequence that is illegitimate. A browser could spawn another browser, it could spawn a music player but should not be spawning a power-shell under normal circumstances.
The rise of nation state attackers who kept infiltrating each other’s private enterprise and critical sectors such as finance and energy contributed to this trend.
Endpoint detection and response tools work by monitoring endpoint and network events and recording the information in a central database where further analysis, detection, investigation, reporting, and alerting take place. Endpoint Detection and Response solutions had four components:
- Detection
- Threat hunting
- Response & Remediation
- Managed Services
It all starts by recording everything at the endpoint – every file access, every registry call and every network connection was recorded from the endpoint and sent to the cloud. These actions were stitched together and scanned to see if there were malicious or suspicious sequences of activities, such as an internet browser spawning a PowerShell. Likewise, an attacker running port scans and scanning systems laterally using known windows utilities would evade signature defenses but be caught by an endpoint detection and response system as his behavior would trigger an alarm.
For effective detection, most EDR solutions provide threat hunting tools to scan all the endpoint data coming from millions of endpoints to see the spread of the infection or malicious intruder activity. They allow the administrator to then remediate the infected endpoint by providing tools such as a remote shell where the administrator can login to the infected endpoint and remove the malicious files.
However, EDR solutions also have certain limitations. Customers and solutions can get overwhelmed with the amount of data that needs to be recorded and analyzed to see malicious behavior. Remediation becomes increasingly hard. The volume of data will only increase as a company keeps adding headcount with more employees who generate more data. This is the reason why EDR solutions often package managed security services along with their product as regular customers are not able to handle the complexity of managing a Security Operations Center and personnel who can analyze this data.
Whitelisting, Blacklisting and Process Controls
A doctor rarely tells you to eat everything and then runs a series of tests to tell you what is wrong and prescribes medicines to control your ailment. Rather, (s)he asks you to avoid certain types of food which could make you sick. It is no different with security. Rather than allow the user to run every possible application and every possible sequence of commands and then check in the cloud whether a sequence was malicious or not, an alternate approach would be to simply stop the user from doing certain sequences of actions or running certain applications.
Whitelisting and Blacklisting techniques are extremely effective in fixed function devices and environments with limited change to the endpoints. Here, it would be much easier to simply analyze all the running processes, create a set of process controls and then lock the device down. With this approach, rather than scan the universe for all possible bad sequences, vendors prefer to lock down systems to known good behavior. In such an approach, any new process created outside the known list of allowed processes would trigger an alert or be blocked before execution. Likewise, any process which triggers a network connection other than the well-known utilities like a browser or a file transfer utility will trigger an alert or be stopped prior to execution.
Bringing It All Together – ColorTokens Approach to Security
At ColorTokens we want to bring the power back to endpoint and make it smarter. The endpoint is the start of any communication and therefore the best place to enforce security. We start by sitting at the endpoint, understanding the user who is at the endpoint, understanding his/her access permissions, understanding what applications (s)he uses, and of course all the files (s)he downloads as payload using these applications. The rest of the endpoint security is all about the last part where we focus on analyzing the files (s)he downloads into their endpoint and examining the malicious behavior of the payload.
ColorTokens RADAR360 performs the analysis of the files using traditional Endpoint Protection Controls. We record events to ensure that some malicious sequence is not skipped. However, we also add sophisticated whitelisting, blacklisting, and process controls. If a user is accessing a risky file-sharing application which ends up downloading malware into his system, we do not wait for it to happen and then try to recover like a traditional endpoint security solution. We bring in user and application context to the endpoint so it can quickly recognize this behavior as risky and stop it. We can always revert to the traditional endpoint security behavior of seeing the malware and cleaning it up or preventing its execution, but we first and foremost try to stop bad behavior from happening.
The ColorTokens platform can be deployed across any endpoint or workload in the cloud (Amazon, Azure and other vendors) and brings the complete network and endpoint context in one simple, easy to use solution.
About the Author
Jai Balasubramaniyan is the Director of Product Management at ColorTokens Inc. He has been instrumental in creating award winning Enterprise Security Products at Cisco, Trend Micro, Check Point, Zscaler, Gigamon, CrowdStrike and ColorTokens. Jai was the architect and developer of the Cisco Router Firewall and led the creation and launch of DMVPN solution winning the Pioneer Award, Cisco’s highest technology award. He has also led Product Management of Trend Micro Deep Discovery Solution which won the NSS Lab tests for highest efficacy and Gigamon Security Delivery Platform. Jai has several patents and publications in the security field. He has a Masters in Computer Science from Purdue University and an MBA from the Kellogg School of Management. Jai can be reached online at [email protected] and at our company website https://colortokens.com/