Bufferzone shows how evolving endpoint protection can stay ahead of cyber crime

The least exciting and often 'boring' element of a cyber security strategy is endpoint protection, according to Greg Wyman, Bufferzone Security's chief for Australia and New Zealand.

He says: “Who cares about another AV, NGAV (Next Gen AV), EDR (endpoint detection and response) or MDR (managed endpoint detection and response) product?

Let's spend a minute or two understanding endpoint protection's evolution, as this is now critical to every organisation's cyber defence strategy."

Detection-based AV

For years, anti-virus has been the foundation of endpoint security. The model was reactive: a virus was discovered in the wild, and the AV companies frantically wrote signatures to stop that specific sample from infecting their customers.

With the explosion of malware threats (the article cites over 230,000 new samples per day) and malware's ability to change its form every fifteen seconds, writing a definition for every variant has become ineffective, and the industry has evolved to NGAV.

Polymorphic malware – next gen anti-virus (NGAV)

This was arguably one of the biggest advances in endpoint protection. NGAV products moved beyond detection of known samples to prevention of unknown ones. Using statistical and machine-learning models rather than fixed signatures, they could identify and predict virus-like characteristics in a file before it executed.

In the vendor's illustration, if roughly 20 percent of a file looked 'virus-like', the product blocked it automatically before it could infect the organisation, moving the goal post from detection to prediction.

This strategy has proved exceptionally successful, and NGAV products are now typically very cost effective and a critical part of a cyber defence strategy.

Metamorphic malware – the ‘undetectable’ malware

The latest evolution of malware changes the rules again, unfortunately in favour of the malware writers. Polymorphic malware re-encodes or reshuffles a relatively small portion of itself between infections, so the previous generation of NGAV products could still recognise the family when approximately 20 percent of the code in a file had changed.

With metamorphic malware, the code that changes between samples can exceed 80 percent, leaving little stable structure for a classifier to recognise and making it very hard to detect, predict and defend against.

The difference is simple to visualise. NGAV products were excellent at detecting a 'leopard changing its spots', but now the leopard transforms into a lion, and if the protection is looking only for leopards, detection or prediction becomes very difficult.

EDR and MDR

In recent times we have seen explosive growth in the adoption of EDR (endpoint detection and response) and MDR (managed detection and response) products. These often include NGAV, but their vendors accept that NGAV alone cannot detect or automatically defend against the latest (metamorphic) threats, so they add continuous monitoring, management and response to the technology.

Depending on the product and the vendor's capability, this means monitoring and tracking a breach after it has occurred, then establishing a series of kill points at which the organisation can stop the attack and roll back its effects.

They are effective. The open question is whether, as attackers increasingly use AI and machine learning to evade detection, an EDR/MDR product can still detect the breach quickly enough, and then roll the business back with minimal or zero impact on the organisation.

Containment, isolation and sanitisation

The future of endpoint protection is surprisingly simple, powerful and affordable. Verizon's 2019 Data Breach Investigations Report found that 94% of malware was delivered by email.

Imagine if every time a user browses the Internet, clicks a web link, downloads a file or opens an email attachment, that session runs inside a secure virtual container that is almost invisible to the user and is designed so that malware cannot escape it to infect the rest of the organisation.

Every file downloaded from the Internet or received as an email attachment is opened inside the container and sanitised before it is allowed to be saved to the corporate network, removing the endpoint as the easy entry point for malware or an attacker. The caveat a practitioner should keep in mind is that any container is only as strong as the boundary it enforces, so the isolation layer itself needs to be kept patched and monitored.

The challenge with many endpoint products is that users must change what they do and how they work, or the product simply blocks access to the Internet unless a site has been classified as 'allowed'.

In the real world, this simply doesn't work. Users need to do their work with minimal or zero disruption, so a containment, isolation and sanitisation solution needs to be near invisible to the user and must not hinder, block or stop daily activities.


The ultimate goal of these containment, isolation and sanitisation solutions, especially when combined with a low-cost NGAV product, is to stop unknown, never-before-seen and zero-day attacks from infecting an organisation.

If malware or an attacker is confined to a secure virtual container from which it cannot escape to breach the company, confidence in the endpoint increases dramatically.

The ultimate goal of any cyber security strategy is to make attackers move on to easier targets. Reducing the attack surface at the endpoint is therefore a powerful and compelling approach for organisations of all sizes.