Endpoint Protection: Are We Fighting a Losing Battle?
Have you ever thought about how your immune system, with its remarkable collection of layered defenses, is able to protect you from infection-causing organisms? Not unlike the human body, enterprises, consumers and our society are engaged in a daily battle against sophisticated cyber criminals. We have seen high-profile data breaches in the headlines: The Heartbleed bug, the Microsoft Internet Explorer vulnerability and even Symantec’s admission that antivirus software is dead. Considering the fallout from large retail breaches, even CEOs have to take an interest in security or pay the price for inattention. All of you must be asking: Are we fighting a losing battle? Are there any new tools and tactics that can help?
The State of Endpoint Protection
The endpoint protection market has historically relied on antivirus products to protect endpoints. In recent years, however, the threat has shifted from viruses to highly sophisticated attacks that the market calls advanced persistent threats (APTs). These attacks are the work of cyber criminals who hope to extract value from stolen corporate assets such as intellectual property or customer data. Antivirus and first-generation anti-malware products have proven ineffective at stopping these threats since APTs are highly dynamic and most go undetected.
A whole new set of security products and approaches have emerged to prevent the new advanced threats and stop zero-day attacks. Customers are bombarded with market messages such as exploit prevention, isolation and whitelisting that describe these approaches. They all have some merit, typically with a narrow focus on a single threat vector, but none have proven effective at stopping dynamic threats, and most of these approaches come with a very high operational cost. Thus, customers are often forced to add yet another new, purpose-specific endpoint product in hopes of stopping these threats.
Redefining Endpoint Protection for the Advanced Threat Landscape
Let’s face the facts: There are too many single-use endpoint protection products out there that create more issues than they solve. These products burden the IT security team with more work rather than act as a force multiplier to make the security team more productive and effective. They also fail the end user usability test since the endpoint protector simply becomes an end user nuisance. Finally, these approaches lack deep security research and intelligence capabilities that provide enterprises with rapidly deployed protections to new threats.
3 Critical Requirements for Endpoint Protection Solutions
In redefining an endpoint defense solution for advanced threats, organizations need a new set of requirements in their battle against these threats. These critical requirements include:
- Multilayered endpoint defense
- Low operational impact
- Dynamic intelligence
Below we will quickly explore what we mean by each of these requirements and how we at IBM approach it.
1. Multilayered Endpoint Defense
The endpoint security approach must be both preemptive and multilayered. It should prevent both known and unknown vulnerabilities through multiple defenses and protections — it cannot rely on just one way to stop advanced threats.
Trusteer Apex protects endpoints throughout the threat life cycle by applying an integrated, multilayered defense to prevent endpoint compromise. This preemptive approach breaks the attack chain — the end-to-end process used by attackers to breach an organization — by halting attacks at strategic choke points. Through extensive research, Trusteer has identified specific stages of the attack chain where the attacker has relatively few execution options. Leveraging in-depth technical expertise and unique low-level visibility into application execution paths, this approach accurately and effectively controls these strategic choke points, providing powerful advanced threat protection against both unknown/zero-day threats and known malware. Apex is comprised of the following multilayered defenses:
2. Low Operational Impact
The endpoint protection approach should not be a burden, nor should it cause a management tax on the IT security team or the end user. It does not generate the false positives that force IT security teams to either wade through thousands of alerts or ignore them altogether.
Apex provides multilayered endpoint defense without adding additional burdens to your limited staff or impacting your end users. Apex keeps its impact low by:
- Eliminating the traditional security team approach (detect, notify and manually resolve);
- Minimizing impact to end users by blocking only the most sensitive actions;
- Providing an exceptional turnkey service that includes a centralized risk assessment service and direct support of your endpoint users.
Apex acts as a force-multiplier for your security team by automatically preventing attacks, reducing alerts and noise, and augmenting your security.
3. Dynamic Intelligence
The endpoint security approach should utilize intelligence gathered from multiple endpoints and research so that new protections can be incorporated rapidly as new threats emerge. Enterprises need to know that experts are battling the bad guys on their behalf.
Trusteer and IBM X-Force threat research and intelligence is based on dynamic security feeds provided by tens of millions of protected endpoints around the world — one of the largest vulnerability databases in the industry. Based on research and analysis findings, Trusteer provides security updates that are sent directly to the endpoints.This eliminates the need for costly signature deployments and lengthy wait periods for new protections.
Integration Is Still Key
Endpoint protection is an essential component of a broader defense-in-depth security strategy. Our goal with Trusteer Apex is to provide threat prevention as part of an integrated system, which brings together innovative security capabilities to prevent, detect and respond to advanced threats in a continuous and coordinated fashion.
I began this post with an analogy about how endpoint protection is similar to the human immune system in that they are both fighting against threats to the system. Trusteer Apex provides endpoint protection that acts as the essential inoculation to shutdown malware at the point of infection and prevent advanced threats. Organizations need a way to automatically and accurately determine if an application action is legitimate or malicious and, most importantly, be able to do this in real time. This allows you to block and therefore prevent the malicious actions attempted by advanced threats.
Product Marketing Director for Trusteer, an IBM company