Endpoint Protection: Are We Fighting a Losing Battle?

Have you ever thought about how your immune system, with its remarkable collection of layered defenses, is able to protect you from infection-causing organisms? Not unlike the human body, enterprises, consumers and our society are engaged in a daily battle against sophisticated cyber criminals. We have seen high-profile data breaches in the headlines: The Heartbleed bug, the Microsoft Internet Explorer vulnerability and even Symantec’s admission that antivirus software is dead. Considering the fallout from large retail breaches, even CEOs have to take an interest in security or pay the price for inattention. All of you must be asking: Are we fighting a losing battle? Are there any new tools and tactics that can help?

The State of Endpoint Protection

The endpoint protection market has historically relied on antivirus products to protect endpoints. In recent years, however, the threat has shifted from viruses to highly sophisticated attacks that the market calls advanced persistent threats (APTs). These attacks are the work of cyber criminals who hope to extract value from stolen corporate assets such as intellectual property or customer data. Antivirus and first-generation anti-malware products have proven ineffective at stopping these threats since APTs are highly dynamic and most go undetected.

A whole new set of security products and approaches has emerged to prevent the new advanced threats and stop zero-day attacks. Customers are bombarded with market messages such as exploit prevention, isolation and whitelisting that describe these approaches. They all have some merit, typically with a narrow focus on a single threat vector, but none have proven effective at stopping dynamic threats, and most of these approaches come with a very high operational cost. Thus, customers are often forced to add yet another new, purpose-specific endpoint product in hopes of stopping these threats.

Redefining Endpoint Protection for the Advanced Threat Landscape

Let’s face the facts: There are too many single-use endpoint protection products out there that create more issues than they solve. These products burden the IT security team with more work rather than acting as a force multiplier that makes the security team more productive and effective. They also fail the end user usability test, since the endpoint protector simply becomes an end user nuisance. Finally, these approaches lack the deep security research and intelligence capabilities that provide enterprises with rapidly deployed protections against new threats.

3 Critical Requirements for Endpoint Protection Solutions

In redefining an endpoint defense solution for advanced threats, organizations need a new set of requirements in their battle against these threats. These critical requirements include:

  1. Multilayered endpoint defense
  2. Low operational impact
  3. Dynamic intelligence

Below we will quickly explore what we mean by each of these requirements and how we at IBM approach each of them.

1. Multilayered Endpoint Defense

The endpoint security approach must be both preemptive and multilayered. It should prevent both known and unknown vulnerabilities through multiple defenses and protections — it cannot rely on just one way to stop advanced threats.

Trusteer Apex protects endpoints throughout the threat life cycle by applying an integrated, multilayered defense to prevent endpoint compromise. This preemptive approach breaks the attack chain — the end-to-end process used by attackers to breach an organization — by halting attacks at strategic choke points. Through extensive research, Trusteer has identified specific stages of the attack chain where the attacker has relatively few execution options. Leveraging in-depth technical expertise and unique low-level visibility into application execution paths, this approach accurately and effectively controls these strategic choke points, providing powerful advanced threat protection against both unknown/zero-day threats and known malware. Apex comprises the following multilayered defenses:

2. Low Operational Impact

The endpoint protection approach should not be a burden, nor should it impose a management tax on the IT security team or the end user. Nor should it generate the false positives that force IT security teams to either wade through thousands of alerts or ignore them altogether.

Apex provides multilayered endpoint defense without adding additional burdens to your limited staff or impacting your end users. Apex keeps its impact low by:

  1. Eliminating the traditional security team approach (detect, notify and manually resolve);
  2. Minimizing impact to end users by blocking only the most sensitive actions;
  3. Providing an exceptional turnkey service that includes a centralized risk assessment service and direct support of your endpoint users.

Apex acts as a force-multiplier for your security team by automatically preventing attacks, reducing alerts and noise, and augmenting your security.

3. Dynamic Intelligence

The endpoint security approach should utilize intelligence gathered from multiple endpoints and research so that new protections can be incorporated rapidly as new threats emerge. Enterprises need to know that experts are battling the bad guys on their behalf.

Trusteer and IBM X-Force threat research and intelligence are based on dynamic security feeds provided by tens of millions of protected endpoints around the world — one of the largest vulnerability databases in the industry. Based on research and analysis findings, Trusteer provides security updates that are sent directly to the endpoints. This eliminates the need for costly signature deployments and lengthy wait periods for new protections.

Integration Is Still Key

Endpoint protection is an essential component of a broader defense-in-depth security strategy. Our goal with Trusteer Apex is to provide threat prevention as part of an integrated system, which brings together innovative security capabilities to prevent, detect and respond to advanced threats in a continuous and coordinated fashion.

I began this post with an analogy about how endpoint protection is similar to the human immune system in that both are fighting against threats to the system. Trusteer Apex provides endpoint protection that acts as the essential inoculation to shut down malware at the point of infection and prevent advanced threats. Organizations need a way to automatically and accurately determine whether an application action is legitimate or malicious and, most importantly, be able to do this in real time. This allows you to block and therefore prevent the malicious actions attempted by advanced threats.
