The Case for Endpoint Detection and Response Tools: Why Traditional Protection Fails

In light of recent cyberattacks, including the Bad Rabbit malware, most IT and security professionals are asking themselves, “What can be done to reduce our potential risk exposure?” and, “How can we deal with a breach after it has occurred?” Other questions linger, too, such as, “Why are traditional protections like antivirus software, firewalls or HIPS failing to identify or block such threats?” Endpoint detection and response tools can help lead organizations to better answers.

Legacy Solutions Can’t Keep Up

Legacy solutions, such as older antivirus software, struggle to identify or block the latest sophisticated threats. At the time these solutions were built, malware was installed by dropping a payload onto the file system and executing it. Legacy security solutions such as signature-based antivirus software therefore use file creation or file access events as the primary triggers for scans that check files against well-known code patterns.

But a significant percentage of today’s malware is designed with a combination of techniques to avoid detection and analysis. Fileless malware infection is increasingly the primary attack vehicle. A fileless attack is one that takes advantage of legitimate process vulnerabilities, such as making a browser run malicious code, leveraging Microsoft Word macros or using Microsoft’s PowerShell utility. Fileless malware escapes these file-triggered scans because it runs directly in the computer’s RAM, for example via carefully crafted PowerShell scripts, and never drops a payload on disk for the scanner to inspect.

How Today’s Malware Infiltrates

As many companies have discovered the hard way, legitimate operating system processes and applications have a number of vulnerabilities that attackers can exploit to infect a machine and then perform malicious activity, such as asking for a ransom or extracting sensitive information. Sadly, those gaps are evident only after the damage has been done.

One common infection mechanism of this kind is known as process impersonation, in which an attacker injects malicious code into a well-known application created by the operating system vendor or a third-party software company. This technique evades antivirus software and firewalls, which only see a legitimate, white-listed application accessing the local file system or establishing an outbound connection.

Given this evolution of malware, modern endpoint protection technology should not rely on a single trigger event but on logic that detects patterns of related events: events that appear innocuous in isolation can indicate malicious intent when they occur together, in sequence or at the same time.
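As an added illustration of that multi-event logic (example code written for this page, not from the original article or any product it mentions), the following Python rule correlates three events that are individually unremarkable: an Office application spawns a script host, and that child process opens an outbound connection within a short window. The pipe-separated telemetry format, the process-name lists, the five-minute window and the sample lines are all assumptions constructed for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "mshta.exe"}
WINDOW = timedelta(minutes=5)  # assumption: the whole chain completes within 5 minutes

# One telemetry record: kind is "process" (creation) or "network" (outbound connection);
# detail holds the command line for process events and the destination for network events.
Event = namedtuple("Event", "ts kind pid ppid image detail")

def parse(line):
    """Parse one line of the constructed 'ts|kind|pid|ppid|image|detail' telemetry format."""
    ts, kind, pid, ppid, image, detail = line.split("|", 5)
    return Event(datetime.fromisoformat(ts), kind, int(pid), int(ppid), image.lower(), detail)

def detect_chains(events):
    """Alert on: Office app -> script-host child -> outbound connection by that child within WINDOW.
    Each event is benign on its own; the ordered combination is what the rule flags."""
    created = {}  # pid -> most recent creation event (a later creation overrides, handling pid reuse)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "process":
            created[e.pid] = e
            continue
        child = created.get(e.pid)
        if child is None or child.image not in SCRIPT_HOSTS:
            continue
        parent = created.get(child.ppid)
        if parent is None or parent.image not in OFFICE_APPS:
            continue
        if e.ts - child.ts <= WINDOW:
            alerts.append(f"{parent.image} (pid {parent.pid}) -> {child.image} (pid {child.pid}) -> {e.detail}")
    return alerts

# Constructed sample telemetry, not real logs; 203.0.113.5 is a documentation (TEST-NET-3) address.
SAMPLE_LINES = [
    r'2017-10-25T09:11:58|process|3988|1200|WINWORD.EXE|"C:\Program Files\Microsoft Office\WINWORD.EXE" invoice.docx',
    "2017-10-25T09:12:01|process|4120|3988|powershell.exe|powershell.exe -w hidden -enc <payload omitted>",
    "2017-10-25T09:12:03|network|4120|3988|powershell.exe|203.0.113.5:443",
    "2017-10-25T09:20:15|process|5210|2200|powershell.exe|powershell.exe -File Get-Inventory.ps1",
    "2017-10-25T09:20:16|network|5210|2200|powershell.exe|10.0.0.20:5985",  # admin use, no Office parent
]

def run_sample():
    """Run the rule over the sample; only the Word -> PowerShell -> 203.0.113.5 chain should alert."""
    return detect_chains(parse(line) for line in SAMPLE_LINES)
```

A production rule would add further signals (command-line indicators, signer of the parent image, destination reputation), but the point stands: no single event here would trip a file-scan trigger.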

The Benefits of Adding Endpoint Detection and Response Capabilities

A new class of technology has recently emerged that addresses the root weakness of the legacy approach. Instead of claiming to spot every possible current and future exploit, endpoint detection and response tools assist both before and after a breach.

Endpoint detection and response systems complement existing technology with mechanisms to detect, and in some cases prevent, malicious activity by monitoring techniques used by malware creators in recent attacks. They fill the gap using pattern-recognition technology powered by machine learning. Most importantly, they assume a breach can happen and provide robust forensics capability to help investigate attacks and their root causes.

Act Now!

The question on IT and security professionals’ minds is no longer if a breach will happen, but when. Some go to a more extreme conclusion: The unknown element is when you will discover that you have already been hacked. The latter opinion is based on lessons from recent breaches that were detected months after malware infiltrated a corporate network, essentially when most of the damage was already done.

Because the impact at the corporate and personal level can be very serious, IT leaders should strongly consider adopting these technologies in their defense arsenals without delay. These technologies assist in the detection, investigation and remediation phases of a breach. The remediation aspect is of extreme importance, since it allows a breach to be dealt with immediately after it is discovered, drastically reducing the chance that the malware spreads further and supporting continued business operations.

Rosario Gangemi

Lead Architect, Endpoint Security, IBM

Rosario is the lead architect for the BigFix Detect offering in IBM, with 25+ years of experience in software development and the design of large applications. For the past few years Rosario has led projects in the areas of security and compliance and vulnerability management, and more recently leads the endpoint detection and response offering powered by the BigFix technology.