By Ron Temske, Vice President of Security Solutions, Logicalis US
Many enterprises give little attention to endpoint security, preferring to concentrate on network and data center security instead. Unfortunately, endpoint security cannot be ignored, because a high volume of attacks originates there. For clarity, when I speak about endpoint security I mean both end-user devices and servers: essentially anything that runs a traditional operating system and supports multiple software applications.
Network-based security solutions are critical, but they don’t provide visibility into things like CPU processes, files on local disks and registry activity. The bottom line is that the endpoint must be part of your security strategy, or you will have a significant gap in your visibility of threats.
The endpoint security segment of the market is ripe for disruption from newer, next-generation solutions. Traditional endpoint protection (think solutions like Symantec or McAfee Anti-Virus) simply cannot keep up with the rapidly evolving threat landscape.
Making a Hash of Security
To really understand the difference between traditional endpoint solutions and newer, next-generation endpoint solutions, let’s take a bit of a technical tangent. A key concept in enterprise security, and specifically in cryptography, is the idea of a “hash.” To create a hash, we take a source file, or piece of data, run it through an algorithm, and come up with a much shorter piece of data. A proper cryptographic hash has three properties.
- If I run the hash against the same source data, it will always produce the same hash.
- If I run the hash against a different set of data, it will never produce the same hash as my initial source data. Furthermore, if I change even a single character in the source data, the resulting hash will be completely different (i.e. the hash won’t be one character off, but a completely different output).
- Once I produce the hash, I cannot reverse the process (i.e. if someone gains access to the hash, there’s no way to reverse engineer the original source data).
Let’s look at a real-world example: I have an electronic copy of Dostoyevsky’s “War and Peace” and I want to verify that it is the actual novel and not some other piece of data. “War and Peace” has 587,287 words. I’m really not interested in taking the time required for a word-for-word comparison to make sure I have the original document. Instead, I could use some algorithm to create a hash of a known original of the novel that might be 256 characters in length. Next, I would use the same algorithm to create a hash of my electronic copy and then compare the two 256-character hashes. If they are the same, I have a proper copy of “War and Peace,” and if they differ then I do not.
This method is commonly used to compare files since it’s so much more efficient than comparing every word (or bit) of two files. As a side note, most systems do not store passwords directly, but rather a hash of the password. This means that if someone gained access to the system and stole the hash files, they wouldn’t have the actual passwords.
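The three properties and the file-comparison use case above, worked through in Python with the standard library's SHA-256. This is an added example, not code from the article or from Logicalis; the novel text is replaced by a constructed one-line stand-in, and the password section goes beyond the article by adding a random salt and a slow key-derivation function (PBKDF2), which is how a practitioner would store the hash rather than hashing the password alone.

```python
import hashlib
import hmac
import os
from typing import Tuple


def sha256_hex(data: bytes) -> str:
    """Run data through SHA-256 and return the 64-character hex digest."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests of equal length."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed stand-in for the reference copy of the novel (not the real text file).
ORIGINAL = b"Well, Prince, so Genoa and Lucca are now just family estates of the Buonapartes."
# A copy of the same text with a single character changed.
ALTERED = ORIGINAL.replace(b"Genoa", b"Genua")


def verify_copy(candidate: bytes, known_digest: str) -> bool:
    """Compare the digest of a candidate copy with the digest of the known original.

    Constant-time comparison avoids leaking how many leading characters matched."""
    return hmac.compare_digest(sha256_hex(candidate), known_digest)


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Store a password as (salt, derived key) rather than in clear text.

    Assumption beyond the article: a random salt plus PBKDF2 instead of a single
    plain hash, so equal passwords do not share a digest and guessing is slow."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, derived


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    reference = sha256_hex(ORIGINAL)
    print("deterministic:", sha256_hex(ORIGINAL) == reference)
    print("genuine copy verifies:", verify_copy(ORIGINAL, reference))
    print("altered copy verifies:", verify_copy(ALTERED, reference))
    print("bits differing after a one-character edit:",
          bit_difference(reference, sha256_hex(ALTERED)), "of 256")
    salt, derived = store_password("correct horse battery staple")
    print("password check:", check_password("correct horse battery staple", salt, derived))
```

Running it shows property one (the same input always gives the same digest), property two (one changed character flips roughly half of the 256 bits), and the verification workflow from the novel example; property three is why the stored password material is useless to someone who copies it.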
Back to the Endpoint
So let’s return to our original topic: how does this relate to endpoint security? Most traditional endpoint security solutions work by distributing “signatures” of known malicious files, which are actually hashes of the malicious code. The local endpoint solution then creates a hash of any suspect file and compares it to the published signature. If the two match, the endpoint security system can take a prescribed action, such as removing or quarantining the infected file.
There are multiple reasons this presents a challenge from a security perspective. The first is that signature-based solutions can only protect against known threats, that is, threats for which a signature exists, so there’s always a delay between a threat coming into existence and a signature being available for it.
The second challenge is that 99 percent of malware hashes are seen for 58 seconds or less, according to the Verizon Data Breach Investigation of 2016. Essentially, this means that traditional endpoint solution signature databases become obsolete before you even download them!
Additionally, many malware attacks are now polymorphic in nature, which means they can actually change their own code. Their malicious function remains the same, but because the bytes change, the hash changes with them, and so they elude traditional signature-based detection mechanisms.
To help differentiate between these traditional solutions and newer technologies, the analyst community has created two classifications: Endpoint Protection Platforms (EPP) for traditional solutions and Endpoint Detection and Response (EDR) for next-generation solutions.
This new category (EDR) is typically cloud-connected, inspects behavioral patterns, and uses heuristics or machine learning to identify malware, making it much more effective at detecting and responding to malware. In fact, these newer EDR solutions are one of the most effective methods of protecting against ransomware.
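The signature-matching loop described above, and the gap it leaves once a file's bytes change, as an added example in Python; it is not code from the article or from any vendor product. The "files" are constructed byte strings (none is real malware), the signature database is a constructed digest-to-name map, and the "variant" is simply the known sample with one trailing byte added, which is enough to give it a different hash.

```python
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Digest used as the 'signature' of a file, as in a traditional EPP engine."""
    return hashlib.sha256(data).hexdigest()


# Constructed byte strings standing in for files on an endpoint; none is real malware.
KNOWN_SAMPLE = b"MZ\x90\x00 constructed sample A: payload bytes"
VARIANT = KNOWN_SAMPLE + b"\x00"      # same content, one trailing byte added
BENIGN_TOOL = b"MZ\x90\x00 constructed benign admin tool"

# Signature database as a vendor would publish it: digest -> threat name (constructed).
SIGNATURE_DB: Dict[str, str] = {
    sha256_hex(KNOWN_SAMPLE): "Constructed.Sample.A",
}


def scan(files: Dict[str, bytes], signatures: Dict[str, str]) -> Dict[str, str]:
    """Hash each file and look the digest up in the signature database.

    Returns a verdict per file name: the threat name on a match, else 'clean'."""
    return {name: signatures.get(sha256_hex(content), "clean")
            for name, content in files.items()}


def detection_rate(samples: Dict[str, bytes], signatures: Dict[str, str]) -> float:
    """Fraction of a set of known-bad samples the signature database still catches."""
    if not samples:
        return 0.0
    verdicts = scan(samples, signatures)
    hits = sum(1 for verdict in verdicts.values() if verdict != "clean")
    return hits / len(samples)


if __name__ == "__main__":
    endpoint_files = {"a.exe": KNOWN_SAMPLE, "b.exe": VARIANT, "c.exe": BENIGN_TOOL}
    for name, verdict in scan(endpoint_files, SIGNATURE_DB).items():
        print(f"{name}: {verdict}")
    bad_samples = {"a.exe": KNOWN_SAMPLE, "b.exe": VARIANT}
    print("share of bad samples detected:", detection_rate(bad_samples, SIGNATURE_DB))
```

The exact-match lookup catches the sample whose digest was published and nothing else: the variant with identical behaviour reports as clean, which is the detection gap that behavioral and heuristic inspection is meant to close.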
The real question emerging in the market is whether an EDR solution can replace traditional EPP, or if you need both. As is often the case, the answer is, “it depends.”
Many traditional EPP solutions include additional functions beyond basic malware detection, such as locking down USB ports, encrypting a hard drive, managing passwords, etc. You must understand your use case before you can determine if an EDR solution alone is sufficient or if you require both types of solutions.
Learn More
Read a two-part article exploring what an umbrella approach to security can look like in your enterprise – Part One: Potential DNS Vulnerabilities (http://ow.ly/Gd7Q307SBUE) and Part Two: A Secure DNS (http://ow.ly/kSuT307SCnY). Then, download an infographic displaying the benefits of Taking an Umbrella Approach to Security and one displaying the benefits of Transforming Internet Security with Big Data.