Endpoint Buyer s Guide

Transcription

1 Endpoint Buyer s Guide GOING BEYOND NGAV

2 01 The Current State of Endpoint Security Today s attacks are sophisticated and don t stop at traditional malware. The attacker landscape has evolved: These attacks are targeted, wellfunded, and leverage multiple attack vectors. Over the years, advanced tactics and techniques have become commoditized to such an extent that Hacking-as-a-Service is accessible even to those with no technical background. With the release of the Shadow brokers NSA hacking toolkit last year, these exploits are easily available to criminal groups and hacktivists. In one instance, these advanced techniques were targeted at the SWIFT banking system leading to a theft of $81 million from the central bank of Bangladesh. Targeted attacks are able to bypass existing endpoint defenses, including signaturebased AV and next-generation AV (NGAV) ineffective tools which are focused on stopping malware and only a few other attack vectors. These technologies lack the scope to combat tools and technologies in the attacker s arsenal which are most commonly used in today s targeted attacks. As shown in Figure 1, the FIN7 group, a financially-motivated criminal group, has targeted retail, financial services, and government agencies to steal billions of dollars worth of data in This attack does not use any traditional file-based malware and is historically missed by most AV and NGAV providers. Enterprise security teams must revamp their attack models to address these new techniques. Developed by MITRE, the ATT&CK matrix provides a comprehensive landscape of techniques and technologies, including those obtained from nationstate intelligence organizations.

3 01 The Current State of Endpoint Security 3 Figure 1: Most security programs focus exclusively on malware. Fin7 uses non-malwarebased techniques that will be missed by most AV s. Today, prevention is harder than ever as attackers continue to exploit hidden channels and bypass security products altogether. Endpoint prevention technologies must include instant detection and rapid response to stop targeted attacks so that damage and loss can be prevented. Gartner has formalized in its endpoint protection requirements a need for built-in EDR features. According to Gartner, these features must include the detection and blocking of malicious activity, as well as providing investigation and remediation capabilities to dynamically respond to security incidents and alerts. In this guide we will outline a framework to evaluate endpoint protection platforms (EPP). The focus will be on the critical questions that security teams must ask when evaluating an endpoint protection platform.

4 CHAPTER 02 When Evaluating an Endpoint Solution There are over 60 vendors in the endpoint space. It is confusing and expensive for enterprises to investigate and understand product features that will fit their environment. The market is rife with buzz words like artificial intelligence, machine learning, big data, security analytics and more, making it difficult to see through the noise and arrive at the best solution. A diligent evaluation must include the scope and efficacy of protections, performance and impact to end users, and related management and compliance requirements. Combined with validations from independent third-party groups, enterprises can create a robust framework to evaluate the right endpoint protection platform that fits their organizational needs. PROTECTION BEYOND THE KNOWN MALWARE Legacy endpoint protection products are architected to respond to a threat by acting on a predefined signature type or blacklist of known attack vectors. Today s attackers are financially and politically motivated to elevate their strategies and poke holes in traditional defenses. As no solution is able to guarantee complete prevention, it is critical to evaluate how the solution responds when these defenses are compromised. Organizations need to adopt a comprehensive attack model like MITRE ATT&CK which can ensure sufficient scope, scale, and speed to protect assets from targeted attacks. By comparing their existing security program to the MITRE ATT&CK matrix, security teams can effectively identify gaps in program coverage while prioritizing the improvement of necessary skills, processes, and technologies to eliminate them. Innovative security leaders have developed tools to automate gap analysis to allow administrators to track these threats over time. The MITRE ATT&CK matrix, an open-source effort, produces a heat map that can be used to communicate the exposure of targeted attacks and outline the resources necessary to eliminate them.

5 When Evaluating an Endpoint Solution 5 01 PRE-EXECUTION PREVENTION Traditional antivirus protection relies on signature matching to identify malware. This approach can only block known files and applications, leaving enterprises vulnerable to unknown threats that aren t flagged by a traditional filter. Most endpoint vendors who claim protection from unknown attacks use AI or machine learning models to stop malware. Given the relative novelty of these approaches, it is crucial for enterprises to assess the efficacy of these models, including the rate of false positives that can quickly overwhelm a SOC team. Most legacy solutions lack coverage across vectors of attacks such as zeroday exploits and evolving code; those who do address these vectors require a separate module (often purchased separately), and will still allow files to execute to determine if they are malicious, which puts the endpoints at risk even in a sandbox environment. Enterprises must look for endpoint protection platforms that prevent execution of malware and exploits before hosts are compromised. Pre-execution prevention provides enterprises with true prevention, blocking malicious code before it can run on the endpoint. Note the difference between true prevention and simply reacting quickly: One approach stops the attack before it can take hold in the endpoint, and the other waits until a file has already executed, and damage has already been done. It merely takes three instructions for an attacker to exploit a weakness in your system and compromise your network. It is imperative for security teams to ask their vendors if their prevention happens before or after code execution. 02 POST-EXECUTION PROTECTION Attackers now have access to techniques and technologies that bypass traditional endpoint solutions. Once these defenses are thwarted, organizations lose visibility of targeted attacks, allowing scripts and malware to go undetected for months until the time is right to strike. To be effective against the sophistication of today s attacker, security programs must operate with a comprehensive model that not only covers the full scope of techniques used by adversaries but is also quick enough to stop attacks before they happen. The MITRE ATT&CK matrix is the highest-resolution map of post-compromise attacker techniques. Organizations should ensure their endpoint protection product can prevent attacks across the breadth and depth of the attack model. 03 AUTOMATED DETECTION AND RESPONSE Your security solution should be intuitive and easy to implement without in-depth technical engineering knowledge. It should also be easy to use and should give analysts the answers they need to make decisions in real time. Through automated data collection, investigation, and analysis, your endpoint protection program must provide analysts with the real-time data they need to make informed decisions and stop threats rapidly.

6 Prevention, Detection, Response 6 I. QUESTIONS TO ASK YOUR VENDOR ABOUT PREVENTION, DETECTION, & RESPONSE Does the solution prevent both known and unknown malware? How does it do it? (signature-based approach, machine learning, etc.) What if a malicious file bypasses prevention are there other detections available? Does the solution block known exploits? Is the solution effective at blocking unknown exploits? Does the endpoint solution block fileless or in-memory attacks? Does the solution prevent misuse of legitimate processes such as PowerShell attacks? Does the solution automatically enrich, collect, and display information to show the full extent of the attack? Is the solution simple and easy to use for junior analysts? Does it require robust training? Do you have one agent that can prevent, detect, and respond to targeted attacks with<2% CPU consumption? Can an analyst perform IOC queries or threat hunting? If so, what data is collected?

7 Prevention, Detection, Response 7 FEATURE EVALUATION CRITERIA FUNCTION 01 PRE-EXECUTION PREVENTION Blocks attacks before any code is executed. BLOCK KNOWN AND UNKNOWN MALWARE BLOCK KNOWN AND UNKNOWN MALICIOUS DOCUMENTS DELIVERED IN PHISHING ATTACKS At least 99.5% efficacy for known and unknown malware Is the model on VirusTotal? If so how is it performing? Is the technology developed and owned by the vendor, or obtained from a third party? OEM increases the risk that this protection may go away after the product is retired. At least 99.5% efficacy for known and unknown malware PREVENT EXPLOITS Prevention for known and unknown exploits 99% efficacy to block exploits MEMORY PROTECTION Memory protection against malicious process injection RANSOMWARE PROTECTION Block ransomware before full disk encryption Provide a second layer of behavioral ransomware protection FALSE POSITIVES Almost zero false positives for all pre-execution prevention for exploits, malware, ransomware, fileless attacks, and malicious macros.

8 Prevention, Detection, Response 8 FEATURE EVALUATION CRITERIA FUNCTION 02 POST-EXECUTION PREVENTION Stop attacks before damage and loss BEHAVIORAL PROTECTION DOES THE VENDOR FOCUS ON SECURITY FRAMEWORK? DOES IT PROVIDE COVERAGE ACROSS THE MITRE ATT&CK MATRIX? Over 99% coverage for unknown malwaret Ability to provide coverage across the MITRE ATT&CK matrix for techniques including: Persistence: Stop access, action, or configuration changes to a system that gives persistent presence Privilege escalation: Prevent heightened permissions from being obtained by unauthorized users or processes Defense Evasion: Stop techniques that evade detection Credential Access: Techniques that provide access to or control over system, domain, or service credentials Discovery: Techniques that allow the adversary to gain knowledge about the system Lateral Movement: Stop techniques that enable access and control remote systems Execution: Block remote code execution Collection: Stop techniques used to identify and gather sensitive information Exfiltration: Stop techniques that result in data transmission outside the network Command and Control: Stop techniques that allow communication with systems that have been compromised. POLICY MANAGEMENT Can the team manage policies at scale across your organization?

9 Prevention, Detection, Response 9 FEATURE EVALUATION CRITERIA FUNCTION 03 AUTOMATED EDR Stop attacks at the earliest point of the attack lifecycle, before damage and loss occurs. INTUITIVE ATTACK VISUALIZATION NATURAL LANGUAGE UNDERSTANDING OR SYNTAX-FREE AUTOMATION AUTOMATED MALWARE ANALYSIS A single-pane-of-glass representation of the origin and extent of the attack, allowing analysts to act sooner and more intelligently. Most EDR products are complex and difficult to use. Ask your vendor how a junior analyst can interact with the solution through a syntax-free by asking: Is anyone misusing PowerShell in the enterprise Integrates with a sandbox technology to explain what an attack would have done if executed. Integrates with reputation data to provide fast triage guidance. Reports the true execution of the malicious behavior and not just a trace of an entire OS or tainted process GUIDED RESPONSE CAPABILITIES Response capabilities should include upload, delete, quarantine, kill process, and suspension of a file. Provide analysts with a guided response to resolve alerts in seconds. ADVANCED THREAT HUNTING Apart from collecting data, the solution must have advanced analytics to detect anomalies and peer level analysis to discover suspicious activity in seconds.

10 Performance and Operational Efficiency 10 PERFORMANCE, SECURITY, & OPERATIONAL EFFICIENCY When performing a proof-of-concept with any endpoint vendor, you must learn firsthand how the product will work for your environment. An endpoint solution must have minimal performance impact on your end users and be easy to use. Understanding how the solution is deployed, updated, and maintained are all important aspects to consider. Today s best endpoint products will continually update their protection controls to provide coverage against the latest threats. Look for a solution that enables you to easily manage assets and protection from a central management console, and which sends automatic notifications to keep you up to date on any incidents that require attention. II. QUESTIONS TO ASK YOUR VENDOR ABOUT PERFORMANCE AND OPERATIONAL EFFICIENCY Is the agent tamper-resistant? Does the solution have the same identifying signatures across all customers? Does the agent require frequent updates and what impact does it have on your operations? What are the number of agents or modules needed to provide the full suite of protection? Does the agent install require a reboot? How does the solution impact the endpoints in terms of disk footprint, memory, CPU, and bandwidth?

11 Performance and Operational Efficiency 11 FEATURE EVALUATION CRITERIA 01 FUNCTION Performance LIGHTWEIGHT AGENT CPU usage Disk footprint Memory usage FUNCTION 02 Security TAMPER- RESISTANT AGENT Is the solution easy to disable or change? Is the agent easily discovered? FUNCTION 03 Operational Efficiency FALSE-POSITIVE RATE NUMBER AGENTS OR MODULES REQUIRED Get third-party validation: AV- Comparatives, SE Labs, NSS Labs VirusTotal: How are the models performing? Does it require multiple agents or modules to provide all of its features? REBOOTS AND UPDATES Does agent installation, uninstallation, and update require a reboot? How often does the agent need to be updated? POLICY MANAGEMENT Is it easy to configure, manage, and validate endpoint protections at scale? ANALYST EFFICIENCY Is your product easy for junior staff to use? Does the product empower an analyst to respond to an unknown attack faster? Does your product enable senior resources to be more efficient?

12 Management & Compliance 12 MANAGEMENT, COMPLIANCE, & SUPPORT Simple management of your endpoint solution is a must-have to obtain real-time endpoint compliance capabilities. A single console to check the health of the enterprise will reduce administrative burden and automate compliance efforts. In addition, organizations should look for a solution that ensures all endpoints are suitably secured via a centralized policy to mitigate threats and maintain regulatory compliance. III. QUESTIONS TO ASK YOUR VENDOR ABOUT MANAGEMENT AND COMPLIANCE Does the solution offer a centralized management console to protect from targeted attacks? Is the solution compliant with HIPAA and PCI? What tools does the solution integrate with: ticketing, orchestration, , etc.? What operating systems are supported? How does the solution operate at enterprise scale?

13 Management & Compliance 13 FEATURE EVALUATION CRITERIA 01 FUNCTION Management CENTRALIZED MANAGEMENT OPERATIONAL REPORTING A central management console offers both on premise and cloud-based hosting solutions. Standardized reporting to highlight endpoint health Validation of protections for a true compliance report DATA ENCRYPTION Are the communications encrypted between the endpoint and central system? Is it mutually authenticated with a unique PKI? INTEGRATIONS Standard specifications for interfacing the product with other enterprise security tools in your environment (IT ticketing, network tools, SIEM, etc.). EXTENSIBILITY Robust restful APIs to integrate across multiple security, orchestration, and ticketing tools. FUNCTION 02 Compliance CERTIFICATIONS GEOGRAPHICAL PRIVACY CONTROLS Is the product HIPAA and PCI compliant? Does the solution fit within growing privacy regulations like GDPR? FUNCTION 03 Support MULTIPLE DEVICES, OPERATING SYSTEMS Does it provide Windows, Mac, Linux, and Solaris support if needed?

14 Third-Party Validation 14 EXTERNAL AND INTERNAL TESTING AND VALIDATIONS Obtaining independent third-party validation is a key part of the software evaluation process. Organizations should look at assessments conducted by NSS Labs, AV-Comparatives, SE Labs, and other independent groups for testing against specific objectives. Most tests focus on malware and a few exploits and do not replicate the techniques that are actually used by attackers. For real world testing beyond malware MITRE s ATT&CK Matrix representation of real-world APT techniques and technologies enables a realistic understanding of protection against targeted attacks compared to other testing regimens. There is a growing community of organizations publishing continuous security validation testing frameworks, including Endgame s open-source Red Team Automations (link to RTA blog or Git), which enable systematic and continuous testing of defenses against evolving attacker techniques and technologies. IV. QUESTIONS TO ASK YOUR VENDOR ABOUT THIRD-PARTY VALIDATION Has the endpoint solution been tested or validated by an independent third party? If so, what are the scope and parameters of these tests? Has the endpoint vendor participated in real-world APT emulation tests? Is vendor transparent about the efficacy of their product? Is their product publicly tested, or is it in VirusTotal for public consumption? What is the efficacy and false-positive rates from these tests?

15 Management & Compliance 15 FUNCTION 01 INTERNAL VALIDATION Has the vendor tested their product internally (penetration testing, red/ blue team simulations)? Does the vendor use the product for their own internal security operations? Internal testing ATTACK EMULATION Looks for real-world testing that emulates advanced persistent threats. For e.g. MITRE EFFICACY TESTING Efficacy and false positives for tests like AV-comparatives, SE Labs testing TCO TESTED What is the total cost of ownership and security effectiveness of the endpoint solution?

16 CHAPTER 03 ENDGAME. The Only Agent You ll Ever Need Endgame is the only endpoint protection platform that stops targeted attacks before damage and loss can occur, without a need for additional staff or resources. When selecting an endpoint solution, organizations need to consider not only the fundamental capabilities of an endpoint protection solution, but also the scope, speed, and skills required to address targeted attacks. Endgame s centrally-managed platform will replace the numerous agents in your organization today, providing all the capabilities of AV, NGAV, EDR, exploit protection, and incident response into a single, easy-to-use solution. ENDGAME. REPLACES... PROTECTS AGAINST... ANTIVIRUS EXPLOITS NGAV MALWARE EXPLOIT PROTECTION IOC SEARCH MALWARELESS IR TOOLS PHISHING

17 03 Endgame The Only Agent You ll Ever Need 17 Exploit Prevention: Patent-pending Hardware Assisted Control Flow Integrity (HA-CFI ) blocks zero-day exploits with 99% efficacy before malicious code execution. SUPERIOR PROTECTION Endgame s endpoint protection platform provides autonomous pre- and post-execution protection in a single agent. In addition, attack visualization, and Natural Language Understanding (NLU)-assisted detection and response ensures junior analysts can defend enterprises from sophisticated attacks with minimal training. Malware Prevention: Machine learning-powered signature-less malware prevention, Endgame MalwareScore is certified by SE Labs and AV-Comparatives, and is listed on VirusTotal. It prevents execution of known and unknown malware with 99.5% efficacy. Endgame completely prevented ransomware attacks such as BadRabbit, Petya, WannaCry, and Locky on day one. Malicious Macro Prevention: Heuristics-based macro prevention blocks malicious macros embedded in commonly-targeted applications such as Outlook, Word, and Excel. Fileless Attack Prevention: Patent-pending process injection prevention blocks malicious module loads and dll and shellcode injection to stop fileless attacks. Behavioral Ransomware Prevention: Behavior-based ransomware prevention is our second layer of ransomware defense. It monitors all process activity to stop ransomware attacks before encryption takes place. Technique-Focused Prevention: Built from Endgame s knowledge of adversary tradecraft, this feature covers the breadth and depth of the MITRE ATT&CK matrix, stopping ongoing attacks at the technique level. This includes malicious persistence, credential dumping, malwareless attacks, and privilege escalation. Precision Response: Enable SOC teams to restore endpoint operations at enterprise scale and conduct advanced forensic analysis with zero business disruption. Endgame Resolver attack visualization instantly renders the origin, extent, and timeline of an attack. Automated memory analysis identifies fileless attacks across 50,000 endpoints in less than five minutes. Endgame ArtemisR, an NLU based chatbot elevates junior analysts and accelerates senior analysts with a simple English interface that automates data collection. Endgame Arbiter automates advanced attack analysis to determine file reputation, attack type, and other attributes, extracting IOCs to reveal previously unknown threats across the entire enterprise. EASE OF USE Endgame elevates junior analysts and accelerates senior analysts to stop targeted attacks before damage or loss.

18 03 Endgame The Only Agent You ll Ever Need 18 MINIMAL OPERATIONAL IMPACT Endgame s agent is a lightweight, autonomous with minimal impact to the end-user environment. The Endgame agent is easy to deploy and features both dissolvable and persistent modes. The autonomous agent provides both online and offline protection without any required connectivity to cloud services. No reboot is required for installation and updates, and the agent utilizes less than 1% of CPU utilization. The Endgame agent employs prevention of signature-less malware, meaning that there is no need for DAT files or continuous updates. Endgame s agent is tamper-resistant and cannot be disabled or reconfigured by the end user. The platform is available in both on premise and cloud-hosted versions. The biggest differentiator for Endgame is making security easy for analysts with Artemis, an NLU chatbot that empowers junior analysts and accelerates senior analysts. It boosts operational efficiency by allowing analysts to ask simple questions in English to stop threats in minutes. Endgame has also developed a manager of managers called the Multi-Client Manager (MCM) which provides customers and partners with a single interface to gain visibility across their protected endpoints at scale. This is especially valuable for customers in disperse geographies where multiple data privacy laws come into play. MCM enables analysts by providing a single console to manage, analyze, and interpret data. The Endgame platform has been independently validated to help organizations with PCI DSS and HIPAA compliance requirements. COMPLIANT & CENTRALLY MANAGED PLATFORM THE FIRST VISIONARY ENDPOINT VENDOR EVALUATED IN A REAL-WORLD SCENARIO In its first year, Endgame has been described as a visionary in the 2018 Gartner EPP Magic Quadrant. The Gartner team chose Endgame as a visionary for its scope of protections and testing, as well as its ease of use. Endgame is the only endpoint protection vendor that has been evaluated across the MITRE ATT&CK matrix in a real-world APT scenario. While testing for malware and exploits is important, it is crucial for endpoint vendors to test beyond malware and consider the tools and techniques the attackers actually use. Endgame tests its product internally with red/ blue exercises emulating the attacker landscape.

19 CHAPTER 04 Conclusion There is a lot of buzz in the industry around replacements for traditional AV with next-gen solutions. To make matters worse, there are dozens of vendors offering solutions with new and unproven technology. These options can be confusing and difficult to assess. To maximize value from your next AV solution, focus on how the platform impacts your security program and on its ease of use for all security teams. The Endgame platform addresses the requisite people, process, and technology by providing superior protection and a comprehensive scope, productive analysts with ease of use, and effective processes with automation. Endgame is trusted by the most attacked organizations in the world, including the U.S. Department of Defense along with global financial, energy, and technology companies. These companies partnered with Endgame due to its speed of response and low false-positive rate.

20 ABOUT ENDGAME. Endgame s endpoint protection platform brings certainty to security with the most powerful scope of protections and simplest user experience, ensuring that analysts of any skill level can stop targeted attacks before information theft. Endgame unifies prevention, detection, and threat hunting to stop known and unknown attacker behaviors at scale with a single agent. For more information, visit Endgame. com and follow us on EndgameInc Endgame