Carbon Black believes now is the time to move on from traditional antivirus (AV) software and embrace the next generation of endpoint security
With 2016 being plagued by high-profile data breaches at some of the world’s biggest companies, the realisation that cyber criminals have gained the upper hand has well and truly landed.
We are currently losing the cyber battle. Business networks are constantly becoming more complicated, new threat vectors are continuing to develop and employees are frequently using public, unsecured networks to go about their work.
It’s clear that something needs to change and US-based security software provider Carbon Black believes now is the time to move on from traditional antivirus (AV) software and embrace the next generation of endpoint security.
A broken system
“In the early days everyone thought they were in good shape on the endpoint,” said Carbon Black’s VP of product management Brian Hazzard, speaking to Silicon at RSA Conference 2017 in San Francisco.
“A decade ago, companies were reluctant to deploy new endpoint security products because it was much easier to deploy a perimeter defense. You plug in a network security appliance and you get security for everyone, as opposed to rolling out technology to every computer across your enterprise.
“So lots of innovation and lots of investment was made in network security, but everyone continued to be breached. The reason is, if you think about what’s going on today, we no longer have desktops, we don’t sit behind a firewall, everyone’s mobile, so the perimeter is becoming porous. The perimeter is dissolving and as a result of that it’s putting pressure on the endpoints and the cloud.”
The convergence of this dissolving network perimeter, the developing sophistication of attacks and a more mobile workforce means the traditional approach is simply no longer adequate.
Part of this is down to the growth of non-malware attacks, i.e. attacks that have gone “fileless”. Whereas malware used to be predominantly file based and therefore detectable by AV software, there is now “no file associated with the attack”, which has “completely rendered your traditional defenses useless”.
53 percent of breaches now don’t actually use malware at all, instead exploiting vulnerabilities in programmes such as Flash and invoking tools like PowerShell to carry out malicious activity, all residing in the memory of the device, not the file system.
The solution, according to Hazzard and Carbon Black’s CTO Mike Viscuso, is to embrace the next generation of antivirus that “gives context and visibility” to attacks.
“I think right now we’re all realising that, given enough time and motivation, you can in fact break into just about anything,” said Viscuso. “AV was not built for detection and response. It was built for prevention.
“We’ve seen over the past decade, that the next generation of endpoint security needs to have not just prevention, but detection and response. And not just prevention of file-based attacks, but prevention of all attacks.”
Carbon Black analyses malicious activity using a system it calls ‘Streaming Prevention,’ based on a technology called Event Stream Processing which was first pioneered to enable high-frequency stock trading in the financial services sector.
Streaming prevention works by focusing on the behavioural characteristics of an attack, essentially recording all the attackers’ activity and stopping them before the attack has an impact on the device. This information is then sent up to the cloud and analysed in real-time to identify patterns in behaviour.
“If you’re trying to get credentials off of an iPhone you’ll go about it in a different way than you would on a Windows machine,” Viscuso explained, “because they’re stored in a different spot and your access to that is very different. However, the main intent of the attack is really the same.”
“So we focus more on how an attacker attacks rather than any one particular tool that they use or anything like that. Events are streaming all the time and we’re putting pieces together and saying ‘I’m not sure I should let this happen because look what happened before.’ We look at that full attack sequence.”
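The sequence-based approach Viscuso describes can be sketched as a small stream processor that judges each event in the light of what came before it. This is an added illustration, not Carbon Black’s code; the event format, the application lists and the telemetry are all constructed for the example.

```python
from collections import defaultdict

# Constructed lists: applications that open untrusted documents, and
# scripting hosts that can run code straight from memory.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}

def ancestry(pid, parent, image):
    """Walk the recorded process tree upwards and return the image names."""
    chain = []
    while pid in image:
        chain.append(image[pid])
        pid = parent.get(pid)
    return chain

def stream_detect(events):
    """Consume (ts, type, pid, ppid, detail) events in arrival order.
    An alert is raised the moment a script host with a document application
    among its ancestors opens an outbound connection: the point at which
    the sequence would be blocked. 'fileless' records whether the script
    host ever wrote to disk, i.e. whether a file scanner had anything to see."""
    parent, image = {}, {}
    wrote_file = set()
    seen = defaultdict(list)  # per-pid event trail, kept for context
    alerts = []
    for ts, etype, pid, ppid, detail in events:
        seen[pid].append((ts, etype, detail))
        if etype == "process_start":
            parent[pid], image[pid] = ppid, detail
        elif etype == "file_write":
            wrote_file.add(pid)
        elif etype == "network_connect" and image.get(pid) in SCRIPT_HOSTS:
            chain = ancestry(pid, parent, image)
            if any(app in DOCUMENT_APPS for app in chain):
                alerts.append({"ts": ts, "pid": pid, "chain": chain,
                               "fileless": pid not in wrote_file,
                               "trail": seen[pid][:]})  # the full sequence
    return alerts

# Constructed sample telemetry: a benign admin PowerShell session launched
# from the desktop, then a document reader spawning a script host that
# connects out without ever touching the file system.
SAMPLE = [
    (1, "process_start", 10, 1, "explorer.exe"),
    (2, "process_start", 11, 10, "powershell.exe"),
    (3, "network_connect", 11, 10, "10.0.0.5:443"),
    (4, "process_start", 20, 10, "winword.exe"),
    (5, "process_start", 21, 20, "powershell.exe"),
    (6, "network_connect", 21, 20, "203.0.113.7:443"),
]
```

Taken on its own, each event in the second session is indistinguishable from the first; only the lineage makes it an alert.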
So the future of endpoint security lies not just in prevention, but in the detection of and response to both malware and non-malware attacks.
“We’ve got a very concrete view of what that future of endpoint security looks like,” said Hazzard. “Our approach is that machine learning AV is a feature that should be one element of a larger endpoint security solution. And our view is that that’s a good capability for stopping file based malware, but if 53 percent of the breaches are fileless then you better stop all types of attacks and you can’t stop with prevention alone, you’ve got to go into detection and response.”
Viscuso added to this, emphasising the importance of the industry focusing more on contextual analysis to detect attacks: “It certainly has to go that way. We all make decisions on a contextually aware basis as humans so computing has to get much more contextually aware.
“The prevention story is easy, everybody wants to prevent. The reality is that detection is necessary, so you can’t put all your eggs in the prevention basket.”