
7 trends in advanced endpoint protection

After extensive testing of 10 advanced endpoint protection products, we have identified a series of broad industry trends:

1. Virus signatures are passé. Creating a virus with a unique signature is child’s play, thanks to the nearly automated malware construction kits that have circulated on the internet over the past several years. Instead, many of today’s advanced endpoint protection products draw on threat-intelligence feeds and reputation services, such as VirusTotal.com, that report on the latest attacks. Some, like CrowdStrike, have a long list of integrations with security and log management tools that make them more effective at spotting attack trends.

2. Tracking executable programs is so last year. In the old days of malware, exploits typically left some kind of payload or residue on an endpoint: a file, a registry key or the like. Then the bad guys graduated to running their business entirely in memory, leaving little trace of their activity, hiding inside PDFs or Word documents, or redirecting your Web browser to a phishing site that served Java-based exploits.


Today’s hackers have become more sophisticated, using Windows PowerShell commands to set up a remote command shell, pass a few text commands, and compromise a machine without leaving much of a trace on the endpoint. To be effective against this kind of behavior, today’s products look at what effect the attacker has on the endpoint: does it drop any files, including what may at first seem to be benign text files, or make any changes to the Windows Registry? Figuring this out isn’t easy, and many of the products focus on this area to prevent the bad guys from gaining control of your computers.

3. Can the product track privilege escalation or other credential abuse? Modern attackers try to penetrate your network with a legitimate user credential, often a default account left over from when you installed SQL Server or some other product, and then escalate to a domain administrator or another account with greater network rights.

4. Insider threats are more pernicious, and blocking them has become more compelling. One of the reasons traditional anti-virus protection has failed is that attackers can gain access to your internal network and do damage from a formerly trusted endpoint. To block this kind of behavior, today’s tools need to map internal, or lateral, network movement so you can track down which PCs were compromised and neutralize them before your entire network falls into the wrong hands.
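Mapping lateral movement, as described in trend 4, and following a default service credential up to a domain administrator account, as in trend 3, both come down to walking logon events in time order. The following is an added example, not code from the article or any product it reviews: given constructed logon telemetry (the record layout is an assumption, loosely modelled on Windows 4624 network and remote-interactive logons gathered from each endpoint) and one host known to be compromised at a given minute, it computes every host reachable by logons that happen after the attacker could have arrived, the path taken, and the accounts used along it. Hostnames and accounts are constructed sample data.

```python
"""Scope a compromise by walking lateral-movement edges in logon telemetry.

Added example, not code from the article or any product it reviews.
Records are constructed; the layout (minute, user, src, dst, logon_type)
is an assumption loosely modelled on Windows 4624 events.
"""
import heapq
from collections import defaultdict

# Constructed telemetry. Logon type 3 = network, 10 = remote interactive.
LOGONS = [
    # minute, user,                 src,     dst,     type
    (0,  "CORP\\alice",         "ws01",  "fs01",  3),   # ordinary file-share use
    (2,  "CORP\\bob",           "ws02",  "ws04",  3),   # before ws02 was compromised
    (5,  "CORP\\svc_sql",       "ws02",  "sql01", 3),   # default service credential reused
    (8,  "CORP\\svc_sql",       "sql01", "ws03",  10),  # first lateral hop
    (12, "CORP\\Administrator", "ws03",  "dc01",  10),  # escalated to domain admin
    (15, "CORP\\Administrator", "dc01",  "fs01",  3),
    (20, "CORP\\carol",         "ws05",  "ws06",  3),   # unrelated traffic
]


def trace(logons, origin, start_minute):
    """Earliest-arrival search over logon edges, starting at `origin`.

    An edge src->dst at minute t is usable only if the attacker could already
    be on src at t (t >= arrival time at src). Returns {dst: (minute, user,
    src, logon_type)} for every host reached, keyed by the first hop into it.
    """
    by_src = defaultdict(list)
    for rec in logons:
        by_src[rec[2]].append(rec)
    earliest = {origin: start_minute}
    via = {}
    heap = [(start_minute, origin)]
    while heap:
        arrived, host = heapq.heappop(heap)
        if arrived > earliest[host]:
            continue  # stale entry; a faster route to this host was already processed
        for t, user, _src, dst, ltype in by_src[host]:
            if t >= arrived and t < earliest.get(dst, float("inf")):
                earliest[dst] = t
                via[dst] = (t, user, host, ltype)
                heapq.heappush(heap, (t, dst))
    return via


def path(via, origin, target):
    """Reconstruct the hop sequence from origin to target, e.g. ['ws02', 'sql01', ...]."""
    hops = [target]
    while hops[-1] != origin:
        hops.append(via[hops[-1]][2])
    return hops[::-1]


def accounts_used(via):
    """Set of accounts that appear on any hop of the traced movement."""
    return {user for _t, user, _src, _ltype in via.values()}


if __name__ == "__main__":
    reached = trace(LOGONS, "ws02", 5)
    for host in sorted(reached, key=lambda h: reached[h][0]):
        t, user, src, ltype = reached[host]
        print(f"minute {t:2d}: {src} -> {host} as {user} (type {ltype})")
    print("accounts:", sorted(accounts_used(reached)))
```

The time constraint is what keeps the scope honest: bob's earlier logon from ws02 to ws04 predates the compromise and so ws04 stays out of the containment list, while the account changing from svc_sql to Administrator midway along the path is exactly the escalation trend 3 asks the product to surface.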

5. Data exfiltration is more popular than ever. Moving private user data or confidential customer information out of your network is the name of the game today. Look no further than the Sony or Target breaches as examples of what an EDR tool has to deal with now. Tools that can track these exfiltrations are more useful.

6. Many tools use big data and cloud-based analytics to track actual network behavior. One reason sensors and agents can be so compact is that most of the heavy lifting happens in the cloud, where vendors can bring big data techniques and data visualization to bear to identify and block a potential attack. SentinelOne and Outlier Security use these techniques to correlate data across your network in real time.

7. Attack reporting standards like CEF, STIX and OpenIOC are also being integrated into today’s endpoint products; SentinelOne is one example. This is a welcome development, and hopefully more products will move in this direction.


IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

