The threat landscape has been rapidly evolving over the past few years, largely driven by an expansive and mature cybercrime-as-a-service (CaaS) ecosystem.
Services range from rapid trojan development, access to infected PCs and C&C hosting, all the way to the liquidation of stolen information.
These services all play a contributing role to the year-over-year growth in both the volume and complexity of today’s modern threats, as well as the increasing ineffectiveness of traditional endpoint security solutions.
One of the key challenges endpoint security products face is that of awareness.
Traditional technology has placed an intense focus on blocking malware before it can execute on a system being protected.
This is largely achieved through being aware of a specific malware variant or family, or heuristics which detect malicious behaviors.
Unfortunately, tools designed by and for cybercriminals have made large scale rapid development of new malware variants trivial.
In combination with rapid variant development, variants are distributed in very low volume which decreases the chance of being discovered by security vendors.
The end result is that many infections are not blocked up front and end up going unnoticed indefinitely.
Collective intelligence and remediation
To combat cybercrime’s effective malware distribution tactics, endpoint security solutions are adding a number of new innovations.
One such advancement has been to enable endpoint security solutions to be more aware of the system being protected, as well as all systems being protected.
In what is known as a collective intelligence model, endpoint security products are able to collect information from every endpoint, specific to encounters with new applications, and correlate that data in the cloud where big data analytics assist researchers in identifying emerging threats.
By enabling endpoint security solutions to be sensory and discovery nodes, it ensures that encounters with very low volume and targeted attacks are observed and subsequently classified.
Additionally, this model has the added benefit of becoming smarter every day and more aware with every new endpoint deployment. Another key innovation in endpoint security is the method for handling remediation.
Traditionally, remediation is tied to the research process which identifies a threat.
Based on how that threat behaves during the classification process, a remediation routine is created to disinfect a system where that threat is detected. Unfortunately, and again largely due to a robust CaaS marketplace, tools and tactics are widely available which make remediation of today’s threats very difficult.
These tactics include randomised installation, geo specific payloads and automated virtual environment detection. Again, the end result is that infections are much more difficult to remove.
Innovation in this space again ties to enabling the endpoint security software itself to play a bigger role.
As each endpoint is aware of the system being protected, it can also monitor what changes occur when new applications execute. In this way, there is no longer a tie between the research process and remediation.
Each endpoint monitors the system being protected and records system changes by new and untrusted applications.
This greatly improves remediation and ensures all changes are reverted, whether they are file payloads, encryption or registry modifications.
As cybercriminal tactics continue to evolve, so must the technology we trust to defend our systems.
By Grayson Milbourne, security intelligence director, Webroot