
ADVANCED THREAT PROTECTION BEYOND THE AV: THE SECURITY GAPS NO ONE WILL TELL YOU ABOUT IN EPP\EDR AND NETWORK ANALYTICS WHITE PAPER

Posted on 25-Sep-2020



BEYOND THE AV 2



FOREWORD

In 2019, it is common knowledge that the standard signature-based AV + Firewall security stack doesn’t provide sufficient protection from the rapidly evolving threat landscape that poses risk concerns to organizations of all sizes and verticals.

While large enterprises can cover their attack surfaces with various complementing products, aggregate and correlate them in a SIEM and employ a staff of skilled SOC analysts, mid-sized organizations have to address critical cyber risks with significantly fewer resources at their disposal.

In practice, the typical mid-sized organization makes a single ‘advanced security’ investment, leading to the inevitable question: which choice yields the highest return on this investment?

In this paper, we summarize the two main approaches security decision-makers in mid-sized organizations face (the Endpoint approach and the Network Analytics approach), and challenge them with a new alternative that goes beyond both to provide the mid-sized organization with full advanced threat protection.

THE ENDPOINT APPROACH:

ENDPOINT PROTECTION (EPP) / ENDPOINT DETECTION AND RESPONSE (EDR)

Prominent vendors:

AV vendors that enable an EDR\EPP upgrade: Symantec, McAfee, Trend Micro, Kaspersky, Sophos, Microsoft

Native EDR\EPP: Crowdstrike, Cylance, SentinelOne, Cybereason, Palo Alto Networks

Description:

This approach enhances the existing endpoint protection from mere signature-based AV to an Endpoint Protection Platform (EPP) that includes non-signature prevention capabilities, as well as Endpoint Detection and Response (EDR) for advanced threats that were able to bypass the prevention layer.

The logic of this approach is that in most if not all attacks, both the initial compromise and many post-compromise malicious activities involve processes running on the endpoint. Therefore, monitoring process execution is the default route to prevent and detect threats.


Strengths

Prevention:

• Zero-day malware

• Memory corruption exploits

• Documents weaponized with malicious Macros.

Detection:

• Post-compromise malicious activity that is reflected in anomalous process behavior.

• Detection of known hacking tools (Mimikatz, Powersploit, Empire, etc.)

• Alert Investigation Context: wide context for alert investigation – process tree, network connection, logged in users and threat intelligence enrichment.

• AV Replacement: EPP\EDR include AV core capabilities as a subset of their overall offering, eliminating the need to operate and maintain two separate products.

Weaknesses:

• Only Endpoint: No visibility into post-compromise activity that doesn’t involve process anomalies (e.g. internal threats, user anomalies and network-based attacks).

• Insufficient Context: Many attacks involve the use of legitimate tools (Powershell, WMI, etc.). In many cases, process behavior alone doesn’t provide sufficient context to determine whether such a process is malicious or benign, resulting in either a high rate of false positives or overlooked attacks.

• Limited Remediation: Remediation capabilities are limited to the endpoint and typically include only isolating the host or opening a remote shell and uploading a script.

• Operation: Making sense out of alerts requires a staffed and skilled security team beyond the reach of the common mid-sized organization.

• Deployment: In many cases, the endpoint agent can degrade performance or clash with existing software, slowing down deployment, which causes security gaps.

EPP\EDR provide significant value in enhancing prevention capabilities. However, detection of post-compromise activity is lacking because their detection mechanisms are narrowed to process anomalies on the endpoint, missing a large portion of attack vectors that can be detected only through monitoring network traffic or user behavior. Alert operation requires the manual effort of a skilled security team, and remediation is limited to endpoint/process only.
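The “Insufficient Context” weakness above is easiest to see on concrete telemetry. The following Python is an added example (not the paper’s code and not any vendor’s) that scores the same process events twice: once with only what the process itself shows (image, parent, command line), and once enriched with the user and network context the paper says endpoint-only tooling lacks. The admin list, the per-user host history, the RFC 1918 definition of “internal”, the weights and the alert threshold are all assumptions, and the events are constructed.

```python
"""Context-aware triage of endpoint process telemetry (constructed sample events)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str                       # executable name, lower-case
    parent: str                      # parent executable name
    cmdline: str
    remote_ip: Optional[str] = None  # destination of a connection the process opened, if any


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
LIVING_OFF_THE_LAND = {"powershell.exe", "wmic.exe"}         # legitimate tools named in the paper
KNOWN_TOOL_MARKERS = ("mimikatz", "powersploit", "empire")   # hacking tools named in the paper

# Assumed corporate definition of "internal": RFC 1918 space only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed context that a process-only rule does not have: admin accounts and the
# hosts each user was seen on during a learning period.
ADMINS = {"helpdesk1"}
USER_HOSTS = {"helpdesk1": {"ws-it-01", "ws-fin-07"}, "sales7": {"ws-sales-12"}}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def process_only_score(ev: ProcessEvent) -> int:
    """Score from what the process itself shows: image, parent and command line."""
    score = 0
    if ev.image in LIVING_OFF_THE_LAND:
        score += 1      # ambiguous on its own: admins run these every day
    if ev.parent in OFFICE_APPS:
        score += 3      # a document spawning a shell is the macro-delivery pattern
    if any(m in ev.cmdline.lower() for m in KNOWN_TOOL_MARKERS):
        score += 5      # known hacking-tool signature
    return score


def contextual_score(ev: ProcessEvent) -> tuple[int, list[str]]:
    """Same event, enriched with user and network context (assumed weights)."""
    score = process_only_score(ev)
    reasons = []
    if ev.remote_ip and not is_internal(ev.remote_ip):
        score += 2
        reasons.append("process connected to an external address")
    if ev.image in LIVING_OFF_THE_LAND and ev.user not in ADMINS:
        score += 2
        reasons.append("non-admin user running admin tooling")
    if ev.host not in USER_HOSTS.get(ev.user, set()):
        score += 2
        reasons.append("user has no logon history on this host")
    return score, reasons


def verdict(score: int, threshold: int = 4) -> str:
    return "alert" if score >= threshold else "benign"


# Constructed sample telemetry, not real data.
EVENTS = [
    ProcessEvent("ws-fin-07", "helpdesk1", "powershell.exe", "explorer.exe",
                 r"powershell.exe -File C:\it\inventory.ps1", "10.0.4.20"),
    ProcessEvent("ws-fin-03", "sales7", "powershell.exe", "explorer.exe",
                 "powershell.exe -w hidden -enc AAAA", "203.0.113.10"),
    ProcessEvent("ws-sales-12", "sales7", "winword.exe", "explorer.exe",
                 "winword.exe /n", None),
    ProcessEvent("ws-it-01", "helpdesk1", "cmd.exe", "explorer.exe",
                 "cmd.exe /c mimikatz.exe", None),
]


def triage(events: list[ProcessEvent] = EVENTS) -> list[dict]:
    """Per event: the verdict a process-only rule gives versus the contextual one."""
    rows = []
    for ev in events:
        p = process_only_score(ev)
        c, why = contextual_score(ev)
        rows.append({"host": ev.host, "user": ev.user, "image": ev.image,
                     "process_only": verdict(p), "contextual": verdict(c), "why": why})
    return rows


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The second event is the one that matters: a process-only rule sees “powershell.exe launched from explorer.exe” and scores it the same as the admin’s inventory script, while the user, host-history and destination context push it over the threshold. The mimikatz event shows the other detection route the paper lists, a known-tool signature, which needs no context at all.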


THE NETWORK APPROACH:

NETWORK ANALYTICS

Prominent vendors:

Darktrace, Vectra Networks, Microsoft Azure Advanced Threat Protection, Palo Alto Network IDS, AlienVault

Description:

Network analytic tools detect malicious presence or activity by dissecting network traffic. This makes network analytic tools reactive by nature: they have minimal to zero prevention capabilities and are oriented to discovering post-compromise activities.

Network analytic tools leverage the host and user metadata enclosed in network packets to form a behavioral baseline of users’ activities, hosts’ interactions and network communications. Additionally, these tools use known network traffic signatures of concrete malicious activity (such as exploits or identity attacks) to detect those as well.

Strengths:

• Malicious authentication through anomalous user behavior

• Identity attacks via analysis of DC authentication traffic

• Network-based reconnaissance activities

• Mass automated network propagation (WannaCry style)

• Login attempts that deviate from standard user and network behavior patterns

• Network-based identity attacks (SMB relays, DNS responder, ARP spoofing, etc.)

• Operational: non-intrusive, with no agent on the endpoint and no interference with actual network traffic

Weaknesses:

• Prevention: No prevention capabilities, meaning that the many attacks which bypass the AV layer are not stopped. This means zero protection from ransomware and no prevention of malicious activity at the host level.

• Remediation: As a pure detection tool, there are no remediation capabilities.

• Detection accuracy: Regardless of the applied AI algorithm, detection has a high false-positive rate.

• Environment coverage: Network analytic tools rely on SPAN ports and other data feeds. As a result, any non-trivial network topology (geographically dispersed or multi-forest) creates difficulties in deployment and coverage.

• Operation: Making sense out of alerts requires a staffed and skilled security team beyond the reach of the common mid-sized organization.

Network analytics tools provide high value in detecting pure network-based threats such as various data exfiltration vectors and certain identity attacks. However, their lack of prevention capabilities makes them a risky gamble as a single advanced security solution.

Additionally, the lack of remediation capabilities would require vast manual effort to efficiently respond to live attacks.
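The network approach described above rests on a behavioral baseline built from the host and user metadata in authentication traffic, against which login attempts that deviate from a user’s pattern and scanning-style failed logons are flagged. The following Python is an added example (not the paper’s code and not any vendor’s) that learns per-user destination hosts and logon hours from a clean history and then checks a detection window for an unseen destination, an off-hours logon, and one source failing against several distinct hosts. The log line format, host names, addresses, the one-hour tolerance and the three-host threshold are all constructed assumptions.

```python
"""Behavioral baseline of authentication metadata, built from constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line format for this example; real sensors (DC audit logs, SPAN feeds) differ.
LINE = re.compile(
    r"(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


class Baseline:
    """Per-user destination hosts and logon hours learned from a clean history."""

    def __init__(self) -> None:
        self.user_dst = defaultdict(set)
        self.user_hours = defaultdict(set)

    def learn(self, ev: dict) -> None:
        if ev["result"] == "success":
            self.user_dst[ev["user"]].add(ev["dst"])
            self.user_hours[ev["user"]].add(ev["ts"].hour)

    def check(self, ev: dict) -> list[str]:
        """Reasons a successful logon deviates from the user's learned pattern."""
        reasons = []
        if ev["result"] != "success":
            return reasons
        if ev["dst"] not in self.user_dst[ev["user"]]:
            reasons.append(f'{ev["user"]} never authenticated to {ev["dst"]} before')
        hours = self.user_hours[ev["user"]]
        if hours and min(abs(ev["ts"].hour - h) for h in hours) > 1:   # 1h tolerance is assumed
            reasons.append(f'{ev["user"]} logon at hour {ev["ts"].hour} is outside the learned window')
        return reasons


def detect(history: list[str], window: list[str], spray_threshold: int = 3) -> list[dict]:
    base = Baseline()
    for line in history:
        base.learn(parse(line))
    alerts = []
    failed_dst = defaultdict(set)   # source address -> distinct hosts it failed to log on to
    for line in window:
        ev = parse(line)
        for reason in base.check(ev):
            alerts.append({"user": ev["user"], "src": ev["src"], "reason": reason})
        if ev["result"] == "failure":
            failed_dst[ev["src"]].add(ev["dst"])
            if len(failed_dst[ev["src"]]) == spray_threshold:   # fires once per source
                alerts.append({"user": ev["user"], "src": ev["src"],
                               "reason": f"{ev['src']} failed logons against {spray_threshold} distinct hosts"})
    return alerts


# Constructed learning period (all normal) and detection window.
HISTORY = [
    "2019-03-04T08:55:00 LOGON user=alice src=10.0.1.5 dst=FS01 result=success",
    "2019-03-04T09:10:00 LOGON user=alice src=10.0.1.5 dst=MAIL01 result=success",
    "2019-03-05T17:40:00 LOGON user=alice src=10.0.1.5 dst=FS01 result=success",
    "2019-03-04T09:00:00 LOGON user=bob src=10.0.1.7 dst=FS02 result=success",
]
WINDOW = [
    "2019-03-06T09:05:00 LOGON user=alice src=10.0.1.5 dst=FS01 result=success",
    "2019-03-06T03:12:00 LOGON user=alice src=10.0.1.5 dst=DC01 result=success",
    "2019-03-06T03:13:00 LOGON user=bob src=10.0.9.9 dst=FS01 result=failure",
    "2019-03-06T03:13:01 LOGON user=bob src=10.0.9.9 dst=FS02 result=failure",
    "2019-03-06T03:13:02 LOGON user=bob src=10.0.9.9 dst=DC01 result=failure",
]


def run() -> list[dict]:
    return detect(HISTORY, WINDOW)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The first window line is a routine logon and produces nothing; the second is the same user at 03:12 to a domain controller she has never touched, which trips both rules; the failed-logon burst from a single source is the kind of reconnaissance the strengths list mentions. Note what the code cannot do: it only reports, which is the remediation gap the paper raises, and the false-positive rate of the hour rule depends entirely on how long and how clean the learning period was.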


INTERIM SUMMARY

Roughly speaking, each approach has strengths and weaknesses in terms of both threat coverage and the route it provides from a detected threat to validated recovery.

To a certain degree these approaches complement each other. A full discussion of the pros and cons of piecing together several products is beyond the scope of this paper, since we focus on organizations that typically make a single advanced security investment only. Under that constraint, it is clear that both the EDR\EPP and network analytics approaches fail to deliver the advanced threat protection mid-sized organizations seek.


A THIRD APPROACH:

CYNET

Cynet is designed from the ground up to address the needs of the mid-sized organization in a single platform. As such, Cynet maps its protected environments to host, file, user and network entities, and natively integrates prevention and detection technologies that cover the attack vectors targeting them, avoiding the partial threat coverage inherent to EDR\EPP and network analytic tools. To further enhance its threat protection capabilities, Cynet also provides a Deception layer to lure defense-evading attackers into revealing their presence.

Total Environment Visibility:

An organization’s attack surface is much wider than its endpoints. Cynet continuously monitors all users logging in and out, internal and external traffic, and process execution on hosts to provide real-time contextual visibility into the entire environment’s activities.

360° Prevention and Detection:

Cynet continuously builds and natively integrates the full scope of technologies to prevent and detect attack vectors that target users, files, the network and hosts: AV, NGAV, EDR, network analytics, UEBA and deception, building a robust security protection stack across all attack stages.

Deception:

Advanced attackers can evade detection. To confront this, Cynet enables its users to plant decoy files, credentials and network connections across their environment, luring such attackers to reveal their presence by attempting to use or access these decoys.

Automated Remediation:

Cynet provides the widest available set of remediation actions for compromised hosts and users, malicious files and network communication. Cynet is shipped with pre-built remediations, making it the only solution with the ability to block attacks at multiple post-compromise stages such as privilege escalation, credential theft, lateral movement and others.

Context-based Alert Operation:

In the case of malicious activity without a matching pre-built remediation, Cynet provides the full user, file, network and host context for rapid insight into the attack’s impact and scope. The resolution process concludes with manually applying a remediation action on the compromised entity, which can be saved as a policy to automate the response to future occurrences.

CyOps 24X7 Security Expertise:

Cynet complements its automated threat protection technology with integrated security services at no additional cost. CyOps is a 24/7 team of threat analysts and security researchers that proactively hunts for threats among Cynet’s customers, as well as responds to customer escalations, assisting with file analysis, incident response and deep investigations.

Easy Deployment & Maintenance:

Cynet is based on a server-agent architecture. The server can be on-prem, IaaS or hybrid, per customer preference; the endpoint component is either a dissolvable executable or a light-weight agent that can be deployed to 50K hosts in a single day.
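The Deception paragraph in this section says decoy credentials, files and network connections are planted so that any attempt to use them reveals the attacker. The following Python is an added illustration of how such a layer works in practice (not Cynet’s code and not any vendor’s): it derives a per-host decoy account name, so the name itself records which host the credential was harvested from, keeps a small decoy catalog, and correlates every decoy touch by source address. The seed, decoy names, file paths, addresses and events are all constructed.

```python
"""Per-host decoy credentials and decoy-touch correlation on constructed events."""
import hashlib
from collections import defaultdict

PLANT_SECRET = b"example-seed-not-for-production"   # constructed; a real deployment keeps this secret


def decoy_username(host: str, secret: bytes = PLANT_SECRET) -> str:
    """Decoy account name to plant on a host. The suffix is unique per host, so when the
    name later shows up in an authentication event it identifies where it was harvested."""
    tag = hashlib.sha256(secret + host.encode()).hexdigest()[:6]
    return f"svc-backup-{tag}"


def plant(hosts: list[str]) -> dict[str, str]:
    """Lookup table the detector keeps: decoy username -> host it was planted on."""
    return {decoy_username(h): h for h in hosts}


# Constructed decoy catalog for the other two decoy types the paper lists.
DECOY_FILES = {r"\\FS01\finance\payroll_2019_backup.xlsx"}
DECOY_HOSTS = {"10.0.7.250"}


def correlate(events: list[dict], planted: dict[str, str]) -> list[dict]:
    """Group decoy touches by the source address that made them. Decoys have no legitimate
    use, so one touch is an alert; several from one source mark an active intrusion."""
    touches = defaultdict(list)
    for ev in events:
        if ev["type"] == "logon" and ev["user"] in planted:
            touches[ev["src"]].append(
                f'decoy credential planted on {planted[ev["user"]]} used against {ev["dst"]}')
        elif ev["type"] == "file" and ev["path"] in DECOY_FILES:
            touches[ev["src"]].append(f'decoy file read: {ev["path"]}')
        elif ev["type"] == "connect" and ev["dst"] in DECOY_HOSTS:
            touches[ev["src"]].append(f'connection to decoy host {ev["dst"]}')
    return [{"src": src, "touches": t, "severity": "critical" if len(t) > 1 else "high"}
            for src, t in touches.items()]


PLANTED = plant(["ws-fin-03", "ws-hr-02"])

# Constructed events: two normal ones from 10.0.1.5, then one source that reads a decoy file,
# logs on with the credential harvested from ws-fin-03, and probes the decoy host.
EVENTS = [
    {"type": "logon", "user": "alice", "src": "10.0.1.5", "dst": "FS01"},
    {"type": "file", "src": "10.0.1.5", "path": r"\\FS01\finance\budget.xlsx"},
    {"type": "file", "src": "10.0.3.40", "path": r"\\FS01\finance\payroll_2019_backup.xlsx"},
    {"type": "logon", "user": decoy_username("ws-fin-03"), "src": "10.0.3.40", "dst": "DC01"},
    {"type": "connect", "src": "10.0.3.40", "dst": "10.0.7.250"},
]


def run() -> list[dict]:
    return correlate(EVENTS, PLANTED)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The value of the per-host suffix is in the resulting alert: the credential was planted on ws-fin-03 but used from 10.0.3.40, so the defender learns both where it was stolen and where the attacker now operates without any baseline or tuning. The contrast with the behavioral approaches is that decoy touches are high-fidelity by construction, which is why deception is presented as a complement to prevention and anomaly detection rather than a replacement for them.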


COMPARISON TABLE

Columns: CYNET | EDR\EPP (e.g. Crowdstrike) | NETWORK ANALYTICS (e.g. DarkTrace)

Rows, by category (the per-column coverage marks did not survive extraction; only the row labels are listed):

IT HYGIENE: Vulnerability assessment; Asset management; App blacklisting

PREVENTION: AV replacement; Malware; Exploits; Macro; Powershell

DETECTION: Hacking tools signatures; Process behavior; Network traffic behavior; User behavior

REMEDIATION: Host (one column marked Partial: isolate\run command); File\process; User; Network

SECURITY SERVICES: Suspicious file analysis; Incident response; Attack investigation report

AUTOMATED THREAT DISCOVERY & MITIGATION

To learn more about Cynet’s approach, visit: www.cynet.com