TRANSCRIPT
The Current State and Future Path of Endpoint Security
In conjunction with:
Adrian Sanabria
(@sawaba)
• Industry Analyst: 4 years
• Red Team: 5 years
• Blue Team: 5 years
• IT: 4 years
• Compulsive researcher
• ‘Big Picture’ focus
• Often find inspiration outside InfoSec
Agenda
• TL;DL
• The Big Picture
• Industry Trends and Terms
• Industry: The Market View
• Analysis: The Future
Technology has changed
Attacker tactics have changed
Defenses stayed the same...
Sorry, no, they got worse
• Endpoint Security is primarily a Windows problem
• Microsoft is currently innovating faster than the AV industry
• Most enterprises use 3 or more endpoint solutions simultaneously
TL;DR, or before I lose you in my rant...
Yes, there is a “but”
Endpoint Security is already solved!
Security vs. Usability
The evolution of endpoint security
• 2002: Endpoint Security = AV
• 2005: Endpoint Security = AV, VPN client, NAC client, host-based FW, HIPS, FDE, patching, device/port control, FIM... aaaaaaa, this is so confusing!
• 2006: Heavy consolidation
• 2008: Endpoint Security = EPP (AV ‘suites’)
• 2010: Rise of the “advanced, sophisticated” (read: moderately competent) adversary
• 2015: Endpoint Security = AV, NGAV, EDR, Threat Hunting, Isolation, Exploit Prev... aaaaaaaaaaaaa, this is so confusing!
• 2016+: Heavy consolidation
• 2018: Endpoint Security = NGEPP? (please, no)
Why is the endpoint important?
1. This is where work happens
2. One of the easiest paths into a company
3. BYOD and ShadowIT are unsolved problems
4. Endpoints don’t stay at work anymore…
Why endpoint? Most enterprise spending is tied up in the perimeter, leaving four blind spots:
• Blind Spot #1: The Endpoint
• Blind Spot #2: Internal network communications (East-West traffic)
• Blind Spot #3: The Cloud
• Blind Spot #4: Data
Where did we go wrong?
1. Not enough root cause analysis
2. Not enough process improvement (if any)
3. Even when we do succeed, we force the attacker to change tactics.
Are we ready for that?
Discarding useful tech because it wasn’t a silver bullet
2011: “By 2015, more than 50% of enterprises will have instituted 'default deny' policies that restrict the applications users can install.”
Industry Trends and Terms
Buzzwords explained: NGAV and EDR
NGAV: The ability to stop threats without prior knowledge of them
A variety of new techniques, significantly more effective at stopping unknown threats.
EDR: Endpoint Data Recorder (a slight acronym modification)
What makes a product NGAV?
Use of one or any of these new(ish) malware prevention techniques:
• Use of static machine learning models on the endpoint
• Examples: Cylance, Crowdstrike, Sophos (Invincea X), Symantec
• OS Level Behavioral Analysis (observing malware behavior)
• Examples: SentinelOne, Crowdstrike, Barkly, Cybereason
• Exploit prevention
• Examples: Palo Alto TRAPS, Endgame, Digital Immunity, Sophos (HitmanPro)
• A few other novel techniques
• Virtual patching in-memory (0Patch)
• Various kernel shims and anomaly detection (Abatis, Ceedo, ROMAD)
• Memory randomization (Morphisec)
Myth-busting time: ML/AI versus ‘Signatures’
1. AV hasn’t been ‘signature-based’ since the early 1990s.
2. ML is still effectively pattern-matching.
3. ML relies on the analysis of existing malware.
4. ML/AI is demonstrably better at detecting unknown malware, but is also more false-positive prone.
The only time I want to hear “Next Generation”
(Meme captions:)
“Our long-range sensors suggest the term ‘next-gen’ is more harmful than helpful!”
“I don’t think AI means what they think it means.”
What comes after ‘next-gen’? Nothing.
2013-2016: Next-Gen AV describes a variety of new approaches to detecting and stopping binary malware.
2017+: Next-Gen AV techniques have been absorbed into existing AV suites, and NGAV startups have become suites.
NGAV is now just ‘AV’.
EDR: Endpoint Detection and Response
Many use cases:
• detection
• forensics
• incident response
• source for automation event triggers
Ultimately, EDR is a sensor that provides rich, forensic data before you need it
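The slide describes EDR as a sensor that records rich endpoint data before you need it. As an added example (not from the deck, and not any vendor's product), here is the free version of that recorder on Windows, built from Sysmon, which the deck lists among the Microsoft tools: record every process creation with hashes, record network connections for a handful of script hosts and Office binaries, and then run a query over the recorded data for a non-malware pattern (an Office application spawning a shell or script host). The sysmon64.exe location, the config path, the parent/child lists and the sample event are this example's assumptions; the sample event is constructed, not real telemetry.

```powershell
# Added example, not from the slides: an "endpoint data recorder" built from Sysmon
# (Sysinternals) rather than a commercial EDR. Assumptions: sysmon64.exe is in the
# current directory, the config path is arbitrary, and the parent/child process lists
# are this example's own choices. Run the install/update part as Administrator.
$configPath = Join-Path $PWD 'sysmon-recorder.xml'
$config = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Record EVERY process creation: an empty exclude list excludes nothing.
         Filter when you query, not when you capture; dropped events cannot be recovered. -->
    <ProcessCreate onmatch="exclude" />
    <!-- Network connections only for script hosts and Office, to keep volume sane. -->
    <NetworkConnect onmatch="include">
      <Image condition="end with">powershell.exe</Image>
      <Image condition="end with">wscript.exe</Image>
      <Image condition="end with">mshta.exe</Image>
      <Image condition="end with">winword.exe</Image>
      <Image condition="end with">excel.exe</Image>
    </NetworkConnect>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $config

# First install (-i) or update the running configuration (-c) if the service exists.
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & .\sysmon64.exe -c $configPath
} else {
    & .\sysmon64.exe -accepteula -i $configPath
}

# Flatten a Sysmon event's <EventData><Data Name="..."> nodes into a hashtable.
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# Non-malware tradecraft: an Office document spawning a shell or script host. No file
# here is malware, so AV has nothing to match; the parent/child pair is the signal.
$officeParents  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$scriptChildren = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                  'mshta.exe', 'regsvr32.exe', 'rundll32.exe'

function Test-OfficeSpawn {
    param([Parameter(Mandatory)][hashtable]$Fields)
    $parent = [IO.Path]::GetFileName([string]$Fields.ParentImage).ToLowerInvariant()
    $child  = [IO.Path]::GetFileName([string]$Fields.Image).ToLowerInvariant()
    ($officeParents -contains $parent) -and ($scriptChildren -contains $child)
}

# Query the recorded data: Sysmon Event ID 1 (process create) from the Operational log,
# reported with the forensic detail that was captured up front (hash, command line, user).
function Find-OfficeSpawns {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonEvent ([xml]$_.ToXml()) } |
        Where-Object  { Test-OfficeSpawn $_ } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.UtcTime; User = $_.User; Parent = $_.ParentImage
                               Child = $_.CommandLine; Hash = $_.Hashes }
        }
}

# Constructed sample event (not real telemetry) so the logic can be exercised offline.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2018-03-01 14:02:11.000</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc QQBCAEMA</Data>
    <Data Name="User">CORP\jdoe</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>
'@
Test-OfficeSpawn (ConvertFrom-SysmonEvent $sample)   # True: Word spawned PowerShell
Find-OfficeSpawns | Format-Table -AutoSize
```

The design choice that matters is where the filtering happens: the capture configuration excludes nothing for process creation, and the parent/child rule lives in the query. That is the "data before you need it" property the slide describes; a rule added next month can be run over last month's events, which is impossible if the sensor only recorded what last month's rules matched.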
What about remediation and response?
Who is cleaning this mess up?
Discuss: Remediation vs Containment
Explain: Automated Endpoint Remediation
Silly marketing trend: using percentages
1. A percentage isn’t useful at large scale.
2. The raw number stopped isn’t important.
3. Percentages can’t measure threats that don’t exist yet.
4. Adversaries don’t give up when a single attack fails.
Attacks simply don’t work this way.
(Cartoon captions: “99% coverage!” ... “The dog is gone.” ... “100% coverage!”)
Industry: The Market View
Industry missteps
Products that only work on the corporate network
Products that break the user
Assuming any one layer must achieve 100% efficacy
Products that bury the customer in data
Making consumers a secondary priority
The endpoint security market, high level
• Prevention (pre-execution)
• Detection and Data Collection (post-execution)
• Platform Hardening
80+ vendors; 65/45 split, complementary/primary

Endpoint categories: What’s driving them?
NGAV
• NEED: a better malware mousetrap
• WHAT: Automated detection of unknown threats
• WHY: auto-generated malware gets through
EDR
• NEED: endpoint visibility; serious blind spot otherwise
• WHAT: Record detailed endpoint data
• WHY: detect attacks that defeat 1st layers of defense
Hardening
• NEED: More permanent, resilient solutions
• WHAT: Wide variety of approaches
• WHY: Passive defenses reduce pressure on frontline defenses
Remediation
• NEED: Contain and clean up threats
• WHAT: Containment and automated remediation
• WHY: Reduce expense and labor of dealing with threats
Prevention vs Detection: Pros and Cons

                                     Prevention (e.g. AV, NGAV)   Detection (e.g. EDR)
Likelihood of user disruption        Low to none                  Generally higher
False positives                      Lower                        Higher
False negatives                      Higher                       Potentially lower
Detect/prevent non-malware threats   Generally, no                Yes
Labor-to-value ratio                 Low                          High
The First Great Endpoint Security Consolidation
(Timeline 2003, 2006, 2010: ~30 acquisitions)

Events that helped kickstart the Second Great Endpoint Security Consolidation
Before 2010 (2003-2009):
• Mostly adjacent endpoint security/management technologies
• Took our eyes ‘off the ball’
• Got waaaay too excited about whitelisting
• Laptops instead of Desktops
After 2010:
• 2010: Stuxnet (state-sponsored malware)
• 2013: APT1 (more state-sponsored malware)
• 2013: Snowden (domestic malware, threats and attack tools)
• 2014: Ransomware

The Second Great Endpoint Security Consolidation
(Timeline 2010, 2014, 2017+: ~30 acquisitions so far)
Analysis: The Future
What’s the future of endpoint security?
In a word: Microsoft
• EMET
• AppLocker
• Device Control
• LAPS
• Windows 10 S
• Credential Guard
• Defender SmartScreen
• Defender AV
• Defender Application Guard
• DEP
• ASLR
• SEHOP
• Controlled folder access
• Defender
• AMSI
• MSRT
• Sysmon
• Sysinternals Suite
Is antivirus dead?
“Nobody wants to say antivirus is dead, but let’s just say they’re planning ahead for the wake and eyeing the stereo.”
Wendy Nather, 451 Research (2013)
Adrian’s Endpoint Security Roadmap
1. Build a better malware mousetrap (NGAV)
2. Threat-driven hardening (kill Flash!)
3. Detect/Stop Non-Malware attacks
4. Full-system visibility (EDR)
5. Data visibility
6. More resilient host (less need for AV)
Do enterprises even need better AV?
Hardening Windows
• CIS benchmarks (hardening)
• Update to Windows 10!
• Ad-blocking
• Remove unnecessary software/features
• Least privilege:
  • Flash click-to-run
  • disable/restrict Java plugin
  • selective whitelisting
Free/OSS Tools
• Microsoft EMET
• Microsoft AppLocker
• Artillery (Binary Defense)
• OSSEC (Trend Micro)
• El Jefe (Immunity)
• Sandboxie (Invincea)
• AIDE (FIM)
• ROMAD
• 0Patch
• OSQuery
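The hardening list above is a checklist, not a procedure, so here is an added example (not from the deck) of a first pass through it on Windows 10 with built-in tooling only: system-wide DEP/ASLR/SEHOP (Microsoft retired EMET in 2018; these settings are its successor), controlled folder access, removal of two features nobody should still have enabled, and "selective whitelisting" with AppLocker in audit-only mode, followed by the check a practitioner would run before enforcing. The policy path, the two explicit Deny paths and the probe file are this example's choices; nothing in it comes from the slides or from Microsoft's own sample scripts.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the slides: a first pass through the "Hardening Windows" list on
# Windows 10 (1709 or later) with built-in tooling. Everything that could break a user
# starts in audit mode. Assumptions: the policy path, deny paths and probe file are this
# example's choices.

# 1. Platform mitigations, system-wide (the built-in successor to EMET's settings).
#    DEP, SEHOP and ASLR (bottom-up + high-entropy) become the default for all processes.
Get-ProcessMitigation -System | Select-Object DEP, ASLR, SEHOP | Format-List
Set-ProcessMitigation -System -Enable DEP, SEHOP, BottomUp, HighEntropy

# 2. Defender controlled folder access in audit mode first: ransomware-style writes to
#    protected folders are logged (Defender event 1124) but not yet blocked (1123).
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Remove unnecessary features: SMB1, and the PowerShell 2.0 engine (no AMSI, no logging).
foreach ($feature in 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root') {
    if ((Get-WindowsOptionalFeature -Online -FeatureName $feature).State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
        "Disabled $feature (reboot may be required)"
    }
}

# 4. Selective whitelisting: AppLocker, AuditOnly. Allow what lives under the admin-writable
#    %WINDIR% and %PROGRAMFILES%; everything a standard user can write to (profile, Downloads,
#    %TEMP%) is denied by default. %WINDIR% still contains user-writable folders, so the two
#    common ones get explicit Deny rules; an explicit Deny always beats an Allow in AppLocker.
function New-Rule([string]$Name, [string]$Sid, [string]$Action, [string]$Path) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}
$everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-Rule 'Admins: everything'            $admins   'Allow' '*')
$(New-Rule 'Everyone: Windows'             $everyone 'Allow' '%WINDIR%\*')
$(New-Rule 'Everyone: Program Files'       $everyone 'Allow' '%PROGRAMFILES%\*')
$(New-Rule 'Deny user-writable Windows\Temp'  $everyone 'Deny' '%WINDIR%\Temp\*')
$(New-Rule 'Deny user-writable Windows\Tasks' $everyone 'Deny' '%WINDIR%\Tasks\*')
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:ProgramData 'applocker-audit.xml'   # example location
Set-Content -Path $policyPath -Value $policyXml
Set-AppLockerPolicy -XmlPolicy $policyPath      # local policy; add -Merge to keep existing rules
sc.exe config appidsvc start= auto | Out-Null   # AppLocker does nothing unless this service runs
Start-Service -Name AppIDSvc

# 5. Check before enforcing: the same binary should be denied from a user-writable path
#    and allowed from System32. Expected: DeniedByDefaultRule, then Allowed.
$probe = Join-Path $env:LOCALAPPDATA 'Temp\probe.exe'   # example user-writable location
Copy-Item "$env:WINDIR\System32\whoami.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:WINDIR\System32\whoami.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $probe

# After some time in audit mode, event 8003 lists what WOULD have been blocked. Review it,
# fix the legitimate cases with publisher rules, then set EnforcementMode="Enabled" and
# switch controlled folder access from AuditMode to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Two points of practice behind the order above: the audit step is not optional, because a default-deny policy that was never audited is exactly the "product that breaks the user" the deck lists under industry missteps; and path rules are only a first cut, since anything under an allowed path that a user can write to (the two Deny rules cover the usual suspects, not all of them) is a hole until it is closed with publisher or hash rules.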
Adrian Sanabria - @sawaba
Ed Rojas
http://TacticalEdge.co