RSA Conference Guide 2014 Deep Dive: Endpoint SecurityBy Mike Rothman
We are in the home stretch, with only a few more deep dives to post.
EPP: Living on Borrowed Time?
Every year we take a step back and wonder if this is the year customers will finally revolt against endpoint protection suites and shift en masse to something free, or one of the new technologies focused on preventing advanced attacks. It is so easy to forget how important inertia is to security buying cycles. Combined with the continued (ridiculous) PCI mandate for ‘anti-malware’ (whatever that means), the AV vendors continue to print money.
Our friends at 451 Group illustrate this with a recent survey. A whopping 5% of respondents are reducing their antivirus budget, while 13% are actually increasing the budget. Uh, what?!?! Most are maintaining the status quo, so you will see the usual AV suspects with their big RSA Conference booths, paid for by inertia and the PCI Security Standards Council. Sometimes it would be great to have a neutron cluebat to show the mass market the futility of old-school AV…
Don’t Call It a Sandbox
The big AV vendors cannot afford to kill their golden goose, so innovation is unlikely to come from them. The good news is that there are plenty of companies taking different approaches to detection at the endpoint and server. Some look at file analysis, others have innovative heuristics, and you will also see isolation technologies on the floor. Don’t forget old-school application control, which is making a comeback on the back of Windows XP’s end of life, and the fact that servers and fixed function devices should be totally locked down.
We expect isolation vendors to make the most noise at the RSA Conference. Their approach is to isolate vulnerable programs (including Java, browsers, and/or Office suites) from the rest of the device so malware can’t access the file system or other resources to further compromise the device. Whether isolation is via virtualization, VDI, old-school terminal services, or newfangled endpoint isolation (either at the app or kernel level), it is all about accepting that you cannot stop infection, so you need to make sure malware can’t get to anything interesting on the device.
These technologies are promising but not yet mature. We have heard of very few large-scale implementations but we need to do something different, so we are watching these technologies closely, and you should too.
The Rise of the Endpoint Monitors
As we described in the introduction to our Advanced Endpoint and Server Protection series, we are seeing a shift in budget from predominately prevention to detection and investigation functions. This is a great thing in light of the fact that you cannot stop all attacks.
At the show we will see a lot of activity around endpoint forensics, driven by hype over the recent FireEye/Mandiant and Bit9/Carbon Black deals, bringing this technology into the spotlight. But there is a bigger theme – what we call “Endpoint Activity Monitoring”. It involves storing very detailed historical endpoint (and server) telemetry, and then searching for indicators of compromise in hopes of identifying new attacks that evade the preventative controls. This allows you to find compromised devices even if they are dormant.
Of course if isolation is immature technology, endpoint activity monitoring is embryonic. There are a bunch of different approaches to storing that data, so you will hear vendors poking each other about whether they store on-site or in the cloud. They also have different approaches to analyzing that massive amount of data. But all these technical things obscure the real issue: whether these technologies can scale. This is another technology to keep an eye on at the show.
Endpoints and Network: BFF
The other side of the coin discussed in our Network Security deep dive is that endpoint solutions to prevent and detect advanced malware need to work with network stuff. The sooner an attack can be either blocked or detected, the better, so being able to do some prevention/detection on the network is key.
This interoperability is also important because running a full-on malware analysis environment on every endpoint is inefficient. Being able to have an endpoint or server agent send a file either to an on-premise network-based sandbox or a cloud-based analysis engine provides a better means of determining how malicious the file really is.
Of course this malware analysis doesn’t happen in real time, and you usually cannot wait for a verdict from off-device analysis before allowing the file to execute on the device. So devices will still get popped but technology like endpoint activity monitoring, described above, gives you the ability to search for devices that have been pwned using a profile of the malware from analysis engines.
Most MDM vendors have been bought, so managing these devices is pretty much commodity technology now. Every endpoint protection vendor has a mobile offering they are bundling into their suite. But nobody seems to care. It’s not that these products aren’t selling. They are flying off the virtual shelves, but they are simply not exciting. And if it’s not exciting you won’t hear much about it at the conference.
Some new startups will be introducing technologies like mobile IPS, but it just seems like yesterday’s approach to a problem that requires thinking differently. Maybe these folks should check out Rich’s work on protecting iOS, which gets down to the real issue: the data. It seems like the year of mobile malware is coming – right behind the year of PKI. Not that mobile malware doesn’t exist, but it’s not having enough impact to fire the industry up. Which means it will be a no-show at the big show.