Life after antivirus: Reinventing endpoint security

Security professionals still talk about “antivirus defences,” but in the space of a handful of years what is meant by this term has undergone a dramatic shift.

On the surface, things look much as they have always done. Businesses still run what used to be called “AV protection,” reinvented some time ago as the all-purpose “anti-malware.” But underneath the surface, behind the remote management consoles, everything has changed.

With humble viruses long gone and even the term “malware” starting to morph, security clients now behave more like sensors for multi-layered, centralised security systems encompassing not only defence and remediation, but response, forensics, and even data security.

This change might seem like a natural development that parallels how many technologies have evolved since the turn of the millennium, but within cybersecurity it reflects deeper currents. The most important of these is the almost supernatural rise of the professional criminal developing malware at industrial scale. This has not only forced security companies to innovate at an uncomfortable pace, but to integrate the multiple layers of protection necessary to counter such dark innovations.

At the same time, what is being protected now extends way beyond the desktop Windows PC or server. Whether they are laptops or smartphones taken beyond the protection of the firewall perimeter or any one of a multitude of Internet of Things devices, the simpler age of PC security has given way to that of the modern “endpoint.”

Endpoints can be any type of device, and located almost anywhere, taking the perimeter of the network with them as they move. In addition to PCs and smartphones, endpoints now include printers, surveillance cameras, point-of-sale terminals, smart sensors, in-car interfaces, local network devices such as wireless access points, and cloud-emulated systems. BYOD means they can even be personal devices.

But as the old reactive model of anti-malware defence has proved inadequate, protection is now about anticipation, says Sophos senior VP and GM, enduser & network security group, Dan Schiappa.

“Old world anti-malware was based on some prior knowledge of malware, meaning that defences were created after malware had been analysed. This is a reactive way to do endpoint security.

“Next Gen technology is more proactive and can have defences for malware that have never been seen before, using more algorithmic and behaviour-based approaches.”

That doesn’t mean that anticipating malware isn’t incredibly difficult. How can security professionals preempt something their systems might never have seen before?

It follows from this that static AV signatures are now a much smaller part of anti-malware because it is a concept that depends on what is already known. The new emphasis is on spotting behaviours, an idea that stretches back to the early days of AV heuristics in the 1990s. Today, however, it is not simply about profiling broad behaviours but analysing and tracking often complex interactions and relating them to “anomalous” events.

Consider the range of threats that face endpoints. Some of these are mundane, such as the way attackers target unpatched vulnerabilities – including unknown ones such as “zero days” – across a vast array of software. That requires diligent and indefinite patching regimes, assuming a patch is always available. This imposes huge stresses on software companies and customers alike, who are forced to consciously balance security with the potential disruption caused by constantly updating software.

Others are more novel, such as the way ransomware has emerged to attack not systems but data itself. An interesting example offered by Sophos’ Schiappa is memory-resident or “fileless” malware that never saves a trace of itself to storage.

“The biggest trend we are seeing is malware running in memory exploiting vulnerabilities in legitimate software, such as browser, java, and office documents,” he says.

The challenge is that these look much the same as other programs, doing the same things such as accessing files and resources. They don’t stand out until it is too late.

According to Schiappa, this similarity to everyday software risks false positives, and management complexity of the sort that overloads admins. He describes the need for multi-layered detections that can risk-score behaviours in a number of ways.

“We actually use the various components to suppress false positives. We have many aggressive detections in our pre-execution scanning, but we can use reputation to suppress false positives. That is one of the advantages of having an ensemble of next-generation technologies.” In effect, protection must have a sense of what is “normal” for a given endpoint and network, and focus on deviations from that pattern.

Doing it differently

The expression of the Sophos philosophy is Intercept X, a neat summary of the state of-the-art protection that all companies are trying to develop atop their current and often more traditional anti-malware software.

Its design defends files against ransomware by watching which processes are interacting with them, running an anti-exploit layer that monitors for common techniques hitting zero days, and even coming up with what the company calls “root cause analysis,” a method for analysing what malware was doing before it was detected. The company is also looking at machine learning as part of the overall solution – although Schiappa rates it as “too immature and too false-positive prone to be an effective technology alone.”

When it matures, the key will be to integrate it into the protections that already exist rather than rely on it as a “magic bullet,” in his words. It is possible to imagine defenders assembling these diverse components from a collection of new endpoint protection companies that have sprung up on the back of the money pouring into cybersecurity. However, it’s obvious from even a cursory description of these layers that they require a huge amount of integration from the vendor to work effectively.

Schiappa points out that what security managers don’t want is a new generation of endpoint agents to manage, and more complexity to cope with. This is how security got itself into such a mess in the first place. As far as cornerstone endpoints such as Windows machines are concerned, this renders redundant the old “best of breed” versus single platform argument: without the integration that comes from a single platform, no matter how good it is at a single ability, protection will always be partial and potentially compromised. ®