What makes endpoints the gateway into enterprises for so many cyber-attacks? Reviewing key events from the history of endpoint security helps shed some light on what drives attackers to target systems and why safeguarding endpoints is a formidable challenge despite the advancements in security technologies.
According to a 2017 report by the Ponemon Institute, fileless attacks, which aim to avoid antivirus solutions by keeping malicious code primarily in memory of the compromised system, are on the rise. Such tactics are an example of the evolving cyberattack patterns that put enterprise endpoints at risk. Since endpoints reside at the intersection of human users and business applications, they are an attractive target for adversaries. Locking down the endpoint without interfering with legitimate activities is hard for even the most experienced of security professionals. Moreover, whenever people are involved, there are reasonable chances that adversaries will try to trick end-users to gain entry into the organization.
As a result, despite the seemingly never-ending investment in endpoint security, enterprises still struggle to stay ahead of the attackers. A brief review of the history of endpoint security sheds some light on the key developments which influenced the way defenders think about protecting systems.
The Early Antivirus Era
The late 90’s marked the rise of the Internet era and introduced the first global viruses, such as the Melissa worm, and the ILoveYou virus. During the first years of the new millennium, a slew of malware families were launched including the infamous Nimbda worm, which spread rapidly around the world.
The focus of endpoint security in the enterprises was antivirus software. Yet, IT departments all over the world were unprepared for a rapid spread of malware, such as Code Red and SQL Slammer, leading to increased demand for antivirus and personal firewall products. Such events not only highlighted the importance of securing endpoints, but also began shedding the light on the limitations of antivirus software.
Over time, the endpoint security toolkit of the 2000s expanded to include products and practices related to patch management, encryption, data-loss prevention, and access control measures.
The Decline of “Traditional” Antivirus
As the attack technique continued to evolve, the effectiveness of traditional signature-based antivirus techniques continued to decline. A backlash in some security circles against antivirus intensified to the point that by 2008 some technologies proclaimed that signature-based antivirus was dead altogether.
Due to the low efficacy of signature-based antivirus techniques, organizations struggled preventing infections while also having to deal with the operational challenges of keeping heavy signature files up-to-date across enterprise endpoints. Moreover, the slightest mistake in the AV agent’s code or signature database could cause endpoints to crash and leave the enterprise with frustrated users and extensive damage.
Faced with competitive pressure and end-user demands, the providers of antivirus software began employing other techniques for distinguishing between legitimate and malicious software, including the increased reliance of cloud-based analysis capabilities and artificial intelligence algorithms. In some cases, these methodologies were the primary method employed by the product to detect malware; in others, it supplemented signature-based approaches.
In addition, recognizing the difficulties of preventing infections, some security vendors began developing technologies that would assist in detecting and investigating compromised endpoints. Later, such technology would gain the name Endpoint Detection and Response (EDR).
A Renewed Focus on Multilayered Security Solutions
The 2013 cyber-attack against Target Corp, which resulted in the exposure of 70 million customer records, had a profound effect on many people’s perspectives on information security. The methodologies that allowed the attackers to compromise Target’s defenses reinforced the need for defense in depth both on the network and endpoint level, as cyber threats were becoming sophisticated and often multi-layered.
Even before that breach, enterprise defenders started to realize that some attacks simply could not be prevented by security solutions that employed a single security approach. This dynamic led to the increased interest in applying multiple approaches to safeguarding endpoints under the umbrella of a unified solution. This category of products came to be called Endpoint Protection Platform (EPP). According to Gartner, EPP is “a solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.”
Though EPP solutions introduced a variety of approaches to combat malware, the adversaries didn’t stand still. They continued to adjust attack tactics to compensate for the new approaches, even if they involved machine-learning and artificial intelligence.
The Rise of Evasive Malware
As defense technologies progress, so do cyber attackers and the techniques they use to overcome existing defenses. As the sophistication of techniques for detecting malware increases, so does the use of tactics for evading antivirus and other anti-malware tools. The use of such methods by adversaries undermines defenders’ confidence in the ability of EPP solutions. In Minerva’s recent endpoint security survey, three-quarters of the respondents deemed their anti-malware solution effective at preventing no more than 70% of infections.
Minerva Labs’ Anti-Evasion Platform covers the gap inherent to antivirus-like products on the endpoint, providing an additional layer of prevention that co-exists with antivirus solutions without duplicating functionality. This approach takes into account the hard work needed to deploy, upgrade, and maintain systems. Minerva’s endpoint defense strategy is about fighting unknown malware designed to evade existing defenses, regardless of whether there is a known signature, behavior pattern or machine learning model.
To learn more about the evasion techniques used in successful attacks and how to evolve your endpoint protection strategy to cover the gap, download our whitepaper: How and Why Your Anti-Ransomware Strategy Needs to Evolve Beyond Antivirus.