Protecting Critical Assets on the Endpoint When Malware Prevention Might Not Work

How can you protect your critical assets and applications in a practical manner that is suited to real world deployments?

Preventative capabilities of endpoint security software generally focus on blocking malware, perhaps by quarantining suspicious files or terminating misbehaving or unexpected processes. Minerva’s core approach involves interfering with attempts to evade security tools. Other anti-malware techniques involve running legitimate apps in sandboxed, restricted environments to minimize damage. I’d like to discuss another method: one that focuses on the local assets that need to be protected, rather than malware itself. This new method is often more practical in real-world deployments than the alternatives, such as application isolation and whitelisting.

Consider an incident where a memory scraper finds a way to run on a point-of-sale (POS) system. Such malware is designed to examine memory of a POS application process to locate card data, so it can exfiltrate it from the environment. If a security tool could hide the sensitive process, such malware would be unable to achieve its objective. What would have otherwise been a data breach, turned into an incident of relatively low severity.

For another scenario where such an approach is useful, look no further than ATM jackpotting attacks. When malware is activated on an ATM, it typically attempts to initiate unauthorized cash withdrawals by communicating with Extensions for Financial Services (XFS) middleware. By concealing or otherwise restricting access to XFS files on the endpoint, ATM malware can be prevented from performing such actions to prevent the breach, protecting the financial institution from a logical attack that otherwise would have caused significant damage.

There are other situations where it’s valuable to focus on protecting targeted assets, be they files, memory contents or registry keys, instead of relying on the tool’s ability to prevent malware from running on the endpoint. This approach is useful for combating information stealers, for example. In addition, it’s effective on industrial control systems (ICS), in which case the technology can prevent malicious software from interacting with ICS peripherals.

What I’m describing isn’t a theoretical possibility. Minerva’s Anti-Evasion Platform now includes the ability to place controls around sensitive assets as outlined above, with Critical Asset Protection. Instead of attempting to identify and block malware, this component of our solution is designed to protect often-targeted processes, files and peripherals. We do this without affecting the system’s performance and without imposing operational burdens associated with methods such as application whitelisting.

Despite the boastful marketing slogans, no single solution can provide foolproof protection against all forms of malware. This is especially true of detection-based techniques, since attackers will always find a way to craft malicious files or implement malicious actions in a way that evades pattern recognition. Moreover, it’s often impractical to deploy antivirus on legacy endpoints, industrial control systems and special-purpose devices. A different approach is useful to augment baseline protection or to implement security measures where AV is especially weak. Minerva’s Anti-Evasion Platform accomplishes this in several ways, including:

• Deceiving malware in a way that causes it to disarm itself if it attempts to get around security tools.
• Vaccinating endpoints in a way that causes malware to “believe” it’s already present on the system.
• Concealing sensitive assets on the endpoint to prevent breaches even if malware finds a way to run on the system, as outlined above.

And we do this without overlapping with the protection offered by baseline antivirus tools you already have. To see these approaches in action and discuss how they might address your risks, contact us to request a demo.