By Robert Zamani, Nyotron
You may be familiar with the concept of taking a “Zero Trust” approach to security. It is an extension of the Principle of Least Privilege that calls for restricting access to information, systems, and services to only those who require it for their job duties. This approach can be attributed to Google and its BeyondCorp concept. Zero Trust has traditionally been implemented at the perimeter and on the LAN. The limitations of whitelisting solutions have prevented broader adoption of the Zero Trust model at the endpoint level.
Nyotron’s PARANOID solution brings Zero Trust to the endpoint by enforcing known-good operating system (OS) behavior without the limitations of application control and traditional whitelisting, and without the need for IT security professionals to be constantly on the hunt for threats.
Once a standard whitelist approves a process, it never again questions what that process can be used for, or by whom. This leaves you with little to no protection from the scripting languages and ordinary administrative tools so commonly used in so-called fileless attacks today. Whitelisting may not even protect an organization from a zero-day attack that exploits an unknown vulnerability within an approved application such as a web browser, Java, Adobe, or Microsoft Office. This creates a significant management burden for IT teams, who end up spending too much time searching for indicators of compromise (IOCs) with no guarantee of a satisfactory outcome.
The process of gathering and analyzing threat intelligence is so laborious because it requires two things: endless searches for zero-day vulnerabilities, and searches for known exploits of each identified vulnerability. This intel is then translated into IOCs that feed an Endpoint Detection and Response (EDR) solution, which searches for matching compromises. However, knowing that something is amiss means there has to have been a patient zero, and therein lies the conundrum of threat intel and EDR.
Best case: you have already been compromised, the perpetrators have left, and all you have is the intelligence to identify what has already occurred.
Worst case: you are patient zero.
Conversely, OS-Centric Positive Security defines what is good and rejects everything else. PARANOID uses the threat intelligence feed to verify that prevention occurred, not as the parameter that defines what to search for.
The industry needs to start thinking about extending the Zero Trust model beyond access control and network security alone. You can apply it to all of your endpoints to achieve true defense-in-depth protection. This does not mean a return to yesterday’s application control or whitelisting technologies. Instead of following the Negative Security model of trying to enumerate an effectively infinite set of attacks, PARANOID embraces the Positive Security model by mapping known-good operating system behavior, which is finite, to stop any threat, old or new.
This enables PARANOID to deliver three key capabilities that traditional whitelisting cannot: protection against fileless attacks, against exploitation of application vulnerabilities, and against zero-days, while significantly reducing management overhead.
Read our white paper “Endpoint Prevention and Response (EPR): Turning Detection into Prevention” to learn more about how the EPR approach succeeds where traditional EDR fails.