The Evolution of Endpoint Security

222

Malware is winning… “Sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness.”1 Endpoint security is constantly changing with the malware landscape, but has had a lot of challenges keeping up with unknown threats. Here’s a quick overview of how endpoint protection has evolved from traditional antivirus (AV) to endpoint detection and response (EDR) to next-generation antivirus (NGAV) and, now, to a promising new category called OS-Centric Positive Security.

The Ever-Evolving Endpoint Security Landscape

Traditional Antivirus
Traditional AV technology dates way back to the 1980s. It’s widely agreed that AV is no match for unknown malware since it relies on signatures for malware detection. To compensate for this shortcoming, vendors keep adding more technologies to their AV suites. As a result, agent bloat is becoming a huge issue for IT departments and user productivity. Plus, these additional technologies, just like traditional AV, tend to work like gates that attackers can eventually manage to bypass and gain free access to a system.

Endpoint Detection and Response
Gartner’s Anton Chuvakin first coined the term Endpoint Threat Detection and Response in 2013 to refer to “tools primarily focused on detecting and investigating suspicious activities (and traces of such) other problems on hosts/endpoints.” The term eventually morphed into just Endpoint Detection and Response (EDR). Some of the challenges with this category are that the damage is likely already done by the time EDR discovers that you are infected and that organizations struggle to find and afford security staff to hunt for threats.

Next-Generation Antivirus
Unlike traditional AV, NGAV attempts to stop threats without having any prior knowledge of them by using techniques such as machine learning and artificial intelligence. Early adopters began using NGAV sometime around 2014. Although this category of endpoint security has significantly improved detection efficacy, it falls short of 100% detection for these reasons:

  • Since it is trained on known malware samples, it isn’t always effective against truly new malware.
  • Its focus on static file analysis leaves it ineffective against many fileless attacks. This is a huge gap since fileless malware accounts for about 52% of all attacks in 2017.2
  • The bad guys are now using the same artificial intelligence and machine learning technologies as the good guys are to outsmart NGAV solutions.

OS-Centric Positive Security
OS-Centric Positive Security is a response to the shortcomings of using signatures or relying on highly unpredictable user behavior for unknown malware detection. By mapping legitimate operating system behavior, OS-Centric Positive Security knows all the normative ways that may lead to damage, such as file deletion, data exfiltration, encryption, sabotage and more. Focusing on these finite “good” actions, rather than trying to track down infinite “bad” actions, helps thwart attacks before damage is done.

Watch this Webinar featuring Nyotron’s Chief Technology Officer, Nir Gaist, to learn more about this relatively new category of endpoint security.


1 Ranum, Marcus, J. The Six Dumbest Ideas in Computer Security. 2005
2 Sheridan, Kelly (January 11, 2018) “Responding to the Rise of Fileless Attacks” https://www.darkreading.com/endpoint/responding-to-the-rise-of-fileless-attacks/d/d-id/1330810?print=yes Dark Reading. Retrieved 2018-03-30.