Endpoint threats have entered a new era, and the security industry has been rushing to catch up. The result is a highly fragmented and confusing market that has doubled in size to over 70 vendors in the last four years. We're in the midst of the second great endpoint security consolidation and will discuss precisely what that means. We'll discuss six progressive stages endpoint security will work through as this market continues to mature over the next five years or so.
2016 Virus Bulletin
1. The beginning of the end(point): where we are now and where we’ll be in five years
Adrian Sanabria, Senior Security Analyst, 451 Research
2. Adrian Sanabria (@sawaba)
Industry Analyst: 3 years
Red Team: 4 years
Blue Team: 5 years
IT: 4 years
Opinionated
Goofball
Compulsive researcher
Embraces awkwardness
4. Why are we here?
• Disruption in the endpoint security market
• Confused buyers
• Confused sellers
• Current and future opportunities
5. TL;DL, or before I lose you in my rant...
IT and consumer technology has changed
Attacker TTMs have changed
Defenses stayed the same...
Sorry, no, they got worse
6. Industry missteps
Products that only work at corporate HQ
Products that break the user
Assuming any one layer must achieve 100% efficacy
Products that bury the customer in data
Making consumers a secondary priority
12. Is antivirus dead?
“Nobody wants to say antivirus is dead, but let’s just say they’re planning ahead for the wake and eyeing the stereo.”
Wendy Nather, 451 Research (2013)
14. Is antivirus dead?
What’s dead, if anything, then?
The traditional process of addressing endpoint threats is fundamentally broken, and is in the process of being replaced.
24. NGAV? MY definition (not Gartner’s)
The ability to stop threats without prior knowledge of them
What is prior knowledge?
• Signatures
• IoCs
• Malware analysis sandbox
• Blacklisting
25. Prevention: Detection
• Behavioral analysis: Software
• Behavioral analysis: Users
• Kernel shims
• Deception
• In-memory scanning
Prevention vs Detection: a question of cost
26. Endpoint Data Collection
• Many use cases:
• detection
• forensics
• incident response
• No more blind spot
27. What about remediation and response?
Who is gonna clean this up?
• Remediation vs Containment
• Automated Endpoint Remediation
28. Understanding the startup cycle
Idea → Founded → Seed funding → GA/MVP → Growth & funding → Exit (founders leave)
Acquisition? (possible at several points along the way; founders leave?)
3-5 year cycle in security
29. Adrian’s Endpoint Security Roadmap
1. Better malware mousetrap
2. AV Certification (newer vendors)
3. Non-malware attacks
4. EPP features (newer vendors)
5. Data visibility
6. More robust and resilient platforms
30. Do enterprises even need better AV?
Hardening Windows
• CIS benchmarks (hardening)
• Ad-blocking
• Remove unnecessary software/features
• Least privilege:
  • flash click-to-run,
  • disable/restrict java plugin
  • selective whitelisting
Free/OSS Tools
• Microsoft EMET
• Microsoft AppLocker
• Artillery (Binary Defense)
• OSSEC (Trend Micro)
• El Jefe (Immunity)
• Cylance Detect
• Sandboxie (Invincea)
• AIDE (FIM)
• ROMAD
• 0Patch
32. I have data: Voice of the Enterprise
451 Research has a panel of highly accredited senior IT executives who participate in surveys focused on enterprise IT trends. This proprietary panel consists of 30,000+ IT decision-makers in North America and Europe. Respondents of this Information Security survey are members of the panel who were qualified based on their expertise in their organization’s IT deployment.
The Voice of the Enterprise: Information Security survey wave was completed during the months of June and July 2016. The survey represents more than 930 completes from pre-qualified IT decision-makers primarily based in North America and Europe. In addition to regular quarterly topics, this survey focuses on organizational dynamics around the information security function within enterprises.
33. What’s happening in the enterprise?
Endpoint sec is ubiquitous
Endpoint sec is mature
It is the #1 change Enterprises are planning to make in 2016
Why?
34. INFORMATION SECURITY: ORGANIZATIONAL DYNAMICS 2016
Source: 451 Research, Voice of the Enterprise: Information Security, Organizational Dynamics 2016
Q4. What do you consider your top internal information security pain point within your organization for the previous 90 days?

Top Security Pain Point                                             Q1 2016   Q2 2016
                                                                    (n=829)   (n=843)
Malicious Software (Malware)                                          17.9%     17.1%
Data Loss/Theft                                                        9.0%     10.2%
User Behavior                                                          8.4%      9.4%
Staffing Information Security                                          7.6%      6.6%
Organizational Politics/Lack of Attention to Information Security      7.2%      6.4%
Application Security                                                   5.7%      6.2%
Security Awareness Training                                            4.1%      5.8%
Accurate, Timely Monitoring of Security Events                         6.3%      5.8%
Endpoint Security                                                      5.4%      5.2%
Firewall/Edge Network Security                                         3.1%      5.0%
Mobile Device Security                                                 3.9%      3.4%
Cloud Security                                                         3.5%      3.2%
Third-Party/Supplier Security                                          2.1%      2.8%
Lack of Budget                                                         3.9%      2.5%
Malicious Insider Activity                                             1.4%      2.3%
Vulnerability Management                                               3.7%      2.3%
New Traffic Patterns via Virtualization                                1.1%      1.8%
Keeping Up with New Technology                                         3.1%      1.7%
Overwhelming Threat Information/Intelligence                           1.3%      1.3%
Supply Chain Attacks                                                   1.1%      0.8%
Counterfeit Parts                                                      0.1%      0.2%

Malware + Endpoint Security: 23.3%, collectively
35. “How would you rate your current suite of Endpoint Security tools against...”

Use Case                                            % effective or very effective
Detecting Known Malware                             75%
Preventing Known Malware                            68%
Detecting Unknown Malware                           29%
Preventing Unknown Malware                          25%
Detecting and/or preventing non-malware attacks     40%
36. What are your organization’s top three Infosec projects over the next 12 months?
#1: Endpoint Security, 21.7%
#22: Network-based Anti-Malware, 6.2%
38. What are the big problems?
• We no longer have one perimeter: we have many
• Sloppy defense in depth
• Information asymmetry
• Market currently unstable (still consolidating)
• Blind Spots
• Blaming the user (aka “stop clicking links”)
• Discarding useful tech because it wasn’t a silver
bullet
• Ending the leapfrogging and so much more!
39. Where else do we find IT?
Traditional Data Center
Mobile
SaaS
Cloud
41. Why are we still investing so heavily in the perimeter?
90%+ of the security budget*
* - I made this number up. We have the number, I just didn’t look it up.
42. Why are we still investing so heavily in the perimeter?
43. Because this is where your employees actually work
Conclusion? Security controls MUST travel with the asset.
47. Defense/Expense in depth has failed

Attack           Defence                               Failure
Phishing Email   Email Security; Security Awareness    User clicks
Malware Link     URL/IP reputation; Malware Sandbox    Malicious link not detected
C2 Comms         Endpoint Security; IDS/IPS            AV misses malware, Network Security misses C2
Pivoting         East/West Security Visibility         Enterprise blind spot
Exfiltration     Data Loss Prevention                  Alert doesn’t trigger, or is missed

Conclusion? Thorough testing and configuration of defenses.
48. Design for the real world
“Customers never enable the more effective functionality in our product!”
--Engineer, at a large incumbent AV vendor
Conclusion? Products need to adapt to different users.
49. Information Asymmetry
AV isn’t just protecting against ‘known threats’.
It is a known threat. To the bad guys!
Conclusion? A detection engine will never stop determined adversaries.
50. Blind spots: the traditional enterprise has five
Endpoint
East-West Traffic
Cloud/SaaS Data
54. Discarding useful tech because it wasn’t a silver bullet
2011: “By 2015, more than 50% of enterprises will have instituted 'default deny' policies that restrict the applications users can install.”
55. Myth: Solving the malware problem changes everything!
[Chart: share of breaches by action category (Error, Hacking, Malware, Misuse, Social), 2012-2014, y-axis 0%-40%]
How big a part of the breach problem is malware?
15% in 2012
24% in 2013
33% in 2014
Source: Verizon Enterprise Solutions
57. The solution isn’t simple.
We can’t get rid of AV
1. R&D work done by AV firms is irreplaceable
2. Signatures still necessary to track and communicate existing threats
3. Compliance
4. AV Certification
New entrants can’t yet replace AV
1. Remediation isn’t there yet
2. Prevention isn’t complete without detection
3. Malware isn’t the only issue
4. Curse of complementing
Conclusion? Customers will continue using multiple products until consolidation completes.
2006: Heavy consolidation
2008: Endpoint Security = Endpoint Protection (EPP)
2010: Rise of the advanced, sophisticated, moderately well-read adversary
Is anyone else tired of this term?
The “attacker landscape” changed - whether they’re after money, computing power or information, it is a business now. Attackers work 8 to 5 and take the weekends off. They check their code into repositories. They use off-the-shelf advanced components. They’re professionals working for a paycheck.
For a while now, many people have been content to think that the sophisticated or advanced attackers aren’t after them, that they’re not a target. For a while, that was probably true for most enterprises. No longer.
Kaspersky estimates Stuxnet cost $100M to develop. Just a few years later, IceFog was estimated to cost $10k or less to develop, and included a Mac trojan so that executives could be effectively targeted.
What we mean by that is that the traditional process of preventing malware is fundamentally broken.
Why? All these professional, highly-funded government-level malware tools found their way in the hands of criminals, and gave them head starts.
Most malware is unique and used once, then disposed.
We needed new strategies and tactics
Three Categories
Prevention
Detection
Data collection/analysis
Next-gen, to me, refers to the ability to detect and stop threats without requiring prior knowledge about the threat. Detecting ‘badness’ without .dat files, IoCs, signatures or having to run malware in a sandbox. This is an important point – this is STILL prior knowledge, as you have to analyze the sample first! It breaks all of the most common use cases except email, where a 5 minute delay is usually acceptable.
The difference is that most of the incumbents with suites haven’t deployed NGAV approaches yet, but they will soon. Also, the NGAV folks are missing most of the “suite” stuff that the incumbents have.
Why is pre-execution prevention important?
Why is this the most important category right now?
However, that doesn’t mean signatures, IoCs, analysis sandboxes aren’t important! They’re just not effective for frontline detection/prevention. We still need them for malware analysis and R&D.
Remediation vs containment
A few notes here – these won’t be tackled in a linear fashion. Some vendors already help with #5 and #6
I came up with this order by looking at the enterprise’s needs and capabilities.
Existing controls are vastly under-utilized
Free stuff out there is useful and more ‘battle-tested’/proven than some very expensive commercial products
I’ve had TONS of defenders tell me that they haven’t depended on anti-malware for years. They simply analyze the most common sources of infection, and harden their systems accordingly
Perimeter gone.
Endpoints everywhere.
Security must travel with the endpoint and data!
The conclusion? Security MUST travel with the endpoint. The endpoint has been and will continue to be the battleground where we will see the majority of attacks.
Advanced malware detection was capable of detecting and blocking ‘advanced’ and ‘custom’ malware, but not when it was sent over in advanced or custom ways.
Note: He’s not screaming because his PC is infected, he’s screaming because he just signed a 6 digit invoice for Advanced Anti-Malware protection, and his PC is infected.
We’re doing all this for one reason: Windows is soft and vulnerable.
So, why is all this failing to protect the endpoint?
Tell story of Symantec engineer complaining that customers never turn on the more effective functionality.
This product has knobs and dials and sliders galore – it is NO WONDER the customer fails to protect themselves with it!
We saw in the Microsoft presentation
It takes more than a detection engine to protect an endpoint. When an AV engine (be it NG or sig-based) is available to the bad guys, they WILL figure out how to evade.
Anyone know this acronym? Want to drop it in the comments for the others?
Have you ever used it in trouble ticket notes?
We’ve all poked fun at users because we needed to blow off some steam and frustration. Seriously though, you still have a problem to deal with, and blaming the user won’t get you any closer to solving it.
Blaming the user is missing the issue
It isn’t users’ fault the tools provided to them are vulnerable and fragile.
The user isn’t expected to be a security expert.
We can’t fix this problem by training the user.
Not entirely. The moment you get done training one batch of employees, some of them have left and you have new ones.
I believe training the user can help, but security awareness is just one imperfect layer of defense. You need more layers.
We’re driving users nuts.
Users are punished, and must suffer through our attempts to make the company “safer” by removing the “threat” they present.
Who really suffered through all these failed security trends?
How do we fix this?
Perhaps not as big as you’d think, but growing at an alarming rate!
This data comes courtesy of the team that puts Verizon’s DBIR together.
We need durable 5 year solutions, not 6 month solutions
Ransomware example
The first line of defense (Prevention in this case) will always fail
There can be many, many layers of detection AND prevention – each of these doesn’t represent a single attempt to block or discover an attack
Detecting is only half the battle. You found one infected PC – are the rest infected? Can you find out and shut them down before the damage is done? Can you automate all this?
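The talk's NGAV definition (stopping threats without prior knowledge of them, because most malware is unique and used once), the "remediation vs containment" slide, and the closing question ("you found one infected PC, are the rest infected?") can all be shown on a few lines of telemetry. The block below is an added example, not code from the talk or from 451 Research. It assumes a hypothetical JSON-lines process-creation feed; every host name, image name and hash in it is constructed for the example. A hash blacklist (prior knowledge) catches only the sample already seen, a parent/child behavioural rule catches both hosts without knowing either sample, and the hosts found that way become the containment list, while the hashes they surface become the next round of signatures.

```python
# Added example, not from the talk or 451 Research: a behavioural rule that
# needs no prior knowledge of the sample, run over constructed endpoint
# telemetry, then used to scope the fleet and build a containment list.
# Hypothetical JSON-lines process-creation feed; hosts, images and hashes
# are made up for this example.
import json
from collections import defaultdict

SAMPLE_EVENTS = """
{"host": "ws-01", "parent": "explorer.exe",   "image": "winword.exe",    "sha256": "word-build-1"}
{"host": "ws-01", "parent": "winword.exe",    "image": "powershell.exe", "sha256": "ps-build-1"}
{"host": "ws-01", "parent": "powershell.exe", "image": "updater.exe",    "sha256": "payload-aaaa"}
{"host": "ws-02", "parent": "explorer.exe",   "image": "chrome.exe",     "sha256": "chrome-build-1"}
{"host": "ws-03", "parent": "winword.exe",    "image": "cmd.exe",        "sha256": "cmd-build-1"}
{"host": "ws-03", "parent": "cmd.exe",        "image": "svc_update.exe", "sha256": "payload-bbbb"}
{"host": "ws-04", "parent": "explorer.exe",   "image": "winword.exe",    "sha256": "word-build-1"}
"""

# Prior knowledge: the one hash recovered from an earlier incident. The second
# host received a recompiled sample, so its hash has never been seen before.
KNOWN_BAD_HASHES = {"payload-aaaa"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(text):
    """Parse the JSON-lines feed into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


EVENTS = parse_events(SAMPLE_EVENTS)


def signature_hits(events):
    """Prior-knowledge detection: only hashes already on the blacklist fire."""
    return [e for e in events if e.get("sha256") in KNOWN_BAD_HASHES]


def behavioral_hits(events):
    """No prior knowledge of the sample: an Office app spawning a shell fires."""
    return [e for e in events if e["parent"] in OFFICE_APPS and e["image"] in SHELLS]


def children_of(events, host, parent_image):
    """Processes spawned by a given image on one host (one hop down the tree)."""
    return [e for e in events if e["host"] == host and e["parent"] == parent_image]


def scope_fleet(events):
    """Detecting is half the battle: which hosts show the behaviour, and what
    did the shell go on to launch there?"""
    affected = defaultdict(list)
    for hit in behavioral_hits(events):
        affected[hit["host"]].append(hit["image"])
        for child in children_of(events, hit["host"], hit["image"]):
            affected[hit["host"]].append(child["image"])
    return dict(affected)


def new_indicators(events):
    """Hashes of what the shells launched: behaviour-found samples become the
    next round of prior knowledge (signatures still track known threats)."""
    found = set()
    for hit in behavioral_hits(events):
        for child in children_of(events, hit["host"], hit["image"]):
            found.add(child["sha256"])
    return found


def containment_plan(events):
    """Hosts to isolate now, and the blacklist to push fleet-wide afterwards."""
    return {
        "isolate": sorted(scope_fleet(events)),
        "block_hashes": sorted(KNOWN_BAD_HASHES | new_indicators(events)),
    }


if __name__ == "__main__":
    print("signature hits:", [(e["host"], e["image"]) for e in signature_hits(EVENTS)])
    print("behavioral hits:", [(e["host"], e["image"]) for e in behavioral_hits(EVENTS)])
    print("fleet scope:", scope_fleet(EVENTS))
    print("containment plan:", containment_plan(EVENTS))
```

On this sample the hash blacklist flags only ws-01, the behavioural rule flags ws-01 and ws-03 (ws-04 runs Word from Explorer and is left alone), and the containment plan isolates both hosts and adds the previously unseen payload hash to the blacklist. The parent/child rule is deliberately one of the simplest "behavioral analysis: software" checks; a production rule set would add more parent/child pairs, command-line context and an allow-list for known-good automation to keep the false-positive rate down.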