by Bharat Mistry
Recent headlines have highlighted once again that many organisations are just a click away from a potentially catastrophic malware infection or data breach. The world-leading heart and lung Papworth Hospital in Cambridgeshire was lucky enough to have daily back-ups in place when it was recently hit by a ransomware attack. North Lincolnshire and Goole NHS Foundation Trust was less so, and ended up cancelling operations and moving patients elsewhere after IT systems were taken offline for several days.
Many endpoint security vendors trumpet their capabilities as a silver bullet to tackle these and other modern day threats. It’s a tempting prospect, but sadly with little substance to back up the claims. The truth is that the only way to effectively protect your organisation from the multiplicity of threats out there is with a multi-layered approach, which runs from traditional signature-based detection to advanced machine learning.
The rise of the grey
The security landscape used to be so much simpler. Traditional anti-virus signatures and web filtering protected against ‘known bad’ threats, while whitelists and application control ensured users were exposed only to ‘known good’ files. Unfortunately, things are no longer that black and white. In fact, it’s the unknown grey area where many of today’s threats can be found.
Points of weakness are everywhere: known vulnerabilities in unpatched apps, browsers, and operating systems; zero-day bugs; spear phishing; drive-by downloads; and stolen credentials, to name but a few. And obfuscation techniques such as disguising malware as macros, or ensuring it executes in memory only, make it even more difficult to detect with traditional tools.
Many vendors have responded by heralding exciting new features like sandboxing, behaviour monitoring and, most recently, machine learning. But as IT security buyers will understand, there’s no such thing as a silver bullet.
That’s why Trend Micro developed XGen – a new approach combining multiple layers of endpoint detection to ensure there are no more unknowns. Each layer has its advantages and disadvantages, so if a malicious file gets past one there are plenty more opportunities to block it.
These multiple layers include:
Signature-based detection: Combined with file and web reputation and C&C blocking, this can stop most known threats. But it won’t help with zero-days and more advanced malware.
Behavioural analysis: Examines an item as it is unpacked, looking for suspicious or unusual behaviour in how it interacts with operating systems, applications and scripts — even if the item isn’t on a blacklist. This is how it helps block crypto-ransomware. It also includes techniques such as script protection, injection protection, memory inspection, suspicious action monitoring and browser exploit protection.
Exploit prevention: Prevents exploitation of app/OS flaws rather than blocking malicious files. Includes host-based firewalls; exploit protection; intrusion prevention; lateral movement detection.
Application control/whitelisting: Highly effective in blocking the installation and execution of any executables that aren’t approved applications or dynamic link libraries (DLLs).
Investigation and forensics/Endpoint detection and response (EDR): Records and reports on system-level activities in great detail in order to appraise the nature and scale of an attack. But it is reactive in nature.
Machine learning: Despite being hailed by many ‘next-gen’ vendors of late, this isn’t a new concept. Trend Micro has been using it for over a decade. The idea is to continuously analyse the attributes and characteristics of known good and known bad files, so that algorithms can ‘train’ detection engines to adapt to the latest threats, especially new and unknown malware.
We have gone one step further by developing a “high fidelity” approach which can be used to extract and analyse a file’s characteristics both before and during its execution. This helps improve accuracy and – in combination with ‘noise cancellation’ techniques such as census and whitelist checking – reduces false positives.
XGen is all about combining these multiple layers for maximum effect. If a threat is not stopped by signature and behaviour-based detection, it will eventually be halted by advanced machine learning.
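To make the layering concrete, here is an added Python sketch (not Trend Micro code) of a verdict pipeline that runs a file through signature, behaviour and machine-learning layers in that order, with whitelist and census checks acting as the ‘noise cancellation’ described above. All hashes, prevalence counts, scores and thresholds are constructed for the demo.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data for the demo: hashes, prevalence counts and scores are made up.
KNOWN_BAD = {sha256(b"known-ransomware-dropper")}          # signature layer
WHITELIST = {sha256(b"vendor-signed-admin-tool")}          # known-good, noise cancellation
CENSUS = {                                                 # endpoints reporting each hash
    sha256(b"vendor-signed-admin-tool"): 250_000,
    sha256(b"popular-installer"): 80_000,
}

def layered_verdict(content: bytes, suspicious_actions: int, ml_score: float,
                    ml_threshold: float = 0.8, census_floor: int = 10_000):
    """Run a file through the layers in order; return (verdict, deciding_layer).
    suspicious_actions: flagged behaviours seen while unpacking/executing.
    ml_score: 0..1 maliciousness probability from a hypothetical trained model.
    Thresholds are constructed for the demo, not vendor values."""
    h = sha256(content)
    # Layer 1: signature / reputation - cheap, stops known-bad outright.
    if h in KNOWN_BAD:
        return "block", "signature"
    # Layer 2: behavioural analysis - e.g. mass file renames typical of crypto-ransomware.
    if suspicious_actions >= 3:
        return "block", "behaviour"
    # Layer 3: machine learning with noise cancellation. A whitelisted file, or one
    # already present on many endpoints, is not treated as a fresh unknown even when
    # the model scores it high; this is where ML-only products raise false positives.
    if ml_score >= ml_threshold:
        if h in WHITELIST:
            return "allow", "ml-cancelled-by-whitelist"
        if CENSUS.get(h, 0) >= census_floor:
            return "allow", "ml-cancelled-by-census"
        return "block", "machine-learning"
    return "allow", "no-layer-triggered"

def run_demo():
    # (file content, suspicious actions observed, ML score) - all constructed inputs
    cases = [
        (b"known-ransomware-dropper", 0, 0.2),   # stopped at the first layer
        (b"new-sample", 5, 0.3),                 # unknown, but behaves like ransomware
        (b"new-sample", 0, 0.95),                # unknown, quiet at unpack, ML catches it
        (b"vendor-signed-admin-tool", 0, 0.95),  # high score but whitelisted
        (b"popular-installer", 0, 0.9),          # high score but seen on 80k endpoints
        (b"new-sample", 0, 0.1),                 # nothing fires
    ]
    return [layered_verdict(c, a, s) for c, a, s in cases]
```

The two ‘allow’ verdicts on high-scoring files show why the page treats census and whitelist checks as essential companions to machine learning rather than a replacement for it.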