Is your aging endpoint security giving you gray hair?

  • 29 September 2012
  • 0 replies

Userlevel 7
  • Retired Webrooter
  • 1581 replies
Webroot's own Darren Niller posted this article over on our Spiceworks page:
Take a look and post your thoughts!

Is your aging endpoint security giving you gray hairs?

The signature-based approach to protecting endpoints from cyberthreats has served organizations well for many years—some say perhaps too many. The increasing rate of breaches and infections represents just one symptom of a solution whose time has passed. If you are an IT professional in charge of managing endpoints, you likely understand the pain.
No signatures available for “zero-day threats”
Developed almost two decades ago, legacy anti-virus/anti-malware technology uses large client applications to search for known “bad” patterns of data within executable files. It does this by comparing a signature — a definition of the bad pattern — with the contents of files stored on a PC. When it finds a match, the client then attempts to either remove the malicious code or prevent it from executing.
The trouble is, some of the most dangerous threats are the ones that have never been encountered previously. No signatures are available for these so-called “zero-day threats.” Security vendors have attempted to compensate for this weakness by employing heuristics, which typically involves using generic signatures to identify new viruses or variants of existing viruses by looking for known malicious code in the computer’s files. However, this often amounts to little more than guesswork.
So, by the time the threat is identified and your security technology is updated, it’s too late — the damage has been done. You are also up against transient Web-based threats that appear for only hours or days. Blacklisting becomes obsolete the moment it is deployed, and relying on whitelisting can be too restrictive.
New building, old foundation
Another problem with signature-based approaches is their antiquated architectures. These solutions were developed before the proliferation of mobile devices, BYOD (bring your own device), remote workforces, and virtualization. They lack essential performance and management capabilities to handle these new IT realities.
They were also not built to handle today’s huge volume of attacks and the increasing sophistication of malware. Legacy security vendors deserve praise for the enormous quantities of signatures that they develop to counter emerging threats, and the speed with which they churn them out. Unfortunately, the weight of all those signatures and the bloated clients that use them crushes computer performance. Scans can take more than 45 minutes and during that time the scanning process burns most of the CPU, rendering employees’ machines virtually unusable. Daily signature updates also slow network performance and cause system conflicts, leading to outages and crashes.
A new approach to counter new threats
How can a new approach overcome the performance issues and increasing rate of breaches and infections that legacy endpoint vendors have failed to address? One method involves doing away with signatures entirely.
It’s safer to stick with the group for collective prevention
The cloud offers the best way to bring endpoint security up-to-date. However, legacy vendors are touting cloud-based solutions when in fact they only use the cloud as a delivery mechanism for signatures.
True cloud security is also capable of gathering threat intelligence from endpoints around the world to instantly shield all other subscribers to the protected community. Combining this real-time collective threat intelligence with advanced behavioral heuristics, outbound firewall, and offline protection eliminates the need for signature updates.
This cloud-based prevention collectively leverages the intelligence seen from each individual endpoint; examines the actions of individual files, IPs or URLs; assesses the risks; and then takes action. And cloud-based intelligence means you’re not relying on the current threat protection on other endpoints. Prevention is now always up-to-date and all users are instantly protected as soon as new threats appear. In addition, this collective prevention minimizes IT workload by eliminating the need to worry about definition updates, or whether your remote workers’ protection is up-to-date.
Overcoming fear of the unknown
Journaling and rollback capabilities can also leapfrog signature-based approaches with the ability to counter unknown malware (e.g., zero day threats, highly targeted malware). In this approach, client software — a lightweight cloud-client agent — assumes a file is suspicious unless it is explicitly known as “good.” The agent allows the suspicious file to execute initially in an isolated sandbox environment. It compares the file’s behavior — other files it wants to touch, changes it wants to make, and network activities it needs to initiate — against behaviors of other known malware. If it sees a match with “bad” behavior, the agent immediately blocks the file from further execution.
If the file’s behavior does not immediately classify it as “bad,” it is allowed to execute on the endpoint. But every action is meticulously journaled so that, in the event the file is later classified as a threat, everything it has done can be rolled back to return the endpoint to its pre-infection state.
Shouldn’t technology get better, not worse?
All the failings of the old signature-based approach can be summed up in a comment I recently heard from an IT admin: “Why is endpoint security so difficult?” His organization was using one of the “big 3” signature-based endpoint security solutions.
“Scans are taking over two hours and end users’ productivity comes to a complete stop,” he said. “On top of that, the machines are still getting infected and I spend too much time cleaning them. I have better things to do and my end users are ready to throw their computers out the window. This is technology; it’s supposed to get better not worse.”
Are you satisfied with your endpoint security? Have you had any experience with the cloud-based approach?

0 replies

Be the first to reply!