Organizations cannot stop all malware with today’s endpoint security technologies, but they can mitigate the damage that malware intends to cause. To do so, they will need to implement a defense-in-depth strategy with an additional security layer that takes a fundamentally different approach from the others.
Malware is winning. A SANS survey shows that 53% of organizations have experienced an endpoint compromise within the last two years. According to Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview, organizations face a 27.7 percent likelihood of a recurring material breach over the next two years. Cybercriminals are successful since traditional antivirus and even next-generation antivirus solutions have trouble detecting increasingly evasive attacks. To avoid a breach, organizations need to realize that the bad guys are eventually going to bypass their current endpoint security layer and deploy an additional security control to stop the damage that the malware intends to cause.
Gartner analyst Mario de Boer defines a highly evasive attack as “an attack that uses novel, unique or previously unknown methods with the purpose of evading detection by most, if not all, commonly available technologies”. He believes that when evasive attacks do not reuse artifacts and use new techniques and tactics, threat intelligence, machine learning models or signatures alone will not catch them. This is exactly why malware is able to infect so many organizations even though they have deployed antivirus or next-generation antivirus solutions.
Traditional antivirus technology dates back to the 1980s. It is widely agreed that it is no matc h for unknown malware since it relies on signatures for malware detection. To compensate for this gap, next-generation antivirus emerged sometime around 2014 using technologies such as machine learning to discover malware. There is no doubt that this category of endpoint security has significantly improved detection efficacy. However, it falls short of 100% detection for many reasons:
- Since machine learning models are trained on known malware samples, they are not always effective against new unknown malware and fileless attacks.
- A machine learning model is just another signature, although a bit more generic than those used by traditional antivirus solutions are.
- Security solutions based on machine learning are focused on static file analysis. Hence, they aren’t necessarily effective against fileless attacks.
- These solutions tend to produce significant false positives, making it harder to identify true threats.
Endpoint security solutions such as antivirus, next-generation antivirus, host intrusion prevention systems and data loss prevention are all based on the very same negative security
model that attempts to hunt down what is “bad” and allows everything else. Layering these security controls will not keep systems safe. When malware evades one security control, it will most likely evade all others because of the redundancy in security approaches that deliver “shallow” defense in depth.
True defense in depth is possible by adding a preventative security control that does not depend on the detection of threats. Rather than evaluating threats based on known malware with a negative security model, OS-Centric Positive Security draws on a completely opposite security paradigm using a whitelist of legitimate operating system behavior. This includes all normative ways to interact with the file system, registry, partition information and network at the operating system call level. OS-Centric Positive Security flags all other actions (outside of the finite set of normative actions) as the malware attempts to cause damage and blocks its activity.
A major advantage of OS-Centric Positive Security is that it is threat agnostic. It does not care what kind of threat is trying to get in. It does not care about the method or technique of the attack. It does not even care if the threat is already inside a network. It simply stops the damage.
The malware landscape is evolving and so too are the security solutions to address attacks. Just as next-generation antivirus arose to address traditional antivirus weaknesses, OS-Centric Positive Security is gaining momentum as a way to boost endpoint protection solutions by stopping the execution of malware that evades them.