Real Time Matters in Endpoint Protection

Given the speed and potentially devastating impact of malware targeting your end users and devices (think ransomware these days), if your endpoint security isn’t able to react immediately, the fight is over – and you will have lost. Sodinbiki ransomware, for example, starts encrypting files in seconds and can complete its job on an entire disk in as little as 5 minutes (depending on disk volume). From there, it can easily spread to network drives as well as throughout the organization.

And the problem is pervasive. According to a report from IDC, 70% of all successful network breaches start on endpoint devices. The astonishing number of exploitable operating system and application vulnerabilities makes endpoints an irresistible target for cybercriminals. They are not just desirable because of the resources residing on those devices, but also because they are an effective entryway for taking down an entire network.

While most CISOs agree that prevention is important, they also understand that 100% effectiveness over time is simply not realistic. In even the most conscientious security hygiene practice, patching occurs in batches rather than as soon as a new patch is released. Security updates often trail behind threat outbreaks, especially those from malware campaigns as opposed to variants of existing threats. And there will always be that one person who can’t resist clicking on a malicious email attachment.

Rather than consigning themselves to defeat, however, security teams need to adjust their security paradigm. When an organization begins to operate under the assumption that every endpoint device may already be compromised, defense strategies become clearer, and things like zero trust network access and real time detection and defusing of suspicious processes become table stakes.

Lag Times in Detection and Response Keep Organizations at Risk

Most confirmed data breaches have a long dwell time. In fact, the average mean time to detect (MTTD) a breach for enterprises is 197 days, with an additional 69 days required for it to be contained. And for SMBs with fewer resources available, the average extends out to 798 days, or more than two years! In such an environment, many hackers are able to take their time to scan the network, establish multiple beachheads, and slowly exfiltrate data, move laterally to compromise more systems, and avoid being detected.

These extended dwell times were the bench mark that first-generation Endpoint Detection and Response (EDR) tools were designed to address. The assumption was that there was plenty of time to manually investigate and respond while still reducing MTTD.

But that has changed for organizations staring down the barrel of a high-speed ransomware attack. Add in that first generation EDR tools were also designed to be ultra sensitive, raising thousands of alerts that require experienced security operations to triage to separate legitimate threats from false positives, and you can see that it’s more than time for a new approach.

Upgrade Endpoint Security to a Solution that Includes Real-Time Detection and Response

The new generation of endpoint detection and response (EDR) solutions is not only able to detect threats, but also immediately defuse them to stop attackers from achieving their goals in real-time. These new automated systems not only detect anomalous, threatening process behavior, but can also disarm malicious actions post-execution, after an endpoint has already been infected.

Effectively, the system guards against live threats by examining outbound communications and file system activity – to prevent data exfiltration and file tampering – buying organizations additional time for investigation, remediation, and a return to a known good state of operation.  In our case,  FortiEDR does this through the use of OS-centric code-tracing technology, enabling the immediate detection of suspicious processes and behaviors, including those utilized by in-memory attacks. As soon as it detects something suspicious, it immediately moves to defuse a potential threat by blocking its communications to its external command and control server (C&C) and denying access to the file system. These steps immediately stop data exfiltration, lateral movement, and ransomware encryption or other malware execution, thereby preventing data loss and protecting critical resources.

Addressing False Positives

Now, cybercriminals have gotten savvy about leveraging legitimate runtime activity for their malicious purposes. So these activities often need to be examined in context in order to determine whether or not they are authorized. They also need to be blocked without terminating the underlying process or quarantining the endpoint so that aggressive protection does not impact user productivity or system availability. This buys the EDR solutions time to complete a more thorough analysis using additional threat intelligence, analysis, and research to further classify the event and then escalate it as a confirmed threat, or conversely, de-escalate a benign process.

If an alarm turns out to be a false positive, the block can be immediately released, often with no discernable impact on any related operation. However, if the event is confirmed as malicious, processes can be terminated while the device continues to run uninterrupted. Or if it is part of a zero trust network access framework, the device can be dynamically quarantined while malicious or infected files are removed and a Help Desk ticket is opened. A fine balance between aggressive detection and non-intrusive protection needs to be maintained.

Five Elements of Endpoint Protection

Today, any effective Endpoint Protection (or combined EPP + EDR system) must include the following five elements if it is going to protect an organization from today’s rapidly executed attacks.

1. Discover – By proactively discovering endpoints of all types – end user and IoT, corporate sanctioned, and BYOD, even those of guests – an effective solution must include identification of both authorized and rogue devices to understand the full endpoint attack surface.
2. Prevent – Once devices are identified, the solution needs to both harden the devices it can to reduce the attack surface, and prevent both known and unknown threats with signatureless blocking (often called next generation AV). The addition os Machine Learning ensures that the solution becomes smarter over time to keep pace with evolving threats. And ideally, it should operate at the kernel level for deepest visibility.
3. Detect & Defuse – As mentioned, 100% prevention is not sustainable. So an effective solution must include behavioral-based anomaly detection combined with the ability to block external communications and access to the file system to stop breaches and ransomware damage in real time, even after a device has been infected.
4. Respond & Remediate – And given then volume of threats and detections, the solution should include playbooks that enable security teams to selectively automate incident response operations, and streamline incident response and remediation processes, while still keeping affected machines online (safely) to prevent the interruption of users and the disruption of business without exposing the network to risk. Security staff will then have the time to remediate the device when taking it offline it won’t impact critical business processes.
5. Investigate & Update – Finally, it should provide detailed information about detected threats that can be used to support forensics investigations by security analysts, predict future attacks, and ultimately improve the overall security posture.

Elegant and Effective Protection of Devices and Productivity

A contemporary Endpoint Security solution, combining EPP and EDR, provides a much more elegant and effective security over traditional endpoint protection – or even first generation EDR. Extended or even short dwell time can be extremely costly, yet a blunt tool such as automatic endpoint isolation can have a serious impact on a user or organization – especially given the concern of false positives. The ability to simply defuse an event by cutting off communications and file access to files – preventing malware from touching files or phoning home – ensures that your users can stay productive even during an active attack is absolutely essential, while eliminating alert fatigue and breach anxiety from your security staff.

Learn more about Fortinet’s FortiEDR solution and how it has the unique ability to defuse and disarm a threat in real time, even after an endpoint is already infected.