Endpoint security is dead. Long live endpoint security!

A solution to countering enterprise threats and advanced attacks? Invincea believes the right strategy is Contain, Identify, and Control.

It’s easy to believe endpoint security is dead, given the failings of antivirus offerings to counter prevalent threats.

Today’s attacks are auto-created from malware factories, using exploit kits to churn out hundreds of thousands of variants of malware a day that are virtually guaranteed to defeat legacy defenses.

In this swarm of kitted malware run by organized cyber miscreants, actual advanced threat actors slip by unnoticed. Today, antivirus and legacy security products are being kept alive by outdated compliance mandates and a “nobody got fired for buying antivirus” mentality. Eventually, they will get fired -- if that’s all they do.

We hear a lot of talk these days about “advanced attacks,” but the truth is everything seems advanced when you compare today’s attacks to the detection and prevention capabilities of legacy security tools! What can a modern enterprise security team do to protect their endpoints from conventional attacks as well as the real advanced stuff coming from motivated adversaries?

While it’s popular in security to point out problems, we believe it is equally important to talk about solutions, and more important to bring them to market. To this end, we believe the right strategy for countering enterprise threats is Contain, Identify, and Control.

Contain Threats That Target Users

Prevention technology as a category has been saddled with a legacy of failure for well over a decade. In contrast, pioneering approaches like containerization are working. In Invincea’s case, we record huge numbers of “saves” against our customer base every month using a strategy of Containment. These are attacks detected and blocked by our container solution after they’ve evaded all other security controls.

The good news for security teams trying to make sense of lots and lots of is that this claim is easily verifiable through daily reports on and published findings of global cyber threats, such as the recent and .

Our philosophy has always been that containment is the most reliable strategy to protect endpoints from compromise. This architectural approach recognizes that anticipating the unknown is impossible.

Simply put: users will click on malicious links, software will be vulnerable to attack, and exploits will happen. But when they do, a containment solution can isolate, detect and kill the attack, so the adversary can neither access sensitive data nor gain a foothold in the enterprise.

Identify Compromise by Fusing Endpoint Sensing and Cloud Analytics

In security, “detection is the new black.” But the detection approaches we see today and the companies that created them rose from the ashes of failed prevention. As a result, most new detection solutions are post-breach tools used to aid incident response teams. Many simply “record everything” on the endpoint, including complete images of the file system and memory.

If this sounds impractical and unaffordable, it is. This approach effectively re-allocates part of the security budget to storage, while requiring considerably more labor to sift through massive data looking for the proverbial “ghost in the machine”.

The enterprise security teams we speak with are less interested in parsing alerts and sifting through data farms after a breach has happened. Rather, these “hunt teams” are focused on identifying compromised machines within minutes.

That’s why we approached the problem in a fundamentally different way. Rather than sifting through endless alerts, we identify compromised machines using a combination of endpoint sensing and cloud-based analysis. The Identify strategy starts with this credo: Trust no program and verify everything, but do so in a computationally efficient way such that the end user and network are not affected. Any program not already known by the enterprise to be “good” is quickly evaluated in the cloud against comprehensive databases of known-good and known-bad programs.

Where Invincea’s Identify approach truly excels is in its use of a groundbreaking malware analysis technology called Cynomix, which entered the commercial market after four years of DARPA-backed development in Invincea Labs. Cynomix uses machine learning and capability clustering algorithms to identify whether suspicious programs are related to malware families, based on their “genetic markers” and mapping them to the cyber genome of malware.
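To make the idea of capability clustering concrete, here is a small added illustration (not Cynomix code, and not a description of its actual algorithm). Each sample is reduced to a set of capability markers, such as the API families it imports; samples are grouped into families by Jaccard similarity over those sets, and an unknown sample is attributed to the nearest family or left as "unknown" when nothing is similar enough. All sample names and markers below are constructed for the example.

```python
"""Toy capability clustering: group samples into families by shared markers.

Added illustration only; the similarity measure, threshold and marker names
are assumptions for the example, not Cynomix's method.
"""
from itertools import combinations

# Constructed capability profiles (hypothetical names and marker tags).
SAMPLES = {
    "fam_a_1": {"net.http", "fs.write.temp", "reg.run_key", "proc.inject"},
    "fam_a_2": {"net.http", "fs.write.temp", "reg.run_key", "proc.inject", "crypto.rc4"},
    "fam_a_3": {"net.http", "fs.write.temp", "reg.run_key", "crypto.rc4"},
    "fam_b_1": {"net.dns", "fs.enum", "crypto.aes", "fs.write.docs", "shadow.delete"},
    "fam_b_2": {"net.dns", "fs.enum", "crypto.aes", "fs.write.docs"},
    "benign_1": {"ui.window", "fs.read.docs", "print.spool"},
}


def jaccard(a, b):
    """Similarity of two capability sets: |A and B| / |A or B| (0.0 if both empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster(samples, threshold=0.5):
    """Single-linkage clustering with union-find: two samples land in the same
    family when their similarity meets the threshold, directly or transitively.
    Returns a list of families (sets of sample names) in a deterministic order."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(samples, 2):
        if jaccard(samples[x], samples[y]) >= threshold:
            parent[find(x)] = find(y)

    families = {}
    for name in samples:
        families.setdefault(find(name), set()).add(name)
    return sorted(families.values(), key=lambda fam: sorted(fam))


def attribute(unknown, samples, families, threshold=0.5):
    """Attribute an unknown capability set to the family of its nearest known
    sample. Returns (family_members, best_score); family_members is None when
    the best match is below the threshold, so "unknown" stays an explicit verdict
    rather than a forced guess."""
    family_of = {name: fam for fam in families for name in fam}
    best_name, best_score = max(
        ((name, jaccard(unknown, caps)) for name, caps in samples.items()),
        key=lambda pair: pair[1],
    )
    if best_score < threshold:
        return None, best_score
    return family_of[best_name], best_score


if __name__ == "__main__":
    fams = cluster(SAMPLES)
    for fam in fams:
        print("family:", sorted(fam))
    # Constructed unknown sample sharing most markers with the fam_a profiles.
    print(attribute({"net.http", "reg.run_key", "crypto.rc4", "net.dns"}, SAMPLES, fams))
    # Constructed sample with too little overlap to attribute to any family.
    print(attribute({"ui.window", "net.dns"}, SAMPLES, fams))
```

The threshold is the interesting knob: set it too low and unrelated samples (or benign software sharing generic capabilities) collapse into one family; set it too high and variants from the same kit, which differ by a packer or an added module, fall into separate families. Real systems weight markers by how rare they are across the corpus rather than treating every marker equally, as this toy does.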

Enable Response in a Timely Fashion via Control

Response is a natural outcome from successful Identification of compromised machines. But today, response happens an average of 205 days after the adversary has already compromised its target!

Security teams today are hungry for something more proactive, tools that help them regain control and stay in front of threats. They need corrective capabilities that can be applied quickly, easily and in proportion to both the threat severity and value of the compromised assets. While this might sound like a dream, the approach becomes feasible when it can leverage technology with a privileged position on the endpoint.

And while protecting their own enterprise is any CISO’s primary goal, many we talk with believe that security is a community effort. Therefore, threat discovery needs to be shareable in standard formats to trusted communities of interest.

So is endpoint prevention dead? Not by a long shot. It’s simply maturing into a new model where Contain, Identify and Control capabilities reign. Come visit us at !
