Inadequate Malware Detection Drives-up IT/Sec-Ops Costs/Impact
Over reliance on detection technologies for mitigating malware risks negatively taxes enterprises in two ways: successful malware attacks and higher cyber operations costs. Previously, we looked at why detection alone is not enough. Now, we look qualitatively at cyber operations costs to help answer the question: what would be alleviated if far more malware attacks were neutralized at the endpoint in real-time by adding non-detection protection capabilities? Each section below represents an area of substantial savings. As you read them, know that various forms of attack surface reduction techniques can reduce them.
- But First, Trends Indicate Costs will Worsen; Detection Alone is Not Enough
- A Compromised Endpoint must be Remediated
- Compromised and Potentially Compromised Credentials must be Reset
- Lateral Movement: from Endpoint to many to Widespread
- Incident Response and Alerts Fatigue from Monitoring & Investigating Alerts from EDR, XDR, SIEM, IDS, UEBA
- Maximizing Personnel: Playbooks, Range Training, Incident Reviews, Process Improvement, and Threat Hunting
- Endpoints are the Root of Most Cyber Costs
- Add Non-Detection Endpoint Protection to Reduce your Cyber Costs
- Adding AppGuard to Endpoints Blocks Cyber Incidents at the Source that Detection Technologies cannot Recognize
But First, Trends Indicate Costs will Worsen; Detection Alone is Not Enough
Enterprise cyber costs are driven by the complexity of the defenses used as well as the volume of the attacks. A Ponemon 2020 study found:
68%: experienced “one or more endpoint attacks that have successfully compromised data assets and/or IT infrastructure over the past two years” (3rd consecutive year this increased)
68%: “the frequency of attacks has increased over the past 12 months”
The above statistics are based on cyber defenses that rely almost exclusively on detection-based tools. They also reflect a practice by sophisticated adversaries routinely testing their malware against an array of detection tools before launching them against targets.
A Compromised Endpoint must be Remediated
Malware attackers seldom send malicious objects that exactly match a hash. Machine learning (ML) detection technologies strive to statistically tell good from bad. Adversaries know this and intentionally do what they can to add uncertainty. Some attacks are identified with high statistical confidence and neutralized before any harm occurs. Some are not detected at all by endpoint tools. But for others, the statistical confidence is too low to automatically intervene. Such attacks make a mess to be cleaned. The longer they dwell the greater the mess.
In some cases, the EDR/EPP can clean up the host with auto-generated scripts or executables. Others require manual, human intervention, following the creation of a help ticket by Sec-Ops for IT-Ops. Most enterprises lack personnel sufficiently trained with clean-ups, which then demands completely reimaging compromised endpoints. Range training can help. Participants learn how to clean what is needed instead of just re-imaging.
Consider your organization’s experience: how many clean-ups occur and what does each cost on average?
Compromised and Potentially Compromised Credentials must be Reset
Credentials are the most sought after data type by adversaries. Once acquired, adversaries use them to steal other credentials, perform actions within the endpoint they otherwise cannot, and use them to compromise other endpoints. OS credentials are stolen via many different methods. The tools that do so have become so easy to use that credential theft techniques are no longer used only against large enterprises (i.e., hadn’t been worth the effort to use on small ones) but pretty much any enterprise.
Adversaries steal cloud passwords cached in web browsers and sometimes application passwords from the Windows registry. Few enterprises have these centrally administered. Resetting credentials can be very taxing. Two factor authentication significantly mitigates these risks.
Those without centralized administration for all credentials have higher reset costs. Unfortunately, credentials that ought to be reset are not. These costs are difficult to quantify.
Lateral Movement: from Endpoint to many to Widespread
From one compromised endpoint, today’s remotely controlled malware tools can compromise others in minutes. All potentially compromised endpoints might warrant remediation.
Intruders focus on finding and stealing privileged credentials, though they use other techniques also. Leading market analysts say human-controlled attacks are practically unstoppable because the adversaries’ tools are very difficult to detect and their users can adapt to what they encounter.
Lateral movement can be quiet but slow or fast but noisy. Sometimes cyber defenders can detect an incident but cannot move quickly enough to contain it. Other times, adversaries insert delays in between attack stages to evade detection entirely because one action does not get associated with others because they occur hours or days later. All these tactics and others drive up the number of expert analysts that must monitor and investigate alerts as well as hunt for undetected intrusions. Ideally, hunters know the idiosyncrasies of your ecosystem, else they chase many false positives and false negatives. Industry analysts agree: most threat hunters don’t have this knowledge.
To uncover and contain lateral movement, full-time analysts are required plus part-time help from various IT/Sec-Ops teams. Quantifying all these costs is complicated.
Incident Response and Alerts Fatigue from Monitoring & Investigating Alerts from EDR, XDR, SIEM, IDS, UEBA
The Ponemon survey referenced earlier found that 58% of endpoint alerts turned out to be false.
No one detection technology is adequate. There are sensors within endpoints (EDR), among the networks (IDS, Intrusion Detection System), and integrated with directories and cloud applications (UEBA, User Entity Behavior Analytics) designed to find anomalies. Seasoned practitioners know that ‘more data’ usually drives up labor costs. It can even diminish detection. These flow into SIEM and/or XDR systems where data from disparate sources are fused. SIEM and XDR are ineffective without the right people.
The reduction in the number of triage dashboards has not substantially decreased the volume of alerts. False positives and alerts fatigue abound. The skills gap to investigate the alerts is unchanged. Experienced SOC analysts “see all this as a time-sink” because they must “chase down many rabbit holes”. Worse, they will tell you that machine learning is not as good at data reduction as folk had hoped. “It’s overwhelming!”
Incident responders must determine the extent of each intrusion, contain it, and finally restore everything to their pre-attack states. Many different teams can be involved in any one incident. Coordination and post-mortem efforts can be considerable and costly.
Response is not limited to detection. Complex ecosystems have increased demand for more holistic orchestration of responses to alerts to substantially reduce labor. Security Orchestration Automation & Response (SOAR) Extended Detection & Response (XDR) are both promising help. Ideally, they would automate the work of many across many different tools. Skeptics worry that ecosystems are too heterogenous. Smart money is waiting to see if these can deliver, and without enabling one person to cripple the enterprise faster than ransomware.
Expect these costs to grow and remain indefinitely. Quantifying them and correlating cause-and-effect among them is extremely challenging. Whatever they are for you, they simply depend on the number of attacks missed by detection tools before endpoints are compromised.
Maximizing Personnel: Playbooks, Range Training, Incident Reviews, Process Improvement, and Threat Hunting
The bulk of cyber defense resources are dedicated to relatively familiar attack techniques. If your personnel are not well-trained and experienced, then you will need more of them. But the more people, the greater the need for efficient, well-understood workflows. Mature cybersecurity programs relentlessly prepare and improve the people and processes they operate via playbooks, range training, and incident reviews. Unfortunately for most, such efforts happen while they’re busy executing other tasks.
Threat hunting seeks undetected intrusions; no pattern-matching data yet exists. Mature cyber programs invest in threat hunting after large scale, repeatable detection Sec-Ops are fairly optimized. These continuously seek detection pattern-matches across most of the enterprise. Truly novel, sophisticated threats necessitate threat hunting where either detection patterns do not yet exist or cannot scale. However, few have threat hunting programs and many never will because skills and resources are limited. Preventative measures are more pragmatic investments.
Quantifying and optimizing all of the above is extremely difficult. Most organizations need incident volume relief to free resources and personnel before pursuing any of the above. Nothing would do this better than neutralizing malicious code in real-time at the endpoint where incidents begin.
Endpoints are the Root of Most Cyber Costs
We all know that the vast majority of incidents begin at an endpoint. The fact that there are few if any reputable statistics quantifying this speaks to the complexities of cyber programs. Intuitively we know, if fewer endpoints were compromised, IDS would generate fewer alerts and UEBA would detect fewer compromised credentials.
Add Non-Detection Endpoint Protection to Reduce your Cyber Costs
Pick your headlines or statistics, the outcome is the same. Enterprise cyber breaches are growing. The Verizon DBIR statistics show an average annual year-over-year increase of one third over the past four years. Most active enterprise endpoint protection is detection-based; it is not enough. Non-detection methods are mostly unused.
Forget all-or-nothing replacement options in endpoint protection software. Choose or stay with a good-enough detection-based endpoint protection and add a lightweight endpoint protection tool that doesn't have to recognize the malware or its effects. It doesn’t have to be perfect. It must be lightweight in terms of host performance and IT/Sec-Ops effort. If it only reduces what is missed at the endpoint, it alleviates the cyber defense costs characterized above, and more. The higher your above costs, the less perfect your non-detection protection addition needs to be to net value. There are very effective options. The key here is not to be distracted by a quest for perfection.
What you add should excel at what your detection-based endpoint protection does poorly, such as:
- Are you plagued with known or unknown unpatched application vulnerabilities? Then you need peri-execution application control or application containment that blocks harmful actions by hijacked applications.
- Are living off the land attacks evading detection? Then you need to prohibit high-risk OS utilities but in a contextual manner. In other words, adversaries cannot use dangerous Windows utilities but your IT/Sec-Ops people and tools can when needed. In some cases, outright prohibition is too disruptive. Containment is the next best option.
- Are code injection techniques wreaking havoc? Memory firewall capabilities can block memory reads and writes. (That same Ponemon survey mentioned earlier found that 73% of surveyed enterprises do not). Others controls can block loading of malicious or dangerous but legitimate DLL files.
- Are you observing suspicious activities on servers but hate to quarantine and/or shut them down because they run mission critical applications? Look at controls that isolate the application and its sensitive resources from the rest of the server.
- Are you suffering frequent Windows credential thefts? In these cases, isolation capabilities would restrict access to targeted processes and objects that possess credentials.
- Are user cloud credentials getting stolen from the password cache files of their web browsers? Then you need to isolate them such that ONLY the browser can access them.
- Are you finding that remote code execution attacks (e.g., Remote PowerShell, PsExec, etc) from one endpoint to others are making your IR demands unrealistic? Then you need controls that block them regardless of whether a privileged credential is stolen.
- Are malicious, highly obfuscated script files doing harm? Implement controls that restrict their use based on folder location, signature, and other factors.
Let's stop here or this blog post will become a book. The takeaway point is that there are non-detection endpoint protection tools that can complement whatever you have. Your selection should be guided by how it reduces the workloads of your Sec-Ops. It should generate some useful data that can fuse with all else, but do not allow ‘analyze more data’ and ‘integrate everything’ to distract you from what is most important. You need to reduce malware incident volume. The added data from the non-detection controls blocking attack will follow.
Adding AppGuard to Endpoints Blocks Cyber Incidents at the Source that Detection Technologies cannot Recognize
AppGuard is neither application control, sandboxing, process virtualization, nor HIPS. AppGuard’s similarities to these onerous non-detection protection methods of the past end with their shortcomings. They were difficult to configure, sometimes resource hungry, and most of all, they were extremely difficult to maintain through endpoint lifecycle changes (patches, updates, plugins, etc), which are constantly happening.
AppGuard consists of three basic controls.
- Launch controls for high-risk folders, limiting what can load or launch
- Application containment to protect its host from the application
- Isolation of high-value applications and objects to protect/lock them from the rest of the host
These application-centric controls are enhanced with a patented inheritance technology. This greatly simplifies policies to make deployment easy and operations even easier. It also means policies do not need to be explicit for all malware technique variations. For example, suppose a Windows software component for manipulating graphics has a terrible, exploitable vulnerability and all Office applications rely on it. AppGuard would require no policy adjustment because of inheritance. When an Office application spawns it, AppGuard ensures it inherits the controls of its parent.
How helpful would AppGuard be for you? In short, it has seen much success against the headlined attacks of the last year as well as others. Adding AppGuard to whatever detection-based endpoint protection software you have can provide great relief to your Sec-Ops and substantially improved risk mitigation.