Nov 06, 2015 By Andrey Zhuk In Blog

Endpoint Threat Detection & Response: The New Next of Cyber Security

How do you detect and respond to cyber incidents affecting your endpoint systems? (By endpoints, we are talking user laptops, application servers, tablets, handhelds, etc.) Your gut response is probably to think of your organization’s antivirus solution (e.g., Host Based Security System [HBSS]) and the protection it provides. But is that right?

An antivirus solution does provide a degree of protection, but mostly against known threats and those that are NOT dormant. However, in the case of an Advanced Persistent Threat (APT) actor, the malware may be custom written for your organization and be made inactive (or dormant) until triggered by a command and control (C&C) server. In this scenario, an antivirus solution will not be of help.

You need a different approach. You need your antivirus client to be able to submit suspicious samples to a cyber security intelligence engine that can make a threat determination using techniques such as:

  1. Static code analysis
  2. Dynamic code analysis
  3. Applying fuzzy hashing techniques to uncover polymorphic malware
  4. Querying external virus databases

The first two techniques can be performed by products like FireEye and McAfee Advanced Threat Defense (ATD). The last two can be done via an antivirus central management console (e.g., McAfee ePO) or via a local threat intelligence engine like McAfee TIE.

Okay, so now you’ve identified a piece of malware. How do you identify which machines are affected? This is especially difficult when malware is asymptomatic. Maybe it is an agent that exfiltrates data using low-and-slow methods, but where is it installed? Even when we find that it is installed on hundreds of machines, how do we clean it up quickly?

These are real challenges. Closing out a security incident takes an average of upwards of 45 days and costs around $1.6 million, according to a study conducted by Ponemon and HP. The high cost results from the disruption of business, detection time, data recovery and loss of information.

As Gartner notes, existing security tools—such as “set-and-forget” endpoint solutions—are no longer sufficient. Organizations need continuous protection against advanced threats, with better monitoring, threat detection, and incident response capabilities. Increasingly sophisticated, targeted, and damaging attacks are driving a growing need for endpoint threat detection and response (EDR) solutions.

One such EDR solution that SwishData has been working with is CloudHASH. CloudHASH is the fastest, most advanced, fully integrated incident response and APT hunting toolkit available for McAfee ePO. It has its genesis in the US Marine Corps and is purpose-built to protect highly targeted organizations.

Here’s an example of how CloudHASH resolves problems from start to finish:

  • You identify a piece of malware and would like to know which machines it is installed on. No problem. Run a query in CloudHASH on thousands of endpoints in your enterprise and within seconds get the answer.
  • Would you like to clean it up as well? No problem, again. Another minute to remove the dormant malware from identified machines and you are good.
  • How about patching so the malware doesn’t come back? Take a minute for CloudHASH to push the patch to all of the enterprise to stop the infection in its tracks.
  • You subsequently get a report that a variant malware appears to be the one you just cleaned up. CloudHASH supports fuzzy hashing to identify polymorphic malware. That means that even the morphed malware can be identified and destroyed.
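
To make the fuzzy-hashing point concrete (technique 3 above and the last bullet), here is an added toy example, not CloudHASH or ssdeep code: a context-triggered piecewise hash whose signature still scores a lightly re-packed variant as similar, while its SHA-256 changes completely. The window size, block size, and the sample byte strings are assumed for the demo.

```python
"""Toy context-triggered piecewise hash (ssdeep-style). Constructed demo only;
it is not CloudHASH's or ssdeep's implementation."""
import hashlib
from difflib import SequenceMatcher

WINDOW = 7        # bytes of local context that decide where a piece ends
BLOCK_SIZE = 4    # fixed here; real ssdeep derives it from the input length
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def window_hash(window: bytes) -> int:
    # Hash of only the last WINDOW bytes: a piece boundary depends on local
    # context, so an edit elsewhere in the file leaves this boundary in place.
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h

def piece_char(piece: bytes) -> str:
    # FNV-1a over one piece, reduced to a single base64-style character.
    h = 0x811C9DC5
    for b in piece:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return ALPHABET[h % 64]

def fuzzy_hash(data: bytes) -> str:
    sig, start = [], 0
    for i in range(WINDOW - 1, len(data)):
        if window_hash(data[i - WINDOW + 1:i + 1]) % BLOCK_SIZE == BLOCK_SIZE - 1:
            sig.append(piece_char(data[start:i + 1]))   # trigger: close the piece
            start = i + 1
    if start < len(data):                                 # trailing piece
        sig.append(piece_char(data[start:]))
    return "".join(sig)

def similarity(a: bytes, b: bytes) -> int:
    # 0..100 score from the edit similarity of the two signatures
    return round(100 * SequenceMatcher(None, fuzzy_hash(a), fuzzy_hash(b)).ratio())

# Constructed stand-ins for a sample's string table and a lightly morphed variant
ORIGINAL = (b"[sample] mode=dormant; beacon=3600; host=c2.example.invalid:443; "
            b"persist=run-key; exfil=low-and-slow; chunk=512; jitter=15%; "
            b"build=2015.11.06; sleep-until=trigger; tag=alpha; ")
VARIANT = ORIGINAL.replace(b"tag=alpha", b"tag=bravo").replace(b"jitter=15%", b"jitter=20%")

if __name__ == "__main__":
    print(hashlib.sha256(ORIGINAL).hexdigest()[:16], hashlib.sha256(VARIANT).hexdigest()[:16])
    print(fuzzy_hash(ORIGINAL)); print(fuzzy_hash(VARIANT))
    print("similarity:", similarity(ORIGINAL, VARIANT))
```

Only the pieces overlapping an edited region change; the boundaries resynchronise on local context, which is why a morphed variant still matches its parent.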

To learn more about CloudHASH and how it can save you money and headache, click here.