Chuck Leaver – Continuous Endpoint Monitoring Efficiency Revealed In Carbanak Case Study Part Two

Presented By Chuck Leaver And Written By Dr Al Hartmann


Part 2 in a 3 part series


Continuous Endpoint Monitoring Is Very Efficient


Capturing and blocking malicious software before it can compromise an endpoint is fine as far as it goes. But that approach is largely inadequate against attacks that have been pre-tested specifically to evade it. The real problem is that these stealthy attacks are run by skilled human operators, while standard endpoint defense is an automated process carried out by endpoint security products that rely mainly on conventional antivirus technology. Human intelligence is more creative and adaptable than machine intelligence and remains superior to automated defenses. It is a Turing test in reverse: the automated defense is being asked to match wits with a knowledgeable human attacker. Until artificial intelligence and machine learning are sophisticated enough to fully automate cyber defense, the human attacker is going to win and the victims are left counting their losses. We do not live in a science fiction world where machines out-think people, so you should not assume that a security software suite will take care of all of your problems and prevent every attack and data loss.

The only real way to stop a determined human attacker is with a determined human defender. For your IT Security Operations Center (SOC) staff to do that, they need complete visibility into network and endpoint activity. Traditional endpoint antivirus will not give them that visibility; it is designed to stay silent unless it captures and quarantines a malware sample. That design leaves endpoints opaque to security staff, and attackers exploit that opacity to hide their operations. The opacity extends backwards and forwards in time: your security staff have no record of what ran across the endpoint population in the past, no view of what is running now, and no baseline for what to expect in the future. If diligent analysts turn up clues that call for a forensic look-back to reveal the attacker's activity, the antivirus suite cannot help. It did not fire at the time, so it recorded no events.

Continuous endpoint monitoring, by contrast, is always working: it provides real-time visibility into endpoint operations, supports forensic look-backs so that newly emerging evidence of an attack can be acted on and earlier indications identified, and establishes a baseline of normal operating patterns so that it knows what to expect and can flag deviations in the future. It offers not just visibility but informed visibility, applying behavioral analytics to detect operations that look abnormal. The analytics continually score and aggregate those anomalies, report them to SOC staff through the organization's security information and event management (SIEM) system, and surface the most worrying ones for analyst attention and action. Continuous endpoint monitoring amplifies and scales human intelligence; it does not replace it. It works rather like the old Sesame Street game "One of these things is not like the other."

A child can play that game. It is easy because most of the items (high prevalence) resemble each other, while one or a few (low prevalence) differ and stand out. Attackers' actions have stood out from normal operations in just this way for decades. The indicators of compromise listed in the Carbanak technical reports are good examples of this and are discussed below. When continuous endpoint monitoring analytics are in place and surface these patterns, recognizing something suspicious or uncommon is straightforward. Security staff can perform fast triage on the unusual patterns and quickly reach a yes/no/maybe verdict that separates unusual-but-known-good activity from malicious activity, and from activity that needs further tracking and deeper forensic investigation to confirm.
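The prevalence analytic behind the "one of these things is not like the other" game, together with the baseline comparison and the yes/no/maybe triage described above, can be illustrated in a few dozen lines. The following is an added example, not code from the original post or from any monitoring product it describes. The endpoint names, image paths, hash prefixes and the earlier-window baseline are constructed sample data; the 25% low-prevalence threshold and the three verdict labels are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real hashes): one tuple per (endpoint, image path,
# sha256 prefix) observed running during the current window on a population of 8 endpoints.
ENDPOINTS = ["ws01", "ws02", "ws03", "ws04", "ws05", "ws06", "ws07", "ws08"]
CURRENT_WINDOW = [
    (ep, r"C:\Windows\System32\svchost.exe", "a1a1a1") for ep in ENDPOINTS
] + [
    (ep, r"C:\Program Files\Office\winword.exe", "b2b2b2") for ep in ENDPOINTS
] + [
    ("ws03", r"C:\Tools\sysinternals\procexp.exe", "c3c3c3"),  # admin tool, present in baseline
    ("ws05", r"C:\Users\Public\svchost.exe", "d4d4d4"),        # common image name, odd directory, unique hash
    ("ws05", r"C:\Windows\Temp\update.exe", "e5e5e5"),         # never seen before, single host
]

# Constructed baseline: (path, hash) pairs recorded across the population in earlier windows.
BASELINE = {
    (r"C:\Windows\System32\svchost.exe", "a1a1a1"),
    (r"C:\Program Files\Office\winword.exe", "b2b2b2"),
    (r"C:\Tools\sysinternals\procexp.exe", "c3c3c3"),
}

LOW_PREVALENCE_RATIO = 0.25  # assumption: seen on <=25% of endpoints counts as low prevalence


def prevalence(observations):
    """Map each (path, hash) pair to the set of endpoints it was observed on."""
    seen = defaultdict(set)
    for endpoint, path, digest in observations:
        seen[(path, digest)].add(endpoint)
    return seen


def name_collisions(observations):
    """Image file names that appear with more than one (directory, hash) variant in the population."""
    by_name = defaultdict(set)
    for _, path, digest in observations:
        by_name[path.rsplit("\\", 1)[-1].lower()].add((path, digest))
    return {name: variants for name, variants in by_name.items() if len(variants) > 1}


def triage(observations, baseline, population_size, low_ratio=LOW_PREVALENCE_RATIO):
    """Rank (path, hash) pairs for analyst attention, lowest prevalence first.

    Verdict labels follow the post's yes/no/maybe split (labels are an assumption):
      'known-good'  high prevalence, nothing else unusual
      'monitor'     low prevalence but already in the baseline (unusual-but-known)
      'suspicious'  low prevalence and never seen before, or a low-prevalence variant
                    of an image name that is common elsewhere in the population
    """
    seen = prevalence(observations)
    collisions = name_collisions(observations)
    results = []
    for (path, digest), hosts in seen.items():
        ratio = len(hosts) / population_size
        low = ratio <= low_ratio
        novel = (path, digest) not in baseline
        masquerade = low and path.rsplit("\\", 1)[-1].lower() in collisions
        if masquerade or (low and novel):
            verdict = "suspicious"
        elif low:
            verdict = "monitor"
        else:
            verdict = "known-good"
        results.append({"path": path, "hash": digest, "hosts": sorted(hosts),
                        "prevalence": ratio, "novel": novel, "verdict": verdict})
    # Lowest prevalence first; at equal prevalence, items absent from the baseline come first.
    results.sort(key=lambda r: (r["prevalence"], not r["novel"], r["path"]))
    return results


if __name__ == "__main__":
    for r in triage(CURRENT_WINDOW, BASELINE, len(ENDPOINTS)):
        print(f'{r["verdict"]:10} {r["prevalence"]:.2f} {r["path"]} ({r["hash"]}) on {",".join(r["hosts"])}')
```

Run as-is it lists the two single-host, never-before-seen images on ws05 at the top as "suspicious", the low-prevalence but baselined admin tool as "monitor", and the two population-wide images as "known-good". In a real deployment the inventory would come from the endpoint sensors, the baseline would be maintained over a rolling window, and the "suspicious" rows are what would be forwarded to the SIEM for analyst triage.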

An attacker has no way to pre-test an attack against this kind of defense the way they can against a signature-based product. Continuous endpoint monitoring has a non-deterministic analytics component (which flags suspect activity) and a non-deterministic human component (which performs alert triage). Depending on current activity, the mix of the endpoint population and the experience of the security staff, developing attack activity may or may not be discovered. That is the nature of cyber conflict, and there are no guarantees. But if your defenders are equipped with continuous endpoint monitoring analytics and visibility, they have an unfair advantage.