In The Second Part Of The Carbanak Case Study The Efficiency Of Continuous Endpoint Monitoring Is Demonstrated – Chuck Leaver

Presented By Chuck Leaver And Written By Dr Al Hartmann

 

Part 2 in a 3 part series

 

Continuous Endpoint Monitoring Is Very Effective

 

Capturing and blocking malicious scripts before they are able to compromise an endpoint is fine. But this approach is largely ineffective against cyber attacks that have been pre-tested to evade this kind of security method. The real issue is that these evasive attacks are carried out by knowledgeable human hackers, while conventional endpoint defense is an automated procedure run by endpoint security systems that rely largely on standard antivirus technology. Human intelligence is more imaginative and flexible than machine intelligence and will always be superior to automated machine defenses. This underlines the findings of the Turing test, where automated defenses are trying to match the intellectual level of an experienced human hacker. At present, artificial intelligence and machine learning are not sophisticated enough to fully automate cyber defense, so the human hacker is going to win while those attacked are left counting their losses. We are not living in a science fiction world where machines can out-think people, so you should not assume that a security software suite will automatically take care of all your problems and prevent all attacks and data loss.

The only real way to stop a determined human hacker is with an equally determined human cyber defender. To engage your IT Security Operations Center (SOC) personnel in this, they need full visibility of network and endpoint operations. Conventional endpoint antivirus solutions will not provide this kind of visibility; they are designed to stay quiet unless they are capturing and quarantining malware. This traditional technique leaves the endpoints opaque to security personnel, and hackers use this endpoint opacity to hide their attacks. The opacity extends backwards and forwards in time: your security staff have no idea exactly what was running across your endpoint population in the past, what is running at this moment, or what can be expected in the future. If persistent security personnel find clues that require a forensic look-back to uncover hacker activity, your antivirus suite will be unable to help. It would not have acted at the time, so no events will have been recorded.

Continuous endpoint monitoring, on the other hand, is always working. It supplies real-time visibility into endpoint operations, provides forensic look-backs so that newly emerging evidence of attacks can be acted on and signs spotted earlier, and establishes a baseline of normal patterns of operation so that it knows what to expect and can alert on any anomalies in the future. Continuous endpoint monitoring supplies not just visibility but informed visibility, applying behavioral analytics to detect operations that appear unusual. Anomalies are continuously examined and aggregated by the analytics and reported to SOC personnel through the organization’s security information and event management (SIEM) system, which flags the most worrying suspicious items for security personnel to review and act on. Continuous endpoint monitoring will enhance and scale human intelligence, not replace it. It is a bit like the old game on Sesame Street, “One of these things is not like the other.”

A child can play this game. It is simple because the majority of items (called high prevalence) look like each other, while one or a small number (called low prevalence) are different and stand out. The distinctive actions taken by cyber criminals have been quite consistent in hacking for decades. The Carbanak technical reports that listed the indicators of compromise are good examples of this and will be covered below. When continuous endpoint monitoring security analytics are in place and reveal these patterns, it is easy to recognize something suspicious or unusual. Cyber security staff will be able to perform fast triage on these unusual patterns and quickly reach a yes/no/maybe decision that separates activities that are uncommon but known to be good from malicious activities, and from activities that need extra monitoring and deeper forensic examination to confirm.
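The prevalence idea described above, as an added example that is not from the original post or from any vendor's product: it counts on how many endpoints each executable (path plus hash) was seen and surfaces the low-prevalence ones for human triage. The hostnames, paths, hash labels, allowlist and the 25% threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry: (endpoint, executable path, hash label).
# The hash labels are placeholders, not real indicators.
HOSTS = [f"pc{n:02d}" for n in range(1, 9)]
OBSERVATIONS = [(h, r"C:\Windows\System32\svchost.exe", "sha256:aaaa") for h in HOSTS]
OBSERVATIONS += [(h, r"C:\Program Files\Acme\updater.exe", "sha256:bbbb") for h in HOSTS[:7]]
OBSERVATIONS += [
    # Same path as everyone else, but a hash seen on only one endpoint.
    ("pc08", r"C:\Program Files\Acme\updater.exe", "sha256:cccc"),
    # Rare, but on the (hypothetical) approved-software list.
    ("pc02", r"C:\Tools\backup_agent.exe", "sha256:dddd"),
]


def low_prevalence(observations, threshold=0.25, known_good=frozenset()):
    """Return executables seen on at most `threshold` of endpoints, rarest first."""
    hosts_by_item = defaultdict(set)
    for host, path, digest in observations:
        hosts_by_item[(path, digest)].add(host)
    total_hosts = len({host for host, _, _ in observations})

    findings = []
    for (path, digest), hosts in hosts_by_item.items():
        share = len(hosts) / total_hosts
        if share > threshold:
            continue  # high prevalence: looks like everything else
        findings.append({
            "path": path,
            "hash": digest,
            "hosts": sorted(hosts),
            "prevalence": share,
            # Uncommon-but-approved items are labelled so an analyst can
            # spend time on the ones that still need a decision.
            "status": "known-good" if digest in known_good else "needs-triage",
        })
    return sorted(findings, key=lambda f: (f["prevalence"], f["path"]))


if __name__ == "__main__":
    for f in low_prevalence(OBSERVATIONS, known_good={"sha256:dddd"}):
        print(f"{f['prevalence']:.1%}  {f['status']:<12}  {f['path']}  {f['hosts']}")
```

Keying on path and hash together is what exposes the one updater binary that differs from the other seven; counting by path alone would hide it.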

There is no way for a hacker to pre-test their attacks when this defense is in place. Continuous endpoint monitoring security has a non-deterministic threat analytics component (which flags suspect activity) in addition to a non-deterministic human component (which performs alert triage). Depending on current activity, the endpoint population mix and the experience of the cyber security personnel, developing attack activity may or may not be revealed. This is the nature of cyber warfare and there are no guarantees. But if your cyber security fighters are equipped with continuous endpoint monitoring analytics and visibility, they will have an unfair advantage.
