Daily Archives: March 12, 2015

Charles Leaver – Carbanak Case Study Part Two Explains Why Continuous Endpoint Monitoring Is SO Efficient

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 2 in a 3 part series


Continuous Endpoint Monitoring Is Extremely Efficient


Convicting and blocking malicious code before it can compromise an endpoint is great. But this approach is largely ineffective against cyber attacks that have been pre-tested to evade exactly this sort of security. The real issue is that these stealthy attacks are conducted by knowledgeable human hackers, while conventional endpoint defense is an automated procedure carried out by endpoint security systems that rely mainly on standard antivirus technology. Human intelligence is more imaginative and versatile than machine intelligence and will consistently beat automated machine defenses. This echoes the Turing test, with automated defenses trying to match the intellectual level of a skilled human hacker. At the current time artificial intelligence and machine learning are not advanced enough to fully automate cyber defense, so the human hacker is going to win while those attacked are left counting their losses. We are not living in a science-fiction world where machines can out-think human beings, so you must not assume that a security software suite will automatically take care of all of your issues and prevent every attack and data loss.

The only genuine way to stop a determined human hacker is with a determined human cyber defender. To engage your IT Security Operations Center (SOC) personnel in this role, they must have complete visibility of network and endpoint operations. That visibility will not come from standard endpoint antivirus solutions; they are designed to remain silent unless they are capturing and quarantining malware. This traditional approach renders the endpoints opaque to security personnel, and hackers use that endpoint opacity to hide their attacks. The opacity extends backwards and forwards in time: your security staff do not know exactly what was running across your endpoint population in the past, what is running at this moment, or what to expect in the future. If diligent security personnel discover clues that require a forensic look-back to uncover hacker activity, your antivirus suite will be unable to help. It would not have acted at the time, so no events will have been recorded.

In contrast, continuous endpoint monitoring is always working: providing real-time visibility into endpoint operations, offering forensic look-backs so that newly emerging evidence of an attack can be acted on and earlier indications found, and establishing a baseline of normal operating patterns so that it knows what to expect and can flag abnormalities in the future. Beyond plain visibility, continuous endpoint monitoring offers informed visibility, applying behavioral analytics to spot operations that appear irregular. The analytics continually analyze and aggregate these irregularities and report them to SOC staff through the organization’s security information and event management (SIEM) system, flagging the most worrying suspicious abnormalities for security personnel attention and action. Continuous endpoint monitoring amplifies and scales human intelligence; it does not replace it. It is a bit like the old Sesame Street game, “One of these things is not like the other.”

A child can play this game. It is easy because most items (referred to as high prevalence) look like each other, while one or a few (called low prevalence) are different and stand apart. The distinctive actions taken by cyber attackers have been quite consistent in hacking for decades. The Carbanak technical reports that listed the indicators of compromise are ready examples of this and will be discussed below. When continuous endpoint monitoring security analytics are applied and surface these patterns, it is easy to recognize something suspicious or unusual. Cyber security personnel can perform fast triage on these unusual patterns and rapidly arrive at a yes/no/maybe answer that separates uncommon but known-good activities from malicious activities, and from activities that require further tracking and deeper forensic examination to confirm.
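As an added illustration of the prevalence idea above (this is example code, not from the original post or any vendor product), the following Python computes how many hosts in a monitored population ran each executable, compares a current window against a baseline window, and queues the low-prevalence items for SOC triage, ranking those never seen in the baseline first. The host names and paths are constructed sample telemetry.

```python
from collections import defaultdict

# Constructed sample telemetry: (host, executable path) pairs reported by
# endpoint monitoring. Hosts and paths are illustrative, not real data.
BASELINE = [
    ("ws01", r"C:\Windows\System32\svchost.exe"),
    ("ws01", r"C:\Windows\explorer.exe"),
    ("ws02", r"C:\Windows\System32\svchost.exe"),
    ("ws02", r"C:\Windows\explorer.exe"),
    ("ws03", r"C:\Windows\System32\svchost.exe"),
    ("ws03", r"C:\Windows\explorer.exe"),
    ("ws04", r"C:\Windows\System32\svchost.exe"),
    ("ws04", r"C:\Windows\explorer.exe"),
    ("ws01", r"C:\Program Files\Vendor\debug.exe"),   # rare but known in baseline
]
CURRENT = BASELINE + [
    ("ws03", r"C:\Users\Public\tmp\updater.exe"),    # rare and never seen before
    ("ws01", r"C:\Program Files\Vendor\update.exe"),  # new but rolled out everywhere
    ("ws02", r"C:\Program Files\Vendor\update.exe"),
    ("ws03", r"C:\Program Files\Vendor\update.exe"),
    ("ws04", r"C:\Program Files\Vendor\update.exe"),
]


def prevalence(observations):
    """Map each executable path to the fraction of distinct hosts that ran it."""
    hosts = {host for host, _ in observations}
    if not hosts:
        return {}
    seen = defaultdict(set)
    for host, path in observations:
        seen[path].add(host)
    return {path: len(hs) / len(hosts) for path, hs in seen.items()}


def triage_candidates(baseline, current, max_prevalence=0.25):
    """Return (path, prevalence, is_new) for low-prevalence paths in the
    current window; entries absent from the baseline sort first, then by
    ascending prevalence, so the analyst sees the oddest items at the top."""
    base = prevalence(baseline)
    rows = [(path, frac, path not in base)
            for path, frac in prevalence(current).items()
            if frac <= max_prevalence]
    rows.sort(key=lambda row: (not row[2], row[1], row[0]))
    return rows
```

High-prevalence items (system binaries, a vendor update pushed to every host) drop out of the queue even when new; the analyst's yes/no/maybe call is only needed for the rare ones.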

There is no way for a hacker to pre-test their attacks against this kind of defense. Continuous endpoint monitoring security has a non-deterministic risk analytics component (which flags suspect activity) along with a non-deterministic human component (which performs alert triage). Depending on the current activities, the endpoint population mix and the experience of the cyber security staff, developing attack activity may or may not be uncovered. This is the nature of cyber warfare and there are no guarantees. However, if your cyber security fighters are equipped with continuous endpoint monitoring analytics and visibility, they will have an unfair advantage.