Welcome to the VB2021 conference!

Endpoint security checkbox: a stealthy approach to cyberdefence

Nathaniel Adewole (Esentry System)
partner message

Looking for performance validation for your product?

https://www.virusbulletin.com/testing/

Get an edge over your competitors with Virus Bulletin’s anti-malware & email security certification

programmes, supported by 30+ years of experience. Or take advantage of our bespoke testing service

offering valuable performance feedback for R&D. Email [email protected].

partner message

We don’t just talk about sharing. We do it every day.

https://www.cyberthreatalliance.org/about-cta

Learn how to collaborate with the Cyber Threat Alliance to improve your overall cyber resilience.

We are a greater team when we work together; our collective efforts magnifies our success and

ensures that we are and remain cyber resilient.

partner message

F5 helps find malware hiding in plain sight

https://www.f5.com/company/blog/half-the-world-s-malware-is-now-encrypted

Encrypted malware is becoming increasingly common, and daisy-chaining security devices is neither

cost-effective, nor efficient. Detecting and stopping malware doesn’t have to be overwhelming with

F5’s innovative products.

partner message

VirusTotal: Actionable crowdsourced threat intelligence

https://www.virustotal.com/

Comprehensive context and cutting-edge functionality to proactively protect from cybersecurity threats.

partner message

IoT security begins with your Smart TV

https://chomar.link/smarttv

CHOMAR Smart TV Security.

Protect your Android Smart TV against malicious activities and use your IoT devices without any worries.

partner message

Do you like doing work that matters to you… and really frustrates the bad guys?

https://talosintelligence.com/careers

At Talos, our mission is to make the internet a safer place and fight the good fight for our customers

and users. If you think you have the expertise and attitude to help lead the world in cutting-edge security,

we’d like to talk.

partner message

Amazon Information Security - come build the future with us!

https://www.amazon.jobs/en-gb/team/infosec

Do you want to work on privacy and security challenges at unprecedented scale?

We have Privacy and Information Security opportunities available now across

the United States, Dublin, Ireland, and Sydney, Australia.

partner message

Ransomware prevention starts with zero

https://www.zscaler.com/solutions/security-transformation/ransomware-protection

Ransomware attacks are increasing 500% year-over-year.

Learn how Zscaler's Zero Trust Exchange helps minimize exposure, damage, and risk

at every stage of a ransomware attack.

partner message

Farsight Security DNSDB® is the world's largest real-time and historical database of DNS resolutions

https://www.farsightsecurity.com/get-started-guide/

DNSDB 2.0 introduces Flexible Search support, unlocking both Regular Expressions and Globbing syntaxes for more granular and accurate search results. Get your free DNSDB API key and use it in our newly updated

web GUI, DNSDB Scout as well as your own existing environments. Contextualize everything that is DNS related with one API key - DNSDB.

partner message

Calling all Hackers!

https://www.ise.io/careers/#op-470256-hacker-midseniorprincipal

We are hiring mid-senior-principal level hackers!

Remote option • Flex schedule • Unlimited vacation • Opportunities for research and publication

partner message

Stay ahead of threats with VirusTotal

https://www.virustotal.com/

Stay ahead of the next generation of threats and get relevant insights to solve

the most critical security challenges.

partner message

Threat Intelligence and Cyber Resilience

https://vblocalhost.com/programme/#TIPS

Join the VB2021 Threat Intelligence Practitioners' Summit (TIPS), sponsored by the Cyber Threat Alliance,

and learn how investment in threat intelligence builds cyber resilience, allowing you to be more effective

when addressing today's dynamic threat landscape.

partner message

QI-ANXIN Technology Group Inc. Leader of New Generation Cybersecurity

https://ti.qianxin.com/marketing/vb2021/

QI-ANXIN Technology Group Inc. offers next generation enterprise-class cybersecurity products

and services to government and businesses. QI-ANXIN is the Official Cyber Security Services and

Anti-Virus Software Sponsor of the Olympic and Paralympic Winter Games Beijing 2022.

The use of workstations and servers has become an integral part of our day-to-day life, driving both personal and business objectives. They are very flexible, enhance productivity and overall deliverables. However, many critical vulnerabilities are associated with the endpoints; they are at the core of cybersecurity threats. It is obvious that most of the resources being targeted in cyber-attacks are either host-based, applications or databases which still point to the endpoints. This paper focuses on the security of endpoints.

Each day comes with a new threat; cyber-attacks are evolving in both sophistication and scale. According to IBM Ponemon Institute's May 28th, 2021 report, the global average cost of a data breach is $4.24 million, yet 78% of organizations are still breached: from SolarWinds, FireEye, to Microsoft exchange servers down to the colonial pipeline attacks and still counting. According to IBM, it took an average of 228 days to detect and 80 days to contain a breach in 2020. Another controversy is who should confirm successful attacks or breaches: the internal security teams, the attackers, or third parties. It is a sad fact that 64% of victims of cyber-attacks get to find out they have been breached from third parties. Statistics from Dataprot show that about 560,000 new malicious samples are created globally every 24 hours. Processing malware artifacts efficiently consumes remarkable system resources which affect the overall system performance. Defenders are either overwhelmed by too much noise from security solutions, bothered by incomplete visibility on the endpoints, or incapacitated in their response actions, as most tools practically provide little or no functionality beyond the detection phase.

In the quest for absolute safety, there has been an evolution from the native anti-virus, to endpoint detection and response (EDR), and now extended detection and response (XDR); customers put their faith in seemingly popular vendors’ solutions released yearly, only to be compromised again and again. It is obvious that traditional anti-virus blocks all malware with known signatures. However, the detection engine is circumvented by non-signature-based attacks, such as in-memory or fileless malware. EDRs are expected to enhance endpoint security by providing additional features like pattern matching and behavioural analytics, by assigning reputation (blacklist and whitelist), localizing policy and creating watchlists, by automated sandboxing using artificial intelligence, and the use of machine-learning algorithms among others. But on the contrary, most EDRs end up generating more false positives due to the heuristic detection mechanism, creating the need for security professionals to single out the true positives – a Herculean task of identifying a needle in a haystack.

From a survey, it was observed that customers' choice of EDR was based on the popularity of the vendor. This vendor-bias approach must be eliminated, hence the need for a baseline for endpoint security solutions. These should be the minimum features that EDR solutions should have, to level up with the evolving threat landscape. Some of these checkboxes are a simple interactive API design, with good documentation and excellent support, a robust threat-hunting capability that gives security practitioners control over unfiltered endpoint datasets. It should have a classification engine that separates observed samples into either malicious, suspicious or benign. APT groups sometimes use fileless malware to bypass traditional endpoint security controls, hence the need for memory forensic analysis capability in the EDR. It should also have easy-to-understand and interpretable frameworks integrated into the platform so that Security Operation Centre (SOC) analysts can build on the underlying decision logic in their day-to-day investigations. It should give a deep insight into attackers' motives, the nature of the threats from the result of the analysis, and integrated threat intelligence platforms. It should present a more enriching triage visualization interface and powerful remediation measures that will not end at the quarantine or isolation phase. More actionable steps like directly fetching logs from endpoints, terminating malicious processes and sub-processes, restoring system state to the last healthy snapshot, among others, should be incorporated to achieve maximum security of endpoints.

This checkbox aims to achieve a more precise detection, stealthier mitigation and complete recovery in the shortest possible time with little SOC analyst interaction, without trading off optimal productivity of the resources running on those endpoints.

Got a question about this presentation? To get in touch with the speaker, find Nathaniel on Discord under the nickname ZoomOnIt#1669 or contact him on Twitter at @zoom_on_IT or via his LinkedIn profile.
Nathaniel Adewole
Esentry System

Nathaniel is an independent threat researcher with three years' cybersecurity experience. Nathaniel's research interest revolves around malware intrusion detection and defence evasion techniques, threat intelligence and cyber-resilience. He is currently exploring a machine learning course offered by Stanford University. Nathaniel previously worked as the lead cyberdefence analyst For Esentry System Limited in Lagos, Nigeria. He holds a Bachelor's degree in electronics and electrical engineering from Ladoke Akintola University of Technology, Ogbomoso Nigeria.