Author: Nir Gaist, Co-Founder and CTO, Nyotron
It seems like a new crippling attack or data breach makes news headlines every week, if not every day. And those are just the cases that are made public. Clearly, the traditional approach of relegating endpoint security to a basic “antivirus checkbox”, while the majority of investment and innovation focuses on network layer defenses, is no longer effective. Malicious actors are using endpoints as an entry point into an organization for lateral movement, data staging and exfiltration, and the industry continues to rely too heavily on Negative Security models to track down the bad.
As malware authors continuously build up their arsenal, successful security strategies will need to embrace multi-layered defenses that include both Negative and Positive Security. A second-generation approach to the Positive Security model, in the form of dynamic behavior whitelisting, represents a substantial improvement over first-generation models (e.g. application whitelisting) and can help you win the war on malware.
Resurgence of Endpoint Security
Since 2015, venture capitalists have invested billions of dollars in next generation endpoint security technologies and these have gained significant market traction. Early adopters have been using these next-generation antivirus (NGAV) products over the last few years. While most vendors have promised that their solutions based on machine learning (ML)/artificial intelligence (AI) are a “silver bullet” against malware, overall effectiveness against malware has increased only marginally.
Why aren’t these new solutions delivering on their promise? Because the reality is that an organization is almost guaranteed to get infected due to the sheer number of new malware variants. For example, according to AV-TEST.org, there were almost 140 million new malware samples submitted in 2018 alone.
Even assuming an overly optimistic detection rate of 99.9%, roughly 140,000 of those samples would go undetected. Moreover, since ML models are by definition trained on known malware samples, claims regarding their ability to catch completely new, unknown threats are often exaggerated.
“There has been little improvement in endpoint security detection metrics and ‘AI fatigue’ is setting in as public breaches and hacks grow despite the deployment of technologies such as NGAV, Endpoint Detection and Response (EDR) and User and Entity Behavior Analytics (UEBA),” said Nir Gaist, Founder and CTO, Nyotron. “Most organizations now assume that they have already been breached and are just trying to shorten discovery and limit impact.”
Winning the War on Malware
So why, almost three decades later, are we still chasing "badness" and applying only the Negative Security model in the vast majority of security products? What if we take another look at the Positive Security model in the war on malware?
As a refresher, the Negative Security model defines what is disallowed (aka “bad”) and allows everything else.
This model is commonly used in antivirus (AV), host intrusion prevention system (HIPS), next-generation antivirus (NGAV) and data loss prevention (DLP) products, among others. Whereas the Positive Security model is one that defines what is allowed (aka “good” or “known”) and rejects everything else.
First Generation Positive Security Model
Application Whitelisting (aka Application Control) is the first generation of the Positive Security model applied at the endpoint level. It has been successful primarily among a limited number of highly sophisticated and well-resourced Fortune 500 organizations. Why didn't it work out for everyone else? Unless deployed on a fixed-workload device such as an ATM, a POS terminal or a web server, the inflexibility of whitelisting in the face of today's dynamic application landscape can be crippling.
“The required maintenance overhead along with user dissatisfaction are pretty much unsustainable for a typical organization,” said Gaist. “Moreover, the threat landscape has evolved since the original development of application whitelisting technologies making them ineffective against most modern advanced attacks leveraging so called fileless malware.”
Second Generation Positive Security Model
To understand the second generation Positive Security Model, let's first look at the typical attack kill-chain in its simplified form, from Attack to Payload to Infection and finally to Damage, as shown in Figure 1. The ways to attack an endpoint are practically infinite: OS and application vulnerabilities, social engineering attacks, human interface devices (HID, e.g. a Rubber Ducky) and, most importantly, human ingenuity. Most security professionals agree that given enough time and resources, an attacker can breach any organization.
Unlike attack methods, intentions of the attacker in the damage stage remain a fairly static, finite set that is primarily focused on the following activities: data access and exfiltration (e.g. intellectual property theft, espionage), immediate monetary gain (e.g. ransomware) and data/system damage (e.g. wiper malware, hacktivism).
This new approach to Positive Security, called OS-Centric Positive Security or dynamic behavior whitelisting, focuses on the damage stage of the attack. Rather than looking at applications, this model looks at the actions that may cause system damage or data exfiltration. It also avoids focusing on highly unpredictable user behavior, which would require learning or baselining. Instead, it is a deterministic model that "pre-learns", or maps, legitimate OS behavior, and rejects any attempt to reach a damaging action by a path that is not on that map. OS-Centric Positive Security eliminates the massive management overhead that plagued the first-generation approach (application whitelisting) and, at the same time, ensures high levels of security, including protection against fileless malware and zero-day exploits.
Second Generation Positive Security Benefits
The benefits of the OS-Centric Positive Security approach include:
- No patient zero required: Whether the malware is last year's or was created a minute ago does not matter. In fact, a solution based on this approach does not care about the malware or the attack vector at all; it blocks any damage attempt at runtime.
- No learning/baselining or AI/ML algorithms: Security solutions using learning/baselining or AI/ML algorithms often act only after detecting an unusual sequence of events—for example, the encryption of ten files within a short window of time. These solutions would prevent the encryption of additional files only after this point. In contrast, an OS-Centric Positive Security based product would prevent the encryption of the first file, resulting in zero damage. Although AI-based NGAV solutions are quite sophisticated and are trained on literally billions of known malware samples, training on the known does not necessarily protect you from the unknown.
- Persistent security: Traditional security solutions work like gates—if attackers manage to pass through the gate they have practically unrestricted access to the endpoint and its data. This type of security is transient. On the other hand, Positive Security is persistent, analyzing every action every time, forever.
- Support for air-gapped environments and disconnected endpoints: Full protection capabilities are maintained whether the endpoint is connected or offline. A Positive Security-based solution of this type does not rely on cloud-based threat intelligence to stop attacks and does not need to send a previously unseen binary to a detonation sandbox somewhere in the cloud.
- Protection of already infected endpoints: A Positive Security-based solution is fully preventative; it will block any attempt to damage a system or its data even if the endpoint was compromised before the product was installed. The same holds for unpatched (e.g. out-of-support) systems.
- Fewer false positives: When you operate on only a few thousand operating-system state transitions, rather than on billions of files or millions of applications, false positives are greatly diminished.
- More lightweight: Compared to solutions applying the Negative Security model, a solution based on the Positive Security model does not need to scan files and folders, update AV definitions or perform other resource-draining activities. Instead, the solution watches state transitions and compares them to a relatively small, finite set of normative transition maps, resulting in no noticeable performance degradation.
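To make the contrast between the two models concrete, here is an added example, not Nyotron's code and not a description of how its product is implemented, that simulates the Negative Security model defined above (a blocklist of known-bad sample hashes), a baselining detector of the "ten files in a short window" kind, and a Positive Security model built from a small allowlist of OS state transitions (process, action, target), evaluated over a constructed stream of endpoint events. The sample bytes, process names, file paths, the transition map and the threshold of ten writes are all invented for illustration.

```python
"""Negative vs. Positive Security models on a simulated endpoint event stream.

Added example; everything below (samples, hashes, process names, paths and the
transition map) is constructed for illustration and is not vendor code.
"""
import fnmatch
import hashlib
from dataclasses import dataclass

# --- Negative Security: define what is bad, allow everything else ----------
KNOWN_BAD_SAMPLE = b"MZ\x90\x00ransomware-v1-payload"        # constructed
NEW_VARIANT = KNOWN_BAD_SAMPLE.replace(b"v1", b"v2")        # repacked variant
BLOCKLIST = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}  # "AV definitions"


def negative_model_allows(sample: bytes) -> bool:
    """Allow any binary whose hash is not on the blocklist."""
    return hashlib.sha256(sample).hexdigest() not in BLOCKLIST


# --- Positive Security: define what is allowed, reject everything else -----
@dataclass(frozen=True)
class Event:
    process: str  # image name that performed the action
    action: str   # OS-level operation: read / write / rename / delete
    target: str   # file path acted upon


# Normative transition map: (process glob, action, target glob). Anything that
# matches no entry is denied. Constructed; a real map would be far larger and
# derived from observed legitimate OS behavior, not hand-written.
TRANSITION_MAP = [
    ("winword.exe", "write", "*.docx"),
    ("winword.exe", "rename", "*.docx"),
    ("backup.exe", "read", "*"),
    ("backup.exe", "write", "*.bak"),
    ("*", "read", "*"),  # reads are not treated as damaging in this toy model
]

DAMAGING_ACTIONS = {"write", "rename", "delete"}


def positive_model_allows(ev: Event) -> bool:
    """Allow an event only if some entry of the transition map covers it."""
    return any(
        fnmatch.fnmatch(ev.process, proc)
        and ev.action == action
        and fnmatch.fnmatch(ev.target, target)
        for proc, action, target in TRANSITION_MAP
    )


def make_baselining_policy(threshold: int = 10):
    """Anomaly-style policy: a process is blocked only after it has performed
    more than `threshold` damaging actions (the 'ten files encrypted' rule)."""
    counts: dict[str, int] = {}

    def allow(ev: Event) -> bool:
        if ev.action in DAMAGING_ACTIONS:
            counts[ev.process] = counts.get(ev.process, 0) + 1
            if counts[ev.process] > threshold:
                return False
        return True

    return allow


def run(events, allow):
    """Feed events to a policy. Returns (damaging events let through before the
    first block, index of the blocked event or None if nothing was blocked)."""
    damaged = 0
    for i, ev in enumerate(events):
        if not allow(ev):
            return damaged, i
        if ev.action in DAMAGING_ACTIONS:
            damaged += 1
    return damaged, None


def ransomware_events(process: str = "invoice.pdf.exe", n_files: int = 25):
    """Constructed attack: an unknown binary reads each document, then
    overwrites it with ciphertext."""
    events = []
    for i in range(n_files):
        path = f"C:/Users/alice/Documents/report-{i:02d}.docx"
        events.append(Event(process, "read", path))
        events.append(Event(process, "write", path))
    return events


def demo():
    """Run the same attack through both runtime policies."""
    attack = ransomware_events()
    return {
        "baselining": run(attack, make_baselining_policy(threshold=10)),
        "positive": run(attack, positive_model_allows),
    }


if __name__ == "__main__":
    print("known sample allowed by blocklist:", negative_model_allows(KNOWN_BAD_SAMPLE))
    print("new variant allowed by blocklist:  ", negative_model_allows(NEW_VARIANT))
    print(demo())  # baselining lets 10 files be encrypted; positive lets 0
```

The blocklist stops the sample it has seen and waves through a variant that differs by two bytes, which is the 99.9% problem from earlier in the article in miniature. The baselining policy does block the attacker, but only at the eleventh write, so ten documents are already encrypted; the transition-map policy rejects the very first write because no entry lets an unknown image write a .docx, so damage is zero, and it reaches that decision without knowing the hash, the name or the age of the binary. The design trade-off is visible in the same few lines: a legitimate application missing from the map (say, a new editor saving .docx files) is rejected just as firmly, so the quality of the map is what decides the false-positive rate.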
“An OS-Centric Positive Security isn’t a silver bullet, but it can be a tremendously valuable and complementary defense mechanism—your last line of defense,” said Gaist. “The majority of endpoint security solutions deployed today are based on the Negative Security model; so, it’s time to consider adding a Positive Security solution to strengthen your endpoint protection.”