What is Next Generation Endpoint Protection?

By now you have probably heard the term “Next Generation Endpoint Protection”. A slew
of companies, startups and incumbents alike, are using the term to describe some of
their offerings. But what does it actually mean? What are the capabilities you should
look for in a Next Generation Endpoint Protection Platform? What makes it “next
generation”?
This whitepaper will lay out and define the critical core pillars of a next generation
endpoint protection platform (NGEPP), the role of each, and the challenge they address. In addition, it will provide recommendations and capabilities to look for when
deciding to implement NGEPP solutions in a modern enterprise environment.
The ineffectiveness of traditional endpoint protection has spurred the rise of
solutions seeking to fill the gap. A next generation endpoint protection solution requires certain capabilities to secure the next generation of endpoints
by stopping the next generation of threats. To avoid repeating mistakes of
the past, comprehensive protection needs to support multiple platforms
and integrate the following pillars into a single agent:
• Prevention
• Dynamic exploit protection
• Dynamic malware protection
• Mitigation
• Remediation
• Forensics
Due to the immense number of threats, high-profile successful attacks, and the growing
ineffectiveness of traditional security solutions, a new model is needed to protect
ever-evolving endpoints from a new age of malware.
Endpoints are no longer just desktop computers running a Windows operating system.
When we say “endpoint”, we mean any type of machine that can execute code, including: laptops, desktops, servers, mobile devices, embedded devices, SCADA systems,
and even IoT devices. It is a very different world, and as endpoints evolve, the difficulty
of keeping them protected from sophisticated attackers increases as well.
As attackers evolve, they use different techniques to evade traditional security solutions
(such as endpoint antivirus, gateway antivirus, and even IPS, IDS and firewalls), which
rely on static signatures to identify malicious files, URLs or IP addresses.
Common techniques include using polymorphic malware, packers and wrappers and
other methods that take a known binary and cause it to appear completely new,
unknown, and benign on the surface. Defenders needed a new way to identify
whether an unknown file was malicious or benign.
Network-based sandboxes
To address this need vendors created network-based sandboxes, also known as
“Breach Detection Systems” (BDS) or “Advanced Threat Detection” systems, that in
essence “emulate” the execution of unknown files inside a virtual machine residing on the
network and monitor file behavior throughout its execution inside the virtual, emulated
Attackers quickly realized that, while their existing packing techniques and malware
variations could not evade these sandboxes as easily as they bypassed static
signature-based solutions, various other techniques let them either:
• Detect they are running inside a sandbox and not on the real end device they want
to compromise
• Take advantage of inherent conceptual sandbox faults (limited emulation time,
lack of user interaction, and only a specific image of the OS).
Attackers use these techniques to help ensure their file and malicious code will not run
in the emulated environment, will be flagged as benign, and continue its route to the end
device and only run there (where the endpoint AV can do little to stop it).
Scene of the crime
It’s become clear that truly effective endpoint protection needs to be at the scene of the
crime: the endpoint, the place where malicious code ultimately has to run and cannot evade.
Next Generation Endpoint Protection
In an era when attackers automatically generate and tailor files per target, using static
methods to determine whether a file is malicious or benign is futile. Analyzing a binary’s
structure to identify similarities among different files or families of malware is only
marginally more effective, since attackers can quickly adapt and create more significant
variations that render statistical and mathematical models almost as useless as a plain
static signature. While this approach may be labeled “next generation”, it simply returns
us to the same cat-and-mouse game of catching up. What was needed was a new, more
robust, disruptive approach focused on the actual core of malware, its behavior, which
cannot be changed as easily as a hash or other static indicators.
The ability to see what was running on an endpoint, and how every application or process is behaving was the biggest missing piece in solving the malware problem.
A New Approach
A comprehensive next generation endpoint protection solution needs to profile, track,
assemble context and identify malicious patterns of behavior across the entire execution
lifecycle of malware, in real time and on the end device. In essence, full, live system
monitoring is one of the core pillars of a Next Generation Endpoint Protection Platform.
Effective protection against modern, sophisticated threats requires a disruptive innovation
in the way threats are detected, blocked, mitigated, remediated, and analyzed.
A next generation endpoint protection solution needs to stand on its own to secure
endpoints against both legacy and advanced threats throughout various stages of
the malware lifecycle. Administrators must be confident they can completely replace the
protection capabilities of their existing legacy, static-based solution with one labelled as
“next generation endpoint protection”.
Next Generation Endpoint Protection Platform Critical Pillars
• Reputation-based preemptive block & prevention policies: protect from known threats
• Dynamic Exploit Detection: protect from application- and memory-based exploits and
drive-by downloads
• Dynamic Execution Inspection: full system monitoring to protect from evasive, packed
malware and social engineering/spearphishing
• Automatic Mitigation: quarantine files and endpoints
• Rollback & Immunize: automatic remediation to undo system changes
• Real-time analysis & root cause forensic investigation
Preemptive Protection
While next generation endpoint protection at its core needs a new approach to stop
advanced malware and zero-day threats, it should also leverage proven techniques to stop
known threats that are in the wild. A layer of preemptive protection allows NGEPP to
block existing, known threats before they can execute on endpoints. But unlike the past,
when you could benefit from only one vendor’s reputation services and intelligence, you
can now leverage up-to-the-minute cloud intelligence and select reputation services, and
enjoy wider coverage.
Recommendation: Choose an NGEPP solution that can not only leverage multiple vendors’
reputation services to proactively block threats, but also uses a lightweight method
to index files (passive scanning or selective scanning) instead of resource-heavy system
Dynamic Exploit Detection
Leveraging exploits is a sophisticated technique used by attackers to breach systems
and execute malware. Drive-by downloads are a common threat vector for these exploit
attacks. An NGEPP solution needs anti-exploit capabilities to protect against attacks that
leverage both application and memory-based exploits.
Recommendation: An NGEPP solution must be able to demonstrate detection of memory
exploits using methods that do not depend on static measures such as shellcode scanning,
but instead detect the actual techniques used by exploit attacks (for example heap
spraying, stack pivots, ROP attacks, and memory permission modifications). These prove
to be a much more robust method of detecting exploitation attempts, as they are not as
easily changed and modified as the shellcode, droppers and payloads that are typically
involved.
Dynamic Malware Detection
At the core of an NGEPP solution is the ability to stop zero-day and targeted attacks.
This dynamic malware detection capability requires real-time monitoring and analysis of
application and process behavior based on low-level instrumentation of OS activities and
operations, including memory, disk, registry, network, and more. Since attackers have
learned to hook into system processes and benign applications to mask their malicious
activity, the ability to inspect execution and assemble the true execution context is key.
The detection intelligence must be local to the agent to protect against a variety of
attacks and scenarios; for example, when the endpoint is offline, local detection
intelligence can still protect against infected USB sticks.
Recommendation: Look beyond the indicator. While using low-level endpoint visibility
to seek indicators of compromise is a leap forward from the visibility network products
deliver, it still stops short of dealing with attacks that have never been seen before and
therefore cannot be identified with any static indicators of compromise. Dynamic
behavioral analysis, an approach that does not rely on prior knowledge of a specific
indicator to detect an attack, will prove superior when dealing with true zero days, which
will rarely display any static indicator of compromise even though their behavior will
remain the same and can be recognized. Ensure the NGEPP solution can dynamically
detect zero-day threats and advanced malware without the need for static measures.
Mitigation
Detecting threats is necessary but insufficient, and the ability to perform mitigation
(either manually or through automation) needs to be an integral part of an NGEPP
solution’s capabilities. The mitigation options should be policy-based and flexible enough
to cover a wide range of use cases; for example, quarantining a file, killing a specific
process, disconnecting the infected machine from the network, or even completely
shutting it down.
Recommendation: After confirming the NGEPP solution has mitigation capabilities,
make sure that automatic mitigation is possible, and is performed in a timely manner
(e.g., if the product needs to “phone home” to a central server to receive a mitigation
command it might be too late). Quick mitigation during inception stages of the malware
lifecycle will minimize damage and speed remediation.
Remediation
During execution, malware often creates, modifies, or deletes system files and registry
settings, as well as making changes to configuration settings. These changes or remnants
left behind can cause system malfunction or instability. An NGEPP solution needs the
ability to restore an endpoint to its pre-malware execution state.
Recommendation: Similar to mitigation capabilities, confirm the presence of remediation
functionality along with visibility regarding what changed and what was successfully
Forensics
Since no solution is always 100% effective, the ability to provide real-time endpoint
forensics is a must for an NGEPP solution. Clear and timely visibility of malicious
activities that have taken place on endpoints across an organization is essential for
security staff to quickly identify the scope of the problem, report to others both
vertically and horizontally across the organization, and make better decisions based on
the provided data.
Recommendation: Choose an NGEPP solution that provides full visibility, in a
simple-to-understand display, of what happened on an endpoint during an attack in real
time, and that provides the capability to search for IOCs across endpoints.
Beyond the Pillars - Additional Considerations
Always On
Description: With the cloud completely changing where assets are located and how users
access them, the definition of a secure perimeter is changing. This further illustrates the
need for an autonomous endpoint agent that can monitor and protect against malware
attacks even when a user is outside the workplace, in a much less secure environment,
but can still access sensitive assets. Outside the network, roaming users are still
connecting to the Internet, swapping USB drives, and working for periods offline.
What to look for: Solutions that can protect endpoints both on and off the network,
whether they are online or offline (in other words, the ability to detect attacks and take
action is contained in the agent and does not require any offloading of data for
centralized analysis or decision making).
Multiple Platforms
Description: The definition of endpoint has expanded, as the enterprise is no longer just
a homogeneous collection of machines running Windows operating systems. An NGEPP
needs to support multiple platforms to fit the needs of modern enterprises, which have
become a heterogeneous mix of endpoints.
What to look for: Solutions that can be managed from a single console and support
Windows and non-Windows endpoints, including OS X and mobile operating systems.
Unobtrusive
Description: Endpoint security solutions must remain unobtrusive and cannot interfere
with the end user’s productivity. This is especially important for NGEPP solutions, which
must run on the end user’s device to effectively protect it and provide the necessary
visibility of the endpoint’s health.
What to look for: Stay away from solutions that work in-line and can delay execution of
applications (opt for asynchronous processing).
Scalability
Description: To be enterprise-ready, a viable NGEPP solution needs the capability to
scale to thousands of endpoints in both centralized and highly distributed environments.
This requires that the agent be lightweight, that agent-to-server transport be kept to a
minimum, and that the server itself can scale to support endpoint growth.
What to look for: Stay away from big-data-type solutions that need massive storage and
compute power on the server side in order to crunch a lot of data. These will typically
not scale well and introduce a lot of latency.
Tamper Proof
Description: An NGEPP must have measures in place to protect itself and prevent malware
from disabling or interfering with the protection. As an NGEPP solution becomes more
effective and harder to bypass, attackers will look for ways to compromise the protection
to increase the probability of a successful attack.
What to look for: Solutions that are installed at a low level in the operating system
(i.e., kernel level). Agents that are active in both user space and kernel space are less
likely to be circumvented, and solutions that have visibility into system events can in
most cases detect tampering attacks, unlike solutions that don’t monitor process
Integration
Description: Enterprises use various solutions to collect threat information and
indicators of compromise to monitor the health status of their organizations and perform
timely mitigation. In addition, while protecting endpoints is critical, an NGEPP solution
also needs to be a piece of the overall security picture by easily integrating into an
organization’s security infrastructure.
What to look for: Solutions that can offload indicators to SIEMs or other tools using
industry-standard formats (CEF, STIX, OpenIOC), and can integrate with leading network
security solutions.
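As an added example that is not SentinelOne’s code nor part of the original whitepaper, the following Python sketch illustrates two points made above: it assembles execution context (process lineage plus each process’s actions) from constructed endpoint telemetry, raises a verdict purely from the observed behavior chain, as the Dynamic Malware Detection recommendation describes, and serializes the finding as a CEF line of the kind the integration consideration calls for. The event schema, vendor name and signature id are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one process tree behaving like a
# macro-based dropper. No hashes appear anywhere; only behaviour is evaluated.
EVENTS = [
    {"type": "process_start", "pid": 20, "ppid": 1, "image": "winword.exe"},
    {"type": "process_start", "pid": 30, "ppid": 20, "image": "powershell.exe"},
    {"type": "file_write", "pid": 30, "path": "C:\\Users\\u\\AppData\\Roaming\\upd.exe"},
    {"type": "registry_set", "pid": 30, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"type": "process_start", "pid": 40, "ppid": 30, "image": "upd.exe"},
    {"type": "net_connect", "pid": 40, "dst": "203.0.113.7:443"},
]
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
REQUIRED = {"drops_executable", "sets_run_key_persistence", "outbound_connection"}

def build_context(events):
    """Split the stream into a process table and the actions each pid performed."""
    procs, actions = {}, defaultdict(list)
    for ev in events:
        if ev["type"] == "process_start":
            procs[ev["pid"]] = ev
        else:
            actions[ev["pid"]].append(ev)
    return procs, actions

def descendants(procs, root):  # every pid below root in the tree (root excluded)
    found, stack = set(), [root]
    while stack:
        parent = stack.pop()
        children = [p for p, ev in procs.items() if ev["ppid"] == parent and p not in found]
        found.update(children)
        stack.extend(children)
    return found

def behaviour_of(ev):
    """Translate a raw event into the behaviour it represents (None if uninteresting)."""
    if ev["type"] == "file_write" and ev["path"].lower().endswith(".exe"):
        return "drops_executable"
    if ev["type"] == "registry_set" and "\\currentversion\\run\\" in ev["key"].lower():
        return "sets_run_key_persistence"
    return "outbound_connection" if ev["type"] == "net_connect" else None

def detect(events):
    """Flag each Office process whose descendants together dropped an executable, set
    Run-key persistence and connected out; no file name or hash is consulted."""
    procs, actions = build_context(events)
    findings = []
    for pid, ev in procs.items():
        if ev["image"].lower() in OFFICE_APPS:
            seen = {behaviour_of(a) for d in descendants(procs, pid) for a in actions[d]}
            if REQUIRED <= seen:
                findings.append({"root_pid": pid, "root_image": ev["image"], "behaviours": sorted(REQUIRED)})
    return findings

def to_cef(finding):
    """Render a finding as one CEF line for SIEM ingestion (vendor and ids are made up)."""
    esc = lambda s: str(s).replace("\\", "\\\\").replace("=", "\\=")  # CEF extension escaping
    fields = [("spid", finding["root_pid"]), ("sproc", finding["root_image"]), ("cs1", ",".join(finding["behaviours"]))]
    header = "CEF:0|ExampleVendor|NGEPP-demo|1.0|1001|Office-spawned dropper with persistence|8|"
    return header + " ".join(f"{k}={esc(v)}" for k, v in fields)
```

Renaming or repacking the dropped file changes none of the events that the verdict depends on, which is the property the whitepaper attributes to behavior-based detection.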
False Positives
Description: There is always a balance between monitoring for true zero-day attacks and
false positives. An NGEPP solution should have mechanisms in place to minimize false
positives to maintain a high degree of confidence in the solution.
What to look for: Solutions that can baseline an environment and learn automatically
what applications can and cannot run.
Gartner Adaptive Security Architecture [1]
Description: The adaptive security architecture as defined by Gartner includes four
stages (Preventive, Detective, Predictive, and Retrospective) along with the assertion
that continuous monitoring and analytics must serve as the core of the architecture. An
NGEPP solution should align with this architecture and its four stages “to deliver
comprehensive, adaptive protection from attacks.”
What to look for: Compare the NGEPP solution to the Gartner Adaptive Security
Architecture to ensure the capabilities map to the four stages and to identify any gaps.
[Figure: Next generation endpoint security mapped to the Adaptive Security Architecture.
The diagram arranges the capabilities below around the four stages (Predictive,
Preventive, Detective, Retrospective) with monitoring and analytics at the center.]
• Determines the threat’s next action based on attack patterns, malware techniques, and
up-to-the-minute crowdsourced threat intelligence
• Predicts attack patterns, utilizing automated real-time analysis and machine learning
• Leverages the cloud intelligence of over 40 scan engines to proactively block known threats
• Hardens defenses through dynamic whitelisting
• Diverts attackers utilizing anti-debugging and anti-analysis
• Scans for application vulnerabilities, anticipates new threat tactics, and shields
vulnerabilities
• Uses SentinelOne’s Auto Immune to prevent newly detected threats from spreading
• Integrates with firewalls and IPS to send immune data at the network level
• Automatically mitigates threats to minimize impact and reduce administrative overhead
• Real-time forensic data allows you to track threats in real time or investigate post-attack
• Dynamic, graphical forensic reports allow you to identify where attacks originated and
trace malicious actions
• Detects incidents and tags anomalies using EDR’s real-time behavioral detection engine
• Confirms and prioritizes risk by setting an aggressiveness level and defensive action
• Contains threats by automating mitigation actions including: shutdown, network
disconnect, halt system, kill process, and
• Speeds incident response and automates threat removal to accelerate cleanup
• Remediates and adapts protection through Shadow Immune, dynamic blacklisting, hash
and IP filters
[1] “Designing an Adaptive Security Architecture for Protection From Advanced Attacks”,
Neil MacDonald, Peter Firstbrook, 12 February 2014, http://www.gartner.com/document/2665515.
In the era of the cloud, and data access from everywhere, endpoint protection becomes
more relevant than ever and the need to secure users wherever they are has never been
greater. However, without a clear definition of next generation endpoint protection, confusion
about which offerings in the market can effectively secure endpoints will continue.
To truly protect enterprise endpoints against continuously evolving sophisticated, advanced
threats an effective next generation endpoint protection must be installed on the endpoint itself,
support multiple platforms, and include the following critical pillars: preemptive protection,
dynamic exploit protection, dynamic malware protection, mitigation, remediation, and forensics.
About SentinelOne
SentinelOne is a startup formed by an elite team of cyber security engineers and defense
experts who joined forces to reinvent endpoint protection. With decades of collective
experience, SentinelOne founders honed their expertise while working for Intel, McAfee,
Checkpoint, IBM, and elite units in the Israel Defense Forces. They came together in
2013 to build a new security architecture that could defeat today’s advanced threats and
nation state malware.
SentinelOne was the first company to coin the term “next generation endpoint
protection” and use it to describe its product offering and vision.
