Next-generation endpoint protection isn't as easy as it sounds

Endpoint protection technology is making strides and may soon be touted as anti-virus


Rather than looking for signatures of known malware as traditional anti-virus software does, next-generation endpoint protection platforms analyze processes, changes and connections in order to spot activity that indicates foul play. While that approach is better at catching zero-day exploits, issues remain.

For instance, intelligence about what devices are doing can be gathered with or without client software. So businesses are faced with the choice of either going without a client and gathering less detailed threat information, or collecting a wealth of detail but facing the deployment, management and updating issues that come with installing agents.


Then there is the choice of how to sort out evidence that an intrusion is unfolding without being swamped by the flood of data collected. Once an attack is discovered, businesses must figure out how to shut it down as quickly as possible.

Vendors trying to address these issues include those with broad product lines, such as Cisco and EMC; established security vendors such as Bit9 + Carbon Black, FireEye, ForeScout, Guidance Software and Trend Micro; and newer companies focused on endpoint security, such as Cylance, LightCyber, Outlier Security and Tanium. This is just a minute sampling; the field is crowded, and competitors have come up with different ways to handle these problems.

The value of endpoint protection platforms lies in their ability to identify specific attacks and in the speed with which they respond once an attack is detected. They do this by gathering information about communications between endpoints and other devices on the network, as well as changes to the endpoints themselves that may indicate compromise. This database of endpoint telemetry becomes a forensic tool for investigating attacks, mapping how they unfolded, discovering which devices need remediation, and perhaps predicting what threats may emerge in the future.

Agent or not?

The main objection to agents in general is that they are one more piece of software to deploy, manage and update. In the case of next-generation endpoint protection they can deliver a wealth of data about endpoints that otherwise could not be retrieved, but that can also be a drawback.

Endpoint agents gather so much information that it may be difficult to sort out the attacks from the background noise, so it’s important that the agents are backed by an analysis engine that can handle the volume of data being thrown at it, says Gartner analyst Lawrence Pingree. The amount of data generated varies depending on the agent and the type of endpoint.


Without agents, endpoint protection platforms can still gather valuable data about what machines are doing by accessing switch and router data and by monitoring Windows network services and Windows Management Instrumentation. This information includes who is logged in to the machine, what the user is doing, patch level, whether other security agents are running, whether USB devices are connected, which processes are running, and so on.

Analysis can reveal whether devices are creating connections outside what they would be expected to make, a possible sign of lateral movement by attackers trying to victimize other machines and escalate privileges.
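One way to apply the peer-baseline idea just described, as an added example that is not from the article or any vendor's product: constructed connection telemetry is checked against an assumed host-role baseline, and hosts that reach several unexpected peers over remote-admin ports are surfaced for an analyst. The host names, roles, ports and telemetry records are all assumptions constructed for illustration.

```python
"""Flag endpoint-to-endpoint connections that fall outside an expected baseline.

Added example (not from the article or any vendor's product). The telemetry,
role map and "expected peers" baseline are all constructed for illustration.
"""
from collections import defaultdict

# Constructed telemetry: (source host, destination host, destination port, process)
TELEMETRY = [
    ("ws-101", "fileserver", 445, "explorer.exe"),
    ("ws-101", "dc-01", 389, "lsass.exe"),
    ("ws-101", "ws-102", 445, "cmd.exe"),          # workstation -> workstation over SMB
    ("ws-101", "ws-103", 3389, "mstsc.exe"),       # workstation -> workstation over RDP
    ("ws-102", "proxy", 8080, "chrome.exe"),
    ("ws-103", "ws-104", 5985, "powershell.exe"),  # WinRM to a peer workstation
]

# Constructed asset inventory: which role each host plays.
ROLES = {"ws-101": "workstation", "ws-102": "workstation", "ws-103": "workstation",
         "ws-104": "workstation", "fileserver": "server", "dc-01": "server",
         "proxy": "server"}

# Baseline: destination roles a source role is expected to talk to.
EXPECTED_PEERS = {"workstation": {"server"}, "server": {"server", "workstation"}}

# Remote-admin and file-sharing ports commonly seen in lateral movement.
ADMIN_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm", 135: "rpc"}


def find_unexpected(telemetry, roles=ROLES, expected=EXPECTED_PEERS):
    """Return connections whose destination role is outside the source role's baseline."""
    flagged = []
    for src, dst, port, proc in telemetry:
        src_role, dst_role = roles.get(src, "unknown"), roles.get(dst, "unknown")
        if dst_role not in expected.get(src_role, set()):
            flagged.append({"src": src, "dst": dst, "port": port, "process": proc,
                            "service": ADMIN_PORTS.get(port, "other")})
    return flagged


def lateral_movement_sources(flagged, min_peers=2):
    """Hosts that reached at least `min_peers` unexpected peers over admin ports."""
    peers = defaultdict(set)
    for f in flagged:
        if f["service"] != "other":
            peers[f["src"]].add(f["dst"])
    return {src: sorted(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    hits = find_unexpected(TELEMETRY)
    for h in hits:
        print(f"unexpected {h['service']}: {h['src']} -> {h['dst']}:{h['port']} ({h['process']})")
    print("possible lateral movement:", lateral_movement_sources(hits))
```

The role map stands in for the asset inventory an EPP would build from switch, router and WMI data; in practice the baseline is learned from observed traffic rather than hand-written.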

An agent can mean one more management console, which means more complexity and potentially more cost, says Randy Abrams, a research director at NSS Labs who researches next-gen EPP platforms. “At some point that’s going to be a difference in head count,” he says, with more staff being required to handle all the consoles, and that translates into more cost.


Rob Ayoub, also a research director at NSS Labs, says there is also the issue of compatibility. “How do you guarantee that any two agents – McAfee and Bromium or Cylance – work together, and who do you call if they don’t?”

Security of the management and administration of these platforms should be reviewed as well, Pingree says, to minimize the insider threat to the platforms themselves. Businesses should look for EPP with tools that allow different levels of access for IT staff performing different roles. It would be useful, for example, to authorize limited access for admins while incident-response engineers get greater access, he says.

Analysis engines

Analysis is essential, but it is also so complex that it can be a standalone service, such as the one offered by Red Canary. Rather than collecting endpoint data with its own agent, it uses sensors provided by Bit9 + Carbon Black. Red Canary supplements the collected data with threat intelligence from various other commercial security firms, analyzes all of it, and generates alerts about intrusions it finds on customers’ networks.

The analysis engine flags potential trouble, but human analysts check out flagged events to verify they are real threats. This helps corporate security analysts by cutting down on the number of alerts they have to respond to.

Startup Barkly says it’s working on an endpoint agent that locally analyzes what each endpoint is up to and automatically blocks malicious activity. It also notifies admins about actions it takes.

These engines need to be tied into larger threat intelligence sources that profile how attacks unfold, revealing activity that leads to breaches without using code that could be flagged as malware, Abrams says.

Most of what is known about endpoint detection and response tools is what the people who make them say they can do. So if possible businesses should run trials to determine first-hand features and effectiveness before buying. “The downside of emerging technologies is there’s very little on the testing side,” Pingree says.

Remediation

The large amount of data endpoint detection tools collect can be used tactically to stop attacks and also supports forensic investigation of how an intrusion developed to the point of becoming an attack. This can help determine which devices need to be fixed, and some vendors are seeking to automate that process.

For example, Triumfant offers Resolution Manager, which can restore endpoints to known good states after detecting malicious activity. Other vendors offer remediation features or say they are working on them, and the trend is toward using the same platforms to fix the problems they find.

The problem businesses face is that endpoints remain vulnerable despite the efforts of traditional endpoint security, which has evolved into security suites – anti-virus, anti-malware, intrusion detection, intrusion prevention, etc. Progressively working on the problem in this way leads to another problem.

“They have actually just added more products to the endpoint portfolio, thus taking us full circle back to bloated end points,” says Larry Whiteside, the CSO for the Lower Colorado River Authority. “Luckily, memory and disk speed (SSD) have kept that bulk from crippling endpoint performance.”

As a result he is looking at next-generation endpoint protection from SentinelOne. Security based on what endpoints are doing as opposed to seeking signatures of known malicious behavior is an improvement over traditional endpoint protection, he says. “Not saying signatures are totally bad, but that being a primary or only decision point is horrible. Therefore, adding behavior based detection capabilities adds value.”

So much value that he is more concerned about that than he is about whether there is a hard return on investment. “The reality is that I am more concerned about detection than I am ROI, so I may not even perform that analysis. I can say that getting into a next-gen at the right stage can be beneficial to an organization,” he says.

Anti-virus replacement?

So far vendors of next-generation endpoint protection have steered clear of claiming their products can replace anti-virus software, despite impressive test results. But that could be changing. Within a year, regulatory hurdles that these vendors face may disappear, says George Kurtz, CEO of CrowdStrike.

Within a year rules that require use of anti-virus in order to pass compliance tests will allow next-generation endpoint protection as well, he says. “That’s really our goal,” he says. “From the beginning we thought we could do that.”

He says everyone is focused on malware, but that represents just 40% of attacks. The rest he calls “malware-less intrusions” such as insider theft where attackers with credentials steal information without use of malware.

Until regulations are rewritten, it is important for regulated businesses to meet anti-virus requirements, Abrams says, even though other platforms can provide better protection. “There are some cases where it’s really not about protection, because the ability to protect yourself from legal liability matters more.”

Meanwhile, the overlap between anti-virus and next-gen endpoint protection means larger enterprises are likely customers for now, as opposed to smaller businesses with fewer resources, he says. But even for smaller businesses the cost may be worth it.

“What do they have to lose and how much does it cost to lose this information vs how much does it cost to protect it?” Abrams says.

Copyright © 2015 Raybet2