New endpoint security tools target zero-day attacks

Differing approaches to endpoint security

Traditional anti-virus doesn’t work well enough to be the sole line of defense against endpoint exploits. And while the traditional AV vendors have learned some new tricks and offer some solid features, most enterprises need more. They want an endpoint product that can prevent zero-day exploits, and they want to be more proactive. We looked at two relatively new products, Carbon Black (now owned by Bit9) and Cylance Protect. Both are designed to secure your endpoints from a different and more complete perspective.

Carbon Black

If you have a mixed bag of endpoints, or if you have endpoints that use embedded OSs, Carbon Black makes sense because it offers a more network-centric view of your endpoints than Cylance Protect. The management console is accessed via a Web browser and has three main interfaces: a summary dashboard, a series of search tools to investigate an infection and a series of response and remediation tools. The dashboard is the least useful of the three and the one where you will spend very little time.

Cylance Protect

If you have a strong desktop management organization and infrastructure, then Protect may be more appealing. Cylance Protect is impressive in how much it can actually stop binary files from executing on your PCs. These two products approach endpoint protection from very different perspectives. Carbon Black focuses on fixing what is wrong, assuming your network will eventually be penetrated. Protect takes the opposite approach: it tries to block the bad stuff from entering in the first place. The accompanying screenshot shows the Cylance Protect dashboard.

Carbon Black client status screen

Carbon Black’s client status screen shows what is happening on a particular endpoint, whether it has any overall issues, and when it last checked in with the central server. Carbon Black has agents that run on Linux and Mac OS endpoints as well as Windows clients.

Agents function in two capacities: first as data collectors, so you can see what happens when malware infects your PCs by “going to the videotape.” Second, as remote control connectors, so you can take over the PC during remediation.

Cylance Protect endpoint status screen

The Cylance Protect endpoint status screen shows each protected endpoint, what is running on it, and when it last communicated with the central console. Cylance treats every binary it comes in contact with as a zero-day, and operates on each file and process with a great deal of gusto. It has agents for Windows and Mac OS, with Android and Linux in the works.

Carbon Black’s Watchlist

At the core of Carbon Black is its Watchlist -- this is where you set up detection policies. You do this by first setting up a series of “watchlist” conditions that specify particular process behaviors that have been found in the past to be threatening. These could include running an executable file from within a browser, accessing a binary from the AppData local directory, child processes spawned from unusual parents such as Notepad, or running something directly from a USB thumb drive. The only awkwardness is that you add Watchlist items from a different screen, the one used to search for binaries or processes.
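To make the Watchlist idea concrete, here is an added example (not Carbon Black’s own code or rule syntax) that evaluates the four conditions above against constructed process-start events; the event fields, the browser and parent lists, and the sample values are assumptions.

```python
# Added example, not Carbon Black's own code: a minimal watchlist evaluator
# that applies the four conditions the review describes to constructed
# process-start events. Field names and sample events are assumptions.
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
UNUSUAL_PARENTS = {"notepad.exe", "calc.exe"}  # parents that should not spawn children

@dataclass
class ProcEvent:
    host: str
    parent: str      # parent process image name
    image: str       # started process image name
    path: str        # full path of the started image
    removable: bool  # True when the path is on removable media (e.g. a USB drive)

def rule_browser_spawn(ev):
    return ev.parent.lower() in BROWSERS and ev.image.lower().endswith(".exe")

def rule_appdata_local(ev):
    return "\\appdata\\local\\" in ev.path.lower()

def rule_unusual_parent(ev):
    return ev.parent.lower() in UNUSUAL_PARENTS

def rule_removable_media(ev):
    return ev.removable

WATCHLIST = {
    "exe launched from browser": rule_browser_spawn,
    "binary in AppData\\Local": rule_appdata_local,
    "child of unusual parent": rule_unusual_parent,
    "run from removable media": rule_removable_media,
}

def evaluate(events):
    """Return (host, image, [matched watchlist names]) for each event that hits a rule."""
    hits = []
    for ev in events:
        matched = [name for name, rule in WATCHLIST.items() if rule(ev)]
        if matched:
            hits.append((ev.host, ev.image, matched))
    return hits

# Constructed sample events: one benign, three that should each trip a rule.
SAMPLE_EVENTS = [
    ProcEvent("pc01", "explorer.exe", "winword.exe", r"c:\program files\office\winword.exe", False),
    ProcEvent("pc01", "chrome.exe", "setup.exe", r"c:\users\alice\appdata\local\temp\setup.exe", False),
    ProcEvent("pc02", "notepad.exe", "cmd.exe", r"c:\windows\system32\cmd.exe", False),
    ProcEvent("pc03", "explorer.exe", "tool.exe", r"e:\tool.exe", True),
]

if __name__ == "__main__":
    for host, image, matched in evaluate(SAMPLE_EVENTS):
        print(host, image, ", ".join(matched))
```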

Protect’s policy settings

Protect policy settings have lots of items to configure if you want that level of specificity. The workflow for Protect is as follows. If malware attempts to invade your PC, it is scanned to see how it behaves and if Protect has seen this before. If it is new code, a sample is sent to Cylance HQ where humans analyze it, assisted by a big repository that Cylance calls Infinity. There it gets classified and if new malware is found, it is so noted so that no one else runs afoul of its mischief. Infinity has a series of APIs that connect to several hundred security feeds to keep track of current malware trends. This is not accessible to users.

Isolation and freeze features

On the top is the Carbon Black isolation dialog box, through which PCs can be isolated from the network while remaining under the control of a security manager.

On the bottom is Protect’s Application Control feature, which lets you freeze the state of a PC at a specific moment in time to prevent any modifications to files or running processes.

Carbon Black’s live command line

Once you have figured out that you have been infected, you have several ways to remediate. With one click, you can prevent a particular hashed process or binary from running on all PCs across your network. More importantly, you can put the PC in lockdown mode and limit its outside network communications. That still lets you interact with the PC via the Carbon Black agent, and here you can go to a remote command line and kill off processes, delete specific files, or dump a file to see its hex contents. That “live control” is the essence of this tool’s secret sauce and a valuable one for IT managers.

Protect’s threat details

One nice feature is that you can lock down the PC, once you are satisfied that it is free of infections, so that you can’t make any changes or add any executable programs that aren’t already there. Cylance calls this “application control” and it is also set as part of the protective policies. This is nice, and is a different perspective from Carbon Black’s procedure that isolates the PC from the overall network. Here we see a screen that shows threat details and how well Cylance performed.