Review: How Nyotron Paranoid puts endpoint security worries to rest

Adding an extra layer of endpoint protection isn't just for the overly cautious.


Being called paranoid is not normally meant as a good thing. The implication is that a person who has extra locks on their front door, checks their back seat before getting into a car and looks around for the exits before settling down to eat at a restaurant is overly concerned about security. The negative connotation is that they are wasting their time, and that nothing bad could ever really happen. But the thing is, a paranoid person only needs to have their supposedly quirky habits pay off once to make a potentially life-saving difference.

The Paranoid endpoint security platform from Nyotron is so named because it is, in fact, designed to be an extra layer of security, specifically to protect endpoints. As such, some may see the platform as an unnecessary addition, suitable only for those who are overly concerned, dare we say paranoid, about security. The platform could probably stop most attacks against endpoints on its own, but does not make that claim. Instead, it is designed to thwart advanced intrusions that get around or through every other network protection. It acts as a last line of defense and was very effective in that role during our testing.

Getting started

Paranoid is installed as two components. The first is the main user interface console, which acts as the brains of the operation. It is used to monitor intrusions on endpoints and can be a hardware-based appliance or served through the cloud as a service. The second component consists of software agents that deploy on endpoints. Each is about 15 megabytes and generates almost no network traffic. In fact, because of the way Paranoid works, it can even be installed on air-gapped systems and still function normally, since each agent has all the intelligence it needs to operate right from deployment, with almost no updates ever needed. Pricing for Paranoid is based on an annual subscription fee that is dependent on the number of endpoints being protected.

The philosophy behind Paranoid is that there is an infinite number of ways that hackers can attack a computer and a network, with new techniques popping up all the time. But if an attacker gains access to a system, there are a limited number of things they can actually do based on what is allowed by the operating system. For example, to hurt a system, they might delete some files, steal data or encrypt information as part of a ransomware scheme. Almost every way they could accomplish any of those tasks is different from how a legitimate user or even a legitimate application would carry out those same functions.

As an example, we performed a simple process of deleting a file from the desktop of a test system. We put the mouse over the file, right-clicked on it, selected delete, confirmed our action and watched it move to the recycle bin. We were finished in just a few steps. However, on the backend, that procedure equals hundreds of thousands of lines of code, system calls and active processes all working behind the scenes as part of the operating system. What Nyotron did for Paranoid was to map all of those legitimate actions for every possible event on a Windows desktop or server. If any non-legitimate process occurs, Paranoid will prevent it from executing and notify IT teams about the intrusion, either through its own dashboard or using any connected third-party Security Information and Event Management (SIEM) platform.

In addition to sharing information with any SIEM, Paranoid has its own detailed dashboard that collects information about any attacks that evaded other protections before getting halted by the endpoint security platform.

Because Paranoid is only concerned about illegitimate processes happening on endpoints, it can work with any other cybersecurity defenses. If a firewall blocks an attacker, or a deception point tricks them into straying off course, or an intrusion detection system sees anomalous traffic and halts it, so much the better. Paranoid only cares about processes that fly through all of that and try to harm a protected endpoint. If Paranoid detects illegal activity, it probably means that a hacker has skirted around every other defense and is trying to interact directly with a protected endpoint. Paranoid, however, is ready to pull the rug out from under them at the last second, because there is not a lot an attacker can do that would be identical to the same thing being conducted by a legitimate user or program on that system.

This also makes the Paranoid platform just about complete as soon as it’s installed. There is no wait time or learning period. Paranoid works right away. That is because while new attack techniques are developed every day, new legitimate processes and features available through the Windows operating system (currently the only OS that Paranoid works with) are rare. Nyotron updates Paranoid and all its agents about twice a year on average, if needed.

Testing Paranoid

In terms of user interface, Paranoid has all legitimate processes already mapped out and ready to go. But users can also create their own rules or exempt specific processes should their environment require it. Really, there is very little reason to want to do that, so most of the time spent with Paranoid will be looking at attacks that the platform stopped.

Paranoid offers to show and tell a detailed story about how attacks move within a protected endpoint. However, this mostly only works when the platform is set to discovery-only mode, because Paranoid would stop an attack at the initial stages otherwise. When Paranoid is fully active, the attack stories are very short, almost like looking at the cover of a book. However, all of those short stories do have happy endings – attacks were halted by Paranoid’s last line of defense.

We tested this with an attack that has the ability to get around a commercial antivirus (AV) program, which was loaded up and fully updated on a test system. With Paranoid in watch mode, meaning that it was restricted from taking any actions beyond recording things it observed, the attack went right through the AV and installed ransomware on the victim’s machine. Paranoid saw the attack and even mapped out the illegal processes used to encrypt files and demand a ransom. It was neat to see the attack mapped out, especially when the antivirus program didn’t know anything was wrong, even after the files were encrypted. But you would probably never run Paranoid in watch mode in real life. It was only done for testing purposes.

Resetting the virtual victim system, the attack was run again with Paranoid fully active. This time, Paranoid halted it from doing any damage at all. Even though it breezed through antivirus, the second the attack program stepped out of line compared to what would be considered legitimate use of OS functions, it was blocked. No files on the victim machine were harmed or stolen.
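The difference between the two test runs can be shown with a conceptual sketch. This is an added example, not Nyotron's code or anything taken from the product: the step names, the mapped paths and the monitor function are all constructed assumptions that model "legitimate use of OS functions" as a small set of allowed step sequences.

```python
# Conceptual sketch: step names and legitimate paths are constructed for
# illustration and do not come from the product.
LEGIT_PATHS = {
    ("user_input", "shell_context_menu", "confirm_dialog", "move_to_recycle_bin"),
    ("user_input", "app_save_dialog", "write_file"),
}
# Every prefix of a legitimate path is a legitimate partial state.
LEGIT_PREFIXES = {p[:i] for p in LEGIT_PATHS for i in range(1, len(p) + 1)}


def monitor(events, mode="active"):
    """Walk one chain of OS-level steps and compare it with the mapped paths.

    mode="active": the first step that leaves every mapped path is blocked
                   and the chain ends there.
    mode="watch":  nothing is blocked; the deviation and all later steps
                   are recorded so the whole attack story is visible.
    """
    if mode not in ("active", "watch"):
        raise ValueError("mode must be 'active' or 'watch'")
    story, seen, deviation = [], (), None
    for index, step in enumerate(events):
        seen += (step,)
        if deviation is None and seen not in LEGIT_PREFIXES:
            deviation = index
        if deviation is None:
            story.append((step, "ok"))
        elif mode == "active":
            story.append((step, "blocked"))
            return {"story": story, "deviation": deviation, "blocked": True}
        else:
            story.append((step, "flagged"))
    return {"story": story, "deviation": deviation, "blocked": False}


# Constructed sample chains.
LEGIT_DELETE = ["user_input", "shell_context_menu", "confirm_dialog",
                "move_to_recycle_bin"]
RANSOMWARE_LIKE = ["user_input", "enumerate_user_files",
                   "overwrite_file_contents", "write_ransom_note"]

if __name__ == "__main__":
    for mode in ("watch", "active"):
        result = monitor(RANSOMWARE_LIKE, mode)
        print(mode, "blocked:", result["blocked"], "story:", result["story"])
    print("legit:", monitor(LEGIT_DELETE))
```

In watch mode the recorded story covers every step of the constructed chain, while in active mode it ends at the first blocked step, which is why the review describes the active-mode stories as very short.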

All events that make it to the Paranoid platform are recorded in the dashboard war room. Within the war room, which is designed to also work with a touch screen, users can see where attacks are coming from and where they are trying to go.

Back in the Paranoid war room, what Nyotron calls its command center, the globe-looking icon representing the network recorded the attack attempt, including details about who initiated it and what it was trying to accomplish. There is also a much more normal, less flashy dashboard view, and it can also share its findings with a SIEM. Administrators who use Paranoid should probably pay attention to any alerts coming from it, since having attacks stopped by Paranoid means they were literally halted at the last possible instant, after a hacker got through every other defense. The first time that happens, the negative connotation to the Paranoid name will probably be forgotten.

The truth is that in today’s world, you really need to be highly concerned, or even paranoid, all the time about cybersecurity. The Paranoid platform can provide a solid last line of defense, and let network admins sleep a little bit easier.

Copyright © 2019 IDG Communications, Inc.
