Review: The new face of endpoint security

We know by now that traditional anti-virus doesn’t work, or at least doesn’t work well enough to be the sole line of defense against endpoint exploits. And while the traditional endpoint protection vendors have learned some new tricks and offer some solid features, most enterprises need more.

They want an endpoint product that can prevent zero-day infections from happening and they want to be more proactive.

We looked at two relatively new products, Carbon Black (now owned by Bit9) and Cylance Protect. Both are designed to approach securing your endpoints from a different and more complete perspective. We asked other vendors to participate, including CrowdStrike, Promisec, Forescout and Tanium. They either declined or ignored our inquiries.

Most traditional endpoint products with an antivirus heritage are what we would call gatherers: they gather up malware that they can identify, based on some known patterns. That worked well in the era when writing malware was a black art that had specialized skills and tools: now exploit kits have made it so easy to produce custom malware that the average teen can do it with a Web browser and little programming knowledge.

+ ALSO ON NETWORK WORLD +

To be effective, a modern endpoint security tool needs to be both a gatherer and a hunter: being able to find a needle in the proverbial haystack, when you don’t even know what the needle looks like. That’s where this new breed of tools comes into play. They are noteworthy because they should be able to do the following things:

• Track down malware based on a series of behavioral events and protection rules that may span several activities, such as making changes to the Windows registry, dropping a command line from within a browser session or by opening a PDF document, or connecting to a series of IP addresses within a short time span. All of these activities aren’t what “normal” apps do. But the hard part is finding them when you know you have been hacked but don’t know where or how. Both programs can do this, but they operate differently.
• Record what happens across your network so you can go to the playback and see when some exploit entered your network and what damage it did. As so many exploits are network-based, it can be difficult to track down what happened and how to prevent it. This is Carbon Black’s specialty; Protect doesn’t yet offer this.
• Isolate an infected computer or stop a particular errant process on a specific PC or collection of PCs based on this information — and to do so remotely in a timely fashion. Both programs do this, albeit in different ways.
• Incorporate a series of security event feeds from known researchers so you can leverage what has already been seen in the wild. Both programs do this, although Carbon Black allows for more customization than Protect.
• Work both online and offline. Both products can operate when not connected to the Internet for extended periods of time.

Overall recommendation

These two products approach endpoint protection from very different perspectives, although both can be effective. Carbon Black focuses on fixing what is wrong, assuming your network will eventually be penetrated. Protect has the opposite approach: they try to block the bad stuff from entering in the first place.

If you have a strong desktop management organization and infrastructure, then Protect is probably more appealing. Cylance Protect is impressive in how much it can actually stop binary files from executing on your PCs.

If you have a mixed bag of endpoints, or if you have endpoints that use embedded OSs, then Carbon Black makes more sense because it offers a more network-centric view of your endpoints.

Let’s get into the meat of what they both offer.

Bit9’s Carbon Black

We tested a Carbon Black v5.1.0 server running on a CentOS VM (it also can run on Red Hat) against Windows 7, 10 and 2012 Server endpoints. It also has agents for Linux and Mac OS endpoints. Once you load the agent, there is nothing to see on the client end – everything happens on the server. The agent is fairly lightweight, occupying about 4MB and using less than 1% of CPU load. Older versions of the agents work with any server versions, and they all self-update too.

Agents function in two capacities: first as data collectors, so you can see what happens when malware infects your PCs by “going to the videotape.” Second, as remote control connectors, so you can take over the PC during remediation. Our tests included loading different pieces of malware on our test network and seeing how long it took Carbon Black to recognize them (most within a few seconds), and what we had to do to find and rid our network from this pestilence.

Each agent can be set to search binary hashes using VirusTotal or to scan the full file, along with other settings that can make the agent tamper-resistant. The agent can collect a variety of events, including process and registry modifications, network connections and cross-process events, each of which can be selected or omitted per PC or groups of PCs.

The management console is accessed via a Web browser and has three main interfaces: a summary dashboard, a series of search tools to investigate an infection and a series of response and remediation tools. The dashboard is the least useful of the three and the one where you will spend very little time.

The goal of Carbon Black is to locate your Patient Zero across your network, when you first find something that doesn’t fit your existing virus scans or malware profiles. You do this by first setting up a series of “watchlist” conditions that specify particular processes that have been found in the past to be threatening. These could include running an executable file from within a browser, accessing a binary from the AppData local directory, child processes spawned from unusual locations such as Notepad, or running something directly from a USB thumb drive.

The only issue is that you add watchlist items on another screen, when you are searching for binaries or processes.

It seems counterintuitive that you find the unknown stuff by looking for these known bad actors, but that is actually how the modern-day malware hunter works. There aren’t all that many new ways to compromise a PC (even one running Windows), and by having this watchlist you can start seeing oddball events and determine if they are malicious or just some sloppy programming artifacts. We found both, even on our small lab network.

Bit9 has compiled a preset list of dozens of these watchlists that can be cut and pasted into the management console. When the software detects a violation it will send an alert for you to triage. That is summarized on another screen, where you can see the status of threats and a brief description of where the offending condition is located on the particular PC. You can drill down and find out more information, such as whether or not the code has been signed by anyone and if it resides on more than one PC across your network. You can also see a flowchart diagram of what processes are happening inside the malware code and the chain of events that it kicks off. That flowchart is useful and noteworthy.

Once you have figured out you have been infected, you have several ways to remediate. With one click, you can prevent a particular hashed process or a binary from running on all PCs across your network. Of course, that doesn’t do much since hashes change constantly, but it is a start. More importantly, you can put the PC on lockdown mode and limit its outside network communications. That still lets you interact with the PC via the Carbon Black agent, and here you can go to a remote command line on the endpoint and kill off processes or delete specific files or dump a file to see its hex code contents. That “live control” is the essence of this tool’s secret sauce and a valuable one for IT managers who need to control their devices.

Some of the watchlists tie into a series of automated threat feeds from seven vendors, including AlienVault, BrightPoint and ThreatConnect. You can incorporate other security feeds by just entering its URL on the main administrative console. When you get a hit on one of the feeds, you get an email notification or have it log an entry.

While Windows 10 is not officially supported, we found it worked well with Carbon Black. In fact, we immediately found a warning that the built-in Calculator desktop app was unsigned: apparently, Microsoft was too busy finishing its latest OS to sign all of its desktop apps.

Carbon Black found exploits quickly and once we understood its workflow, it was easy to eliminate them from our network. The reporting tools are very illuminating and useful for both incident response teams and security managers. Its search features are powerful and you can quickly focus on problems, even across busy networks.

The Carbon Black server comes in several versions: on-premise, in the cloud as a SaaS-based offering, and also as a managed service product resold by Red Canary and Dell’s SecureWorks. The on-premises version of Carbon Black has a list price of $30 per year per each monitored endpoint, and the SaaS version starts at $40 per year per endpoint. Volume discounts can reduce this price.

Cylance Protect

Cylance (pronounced like silence) sells Protect as its next-gen anti-malware offering and it is very impressive at catching zero day exploits. This is because it treats every binary that it comes into contact with as a zero-day, and operates on each file and process with a great deal of gusto. Cylance currently has an installation with 20,000 endpoints and can handle even larger networks, since their software is built on top of code that is running on AWS’ Elastic beanstalk.

It has agents for Windows (starting with XP running SP3 and Server 2003) and Mac OS. In the works are an Android and eventually a Linux agent. You download the agent and to get it installed if you have an older Windows version you’ll need .Net Framework v3.5 SP1. It currently doesn’t support Windows 10 although that should be available by the time this is published, so we tested it on XP and Windows 7 PCs. The agent can be password protected so it can’t be removed or disabled.

The workflow for Protect is as follows. If malware attempts to invade your PC, it is scanned to see how it behaves and if Protect has seen this before, even if the hash or file name is brand new. Like Carbon Black, the tool is looking at how the malware operates on the PC: if it is trying to run child processes or elevate its privileges. If it is some new code, a sample is sent to Cylance HQ where humans analyze it, assisted by a big repository that Cylance calls Infinity. There it gets classified and if new malware is found, it is so noted so that no one else runs afoul of its mischief. Infinity has a series of APIs that connect to several hundred security feeds to keep track of current malware trends. This is not accessible to users, unlike the way Carbon Black treats its feeds.

Protect will stop malware before it actually executes, so it is somewhat different from Carbon Black. It depends directly on the endpoint agents, so if you have endpoints that it can’t support, such as older OS versions or those running embedded OSs, you will have issues and they could be infected. The problem with very old PCs is that they haven’t been updated in several years, and Protect doesn’t like that. While that is probably not the situation in most companies, if you have been negligent about applying your Windows updates, this isn’t the product for you.

Once you get your endpoint agents installed, you next use the Web-based management console to configure them and set up your protection policies. Like Carbon Black there are a number of security procedures you can enforce on each endpoint, including memory protection, threats running as a background process, and new file creation from a process.

Protect has three discreet user roles: overall site administrator, a zone admin and a user. That isn’t granular enough and needs to be more flexible.

One nice feature is that you can lock down the PC, once you are satisfied that it is free of infections, so that you can’t make any changes or add any executable programs that aren’t already there. Cylance calls this “application control” and it is also set as part of the protective policies. This is nice, and is a different perspective from Carbon Black’s procedure that isolates the PC from the overall network.

Protect also can’t control the network stack as Carbon Black and other tools can. They are working on adding this next year. There is also no way to control false negatives, or have the ability to view scriptable conditions.

Like Carbon Black, its main dashboard is inadequate and will be quickly overwhelmed with a large network or with lots of activity. There aren’t many analysis reports beyond log files and some summaries of what each malware was designed to do that are listed in text form and somewhat hard to parse.

Cylance starts at $55 per year per endpoint, with quantity discounts available.

How we tested

We brought up both products on a network running both physical and virtual Windows machines of various vintages stretching from XP to Windows 10. We threw a variety of malware at these endpoints using exploits downloaded from VirusTotal.com and watched how both products responded and how they either prevented an attack or were able to quickly remediate the machines and return them to a clean state. With either product, we connected our endpoints to their cloud-based management servers that were accessed by Web browsers.

Strom is the founding editor-in-chief of Network Computing magazine and has written thousands of magazine articles and two books on various IT and networking topics. His blog can be found at strominator.com and you can follow him on Twitter @dstrom. He lives in St. Louis.