CDM-CYBER-DEFENSE-eMAGAZINE-March-2019
For effective detection, most EDR solutions provide threat hunting tools to scan all the endpoint data coming from millions of endpoints to see the spread of the infection or malicious intruder activity. They allow the administrator to then remediate the infected endpoint by providing tools such as a remote shell where the administrator can log in to the infected endpoint and remove the malicious files.
However, EDR solutions also have certain limitations. Customers and solutions can get overwhelmed with the amount of data that needs to be recorded and analyzed to see malicious behavior. Remediation becomes increasingly hard. The volume of data will only increase as a company keeps adding headcount, with more employees who generate more data. This is the reason why EDR solutions often package managed security services along with their product, as regular customers are not able to handle the complexity of managing a Security Operations Center and personnel who can analyze this data.
Whitelisting, Blacklisting and Process Controls
A doctor rarely tells you to eat everything and then runs a series of tests to tell you what is wrong and prescribes medicines to control your ailment. Rather, he or she asks you to avoid certain types of food which could make you sick. It is no different with security. Rather than allow the user to run every possible application and every possible sequence of commands and then check in the cloud whether a sequence was malicious or not, an alternate approach would be to simply stop the user from performing certain sequences of actions or running certain applications.
Whitelisting and blacklisting techniques are extremely effective on fixed-function devices and in environments with limited change to the endpoints. Here, it is much easier to simply analyze all the running processes, create a set of process controls and then lock the device down. With this approach, rather than scan the universe for all possible bad sequences, vendors prefer to lock down systems to known good behavior. Any new process created outside the known list of allowed processes would trigger an alert or be blocked before execution. Likewise, any process which opens a network connection, other than well-known utilities like a browser or a file transfer utility, will trigger an alert or be stopped prior to execution.
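As an added illustration (not code from the article or from ColorTokens), here is a minimal allowlist-based process control of the kind just described, evaluated over constructed endpoint events: a process start outside the known-good list is blocked, and a connection from a listed process that is not a browser or file-transfer utility raises an alert. All paths, addresses and the event format are assumed sample values.

```python
# Added example: allowlist process control over constructed endpoint telemetry.
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Event:
    kind: str         # "process_start" or "net_connect"
    image: str        # executable path as reported by the endpoint sensor
    detail: str = ""  # parent image for process_start, "host:port" for net_connect

def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise so C:\WINDOWS\Explorer.EXE matches
    return path.replace("/", "\\").lower()

# Known-good baseline of a locked-down, fixed-function device (constructed values)
ALLOWED_PROCESSES = {_norm(p) for p in (
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Browser\browser.exe",
    r"C:\Tools\ftp.exe",
)}
# Subset of the baseline expected to open network connections (browser, file transfer)
NETWORK_ALLOWED = {_norm(p) for p in (
    r"C:\Program Files\Browser\browser.exe",
    r"C:\Tools\ftp.exe",
)}

def decide(ev: Event) -> str:
    """Unknown process -> block before execution; listed process that unexpectedly
    opens a connection -> alert; anything else on the allowlist -> allow."""
    image = _norm(ev.image)
    if ev.kind == "process_start":
        return "allow" if image in ALLOWED_PROCESSES else "block"
    if ev.kind == "net_connect":
        return "allow" if image in NETWORK_ALLOWED else "alert"
    return "alert"  # unfamiliar event type: surface it rather than silently drop it

def evaluate(events):
    """Return [(action, event), ...] and a count of actions for the operator's view."""
    decisions = [(decide(ev), ev) for ev in events]
    return decisions, Counter(action for action, _ in decisions)

# Constructed sample telemetry: a normal session plus a dropped binary phoning home
SAMPLE_EVENTS = [
    Event("process_start", r"C:\Windows\explorer.exe"),
    Event("process_start", r"C:\Program Files\Browser\browser.exe", r"C:\Windows\explorer.exe"),
    Event("net_connect", r"C:\PROGRAM FILES\Browser\Browser.exe", "203.0.113.10:443"),
    Event("process_start", r"C:\Users\Public\update.exe", r"C:\Windows\explorer.exe"),
    Event("net_connect", r"C:\Windows\explorer.exe", "198.51.100.7:8080"),
]
```

Running `evaluate(SAMPLE_EVENTS)` blocks the unknown `update.exe` start and alerts on the outbound connection from `explorer.exe`, while the browser's own connection passes.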
Bringing It All Together - ColorTokens Approach to Security
At ColorTokens we want to bring the power back to the endpoint and make it smarter. The endpoint is the start of any communication and therefore the best place to enforce security. We start by sitting at the endpoint, understanding the user who is at the endpoint, understanding his or her access permissions, understanding what applications he or she uses, and of course all the files he or she downloads as payload using these applications. The rest of endpoint security is all about that last part, where we focus on analyzing the files the user downloads onto the endpoint and examining the malicious behavior of the payload.
ColorTokens RADAR360 performs the analysis of the files using traditional Endpoint Protection Controls. We record events to ensure that no malicious sequence is skipped. However, we