Chuck Leaver – Carbanak Case Study Part Two Continuous Endpoint Monitoring Is Very Effective

Presented By Charles Leaver And Written By Dr Al Hartmann


Part 2 in a 3 part series


Continuous Endpoint Monitoring Is Very Effective

Capturing and blocking harmful software before it is able to compromise an endpoint is great. But this method is mostly ineffective against cyber attacks that have been pre-tested to evade exactly this kind of approach to security. The real issue is that these evasive attacks are conducted by experienced human hackers, while traditional endpoint defense is an automated process run by endpoint security systems that rely mainly on standard antivirus technology. Human intelligence is more imaginative and versatile than machine intelligence and will always be superior to automated defenses. This is the Turing test in another guise: automated defenses attempting to match the intellectual level of an experienced human hacker. At present, artificial intelligence and machine learning are not sophisticated enough to fully automate cyber defense, so the human hacker is going to win while those infiltrated are left counting their losses. We are not living in a sci-fi world where machines can out-think people, so you should not assume that a security software suite will automatically take care of all of your problems and prevent every attack and data loss.

The only real way to stop a determined human hacker is with an equally determined human cyber defender. In order for your IT Security Operations Center (SOC) personnel to do this, they need complete visibility into network and endpoint operations. This type of visibility will not be attained with traditional endpoint antivirus solutions; they are designed to remain silent except when capturing and quarantining malware. This standard technique renders the endpoints opaque to security staff, and hackers exploit this endpoint opacity to conceal their attacks. The opacity extends backwards and forwards in time: your security staff have no idea what was running across your endpoint population in the past, what is running at this moment, or what can be expected in the future. If thorough security staff discover clues that require a forensic look-back to uncover hacker activity, your antivirus suite will be unable to help. It did not act at the time, so no events were recorded.

In contrast, continuous endpoint monitoring is always working: offering real-time visibility into endpoint operations, supplying forensic look-backs so that newly emerging evidence of an attack can be acted on and earlier indicators spotted, and establishing a baseline of typical patterns of operation so that it knows exactly what to expect and can alert on any abnormalities in the future. Beyond raw visibility, continuous endpoint monitoring supplies informed visibility, applying behavioral analytics to detect operations that appear irregular. Irregularities are continuously evaluated and aggregated by the analytics and reported to SOC personnel through the company's security information and event management (SIEM) system, flagging the most worrying suspicious abnormalities for security staff attention and action. Continuous endpoint monitoring enhances and scales human intelligence; it does not replace it. It is a bit like the old Sesame Street game "One of these things is not like the other."

A kid can play this game. It is simple because most items (high prevalence) resemble each other, while one or a small number (low prevalence) differ and stand out. The way cyber criminals' actions stand out from normal activity in this manner has been quite consistent across decades of hacking. The Carbanak technical reports that noted the indicators of compromise are good examples of this and will be covered below. When continuous endpoint monitoring security analytics are in place and surface these patterns, it is straightforward to recognize something suspicious or uncommon. Cyber security staff can carry out fast triage on these unusual patterns and rapidly reach a yes/no/maybe decision that separates unusual but known-good activities from malicious activities, or from activities that require extra tracking and deeper forensic investigation to confirm.
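As an added illustration (not code from the original post or its author) of the prevalence principle just described, this Python sketch runs a simple prevalence analytic over a constructed endpoint inventory and pre-labels the rare items for SOC triage; the host names, executable names, content identifiers and the KNOWN_GOOD allowlist are all constructed assumptions, not real indicators.

```python
# Prevalence analytics over a constructed endpoint inventory (sample data, not real IoCs).
# Each record is (hostname, executable name, content identifier), as a continuous
# endpoint monitoring agent might report it.
from collections import defaultdict

# Constructed sample: 6 hosts; most run the same set of executables.
INVENTORY = [
    ("ws01", "explorer.exe", "content-A"),
    ("ws01", "outlook.exe", "content-B"),
    ("ws02", "explorer.exe", "content-A"),
    ("ws02", "outlook.exe", "content-B"),
    ("ws03", "explorer.exe", "content-A"),
    ("ws03", "outlook.exe", "content-B"),
    ("ws03", "svchost.exe", "content-X"),   # familiar name, unique content: stands out
    ("ws04", "explorer.exe", "content-A"),
    ("ws04", "outlook.exe", "content-B"),
    ("ws04", "psexec.exe", "content-C"),    # low prevalence, but an admin workstation
    ("ws05", "explorer.exe", "content-A"),
    ("ws05", "outlook.exe", "content-B"),
    ("ws06", "explorer.exe", "content-A"),
    ("ws06", "outlook.exe", "content-B"),
]

# Hypothetical triage allowlist: rare items SOC staff have already judged benign on given hosts.
KNOWN_GOOD = {("psexec.exe", "content-C"): {"ws04"}}


def prevalence(inventory):
    """Return ({(name, content): set_of_hosts}, total_host_count)."""
    seen = defaultdict(set)
    hosts = set()
    for host, name, content in inventory:
        seen[(name, content)].add(host)
        hosts.add(host)
    return seen, len(hosts)


def triage(inventory, max_fraction=0.25, known_good=KNOWN_GOOD):
    """Flag items present on at most max_fraction of hosts, rarest first, and
    label each 'known_good' (allowlisted on those hosts) or 'investigate'."""
    seen, total = prevalence(inventory)
    findings = []
    for key, hosts in seen.items():
        frac = len(hosts) / total
        if frac > max_fraction:
            continue  # high prevalence: looks like everything else
        status = "known_good" if hosts <= known_good.get(key, set()) else "investigate"
        findings.append({"name": key[0], "content": key[1], "hosts": sorted(hosts),
                         "prevalence": round(frac, 2), "status": status})
    return sorted(findings, key=lambda f: (f["prevalence"], f["status"]))
```

In the sample, the unique svchost.exe content on ws03 is queued for investigation while the allowlisted psexec.exe on ws04 is reported as known-good, which is the yes/no/maybe split the analyst performs.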

A hacker cannot pre-test an attack against this kind of defense. Continuous endpoint monitoring security has a non-deterministic threat analytics component (which reports suspect activity) as well as a non-deterministic human component (which carries out alert triage). Depending on the current activity, the endpoint population mix and the experience of the cyber security staff, developing attack activity may or may not be discovered. This is the nature of cyber warfare, and there are no guarantees. But if your cyber defenders are equipped with continuous endpoint monitoring analytics and visibility, they will have an unfair advantage.

