Defending the Endpoint with AI

Traditional endpoint security isn't working, says Darktrace


Sponsored feature: Remember the good old days, when the only devices a company had to worry about were the PCs on its own network? Today, security teams must yearn for those times as they struggle to protect endpoint devices everywhere.

Now, one vendor is pushing for a new approach to protecting the endpoint: an AI-based mechanism modelled on the human immune system. Darktrace is extending the approach it already takes at the core of the network to an endpoint agent that uses machine learning to protect PCs.

"The way we operate our businesses has changed so drastically over the last few years," says Justin Fier, the company's Director of Cyber Intelligence & Analytics. "Our endpoints look very different. They're sitting in our houses, as opposed to in the brick and mortar buildings."

It's one thing to secure a PC on a network that you control. It's another thing when the PC is sitting in your employee's home, on the same LAN as their teenager's malware-infested gaming rig, an internet-connected kettle, and a smart TV with software last updated years ago.

Traditional endpoint security isn't working

Organizations grappling with these pandemic-borne challenges have been slow to adapt their endpoint security, Fier warns. They cling to traditional endpoint detection and response (EDR) tools, which vendors have tailored to serve endpoints that venture outside the company LAN.

The problem is that many EDR tools cling to yesterday's approaches, which rely heavily on threat intelligence and rules-based responses. This leaves them looking at where attackers have been rather than where they're going.

Online criminals are becoming more adept at evading these rules-based systems. They switch out their domains more quickly than they used to, test their malware against anti-virus products' signature and rule engines before releasing it, and spread their activity thinly across many domains and IP addresses (so-called snowshoe attacks) so that no single one accumulates enough bad reputation to land on a blacklist. This makes it harder to maintain a comprehensive, up-to-date threat intelligence database.

The effectiveness of these old approaches is questionable. Researchers who tested the 18 most popular EDR and endpoint protection products found that only two had full coverage for all attack vectors.

Throwing away the rule book

Rather than spotting known indicators of compromise and using them to trigger mitigation rules, Darktrace approaches the problem from the opposite side, working out what's normal and spotting any traffic that deviates from known healthy patterns.

To do this, the company's AI-powered Enterprise Immune System collates and processes network traffic patterns and behaviors. It uses machine learning techniques to create a statistical model representing a picture of normal activity. It then monitors the network core in real time to spot any deviations from that expected behavior.

An anomaly could be a user accessing a server that no one has ever seen before and trying to upload files to it, or a local machine beaconing to numerous rare external destinations it wouldn't normally talk to. Or perhaps the product might detect an email to an employee from a domain that rarely if ever sends mail to the company.

When it finds suspicious activity, its Antigena product can alert administrators and can also go further in an optional active mode by taking its own measures to instantly mitigate the behavior. Its self-learning mechanism can adopt a proportional response based on how serious it thinks the behavior is, ranging from quarantining an email through to cutting an endpoint off from the entire network.

Taking care of remote endpoints

That's all well and good for endpoints that are on the corporate network, or at least connected to it by a VPN. But what about endpoints that aren't, or that temporarily disconnect from the VPN?

Let's say an employee takes a device home to access the company network, which is far more likely to happen in a post-pandemic world. Then they forget to connect the computer to the VPN. Worse, perhaps they deliberately pull the plug to hide some illicit activity.

Perhaps that employee downloads data to the home computer, data they have legitimate access to for work, and then, wittingly or unwittingly, uploads that same intellectual property to a local network attached storage (NAS) device or even a remote cloud resource. In the hybrid work environment we all now operate in, this out-of-band traffic poses a serious blind spot: it never crosses a point the corporate network can see.

"We have always looked for that perfect visibility into our networks," Fier says. "But now they're doing whatever they want to do."

An AI-powered agent

To fill that blind spot, and to extend visibility to endpoints whether they are in the office, on business travel, or at home, connected or disconnected, the company launched Darktrace for Endpoint. This endpoint detection and response product includes a lightweight agent called a cSensor that runs on Windows, Mac, or Linux and analyzes what's happening on that device.

The agent acts as a local chaperone for the endpoint. It conducts its own local anomaly detection, at the networking and communications level.

"The cSensor allows us to spot those very early precursors that something is amiss on a device, whether it's intentional or unintentional," Fier explains.

The agent looks for unusual connections or protocols outside of the standard pattern of life for the device. It could for example spot a newly installed application talking to unusual places, or notice if a user connected to another local device on the network while not on the VPN.
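To make the baseline-then-deviation idea of the "Throwing away the rule book" section and the agent's pattern-of-life check above concrete, here is a small added example. It is not Darktrace code and does not describe how its models work; a hand-rolled frequency baseline stands in for the statistical model. It learns a per-host pattern of life from constructed flow records, scores connections by how rare the destination is for that host and for the organisation, raises the score for periodic beaconing to a rare destination and for a home-LAN connection made while off the VPN, and maps the result to a proportional response in the spirit of the alert/quarantine/isolate ladder described earlier. Every host name, address, timestamp and threshold is an assumption constructed for the example.

```python
"""Toy 'pattern of life' anomaly scoring over constructed flow records.

Added illustration, not Darktrace code. Every host name, destination,
timestamp and threshold below is constructed for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds on a constructed clock
    host: str      # endpoint that opened the connection
    dst: str       # destination host name or IP literal
    on_vpn: bool   # whether the endpoint was on the corporate VPN at the time


# Constructed training hour: what "normal" looks like for two laptops.
BASELINE = [
    Flow(t, "lap-alice", d, True)
    for t in range(0, 3600, 600)
    for d in ("mail.example.internal", "fileserver.example.internal", "cdn.example.com")
] + [
    Flow(t, "lap-bob", d, True)
    for t in range(0, 3600, 600)
    for d in ("mail.example.internal", "crm.example.com")
]

# Constructed observation window after the baseline was learned.
WINDOW = (
    # alice's laptop, off VPN, contacts an unknown IP every 60 s: beacon-like
    [Flow(7200 + 60 * i, "lap-alice", "203.0.113.7", False) for i in range(5)]
    # alice's laptop, off VPN, reaches a device on the home LAN
    + [Flow(7300, "lap-alice", "192.168.1.20", False)]
    # bob's laptop reaches a CDN the organisation knows but bob never used
    + [Flow(7400, "lap-bob", "cdn.example.com", True)]
    # bob's laptop does something entirely routine
    + [Flow(7500, "lap-bob", "mail.example.internal", True)]
)

HOME_LAN = ip_network("192.168.0.0/16")  # assumption: typical home address space


class PatternOfLife:
    """Per-host and organisation-wide destination counts learned from the baseline."""

    def __init__(self, flows):
        self.org = Counter(f.dst for f in flows)
        self.per_host = defaultdict(Counter)
        for f in flows:
            self.per_host[f.host][f.dst] += 1

    def rarity(self, host, dst):
        """0.0 routine for host; 0.3 known to the org but new to host; 0.5 new to all."""
        if self.per_host[host][dst]:
            return 0.0
        return 0.3 if self.org[dst] else 0.5


def is_home_lan(dst):
    """True for an IP literal inside HOME_LAN; host names never match."""
    try:
        return ip_address(dst) in HOME_LAN
    except ValueError:
        return False


def beacon_score(timestamps):
    """1.0 for perfectly periodic contact, falling to 0.0 as intervals get irregular."""
    if len(timestamps) < 4:
        return 0.0
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if mean(gaps) == 0:
        return 0.0
    return max(0.0, 1.0 - pstdev(gaps) / mean(gaps))  # 1 - coefficient of variation


def response_for(score):
    """Proportional response: harsher action for a higher score."""
    if score >= 0.9:
        return "isolate-endpoint"
    if score >= 0.5:
        return "alert"
    return "log"


def assess(model, window):
    """Score every (host, destination) pair in the window; additive, capped at 1.0."""
    by_pair = defaultdict(list)
    for f in window:
        by_pair[(f.host, f.dst)].append(f)
    findings = []
    for (host, dst), flows in by_pair.items():
        score = model.rarity(host, dst)
        reasons = ["rare destination"] if score else []
        if score and beacon_score([f.ts for f in flows]) > 0.8:
            reasons.append("beaconing to rare destination")
            score += 0.5
        if is_home_lan(dst) and not any(f.on_vpn for f in flows):
            reasons.append("local device reached while off VPN")
            score += 0.2
        if reasons:
            score = min(1.0, score)
            findings.append({"host": host, "dst": dst, "score": round(score, 2),
                             "reasons": reasons, "action": response_for(score)})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in assess(PatternOfLife(BASELINE), WINDOW):
        print(finding)
```

Run it directly to print the three findings: the beaconing laptop is scored for isolation, the off-VPN home-LAN connection for an alert, and bob's first visit to an organisation-known CDN is merely logged. A production system would weigh many more features and learn its thresholds rather than hard-code them, and a destination "new to everyone" should be scored against how much baseline has actually been collected, which this toy ignores.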

The cSensor provides extra telemetry that gives Darktrace's other products more context. It is useful even when the endpoint is connected to the VPN, because it helps Antigena spot real-time endpoint issues while updating its self-learning corpus of network traffic.

For example, the cSensor agent works with Darktrace's Antigena Email product to hone its autonomous response. Antigena Email might flag a message from a new sender requesting a bank transfer, which on its own would raise suspicion. Extra context would show that the sender's domain is new to the entire organization, not just to that individual user, and Darktrace for Endpoint would escalate its autonomous response accordingly.

Monitoring disconnected devices

The agent also becomes useful when a device is disconnected from the network. It establishes a secure tunnel to the Darktrace instance running on the company's network, enabling it to immediately alert the back-end software and take informed action based on intelligence gleaned from the Enterprise Immune System's

The product offers protection against employees deliberately circumventing policy, but it is also a useful way for organizations to cover all their security bases, explains Fier.

"A good use case is for organizations that don't have 24x7 monitoring services but have internal regulatory requirements," he says, adding that the agent will help Antigena detect unsafe combinations of personal and work activity on the same device. "It ensures that company devices aren't being abused."

Darktrace Antigena continues to protect endpoint devices that have no agent by monitoring their network traffic, which naturally only covers traffic that passes a point the platform can see. It also protects devices that wouldn't have been considered endpoints before the rise of the IoT: low-footprint devices ranging from sensors, smart light bulbs and connected IP cameras through to ICS and OT equipment.

"These days, I look at anything with an IP address as an endpoint," says Fier. "We can use our Immune system platform to do anomaly detection with these systems too."

The future of endpoint security

As people settle into a new post-pandemic working model, Fier predicts bigger changes in endpoint security. One of his biggest predictions is a change to home networking setups.

"Over the next year or two you're going to see more companies asking to physically segregate company business from home personal use," he says. "That might mean shipping you out a separate wireless network so that they can physically segregate their data from employees' personal data and other devices on the home network."

The endpoint is a traditional ingress point for digital toxins from phishing emails to malicious attachments. Now that the network boundary has dissolved, this attack vector is more complex and comes in many forms. By melding traditional EDR with machine learning-based analysis of all company traffic, Darktrace hopes that companies will have a better chance of catching suspicious activity - on whatever endpoint device it may occur.

Sponsored by Darktrace.


Biting the hand that feeds IT © 1998–2022