Author: Kate Adam, E8 Security
VirusBulletin is hosting their annual conference this week in Denver, and among the three days of talks about threat research and product testing methodologies, many AV and endpoint protection companies will have a presence there — as sponsors or to present their own research.
The emphasis on AV and endpoints at the conference comes down to two reasons:
- Endpoints are the targets for most cyber attacks because they hold the information that attackers are typically after.
- VirusBulletin has been testing AV products for years, and results are usually tied to the quality of the vendor’s threat research/intelligence and its ability to incorporate that into the product, usually via signatures.
This first reason is why traditional AV products continue to make money, and why newer, “next-generation” endpoint protection products (EPP) are growing in popularity. It’s also why network visibility technologies must incorporate endpoint information into their field of vision; otherwise the view and data they provide are incomplete.
Behavioral analytics is one of those network visibility technologies. The depth and quality of the analytics depends on the different types of data analyzed, and endpoint data is a major omission if left out. The difference between behavioral analytics and EPP/AV, however (aside from the obvious), is that behavioral analytics relies on behavioral indicators to detect a threat that has already bypassed signatures and policies.
E8 Security’s Behavioral Intelligence Platform ingests log data from endpoints, the network, and from user activity, analyzes that data and ties it together to provide a new type of threat detection that points out positive signs of threats inside the network. The threat research that goes into the behavior detections behind the platform emphasizes a threat’s impact on the resources around it: network connections, endpoint functions, and user actions. Instead of searching for a specific component of a threat, such as how the threat is structured or how it behaves, E8’s platform searches for the reactions of various environmental components, as a response to a threat, through deviations from normal behavior.
An example of this would be the appearance of a brand new process running on an endpoint. A process that’s new to a specific endpoint might be interesting, unless the endpoint itself is new to the environment, possibly indicating a new employee. However, if that process is also new for similar endpoints associated with the same group, it may indicate that an exploit has been executed. Confidence that a threat is present increases when abnormal changes to the registry are detected on that same endpoint, potentially indicating that malware has been installed.
Confidence increases further when other aspects of the environment are correlated with that same endpoint, like connections and their frequency to specific domains. To avoid detection, threats will usually use domain generation algorithms (DGAs) in a “low and slow” fashion for their command-and-control actions. By understanding what normal request headers and connection rates look like, behavioral analytics can quickly point out requests indicative of a DGA and connection patterns indicating command-and-control activity, such as sudden spurts of connections in a short period, or sets of single connections spread over a long time period.
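The following is an added illustration of the correlation described in the two paragraphs above; it is not E8 Security’s code. The telemetry, the entropy and regularity thresholds, and the score weights are all constructed assumptions chosen to make the example readable, not values from the platform.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed telemetry (not real data) for a peer group of three endpoints.
BASELINE_PROCS = {  # processes observed on each host during the learning window
    "ws-01": {"outlook.exe", "teams.exe"},
    "ws-02": {"outlook.exe", "teams.exe"},
    "ws-03": {"outlook.exe", "teams.exe"},
}
NEW_PROC_EVENTS = [("ws-02", "svchosts.exe"), ("ws-01", "teams.exe")]
AUTORUN_KEY_WRITES = {"ws-02"}  # hosts with an unexpected Run-key change
CONNECTIONS = defaultdict(list)  # host -> [(domain, seconds since start), ...]
for t in range(0, 6 * 3600, 1800):           # one request every 30 minutes
    CONNECTIONS["ws-02"].append(("kq7x2zp9vb.example", t))
for t in (10, 45, 400, 1200, 1210, 5000):    # irregular, user-driven traffic
    CONNECTIONS["ws-01"].append(("mail.example", t))

def new_to_peer_group(proc, baseline):
    """True when the process was never seen on any host in the peer group."""
    return all(proc not in procs for procs in baseline.values())

def label_entropy(domain):
    """Shannon entropy of the leftmost label; generated names usually score
    higher than dictionary-word hostnames (a heuristic, not proof of a DGA)."""
    label = domain.split(".")[0]
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def beacon_like(timestamps, min_gaps=3, max_cv=0.2):
    """Near-constant inter-arrival times over a long window resemble 'low and
    slow' command-and-control polling; cv = stddev / mean of the gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return len(gaps) >= min_gaps and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv

def confidence(host):
    """Add up independent deviations observed on one endpoint; weights are
    illustrative and would be tuned against an organisation's own data."""
    score = sum(2 for h, p in NEW_PROC_EVENTS
                if h == host and new_to_peer_group(p, BASELINE_PROCS))
    score += 2 if host in AUTORUN_KEY_WRITES else 0
    by_domain = defaultdict(list)
    for domain, t in CONNECTIONS[host]:
        by_domain[domain].append(t)
    for domain, ts in by_domain.items():
        score += 1 if label_entropy(domain) > 3.0 else 0
        score += 2 if beacon_like(ts) else 0
    return score
```

With this data only ws-02 accumulates evidence (unknown process, autorun change, high-entropy domain polled on a fixed interval), while ws-01’s new-to-it process is already known to its peers and its traffic is irregular, so it scores zero.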
Threats always leave behind evidence, even insider threats. By understanding how threats disrupt an environment, E8’s machine learning algorithms can detect threats inside an organization and assemble their actions over time, creating an easily traceable path for security analysts to follow and respond to, and for researchers to study.
If you’re headed to VirusBulletin’s conference this week, come talk to our product and data science teams about our machine learning algorithms. We’ll be sharing our research, attending sessions, and hanging out at booth #13.
Whether or not you can make it, be sure to read our endpoint case study to learn how endpoint information is a major contributor to E8 Security’s Behavioral Intelligence Platform.