Last week’s Gartner Security & Risk Management Summit crammed several months’ worth of information, analyses, workshops and networking into 3 ½ short days. As expected, everything related to cyber security was particularly hot. Though many messages were familiar, a shift could be detected, a recognition that the landscape is transforming and innovation is called for.
Of the many subjects discussed, three took front and center stage:
- Balancing risk and security investment, recognizing that perfect is not possible.
- The Gartner security model, and how to orchestrate its various elements, analyze the flood of information, and produce actionable, automated processes.
- Defining the right security stack for companies, taking the above into consideration.
The emphasis on security at the speed of business – security that supports organizational growth and agility rather than hinders it – resonated particularly strongly with the Morphisec team. For us at Morphisec this is not just a goal; it is the basis of our business. The combination of powerful prevention, simplicity and cost efficiency is the main driving value behind our product.
While the Gartner summit discussions were highly relevant overall, two sessions in particular stand out.
What the Hacker Sees
The first was a thorough analysis by Gartner analyst Mario De Boer of the strengths and limitations of malware protection technologies from an attacker's perspective. Endpoints are the main entrance for advanced attacks, and attackers continue to develop ever more sophisticated methods to penetrate them and execute their malicious intent. As a result, various types of protection technologies have evolved around the endpoint and the network that surrounds it:
- Signature-based malware prevention – Very good at what they do, but what they do is limited and trivial to evade.
- Exploit mitigation – Makes a vulnerability harder to exploit, but can be evaded by script-based malware.
- Network Sandboxing – An attacker takes advantage of the fact that if the malware can execute on the endpoint before the sandbox detects it, the attacker is already in.
- Application Control – Exploits that use legitimate operations, for example a malicious Word macro, are not stopped. Malware can also spoof a trusted application.
- Behavior Analysis – Attackers who understand the rules defining suspicious behavior can design exploits that get past them.
- Endpoint Detection and Response (EDR) – Speed is critical; an exploit can cause serious damage before detection kicks in.
- Containment – The most challenging from an attacker's perspective, but it can impact business efficiency from the user's perspective.
Ideally, the best defense would incorporate all of the above techniques to ensure that the endpoint is covered against all possible vectors. In reality, this is a pie-in-the-sky dream: configuration effort, CPU drain, collisions between products, maintenance, immense reporting (including high rates of false positives), and a shortage of expert security practitioners all work against the drive toward manageability and cost efficiency. So how should security teams decide which products to deploy?
De Boer answered this question by examining several types of attacks, highlighting which combination of technologies creates the most difficulty for the attacker, to deduce the most efficient security approach.
His conclusion? “Choose endpoint technology stacks rather than individual technologies, avoiding agent bloat.”
We at Morphisec believe this sets the right tone for industry discussion: the “right stack” provides adequate protection alongside operational efficiency – fewer agents, fewer compatibility issues, low CPU drain, fewer false alerts, and low remediation costs.
However, De Boer’s session had one glaring gap. He pointed out the limitations of each of these techniques, and the fact that, even in combination, attackers may slip through the cracks long enough to cause damage. Yet he offered no alternatives.
This is where the session about the Top 10 newest technologies comes in. Full disclosure: Morphisec is one of the vendors on the list.
The Newest and Coolest
Neil MacDonald, vice president, distinguished analyst and Gartner Fellow Emeritus, examined the leading new approaches to information security: emerging technologies that help fill the gaps that still exist in De Boer’s stack. In the section on non-signature approaches for endpoint prevention, MacDonald points out the dissatisfaction with the current state of endpoint prevention. As Gartner says in a post about the session, “Purely signature-based approaches for malware prevention are ineffective against advanced and targeted attacks. Multiple techniques are emerging that augment traditional signature-based approaches, including memory protection and exploit prevention that prevent the common ways that malware gets onto systems.”
MacDonald goes on to say that these solutions should be viewed as approaches to supplement the shortcomings of current prevention technologies.
Working Together Maximizes Protection
That is exactly the discussion we have with our customers. Knowing that no one product can do it all, we review Morphisec Advanced Threat Prevention alongside their current stack and in some cases even recommend adding another security element.
This analysis always starts with an effective and efficient prevention stack which, according to De Boer’s analysis, should include:
- Antivirus (usually already in place) for signature-based malware prevention
- Exploit prevention (this is where Morphisec comes in), and
- Application Control
Such a stack will ensure the best and most efficient malware prevention. Organizations that are under frequent attack should also consider EDR and sandboxing detection techniques.
Essentially, these two sessions carry a clear and important message for CISOs and SecOps teams: look for the right stack rather than individual products, and leverage new technologies to do all you can on the prevention front.