Charles Leaver – The Second Part Of The Carbanak Case Study Explains The Efficiency Of Continuous Endpoint Monitoring

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 2 in a 3 part series

Continuous Endpoint Monitoring Is Very Effective


Convicting and blocking malicious software before it can compromise an endpoint is fine as far as it goes. However, this technique is largely ineffective against attacks that have been pre-tested to evade exactly this kind of defense. The real problem is that these evasive attacks are carried out by skilled human adversaries, while traditional endpoint defense is an automated procedure run by security products that rely largely on conventional anti-virus technology. Human intelligence is more creative and adaptable than machine intelligence, and a persistent human attacker will keep finding ways past a static automated defense. This is essentially a Turing test for defenders: the automated defense is being asked to match the ingenuity of an experienced human hacker. Artificial intelligence and machine learning are not yet advanced enough to fully automate cyber defense, so the human attacker wins and the compromised organization is left counting its losses. We do not live in a science-fiction world where machines out-think people, so do not expect a security software suite to take care of all your problems on its own and prevent every attack and data loss.

The only genuine way to stop a determined human attacker is with an equally determined human defender. To engage your IT Security Operations Center (SOC) personnel in that role, they must have full visibility of network and endpoint activity. That visibility will not come from conventional endpoint anti-virus suites; they are built to stay silent unless they catch and quarantine a known malware sample. This standard approach leaves endpoints opaque to security staff, and attackers exploit that opacity to hide their activity. The opacity extends backwards and forwards in time: your security staff do not know what was running across the endpoint population in the past, what is running now, or what to expect in the future. If persistent security staff discover clues that call for a forensic look-back to uncover attacker characteristics, the anti-virus suite cannot help: it took no action at the time, so it recorded no events.

Continuous endpoint monitoring, by contrast, is always working: it provides real-time visibility into endpoint activity, supports forensic look-backs so that newly emerging evidence of an attack can be traced back to its earlier indicators, and builds a baseline of normal operating patterns so that it knows what to expect and can flag deviations in the future. It provides not just visibility but informed visibility, applying behavioral analytics to find activity that looks unusual. The analytics continuously score and aggregate these anomalies, report them to SOC staff through the organization’s security information and event management (SIEM) system, and surface the most worrying ones for attention and action. Continuous endpoint monitoring amplifies and scales human intelligence; it does not replace it. It is a bit like the old Sesame Street game, “One of these things is not like the other.”

A child can play this game. It is easy because most items (high prevalence) resemble each other, while one or a few (low prevalence) differ and stand out. Attackers’ actions have stood out in this way, consistently, for decades; the Carbanak technical reports, whose indicators of compromise are discussed below, are a good example. When continuous endpoint monitoring analytics surface these patterns, recognizing something suspicious or uncommon is straightforward. Security staff can rapidly triage each unusual pattern and reach a yes/no/maybe verdict that separates uncommon-but-known-good activity from malicious activity, and from activity that needs further tracking and deeper forensic examination to confirm.
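As an added illustration of the prevalence idea above (this is example code written for this edit, not code from the article or from any product it describes), the following Python script runs a simple low-prevalence analysis over a constructed endpoint process inventory: it counts how many hosts ran each (path, hash) pair, flags the rare ones, notes whether each is new relative to a prior baseline and whether its file name collides with a widely run binary at a different path or hash, separates analyst-allowlisted items from those needing review, and serializes the rest as JSON lines for a SIEM. The host names, paths, hash strings, baseline and allowlist are all invented for illustration; a real deployment would read this data from a monitoring agent.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample data (hypothetical hosts, paths and placeholder hashes):
# hostname -> set of (image_path, sha256) pairs seen running in one interval.
SVCHOST = ("C:\\Windows\\System32\\svchost.exe", "h-svchost-legit")
OUTLOOK = ("C:\\Program Files\\Microsoft Office\\outlook.exe", "h-outlook")
CHROME = ("C:\\Program Files\\Google\\Chrome\\chrome.exe", "h-chrome")
PUTTY = ("C:\\Tools\\putty.exe", "h-putty")                          # rare but known-good admin tool
TEMP_SVCHOST = ("C:\\Windows\\Temp\\svchost.exe", "h-svchost-odd")   # same name, wrong path and hash
TEMP_UPDATER = ("C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe", "h-upd")

INVENTORY = {f"ws-{i:03d}": {SVCHOST, OUTLOOK, CHROME} for i in range(1, 11)}
INVENTORY["ws-002"].add(PUTTY)
INVENTORY["ws-003"].add(TEMP_SVCHOST)
INVENTORY["ws-007"].add(TEMP_UPDATER)
INVENTORY["ws-009"].discard(CHROME)  # chrome is prevalent but not universal

# What "normal" looked like in the previous interval (constructed).
BASELINE = {SVCHOST, OUTLOOK, CHROME, PUTTY}
# Low-prevalence items an analyst has already triaged as good (constructed).
ALLOWLIST = {PUTTY}


def prevalence(inventory):
    """Map each (path, hash) pair to the set of hosts it was observed on."""
    hosts_by_item = defaultdict(set)
    for host, items in inventory.items():
        for item in items:
            hosts_by_item[item].add(host)
    return hosts_by_item


def find_anomalies(inventory, baseline, allowlist, rare_threshold=0.1):
    """Return low-prevalence executables (seen on <= rare_threshold of hosts).

    Each finding records the hosts involved, whether the item is new since the
    baseline, whether its file name matches a high-prevalence binary at another
    path or hash (a masquerade candidate), and a triage verdict: "known-good"
    if allowlisted, otherwise "review". Items needing review sort first.
    """
    hosts_by_item = prevalence(inventory)
    total = len(inventory)
    # File names of binaries that are common across the population.
    common_names = {PureWindowsPath(path).name.lower(): path
                    for (path, _), hosts in hosts_by_item.items()
                    if len(hosts) / total > rare_threshold}
    findings = []
    for (path, digest), hosts in hosts_by_item.items():
        ratio = len(hosts) / total
        if ratio > rare_threshold:
            continue
        name = PureWindowsPath(path).name.lower()
        findings.append({
            "path": path,
            "sha256": digest,
            "hosts": sorted(hosts),
            "prevalence": round(ratio, 2),
            "new_since_baseline": (path, digest) not in baseline,
            "masquerade_of": common_names.get(name),
            "verdict": "known-good" if (path, digest) in allowlist else "review",
        })
    findings.sort(key=lambda f: (f["verdict"] != "review", f["path"]))
    return findings


def to_siem_events(findings, only_review=True):
    """Serialize findings as one JSON object per line for SIEM ingestion."""
    return [json.dumps({"event": "rare_process", **f}, sort_keys=True)
            for f in findings if f["verdict"] == "review" or not only_review]


if __name__ == "__main__":
    for line in to_siem_events(find_anomalies(INVENTORY, BASELINE, ALLOWLIST)):
        print(line)
```

With the constructed inventory the script flags three low-prevalence items: the `svchost.exe` under `C:\Windows\Temp` (new since the baseline and a name collision with the real one under `System32`), the updater in a user's Temp directory (new, no collision), and PuTTY, which is rare but allowlisted and therefore reported as known-good and not forwarded. The threshold is a knob the SOC tunes to its population size; the masquerade check is cheap and catches the common trick of naming a dropped binary after a legitimate system process.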

A hacker cannot pre-test an attack against this kind of defense. Continuous endpoint monitoring has a non-deterministic analytics component (which alerts on suspicious activity) and a non-deterministic human component (which triages the alerts). Depending on current activity, the endpoint population mix and the experience of the security staff, developing attack activity may or may not be discovered. That is the nature of cyber warfare; there are no guarantees. But security staff equipped with continuous endpoint monitoring analytics and visibility have an unfair advantage.