Avatar

For the myriad ways that an endpoint could be exploited, there’s just no way that a single technology will provide comprehensive protection. Without the visibility of your entire threat landscape and without the control to detect, block, and remediate an attack, you’re at an unfair disadvantage in protecting your organization.

Imagine that a legitimate user’s credentials are obtained by an attacker. Now posing as that trusted user, the attacker emails other users to visit a malicious web site. How would antivirus, for example, protect against that happening? It can’t. No one technology can. That’s why when we look at endpoint protection, we don’t apply a single technology, nor do we even approach the challenge on purely technical grounds. We first look at the ways an advanced attacker may exploit gaps left by technology silos and we those gaps. This is how we’ve put together our security architecture.

A case in point is the DNSMessenger fileless malware that I’d written about in a previous blog post. The attackers used email phishing to send messages to their intended victims. They tricked their victims into enabling macros in an email attachment, and that simple action started a cascade of malicious activity ending with data theft for its victims.

Attacks like this are successful because they behave like jigsaw puzzles. There’s a piece in email. There’s a piece in memory. There’s piece on the network and another in DNS traffic. Viewed through the lens of a single technology, nothing looks out of the ordinary. Only when the view becomes broader do all the pieces come together and the picture becomes clear. That’s what we do. We put all of these pieces together.

Starting with endpoint protection, every file we see is run through a battery of analysis techniques to determine whether or not any given file poses a threat. And after that file has moved on, the analysis continues. Always. The telemetry of these files is tracked, as well. Why? Because the bad guys change things up. Should our continuous analysis later discover that a file is malicious, we give you the visibility to see everywhere it’s gone and what it’s touched, and you have the control to automatically remediate the threat retrospectively everywhere in your organization.

The key is that the intelligence we glean from that file analysis is shared among our other technologies. Our DNS security intelligence? That’s shared. Our email security intelligence? Shared. Our network security intelligence? Our cloud security intelligence? The intelligence from our 250 Talos researchers? You guessed it. It’s all shared. This is why we are so effective.

Endpoints are the devices on which potential victims read phishing emails, click malicious links, visit dodgy web sites, and open dangerous attachments. They are the devices that are forgotten in airports, that communicate over insecure WiFi, or that may be unlocked with “password123.” And they have direct connectivity to financial data, trade secrets, customer information – all sorts of valuable stuff. Endpoints need advanced, comprehensive defense to protect against current threats.

Get hands-on with an Advanced Malware Protection (AMP) for Endpoints free trial to see our endpoint protection in action. If you’re already a customer, contact your account manager to sign up for a free Threat Hunting Workshops to advance your threat hunting skills.

 



Authors

Marc Blackmer

Product Manager, Engineering

IoT Product Mgmt Networking