For information security personnel, exploits represent a bit of a catch-22. On the one hand, you can basically guarantee endpoint security, and negate almost one hundred percent of all exploits, by keeping your systems up-to-date. On the other hand, that’s far easier said than done. Think of all the systems at play in a typical enterprise computing environment. This environment contains hundreds of desktops and laptops, and potentially thousands of servers and tens of thousands of applications. Not to mention the fact that only the most fortunate enterprises have entirely homogeneous environments. You might push updates to the 98 percent of your desktops that run Windows 2016, but what about the four employees who still insist on using MacBooks?
That’s not the only problem with relying on patches to mitigate exploits. You may spend most of your time auditing your equipment and applying patches, but occasionally you’ll find that updating one system to eliminate a vulnerability… also breaks about half a dozen systems that were depending on it. Between the difficulty of patching every vulnerable system and the risk that a patch breaks something else, it’s more than worthwhile to have an endpoint protection platform that can also defend against exploits.
Traditional Endpoint Security Misses Exploit Warning Signs
For traditional endpoint security, catching exploits in the act is a difficult proposition, because these solutions tend to look for the wrong thing. Hackers take advantage of exploits using a three-step process: First, they select their target—a piece of software with an unpatched vulnerability. Second, they introduce malware to the targeted system. Third, the malware exploits the vulnerability using one of a small number of predetermined tactics, such as buffer overflows, heap spraying, or stack pivots. For traditional endpoint protection, the second step is the pitfall.
As we’ve often said, traditional endpoint protection does a pretty poor job of protecting against malware that hasn’t been seen in the wild. Its version of exploit protection focuses on identifying and blocking the particular bits of code that malware uses to open up these exploits—the shellcode, dropper, payload, and so on. The problem with this, of course, is that there’s always more than one way to skin a cat, at least as far as code is concerned. It’s very easy for malware authors to rewrite their code in a way that causes signature-based endpoint protection to pass it by—while still breaking open vulnerabilities in the exact same way.
Finding the Unknown Unknowns with Next Generation Endpoint Protection
In order for next generation endpoint protection to pass muster for use in the enterprise, it must defend against both known and unknown exploits. SentinelOne does this by tapping a computer’s running processes for the nearly unmistakable pattern of an ongoing exploit-based attack. While it’s relatively easy for malware authors to disguise the fact that a malicious software component is designed to cause a buffer overflow, it’s extremely hard to disguise the fact that a buffer overflow is taking place. By looking for the latter, not the former, SentinelOne can mitigate most exploit-based attacks before they gain a foothold.
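To make the contrast in the two preceding sections concrete, here is an added illustrative simulator (not SentinelOne's code, and not a description of how its product is built) in which a byte-level signature check misses a trivially re-encoded blob while a behavioural check over a constructed process trace flags the same overflow, stack pivot and heap-spray mechanics either way. The event format, the thread stack bounds and the spray threshold are assumptions made for the demo.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a previously seen blob and its hash "signature".
# The bytes are arbitrary filler; there is no real payload here.
ORIGINAL_BLOB = bytes(range(0x20, 0x60))
KNOWN_BAD_SHA256 = {hashlib.sha256(ORIGINAL_BLOB).hexdigest()}

def re_encode(blob: bytes, key: int = 0x5A) -> bytes:
    """Byte-for-byte transformation: same behaviour, new hash."""
    return bytes(b ^ key for b in blob)

def signature_hit(blob: bytes) -> bool:
    """Traditional check: does this exact blob match a known-bad hash?"""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_SHA256

@dataclass
class Event:
    kind: str               # "write", "stack_ptr" or "alloc" (assumed schema)
    addr: int = 0           # target of a write / new stack pointer value
    length: int = 0         # bytes written or allocated
    buf_end: int = 0        # end of the buffer a write was meant to stay in
    repeated: bool = False  # allocation filled with one repeating pattern

def behavioural_hits(events, stack_lo: int, stack_hi: int) -> list[str]:
    """Flag the mechanics of an exploit rather than the bytes that trigger it."""
    hits, spray_count = [], 0
    for ev in events:
        if ev.kind == "write" and ev.addr + ev.length > ev.buf_end:
            hits.append("buffer overflow: write past buffer end")
        elif ev.kind == "stack_ptr" and not (stack_lo <= ev.addr < stack_hi):
            hits.append("stack pivot: stack pointer left thread stack")
        elif ev.kind == "alloc" and ev.length >= 1 << 20 and ev.repeated:
            spray_count += 1
            if spray_count == 50:  # threshold is an assumption for the demo
                hits.append("heap spray: many large repeated allocations")
    return hits

# Constructed trace: identical actions whether or not the blob was re-encoded.
TRACE = [Event("write", addr=0x1000, length=0x300, buf_end=0x1100),
         Event("stack_ptr", addr=0x7000_0000)] + \
        [Event("alloc", length=1 << 20, repeated=True)] * 50

if __name__ == "__main__":
    for blob in (ORIGINAL_BLOB, re_encode(ORIGINAL_BLOB)):
        print("signature:", signature_hit(blob),
              "behaviour:", behavioural_hits(TRACE, 0x7FFE_0000, 0x8000_0000))
```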
While best practice is clearly to patch all of your systems until there are no vulnerabilities left, this sometimes isn’t a practical reality. In order to protect the enterprise when patching isn’t practical, administrators must invest in functional next-generation endpoint protection solutions that can mitigate exploits before they occur. In order to learn more about SentinelOne, and how our behavioral detection platform can block these dangerous threats, check out our white paper, The Wicked Truth About Malware & Exploits.