Sophisticated Threat Landscape: Fileless Attacks Exploit Legitimate System Tools, Targeting PowerShell.exe and Cmd.exe in Common Malware Tactics
Can you explain the key features and capabilities of the Next-Gen Antivirus in the context of Endpoint Central?
Malware detection: Endpoint Central’s next-generation antivirus (NGAV) solution leverages a combination of a deep-learning-based antivirus (DeepAV) engine and behavioral detection, which is subjected to continuous updates to protect against both previously known and emerging malware.
Remediation: Upon detection of malware, security teams can roll back both file systems and registries to their pre-affected state with a single click. In addition, they can leverage Endpoint Central’s strong foundation of management policies to execute a wide range of remediation workflows.
Forensic analysis: Apart from triggering instant alerts upon detecting and preventing attacks, Endpoint Central offers detailed RCA for every incident, enabling security teams to understand the scope and impact of each. Endpoint Central’s built-in remote troubleshooting and system management capabilities offer instant, thorough incident investigation of quarantined devices.
Traditional antivirus solutions only detect malware after the first infection and require constant, day-to-day definition updates, since they use signature-based detection
Mathivanan Venkatachalam, Vice President at ManageEngine
How does Next-Gen Antivirus differ from traditional antivirus solutions, and what advantages does it bring to Endpoint Central?
Traditional antivirus solutions only detect malware after the first infection and require constant, day-to-day definition updates, since they use signature-based detection. Our solution, on the other hand, uses a combination of a DeepAV engine and behavior detection to enable proactive, advanced detection of malware. This enables us to offer proactive protection without relying on patient zero for detection.
Fileless attacks have become common malware attacks that often involve exploiting legitimate system tools and processes like PowerShell.exe and Cmd.exe. This technique allows attackers to evade traditional antivirus solutions that rely on signature-based methods of detection. The real-time behavior monitoring engine of Endpoint Central’s NGAV solution ensures the absolute detection of fileless attacks and offers exploit detection across internet-facing applications, thereby reducing the attack surface.
Traditional antivirus solutions focus on the detection and prevention of malware, so they do not offer recovery and remediation features. Endpoint Central offers a holistic solution by combining our NGAV engine’s detection with single-click recovery, remediation, and attack surface reduction policies. This layered approach reduces the likelihood of successful exploitation by threat actors, making it more challenging for them to compromise an organization’s security.
In what ways does the Next-Gen Antivirus contribute to strengthening endpoint security within your organization?
Going beyond traditional antivirus solutions is crucial for protecting an organization’s IT network, because their signature-based approach is only effective against already documented threats. They have become inadequate in today’s constantly evolving threat landscape. By combining an NGAV engine and threat prevention policies, Endpoint Central offers a more holistic solution that reduces an organization’s attack surface and safeguards the network against emerging threats.
Could you share any specific success stories or use cases where Next-Gen Antivirus in Endpoint Central has demonstrated its effectiveness?
Before our NGAV solution was made available to the public, we piloted it internally within Zoho Corporation. The early version of our NGAV solution detected and prevented a number of malware strains. One such incident that stood out was the detection of malware on a device within our network, which had bypassed detection by the third-party endpoint detection and response (EDR) solutions we were using. Our NGAV engine detected the malware’s presence when it started stealing browser secrets. Upon its detection, we immediately responded with the isolation of the device and began the restoration process.
Our solution enabled forensic analysis, from which we were able to perform RCA, starting with how the malware gained the initial foothold into the network, following with the series of events that subsequently unfolded, and ending with the malware’s discovery. After the device was restored, the misconfigurations leading to the breach were also remediated immediately, preventing similar incidents in the future. Our NGAV engine provided an added layer of security within our own environment.
With its official release, our NGAV engine was made available to all Endpoint Central customers, extending protection to over 21 million devices without any additional setup or licensing. Since most customers already used traditional antivirus solutions, our NGAV engine added an extra layer of protection, providing them with holistic security. Since then, our engine has detected and blocked various strains of malware.
One such customer experience that we heard about in the early days helped bolster our drive to work towards our vision. Despite using an antivirus solution, one of our customers got infected with the then-latest version of LockBit, LockBit 3.0. The signature of this new strain was not yet updated in the antivirus database, so it bypassed detection and caused a breach. At that point, the customer was using an older version of Endpoint Central that did not have the NGAV module.
At the start of the restoration process, our customer updated to the latest version of our solution which had early access to the NGAV module. During the restoration of the affected systems, the files responsible for the LockBit 3.0 infection were detected by our NGAV engine, preventing the customer from getting breached again. This was one of our first detections, and this experience reinforced our drive towards delivering our vision.
What considerations led to the decision to implement Next-Gen Antivirus in Endpoint Central, and how has it impacted the overall security posture?
In today’s dynamic threat landscape, organizations’ security stacks have become complex due to siloed tools. This burdens employees’ devices with numerous agents, consuming a huge portion of resources originally meant for employees’ productivity. Considering that a UEM solution handles the deployment and maintenance of these security solutions, the release of the NGAV engine within Endpoint Central improves operational efficiency while addressing the core problem of cybersecurity.
We ventured into the endpoint security market early in 2017 with the release of vulnerability management, detection, and response in Endpoint Central. Over the years, we have added application control, device control, browser security, endpoint privilege management, and endpoint DLP. With the release of the NGAV engine, we provide a holistic endpoint protection platform (EPP) that offers threat prevention, attack surface reduction, and malware detection and response.
Can you discuss any challenges or lessons learned during the deployment and integration of Next-Gen Antivirus within Endpoint Central?
We faced two major challenges with the deployment of the NGAV engine within Endpoint Central:
The first was with respect to the detection accuracy. It is crucial for security solutions to strike a balance between false positives and false negatives. If the engine were too strict, with too many false positives, customer productivity would be impacted. On the other hand, if the engine were too lenient, true incidents and malware could be missed, leading to catastrophic consequences. Striking the balance between the two was a true challenge. After multiple trial runs, we have achieved the highest accuracy rate for ransomware detection.
The second challenge was with respect to performance. Having been in the market for over 18 years, we understand the importance of consuming minimal resources yet delivering all the functions without compromise. Eating up the endpoints’ resources, like the CPU and RAM, impacts the productivity of organizations. We invested our extensively built R&D knowledge into solving this problem, improving the performance of our NGAV engine. Our real-time behavior engine and AI engine combined consume less than 1% of the CPU and less than 100MB of RAM on the endpoints.
How does Next-Gen Antivirus address emerging threats and adapt to evolving cybersecurity landscapes within the context of Endpoint Central?
Our NGAV engine leverages a multilayered defense strategy to tackle emerging threats, and each layer is backed by cutting-edge threat detection and mitigation techniques, including the following:
- Our DeepAV technology leverages deep learning algorithms that are trained to identify patterns associated with malware, enabling the detection of previously unseen or evolving threats without requiring constant, day-to-day definition updates. This layer is on the forefront, proactively preventing malware from being executed in the first place.
- Our behavior detection engine forms the next line of defense, identifying malicious operations or exploits with high accuracy. The engine can also detect fileless attacks and offers exploit detection across internet-facing applications, thereby reducing the attack surface.
- Considering the rising number of ransomware attacks, we also offer a dedicated anti-ransomware layer that leverages patented behavior detection technology to ensure the least number of false positives with a high detection rate.
By combining these with threat prevention policies, Endpoint Central offers a holistic approach to tackling the ever-evolving threat landscape.
What strategies or best practices do you recommend for organizations considering the adoption of Next-Gen Antivirus in their Endpoint Central solutions?
- Continuous monitoring is crucial to immediately detecting vulnerabilities and incidents, thereby preventing threats, and minimizing the impacts.
- By enforcing strict privilege limitations, organizations can reduce the attack surface and minimize the potential impacts of security incidents and unauthorized access.
- Strict access control policies ensure that employees have access to only those corporate resources (apps, data, devices, documents, and websites) that they actually need for work.
- Organizations should have data security and protection policies with DLP and encryption policies to safeguard data in storage and in transit.
- Running the NGAV engine in proactive mode ensures that threats are immediately avoided.
Looking ahead, how do you foresee the role of Next-Gen Antivirus evolving in the future, particularly within the broader context of Endpoint Central security?
- Powerful detection models: We will incorporate more powerful engines within our NGAV solution for accurate, dynamic threat detection capable of recognizing complex patterns and behaviors in response to the evolving threat landscape.
- Integrations with threat intelligence feeds: We will strengthen our detection capabilities by integrating with threat intelligence feeds. Real-time updates on the latest known threats, tactics, techniques, procedures, indicators of compromise, and global threat trends will enable the early detection of threats.
- Integrations with Zero Trust network access (ZTNA) systems: We plan to integrate security scores derived from the Endpoint Central EPP into ZTNA systems as a metric for determining trustworthiness, significantly improving the overall security posture of organizations.
- The convergence of NGAV, EDR, NDR, and XDR solutions: We plan to release EDR and network detection and response (NDR) solutions soon and will eventually launch an extended detection and response (XDR) solution.
We believe that the cross-layer correlation that can be obtained by sharing combined insights into SecOps-centered environments will substantially expedite incident detection and enhance the overall effectiveness of incident response and mitigation.
