FireEye Stories Blog

Addressing Endpoint Security Gap with FireEye Endpoint HX 3.0

Endpoint security protection just got a lot more effective. Conventional methods deploy anti-virus/anti-malware technology that uses stored threat identities to block known threats. Historically, these have worked pretty well, as long as the endpoints could be updated frequently with new threat identities. In the last couple of years, these defenses were flooded with new threats far faster than systems were updated, and the threats were targeted to bypass the existing identity base. Consequently, the percentage of threats they could block rapidly diminished.

These systems traditionally stop a threat based on their ability to compare an item, such as an attachment or URL, to an internal database of threat identities. Generally a threat is identified and confirmed only after it has caused issues (because an organization has already been hit by it: the sacrificial lamb). A file is traced to a specific compromised site, that site is recorded as a threat source, and it is blocked. Then an organization’s endpoints are updated with the threat signature. The same process applies to a good site, which can be “whitelisted” or allowed based on its reputation. As necessary as it is, all of this takes a tremendous amount of time and resources. Sadly, as soon as a good “whitelisted” site is given a clean bill of health, it can be hacked and become a source of malware, which shows that static lists are continually out of date.

This video offers a basic explanation of how HX works and the processes it goes through, so security analysts can use its deep endpoint visibility to rigorously inspect and analyze all endpoint activity and build an adaptable defense from real-time threat information and analysis.

The rate at which new threats appear far outpaces the rate at which these systems can generate signatures for them: each and every one still takes the same amount of time and resources to identify and analyze. Any delay in getting a new signature delivered favors the race to penetrate over the race to protect. Advanced threats that take advantage of the time lag can be tested against known signatures before taking their first shot, so essentially the race is over before it even started. It’s not whether a site that relies on these traditional models will be penetrated; it’s whether anyone will discover it before it causes damage.

This situation is much like taking a conventional passenger van and putting it on a drag strip against a modern dragster. The van may hit an astounding speed in the quarter mile, for a van, but it’s obviously sorely outclassed against its competitor from start to finish. In effect, the dragster could run multiple quarter-miles before the van finished its first quarter-mile. This doesn’t mean the van has no value; it certainly does. But if it’s expected to play in this new field, it needs new capabilities. Unfortunately, even if we can make it faster, it still has a basic design that will always limit its top speed, no matter how much it is modified. We need to change the nature of the racetrack it’s running on to give it a decent shot.

Gaps in security must be addressed so current technology isn’t swamped by threat variety and speed, but visibility into the endpoints and the network is a fundamental problem. Obviously systems can’t block what they can’t see, and conversely, they can’t see that which hasn’t already been blocked. Closing this gap requires dynamic detection that goes beyond stored files. This means using threat intelligence with criteria for understanding, not just cataloging, threats: for example, unusual internal or external communications, or an incident that points to peculiar activity. Doing this requires analysts to use sophisticated tools to inspect and analyze all threats in real time across an entire network, from its core to all its endpoints. FireEye Endpoint HX 3.0 plugs the gaps by delivering the visibility and intelligence traditional systems can’t provide.

Attackers who can bypass traditional protection are highly skilled, with powerful tools that give them flexibility to adjust attacks based on a target’s defense. To counter this, HX 3.0 gives defenders visibility into all their endpoints to quickly detect a compromised system and isolate it. The analyst can use HX 3.0 to detect whether an Indicator of Compromise (IOC) is present on any endpoint, determine when it appeared and what it was doing, and identify what other endpoints may have been affected. The compromised system can then be contained for detailed inspection and analysis of the compromise timeline, adding to the organization’s threat intelligence and its ability to defend against the initial threat and others.
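The workflow this paragraph describes, sweeping every endpoint for an IOC, reconstructing what happened on the hits, and using that timeline to find further affected endpoints, is easy to misjudge if the second step is skipped. The following is an added illustration written for this post, not FireEye code and not the HX API; the telemetry records, host names, hashes and the domain are all constructed placeholder values, and the benign-hash list is an assumed input.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry (illustrative only, not HX output):
# one dict per observed process launch or outbound connection.
EVENTS = [
    {"host": "ws-101", "ts": "2015-03-02T09:12:00", "type": "process",
     "image": "outlook.exe", "sha1": "1111", "remote": None},
    {"host": "ws-101", "ts": "2015-03-02T09:13:10", "type": "process",
     "image": "invoice.pdf.exe", "sha1": "bad0", "remote": None},
    {"host": "ws-101", "ts": "2015-03-02T09:13:40", "type": "network",
     "image": "invoice.pdf.exe", "sha1": "bad0", "remote": "update-cdn.example"},
    {"host": "ws-101", "ts": "2015-03-02T09:15:00", "type": "process",
     "image": "svchelper.exe", "sha1": "c0de", "remote": None},
    {"host": "ws-102", "ts": "2015-03-02T10:02:00", "type": "process",
     "image": "chrome.exe", "sha1": "2222", "remote": None},
    {"host": "ws-103", "ts": "2015-03-02T11:40:00", "type": "process",
     "image": "svchelper.exe", "sha1": "c0de", "remote": None},
    {"host": "ws-103", "ts": "2015-03-02T11:41:00", "type": "network",
     "image": "svchelper.exe", "sha1": "c0de", "remote": "update-cdn.example"},
    {"host": "ws-104", "ts": "2015-03-03T08:00:00", "type": "process",
     "image": "svchelper.exe", "sha1": "c0de", "remote": None},
]

# Constructed starting IOCs: one dropper hash and one callback domain (placeholders).
IOCS = {"sha1": {"bad0"}, "domain": {"update-cdn.example"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def matches(event, iocs):
    return event["sha1"] in iocs["sha1"] or event["remote"] in iocs["domain"]


def sweep(events, iocs):
    """Step 1: which endpoints show any IOC, and when it was first seen there."""
    first_seen = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if matches(e, iocs) and e["host"] not in first_seen:
            first_seen[e["host"]] = e["ts"]
    return first_seen


def timeline(events, host, start, window=timedelta(minutes=30)):
    """Step 2: everything the endpoint did within `window` after the first hit."""
    t0 = parse_ts(start)
    return [e for e in sorted(events, key=lambda e: parse_ts(e["ts"]))
            if e["host"] == host and t0 <= parse_ts(e["ts"]) <= t0 + window]


def derive_iocs(timeline_events, iocs, benign_hashes):
    """Step 3: artifacts seen during the compromise become new indicators.
    Hashes on the assumed known-good list are skipped so that ordinary
    processes running on the victim are not promoted to IOCs."""
    new = {"sha1": set(iocs["sha1"]), "domain": set(iocs["domain"])}
    for e in timeline_events:
        if e["sha1"] not in benign_hashes:
            new["sha1"].add(e["sha1"])
        if e["remote"]:
            new["domain"].add(e["remote"])
    return new


def hunt(events, iocs, benign_hashes=frozenset()):
    """Sweep, build a timeline per hit, widen the indicator set, sweep again.
    Returns (affected endpoints with first-seen time, widened IOC set)."""
    widened = iocs
    for host, start in sweep(events, iocs).items():
        widened = derive_iocs(timeline(events, host, start), widened, benign_hashes)
    return sweep(events, widened), widened


if __name__ == "__main__":
    affected, widened = hunt(EVENTS, IOCS, benign_hashes={"1111", "2222"})
    for host, ts in affected.items():
        print(f"{host}: first indicator at {ts}")
    print("indicators now tracked:", widened)
```

With the constructed data, the first sweep names only ws-101 and ws-103, because ws-104 never touched the original hash or domain. The timeline on ws-101 shows a second binary (svchelper.exe) launched two minutes after the dropper; once its hash is added to the indicator set, ws-104 surfaces as well, and ws-103's first-seen time moves a minute earlier, to the process launch rather than the callback. That widening step is what turns one confirmed compromise into coverage of the whole fleet.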

In addition to enabling analysts to hunt for unknown threats on thousands of endpoints in minutes, HX 3.0 enables security analysts to provide a more robust and adaptable defense across all their endpoints. Visibility into all endpoint activity, combined with rapid inspection and analysis driven by threat intelligence, helps close the security gaps left by traditional solutions. Organizations can now apply the protection necessary to close the time gaps in detecting threats, allowing them to rapidly counteract the intelligence and persistence of their attackers.