Module 1 Endpoint Security
Endpoint Security Suite
1. Antivirus
2. Data Loss Prevention (DLP)
3. Application Control/Allow Listing
4. Host Intrusion Prevention/Detection System (HIPS/HIDS)
5. Communications Encryption
6. Email and Phishing Protection
7. Logging and Monitoring
8. Encrypted Communication and Hardware
Zero-Day
A newly discovered flaw in a program
Exploited before a vendor can patch it
Zero-day flaws are highly sought after by both hackers (offense) and enterprise security teams (defense).
What Is an Endpoint Security Solution?
A suite of tools that helps protect workstations
Secures end-user devices (desktops, laptops, etc.)
Actively defends against risky activity and/or malicious attacks
Operates as an enterprise security perimeter and is best suited for bring your own device (BYOD)
False Positives
A test result falsely indicates the presence of a condition.
False Negative
A test result mistakenly negates a condition.
YARA Rules
A way of describing a pattern to identify files
Rules are written to meet specific conditions.
Mainly used to classify particular strains or entire malware families
Antivirus
AV signatures must always be updated.
Designed to detect and remove viruses, trojans, worms, etc.
Can quarantine or delete files
Allow Listing
AVs can mistakenly identify files as malicious.
ClamAV includes an option for allow-listing applications.
YARA Rules & Signatures Usage
AVs rely on signatures.
Vendors have different signature formats.
ClamAV supports signatures written in YARA format.
Endpoint Security Components - Internal Firewall
Blocks incoming/outgoing connections to/from the workstation
YARA Rule Signature
ClamAV accepts YARA rules with certain limitations.
The extensions .yar and .yara are parsed as YARA rules.
Maximum of 64 strings per rule
Logical Signature
Combines multiple signatures using logical operators
Enables more specific and flexible pattern matching
File extensions include *.ldb, *.ldu, and *.idb
YARA Rules & Signature Types - Body-Based Signature
Compares specific sequences of suspicious file bytes with malware models stored in a database
YARA Rules & Signature Types - Hash-Based Signature
Compares the file hash checksums of suspicious files with malware models stored in a database
Endpoint Security Components - HIDS/HIPS
Detects, protects, and alerts upon malicious activity
Device Control & BYOD (Bring Your Own Device)
Expands the enterprise security perimeter.
Employees connect private devices to the company network.
Potential of passing malware through company defenses
ClamAV Pros
Free
Supports scheduled tasks
Ease of use
Regular virus database updates
High virus detection rates
Technical support
False Positive (F/P) Causes
Heuristics: AVs evolve and so do viruses.
Behavioral Analysis: Legitimate apps behaving like malicious apps
Machine Learning: Mistakes in training data fed to software
ClamAV Cons
Low processing speed
Infrequent software updates
100% virus protection not guaranteed
No host firewall
No safe browsing capabilities
GUI is outdated; inadequate features
Multi-Engine Antivirus Scanning
Only one AV should be installed on a workstation.
Different AVs, different methodologies, and block lists
Scanning with multiple engines simultaneously
ClamAV in a Nutshell
Open-source and cross-platform AV software
Mainly a CLI tool, although a GUI is available
Most features require initial configuration.
What Is EDR?
Originally known as ETDR
Provides high visibility of endpoints
Focuses on detecting and responding to malicious activity on the host
Best use case: search manually for threats.
Endpoint Security Components - Sandbox
Restricted environment used to run suspicious programs and files
Visibility & Response
Securing endpoints requires real-time visibility of all activities on the endpoint.
Pinpoint malicious behavior.
Act swiftly to prevent an attack from becoming a breach.
AV has a single purpose: detecting and removing malware.