Milliseconds Matter: Prevention Architecture and Cloud Considerations

The rise of ransomware and other destructive attacks in the last year demonstrates that prevention is critical to stopping damage and loss in your enterprise. Attacks come in many shapes and sizes, requiring a broad range of prevention and detection capabilities. Attacks that directly lead to the destruction of IP, disclosure of sensitive information, and lateral movement are the most existential to enterprises because they represent tangible damage and loss. Attacks such as ransomware, credential theft, and pass-the-hash occur extremely quickly, and demand additional considerations when evaluating endpoint security effectiveness.

To counter this broad range of attacks, many in security are quick to highlight the role of cloud-based analytics to make security decisions. While the cloud is certainly one of the hottest buzzwords and does provide tangible value, the cloud cannot solve all problems. Early prevention is the most effective way to stop attacks. This entails a fast response, and low time-to-kill that cannot be achieved when solutions require an out-and-back trip to the cloud.

I’ll discuss how attacks are increasingly time sensitive, compare endpoint prevention versus those in the cloud, and demonstrate the limitations of cloud-based analytics for prevention.  At Endgame, our prevention capabilities focus on stopping both known and emerging threats, early in the attack cycle, and on the endpoint, without requiring the roundtrip to the cloud. Attacks happen fast, and when preventing them, milliseconds matter.


Time to Kill

When an attacker lands on a host they have multiple options, which are in turn determined by the motive. Frequently the motive boils down to a subset of extortion, theft, or entrenchment. By analyzing attacks driven by these motivations, we have determined that some of today’s most prominent and impactful threat vectors require prevention to react in milliseconds to be effective.

The quickness of these attacks should not be minimized. When not contained, organizations suffer greatly. To estimate just how quickly these attacks propagate, we measured the speed by which ransomware and several malware-less attacks occur. This analysis demonstrates that prevention is necessary and must be immediate. These following examples show that damage-and-loss containment isn’t an abstract concept. When organizations shut down due to attacks the reality is clear. You need to stop attackers early.

malware propagation analysis


Ransomware is the most obvious of these attacks. Organizations cannot afford to have critical assets encrypted for ransom money. These attacks instantly encrypt documents in common locations such as a user’s data directories. This can be especially difficult to remediate due to increasingly stronger encryption and backup solution disablement. Prevention is the best means for eliminating the cost associated with this attack. For instance, our analysis of the WannaCry ransomware determined that it encrypts files on disk within 1322 milliseconds of launch. Protecting against Wannacry, and other forms of ransomware, requires prevention technologies that act instantly.


Credential Theft and Lateral Movement

Additionally, we measured alternative damage-and-loss tactics such as credential theft. In credential theft attacks, the attacker scans memory for domain passwords and leverages common weaknesses to steal password hashes. This attack happens in less than 50 milliseconds creating an even smaller window for effectively stopping critical authentication compromise.

Similarly, entrenchment techniques like pass-the-hash are also time sensitive. It is well understood that once an adversary spreads across a network, evicting them becomes increasingly difficult. In our analysis, it only took 832 milliseconds to use stolen credentials to move to another endpoint. If you cannot contain this threat in less than a second, response costs escalate rapidly.


Cloud-based Prevention

The cloud is great. It is unmatched when considering scale, computing, storage, and redundancy. These make sense to web service providers. If you are Amazon, there is no other choice. In fact, we thoughtfully utilize these technologies to provide centralized management, instant updates, agile access to Endgame threat data and services such as Endgame Arbiter.  However, while a cloud architecture is excellent for these use cases, it does not provide comprehensive endpoint protection.

Endgame does provide detections which require visibility on data from many endpoints or require the vast compute capabilities of the cloud. These capabilities are additive and generally retrospective.  That is, they will tell you about an active attack.  This is extremely important, but it’s too late to achieve prevention.  When your endpoint is under attack, a cloud-prevention architecture alone is a tough sell.

Cloud solutions that rely on streaming event data through the cloud come with two costs. The first cost is generally understood. Providers such as Amazon’s AWS charge for every resource you use, such as network bandwidth, elastic storage and compute instances.

In addition to the financial costs of maintaining a cloud architecture, there is also an efficacy cost. Because milliseconds matter, we must consider if cloud-solutions are fast enough to achieve effective prevention, and even detection, during attacks such as those that contain lateral movement and credential theft. Let’s look at a typical request to a cloud service.

Delays in cloud prevention approaches

What Can Happen on the Way to the Cloud and Back

As the graphic above depicts, the time lag for the trip to the cloud and back impacts efficacy, which comes down to a few key elements. The network latency of a cloud lookup when attempting to prevent an intrusion could be many seconds, allowing an attacker to encrypt files or steal credentials. Additionally, to make relevant security decisions in real time, data filtering must occur. Given the hundreds of security relevant events available on each endpoint, multiplied by every endpoint in your enterprise, it is strikingly clear that data must be selectively filtered before sending it to the cloud due to bandwidth restrictions. Filtering by its very nature means you have less information when making a security decision. With more and more complex attacks you need more and more data. In a cloud-architecture, the round-trip time required for prevention and the speed of the attack are at odds with providing the best security.

The final cost to consider is the “offline” capabilities when endpoints aren’t connected to the corporate network, internet, or VPN. In a mobile world where users work from anywhere, your endpoint security solution should, too. That is why an autonomous agent that is always-on and always-preventing is the optimal solution to handle the speed of today’s attacks.


Autonomous Endpoints

Endgame’s security architecture puts the intelligence on each endpoint giving defenders the power to react instantly to threats. This contrasts with those relying on cloud-connected analytics to make security decisions. Our autonomous agent reads security event data in real-time, as it occurs, with prevention technologies such as machine-learning, pattern recognition, and domain expertise protecting the endpoint. Because we deploy our capabilities to each endpoint this protection works 24/7/365 whether the endpoint is connected to the Internet, VPN, in the corporate office, or traveling the globe.

Our smart endpoint agent has a three-phase approach to delivering strong prevention across all deployment options. The process starts with acquiring relevant event data. On every operating system we collect telemetry on dozens of sources including, but not limited to, processes, files, network traffic, user behavior, and logs. With each telemetry source, we have access to hundreds of data points that feed into our next phase.

The analysis phase of prevention consumes these sources and applies the best available analysis capability for each attack type. Security is not a one-size-fits-all approach. That’s why our analysis engines rely on multiple inputs to structure our prevention capabilities to make real-time prevention decisions in milliseconds. For instance, MalwareScore machine learning models live on the endpoint, and require no external connections.

Once a security decision is made by the analysis engine, our final phase determines the appropriate action to take against the attack. This action can include process termination, IOC collection, network termination, or soon endpoint isolation. Each action can be configured to happen autonomously with zero analyst interaction.

This acquire, analyze, and act process happens on each endpoint across your enterprise in real-time by watching each system for attacks. Because milliseconds matter, we do not have to “phone home” during a ransomware breakout. By strengthening the endpoint, we provide resilient and effective protection at all stages of the attack kill chain.


Prevention in Real-time

Your endpoint agent should be smart, autonomous, and have everything it needs to prevent attacks. This is becoming more important as detect-only strategies fail against attackers who extort organizations with the threat of data destruction and IP theft. Prevention is required given the high-stakes involved to maintain data security.

Endgame’s endpoint-first architecture ensures that we are encapsulating our security expertise into various preventions that provide fast and effective security across your enterprise. We are determined to analyze real-time data without needing cloud assistance, providing a better solution for our customers.

The cloud has revolutionized software as a service and the way content is delivered on the web. Endgame effectively uses cloud services when it makes sense, providing enhanced customer support, centralized management, hosted services, and some secondary detection capabilities. However, it is not appropriate for every security use case. When prevention is on the line, we utilize extensive capabilities on each endpoint to ensure the most comprehensive security effectiveness across your organization. Thanks to our expertise in vulnerabilities and attacker techniques, we know  which technologies are (and are not) right for the job. By taking an endpoint-first approach, the Endgame platform provides innovative and expedited prevention capabilities, protecting enterprise data from today’s attackers.