Lies, and Damn Lies: Getting Past the Hype of Endpoint Security Solutions

Presented at Black Hat USA 2017, July 27, 2017, 3:50 p.m. (50 minutes)

Signatures are dead! We need to focus on machine learning, artificial intelligence, math models, lions, tigers and bears, Oh My!! - STOP!! - How many times have we heard all these buzzwords at conferences, or our managers saying that solution X will solve all our problems. I don't know about you, but I was tired of listening to the hype and the over-use of these terms that really made no sense.

One thing is true: signatures are dead. Today's malware is built with obfuscation and deception, and our opponents do not play fair. Do you blame them? They want to get in. Who needs to rob a bank at gunpoint anymore when the security door is left open and the traps are easy to bypass? Thank you, PowerShell! So what's the answer? Is it Next Generation AV or EDR, or is it Security 101? Over the past 5 months, we have invested significant time building a business case for an endpoint protection system: understanding the problem and creating testing scenarios to evaluate 5 solutions in the market. Over 30,000 pieces of malware were put to the test, drawn from our internal private collection as well as known and unknown samples that are freely available. With all of the marketing hype, brochureware and buzzwords, it's hard to know what's the real deal. As we talk to colleagues from other companies, one thing is clear: many still struggle with good testing methodologies, with what malware to test, and with how to test their endpoint security.

We will discuss the key considerations used in our decision-making process. Testing malware for our company was important, but it was not our only testing criterion. We looked at ease of installation of the agent, usability of the UI, SaaS, on-prem and hybrid deployment options, reporting, the agent's performance against different system resources, how much the agent relied on the vendor's cloud intelligence compared to on-box detection, PowerShell scenarios, and a variety of other factors. Companies additionally need to take into consideration the cost of any potential new infrastructure, cost per seat, professional services, one-off costs, 1-, 2- and 3-year terms, and other factors. Ultimately, we want to extend our resources to help others in the industry and discuss the key differences between the solutions that were evaluated.

Presenters:

  • Lidia Giuliano - Information Security Professional, Independent
    Lidia Giuliano is an Information Security Professional with 15 years' experience in the industry. She has a strong interest in vulnerability management, data security and malware analysis, with a focus on defensive security. She earned a BAppSci in Computer Science and an MAppSci in Information Security from RMIT University in Melbourne, Australia. In her personal time she enjoys mentoring and researching new areas of information security.
  • Mike Spaulding - CTO, Independent
    Mike Spaulding is an experienced information security professional and leader. With over 20 years of experience in information security, his expertise includes the best-of-breed vendors in the SIEM and Next Generation Firewall markets. During his consulting years, Mike focused on configuring and deploying these technologies in large global environments. In his most recent roles he has provided technical expertise, along with vision, planning, and mentoring to staff within his organizations, to ensure that current and future professionals are prepared to handle the changing infosec landscape ahead.
