IT Briefcase Exclusive Interview: Endpoint Security, Ransomware and the End of Evasive Malware
August 17, 2017
Ransomware comes in many forms. One strategy commonly used in ransomware attacks is to cloak malicious actions within legitimate-looking programs. This cloaking allows the ransomware to bypass existing security defenses and avoid detection.
Unfortunately, unlike other types of malware, which may take some time to execute and so leave a brief window to detect the breach before any damage is done, ransomware has usually already encrypted your data by the time you detect it.
So how can you ensure prevention before detection?
Lenny Zeltser, Vice President of Products at Minerva, explains:
- Q. Tell me a little bit about Minerva. What makes the Anti-Evasion Platform stand out from the competition?
A. Minerva is the only company I know that’s focused squarely on protecting endpoints from attacks designed to evade the organization’s existing defenses. We do this without scanning files or processes to flag them as malicious or benign. Instead, our solution causes malware to self-convict as it attempts to get around baseline anti-malware products. We do this by employing elements of deception on the endpoint, lying to malware regarding its environment in a way that causes the malicious program to disarm itself before any damage is done.
- Q. What role does Minerva technology play in endpoint security?
A. For as long as there will be anti-malware tools, there will be malware designed to bypass them. Minerva’s technology blocks these attempts to evade detection, defending the endpoint against threats regardless of their infection mechanism. Minerva’s Anti-Evasion Platform not only ensures that baseline anti-virus works as intended, but also stops attacks that would have required costly investigations and remediation. We augment, rather than replace existing defenses. As a result, Minerva’s customers can prevent intrusions that otherwise would have required onerous investigations or post-incident cleanup.
- Q. Do you feel the time has come to reset how we think about traditional endpoint security?
A. It’s great to see anti-virus and other baseline anti-malware vendors investing in evolving their approaches to detecting malicious software and related endpoint threats. These tools continue to advance in response to the changing attack tactics; similarly, attackers continue to adapt to keep up with the anti-malware advancements. Unfortunately, this never-ending cycle ensures that there will always remain a gap between the threats that are blocked and those that penetrate defenses.
To close this gap, enterprises need to step outside the cycle by disrupting the methods that adversaries use to evade detection, cutting off the options available to malware authors to bypass baseline anti-malware protection. That’s what Minerva does—our Anti-Evasion Platform uses deception on the endpoint to turn the use of evasion tactics into a weakness. This is a novel and practical addition to the traditional endpoint security stack that did not exist before.
- Q. Can you give us a specific example of a Minerva deployment and why it has been successful?
A. A leading worldwide shipping carrier deployed Minerva to significantly improve their endpoint defense strategy. They were able to roll out the solution in less than a week and saw immediate results. The number of ransomware attacks on them was reduced dramatically. This not only prevented the destruction of data, but also relieved the SOC team from having to investigate numerous alerts that would have resulted in days wasted on incident response.
- Q. Ransomware is all over the news these days. How does a ransomware attack work, why the sudden spike, and how do we tackle this problem?
A. Criminals pursue opportunities that are likely to offer them financial gains. Unfortunately, holding the company’s data hostage provides these adversaries a reliable stream of payments with a high return on investment. Some ransomware is implemented in a straightforward manner that allows AV and similar anti-malware tools to block it. However, a lot of ransomware families are created and maintained by professional, talented and motivated software engineers who know how to implement techniques for getting around such baseline protection.
Evasive tactics employed by ransomware include avoiding systems that resemble analysis sandboxes or forensic environments and employing memory injection to hide inside trusted and otherwise legitimate processes. In addition, ransomware often employs malicious documents, such as Microsoft Office files that contain macros, to stay in the blind spot of many AV solutions.
Baseline anti-malware products play an important role in mitigating the risk of ransomware infections. However, as we’ve seen by the wild success of ransomware campaigns, they aren’t enough. Instead of relying solely on such tools to block destructive malware, enterprises should consider how they might cut off attempts by ransomware to evade existing anti-malware tools. This is where Minerva steps in.
- Q. How does a solution, like Minerva’s Anti-Evasion Platform, protect against new ransomware we haven’t seen yet?
A. Minerva’s approach to blocking ransomware and preventing files from being destroyed doesn’t involve trying to determine whether a file or process resembles malware. Instead, we create an environment on the endpoint that causes ransomware to terminate itself, crash, or otherwise stop working properly. Our technology “attacks” attempts by evasive ransomware to get around AV tools, leaving attackers no opportunity to cause damage even when they use previously-unseen malicious software. When deployed with a baseline anti-malware solution, Minerva’s Anti-Evasion Platform allows enterprises to defend against all forms of ransomware, even those that are not yet known to AV vendors. Moreover, Minerva has a mechanism to prevent the destruction of files even if non-evasive malware finds a way to run on the system.
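The two answers above describe evasive ransomware checking whether it is running in an analysis sandbox, and a deception layer that lies to the malware about its environment so that its own check makes it stand down. The following is an added, simplified illustration of that idea; it is not Minerva's product code and does not describe its internals. The host facts, thresholds, VM MAC prefixes, process and driver-file names are common sandbox indicators chosen for this example, and the two sample hosts are constructed. In this model the `Host` object stands for what the sample observes, so "deception" is modelled by altering the observed facts; a real implementation would instead have to intercept the API calls the malware uses to gather them.

```python
# Added illustration of sandbox-evasion checks and an endpoint deception
# countermeasure. NOT Minerva's code; names/thresholds are example choices.
from dataclasses import dataclass, field

# Assumed indicators an evasive sample might test for (well-known examples):
# NIC OUI prefixes of VirtualBox / VMware virtual adapters.
VM_MAC_PREFIXES = ("08:00:27", "00:0c:29", "00:50:56", "00:05:69")
# Processes belonging to VM guest additions or analysis tooling.
ANALYSIS_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
                      "procmon.exe", "wireshark.exe", "x64dbg.exe"}
# Driver files that only exist inside a virtual machine.
VM_ARTIFACT_FILES = {r"c:\windows\system32\drivers\vboxmouse.sys",
                     r"c:\windows\system32\drivers\vmmouse.sys"}


@dataclass
class Host:
    """What a sample observes about its environment (constructed model)."""
    cpu_count: int
    ram_mb: int
    uptime_min: int
    mac: str
    processes: set = field(default_factory=set)
    files: set = field(default_factory=set)


def sandbox_indicators(h: Host) -> list:
    """Return the names of the sandbox/analysis indicators the host shows."""
    hits = []
    if h.cpu_count < 2:
        hits.append("low_cpu_count")
    if h.ram_mb < 2048:
        hits.append("low_ram")
    if h.uptime_min < 10:
        hits.append("short_uptime")
    if h.mac.lower().startswith(VM_MAC_PREFIXES):
        hits.append("vm_mac_prefix")
    if {p.lower() for p in h.processes} & ANALYSIS_PROCESSES:
        hits.append("analysis_process")
    if {f.lower() for f in h.files} & VM_ARTIFACT_FILES:
        hits.append("vm_driver_file")
    return hits


def evasive_sample(h: Host) -> str:
    """Evasive ransomware: refuses to run if it believes it is being analysed.
    That check is exactly the weakness deception turns against it."""
    if sandbox_indicators(h):
        return "self-terminated"
    return "encrypting"


def naive_sample(h: Host) -> str:
    """Non-evasive ransomware: never looks at its environment, so deception
    alone does nothing to it (other controls are needed for this case)."""
    return "encrypting"


def plant_deception(h: Host) -> Host:
    """Make a real workstation *look* like an analysis VM to anything that
    asks: a fake guest-additions process and a fake VM driver file. The
    genuine CPU, RAM, uptime and MAC are left alone."""
    return Host(cpu_count=h.cpu_count, ram_mb=h.ram_mb,
                uptime_min=h.uptime_min, mac=h.mac,
                processes=h.processes | {"VBoxService.exe"},
                files=h.files | {r"C:\Windows\System32\drivers\VBoxMouse.sys"})


# Constructed hosts: an ordinary corporate workstation and a typical sandbox.
WORKSTATION = Host(cpu_count=8, ram_mb=16384, uptime_min=4320,
                   mac="3c:52:82:aa:bb:cc",
                   processes={"explorer.exe", "outlook.exe"})
SANDBOX = Host(cpu_count=1, ram_mb=1024, uptime_min=2,
               mac="08:00:27:12:34:56",
               processes={"explorer.exe", "VBoxService.exe"})


def demo() -> dict:
    """Outcome of each sample on each host, for comparison."""
    deceived = plant_deception(WORKSTATION)
    return {
        "evasive_on_sandbox": evasive_sample(SANDBOX),
        "evasive_on_workstation": evasive_sample(WORKSTATION),
        "evasive_on_deceived_workstation": evasive_sample(deceived),
        "naive_on_deceived_workstation": naive_sample(deceived),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The comparison is the point: the evasive sample runs on the untouched workstation, but once the same machine advertises two sandbox artifacts the sample aborts itself even though nothing scanned or classified it, so a never-before-seen family using the same checks is stopped the same way. The naive sample is the caveat: deception only disarms malware that performs environment checks, which is why the answer above mentions a separate mechanism for non-evasive malware. Note also that each planted artifact is a trade-off; a fake VM driver file or guest-additions process can confuse legitimate software or administrators, so a real deployment has to choose artifacts that trip malware checks without disrupting the endpoint.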
- Q. What advice would you have for a business looking to protect itself from a ransomware attack?
A. Start with the basics: security patches, network segmentation, file backups, baseline AV protection. At the same time, recognize that these measures will often fail to work due to business decisions, staffing challenges, configuration errors, user behavior and other real-world reasons. Then consider what measures you can take to protect your organization against scenarios where ransomware finds a way to get around your security measures. At Minerva, we believe organizations don’t need to resign themselves to a high number of infections that will cause damage and require costly intervention by the IT staff. There is a way to block even previously-unseen, advanced ransomware, strengthening endpoints’ resilience against ransomware attacks. That’s what Minerva does.
Lenny Zeltser is a seasoned business and tech leader with extensive information security expertise. He builds innovative endpoint defense solutions as VP of Products at Minerva. Beforehand, as a product portfolio owner at NCR, he delivered the financial success and expansion of the company’s security services and SaaS products. Earlier in his career he managed the US team of service professionals, aligning their expertise to the firm’s cloud offerings as the national lead of the security consulting practice at Savvis (acquired by CenturyLink).