From the demise of conventional signature-based endpoint technologies have risen next generation solutions. These technologies have cluttered the marketplace introducing a conundrum for endpoint selection. This session will focus on the key requirements for effective security prevention, detection, and remediation. It will introduce a real-world framework for categorizing endpoint capabilities, and enable selection of solutions matching the unmet needs of security programs. The following topics will be covered: • What do i actually need? • Real-world framework to categorize endpoint capabilities • Map vendors into buckets within the framework • Housekeeping, what's needed before you even start? • Cheat sheet of probing questions to ask vendors • Best practices of deploying best of breed solutions

1. NextGen Endpoint For Dummies: Tech Survey & Decision Guide
Atif Ghauri, CISSP
CTO & SVP at Herjavec Group

2. Live Survey – Show of Hands
a) Are you currently using an NextGen Endpoint Solution?
b) Are you looking for NextGen Endpoint Solution?
c) Are you ripping out your NextGen Endpoint Solution?

3. Today’s Agenda
1. What is NextGen Endpoint and why care?
2. What to look for and how to evaluate the clutter?
3. Give me specific details!
• Vendor Deep-Dive Analysis

4. Why Are We Talking Endpoint Today?
4
Your users are the #1 threat vector
• Phishing
• Malware
• Social Engineering
• Inside Threat
• URL Redirection
• Unpatched Systems
• Zero Day
70%+of attacks occur on the endpoint

5. Why is NextGen Endpoint So Hot?
» Industry is failing to kill bad code
» Failure of the current solution
• 47% legacy AV customers have been successfully compromised (Gartner)
• Hackers write real-time evasion code against legacy AV
» Customer Needs Multiple Protection Schemes
• Signature based, Behavior Based, Real-time Updates (Cloud)
» Consolidation
» Audit Compliance
5

6. When in doubt, follow the money…

7. Investment Community Frenzy
7
» Google invests in Crowdstrike
» Digital Guardian raises $66M
» McAfee developed Active Response
» Tanium raised $262M on $3.5B Valuation
» Cylance gets $100M with $1B Valuation
» Carbon Black acquires Confer in $100M deal
» McAfee went Private with $3.1B

8. Today’s Agenda
1. What is NextGen Endpoint and why care?
2. What to look for and how to evaluate the clutter?
3. Give me specific details!
• Vendor Deep-Dive Analysis

9. Long List Of Wants – Focus On Your Needs
 Ability to perform forensics
 Cloud based solutions an alternative
 Infection analysis capability
 Mobile integration roadmap
 Virtualized footprint and performance
capability
 Vulnerability management, patch
management, app control
 Process Attestation – Known vs
Unknown
 Malware analysis capability
 Scalability from 1k to 100k users
 Operation System Coverage
 BYOD Impact
 Integration with existing NG or APT
Network technologies
 Unified Policy for both Network and
End Point
 Sandboxing with cloud support
 Ability to perform forensics
 Cloud based solutions an alternative
 Infection analysis capability
 Mobile integration roadmap
 Virtualized footprint and performance
capability
 Vulnerability management, patch
management, app control
 Process Attestation – Known vs
Unknown
 Malware analysis capability
 Scalability from 1k to 100k users
 Operation System Coverage
 BYOD Impact
 Integration with existing NG or APT
Network technologies
 Unified Policy for both Network and
End Point
 Sandboxing with cloud support

10. Let’s Simplify with a Framework
10
1 - Prevent 2 - Detect 3 – IR & Remediation
 24/7 Real-time Monitoring
 System Baselining, and Hardening
 Process and App Whitelisting
 User Behavior Analysis
 IP/URL Lookup
 Sandboxing
 IoC Integration for Rapid Detection
 Incident Identification and Notification
 Triage and Confirmation
 Containment
 Dwell Time Reduction
 Enriched Alerts for Remediation
• Process Hunting for Unknown vs Known
• Design and Model Changes
• Unleash Forensics
• Capturing Lessons Learned
• Configuration Management
• Vulnerability Assessments

11. What’s influencing your peers when buying?
» Flexible Licensing Models
» Attractive Admin Interface and Ease of Use
» Ambidextrous Vendor Integration
» Performance
» OS Coverage
» Reference Customers
11

12. Structured POC Scorecard
12
Vendor A Vendor B Vendor C
Cost (1 year) 1M 400K $354K
Cost (3 years) $1.3M $940k $790k
Flexible Licensing 9.9 9.4 6.2
Ease of Use 6.4 8.0 8.0
Integration 3.1 2.7 2.2
Performance 4.4 4.3 3.6
OS Coverage 8.4 6.5 5.5
Reference Customers 9.1 7.1 6.5
Buy
Criteria

13. Do’s and Don’ts
» Don’t just kill your AV
» Do measure twice but cut once
» Don’t forget to consider desktop support
» Do multiple bake-off POCs
» Don’t forget about user compliance
» Do buy a solution you can actually manage

14. Today’s Agenda
1. What is NextGen Endpoint and why should I care?
2. What should I look for and how do I evaluate the clutter?
3. Give me details!
• Vendor Deep-Dive Evaluation Notes

15. 5 Protection Techniques for Dummies
1. Signature Based Anti-Virus
2. Isolation or Sandboxing
3. Behavior Based Anomaly Detection
4. Whitelisting
5. IR and Remediation

16. How does it work? LegacyAV
» Compare signatures from bit patterns of known threats
» AV scans file before user interaction detecting known threats
» Yes it’s legacy but has evolved to handle near zero day threats
» Smart AV uses cloud to phone home ‘real-time’ for detection
» Remediation techniques: Clean and Quarantine

17. How does it work? Isolation
FACT: An average workstation is capable of hosting hundreds of tiny disposable computers concurrently
THEREFORE: Why not create a container (or Sandbox, microVM) to allow threats execute with minimal resources
» Work on a “need to know” basis with OS
• Leverages hardware based isolation to defeat both known and unknown threats
• CPU bound hypervisor (aka microVisor)
» microVM’s are isolated from both OS and each other -> kills risk of lateral movements attacks
• Uses microVM capability enabled in modern operating systems
• microVM containers pawn off new applications or suspected threats in a secure environment
• Threat is allowed to run and if dangerous the process is stopped and the container trashed
» Desired Results
• Safe environment to play
• Capture detailed threat information which can be used for forensic analysis

18. Bromium – How does it work?
» All user actions are disposable
• Task based isolation at a hardware level is unprecedented!
» Controls all access to files systems, registry, communications and auth
» Works on virtualization technology and does not use signatures
» Isolates suspect file into a microVM to allow the file to execute
» Only needed resources are visible and all trusted resources are visible
» Converts printing files to a trustworthy format
» Can be CPU and memory intensive at times
18

19. How does it work?
Behavior-Based Anomaly Detection
» Monitor process and memory execution for anomalies
» In theory there’s a finite number of ways to attack a system and most
commonly known attack vectors.
• Accordingly intercept the process and watch for known attack vectors and stop the
process when it occurs.
• Simultaneously report it and kickoff forensic analysis and for remediation before too late
» Differs from Sandboxing
• Triggers as process is invoked, so does not need to containerize  increases speed

20. CrowdStrike – How does it work?
» Works like a high-definition surveillance camera
• Want to know what happened and how blow by blow
• Pattern bad behavior and make money off of this knowledge
» Cloud based with detection and a prevention philosophy
• Small kernel driver and no hardware required Heavy process monitoring and cloud
based analysis real-time
• Protects when Internet is down using custom protection and exploit blocking
• Uses known attack vectors to analyze the suspected threat and will block the processes
» Now also provide VirusTotals, SO both behavior and signature-based

21. CrowdStrike – Details
» CS has a deep understanding of hacker trade craft
• Adversary focus enables visibility into who is attacking and how
• Extensive IoA and IoC library in a cloud database
• Forensic data is extensive - follows the infection and traces origin
» Big on Indicator of Attack (IOA) which is modeled and recorded as patterns
• User established network connection, Process is executed, registry edited, memory called
» Tech Notes
• When you deploy CS the agent doesn’t require a reboot
• Kernel mode driver - records all patterns of memory call, io operations, network connections, etc
• 1.5MB agent, very small compared to 50MB other agents
• Uses on ~5MBs of day per user per agent
• Locally caches events when offline

22. PANTraps - Overview
» Behavior Based (Cyvera Acquisition 2014)
• Monitors for known illegal activities at process level, kills process upon detection
• Looks for a common set of tools or techniques used in all known exploits to detect threats
» Uses small driver enabled with behavioral techniques to detect threats
• Monitor the process and analyse the behaviour of the application
• Triggers Wildfire Cloud system to check the Hash of the file.
• Compares to user policies governing what software is allowed to run and from what directories as well as
Java apps and external media
» Tech Notes
• Runs on approximately 50MB of RAM with average of .1% CPU utilization
• Sends in-depth data to endpoint server for forensic analysis and reporting
• Local server caches Wildfire verdicts and provides a responses locally to other victims

23. Cylance – Overview
» Solve the problem of ‘Malware Identification’ at Scale
• Uses statically analyzing features found in the binary itself
• Use machine learning through math models
» Do “File Genome” - Similar attribute mapping scoring as biologists do with human genome
» Avoid Patent 0 or Sacrificial Lamb
» Tech Notes
• Never see the file execute, quarantine prior to execution in bits/bytes from the binary on host
• Strong coverage across operating systems
• No infrastructure to install, all cloud based management
• Cylance Footprint vs Traditional AV
- 1/10 of CPU
- 1/40 of IO
- 1/3 of network usage
- 20-40 MBs large
23

24. Tanium - Overview
» It’s fast
» Query thousands of endpoints in real time and report
• Software versions an in-depth inventories
• User processes and activities
• Current software being run by users with history
» Perform single touch software patching, updates, and deployments
» Provides real-time monitoring of all endpoints
» Incident response: mark desktops for re-imaging and kill switches if a threat is
detected
» Analysts use Tanium to delete files that were identified as threats by other systems
» Forensic information is detailed and can be reported in many different ways or
queries.

26. Thank You
Atif Ghauri
CTO & SVP Herjavec Group
aghauri@herjavecgroup.com
26