The document discusses the complexities of malware prevention, highlighting the importance of endpoints as critical points of vulnerability within organizations. It outlines a roadmap for improving endpoint security, including developing better detection techniques and enhancing system visibility while addressing non-malware threats. Additionally, it emphasizes the need for root cause analysis and process improvements to effectively tackle the evolving landscape of cybersecurity threats.

1. Why is malware so difficult to defeat?
• We no longer have one perimeter: we have many
• Market currently unstable (still consolidating)
• Endpoint is a blind spot
• Blaming the user (aka “stop clicking links”)
• Discarding useful tech because it couldn’t solve
the problem by itself
• Many, many more...
1

2. Why is the endpoint important?
1. This is where work happens
2. One of the easiest paths into a company
3. BYOD and ShadowIT are unsolved problems

3. How I see the market
Prevention
(pre-execution)
Detection and Data
Collection
(post-execution)
Platform
Hardening
80+ Vendors
50/50 split
complementary/
primary

4. Buzzword Bingo: NGAV and EDR definitions
NGAV: The ability to stop threats without prior
knowledge of them
EDR: Endpoint Data Recorder
(a slight acronym modification)

5. NGAV
NEED: a better
malware
mousetrap
WHAT: Automated
detection of
unknown threats
WHY: auto-
generated
malware gets
through
EDR
NEED: endpoint
visibility; serious
blind spot
otherwise
WHAT: Record
detailed endpoint
data
WHY: detect
attacks that defeat
1st layers of
defense
Hardening
NEED: More
permanent,
resilient solutions
WHAT: Wide
variety of
approaches
WHY: Passive
defenses reduce
pressure on
frontline defenses
Remediation
NEED: Contain
and clean up
threats
WHAT:
Containment and
automated
remediation
WHY: Reduce
expense and labor
of dealing with
threats
Endpoint categories: What’s driving them?

6. My roadmap for the industry
1.Build a better malware mousetrap
2.Threat-driven hardening
3.Detect/Stop Non-Malware attacks
4.Full-system visibility (EDR)
5.Data visibility
6.More resilient host
6

7. Ready for a Malware Relief Program?
Before we tackle the roadmap...
let’s explore how we got into this fix...
7

8. Where did we go wrong?
8

9. Where did we go wrong?

10. Where did we go wrong?
$$$

11. Where did we go wrong?
12

12. Where did we go wrong?
1.Not enough root cause
analysis
2.Not enough process
improvement (if any)
3.Even when we do succeed,
we force the attacker to
change tactics.
Are we ready for that?

13. Step1: Build a better mousetrap

14. MY definition for NGAV
The ability to detect and stop threats without prior
knowledge of them
15
What is prior knowledge?
• Signatures
• IoCs
• Malware analysis sandbox
• Blacklisting
Most common NGAV strategies
• Machine learning models
• Static behavior analysis
• Dynamic behavior analysis

15. Step2: Threat-driven hardening

16. Step2: Threat-driven hardening
Most infections occur due to vulnerabilities in a handful of apps, like:
1. The Java browser plugin
2. Flash
3. Browsers
4. Operating Systems
5. MS Office
The Point: You don’t have to fix EVERYTHING. Fix the things most likely to result in malware infections first.
Threat Intel*
Root-cause
analysis
Process
Improvement
* - Not the “here’s 1 billion hashes and IP addresses, good luck” ‘threat intel’. We’re
talking high level, “

17. Step3: Stop and detect non-
malware attacks

18. Step3: Stop and detect non-malware attacks

19. Step4: Full system visibility (EDR)

20. Why EDR? Blind spots.
22
Endpoint
East-West
Traffic
Cloud/SaaS Data

21. EDR: Endpoint Detection and Response
Many use cases:
• detection
• forensics
• incident response
• source for automation event triggers
Ultimately, EDR is a sensor that provides rich,
forensic data before you need it
23

22. Examples: Ransomware prevention
1. Kill any process attempting to stop the volume
shadow service (VSS)
2. If a powershell or CMD process is created
shortly after opening an office document,
inspect and/or quarantine the office document.
3. Create a folder sure to be the first in an
alphabetical list (__aardvarks). Trigger a
containment action (e.g. isolate machine).
24

23. Step5: Data visibility

24. 7 million records?
7000 records?
7 records?
Nothing?
No clue = assume the worst 
What was breached?

25. Step6: A more resilient endpoint

26. Prevention: AV/NGAV versus Hardening
Think of AV/NGAV as active prevention,
whereas hardening is passive.
AV/NGAV knows it prevented something; a
more hardened system may not.
Example?

27. What about recovery???

28. What about remediation and response?
• Remediation = cleaning up after the attack
• Containment = isolating the incident
• Automated Endpoint Remediation: can we stop
reimaging PCs yet???
30

29. What about remediation and response?
31

30. Post-Roadmap: Malware is
solved! Right?
32

31. Solving malware = solving endpoint security?
33
0%
5%
10%
15%
20%
25%
30%
35%
40%
2012 2013 2014
Error
Hacking
Malware
Misuse
Social
How big a part of the
breach problem is
malware?
15% in 2012
24% in 2013
33% in 2014
Source: Verizon Enterprise Solutions

32. What are your endpoint security pain points and goals?
Pain Points
1. Cleaning up infections 24/7
2. Catch attacks that bypass preventative controls
3. Catch/prevent non-malware threats
4. Catch insider threats
5. Did a breach actually occur?
Goals
1. Better prevention; hardening
2. Better detective controls, better endpoint
visibility
3. Better endpoint visibility; hardening
4. Better endpoint visibility
5. Visibility into file movement, data exfiltration
34

33. Recommendations
1.Think through and act out worst-case scenarios
2.(Combined with #1) Test and fail repeatedly. Learn from
failures.
3.Don’t turn security products to 11 until they’ve been
thoroughly tested
4.Include security software/systems in your threat mapping
5.Don’t break the user.
6.Consider time-to-value and labor-to-value ratios
36

34. Adrian Sanabria
@sawaba
37