Should the endpoint protection marketplace (i.e. EDR and anti-malware) provide below the operating system malicious code execution prevention?


Board Member, Advisor, Executive Coach in Software, Self-employed
There are portions of that below-the-operating-system stack that even Intel, Nvidia, Qualcomm and so on don't control. They're a part of it, but the person who actually manufactured the server, the motherboard, in some cases has implemented the final version of it or has implemented their own. And then there are the update pathways to those things that... think of SolarWinds.

I think about my Sony DVR over there and my set-top box, that gets a firmware update every once in a while. My smart TV gets a firmware update. So even Sony, Panasonic, Vizio. So, which is where you start looking at it and you go, "Well, okay. Could a SolarWinds type thing happen there?" And then basically forget about the vulnerabilities that might just be because the firmware was written poorly; somebody hijacks the update process and then adds extra bits to it and injects a level of maliciousness across a wide range of devices. So you actually have two ways of thinking about that firmware risk.
CISO in Software, 51 - 200 employees
It's sticky. Because you start seeing things, that's the problem. They start sticking their nose into stuff that they shouldn't see. On a point of sale system. So we're going to swipe that credit card and you're going to be on that endpoint in the firmware and you're going to see everything that goes in and out. All of a sudden all your endpoint protection has to be 100% PCI DSS Level 1. Good luck.
Board Member, Advisor, Executive Coach in Software, Self-employed

Either way, whether they do it or you have to have a different level of mitigation. Think of the firmware as another operating system. I've seen things in both my past at Intel and in other companies that would bypass any of those things that sit at the operating system level, because of the way in which they can hook into UEFI or hook into the firmware. And then it's invisible to any of them. So should they go there? Or if you get another solution? Either way, whatever solution would be there, would have visibility to certain things.

CISO in Software, 51 - 200 employees

My point isn't to say that it shouldn't happen. It's just something that is very difficult. Which is probably why it hasn't happened. I don't know the answer. I mean, I don't think any of us do. I don't mean to speak for everybody but-

Board Member, Advisor, Executive Coach in Software, Self-employed

I wasn't sure either. Other than some startups that I know that are thinking about approaching it architecturally in different ways, in different parts, whether it be IoT or the traditional PC server, cloud infrastructure.

VP, Field Engineering and Enablement in Software, 1,001 - 5,000 employees
Full Disclaimers:
(1) I work at Bitdefender (a cybersecurity company that has created cybersec solutions since 2001 and yes, we have EPP/EDR/MDR, and soon, XDR).
(2) What I'm writing here and below represents my sole opinions and in no way can it be associated with Bitdefender.

Here is where I get very frustrated with all the marketing around our industry and I quote: "endpoint protection (platforms) marketplace and, for example, EDR (endpoint detection and response)." 

Coming from a guy that spent the last 15 years building/leading/struggling with technical teams (pre/post-sale), I can tell you that I see a lot of confusion in the market, and people (C-level, Directors, Engineers, etc.) are just sick and tired of this nonsense, oftentimes ending up with a solution that does nothing. And just to emphasize, I don't blame the customers, but the marketers, more specifically, technical marketers.

In 2015-2017 we had the "Cylance approach", which basically disrupted the cyber market with "the best detection a light agent can bring" claims, by performing product POCs with their own samples; they would basically come in, give you a USB stick with "live malware" (very professional and ethical) and ask you to test their "light" agent against any other competitor. Anyone who has an idea of how basic encryption or even basic archiving works would have immediately smelled the air in the room and called it a day. Sadly, their mission was successful and the company got acquired for $1.4bn in 2018 or so.

In the meantime (2016-2018), the "EDR" players (Carbon Black, S1, CRWD) built the momentum and repositioned existing SIEM technology in the market (e.g. CRWD is built on Splunk, which probably will soon migrate to Humio), and spent marketing $ into making the market believe that they have an infosec detection and response problem + that there's no way you should focus on prevention; that you need to start from the assumption that you are breached or soon to be breached. In addition to that, when you don't have the slightest idea about all the endpoint data that you have collected, make some room for the MDR "experts".


Coming back to the question that was asked, allow me to share with you my point of view: 

1) Solutions that claim they've done inspection (pre/run/post code execution) from outside the OS, without affecting the performance of the user productivity, are one thing, and to this moment, I am not aware of anyone else working to solve this. (McAfee also tried it a long, long time ago.)
2) Bitdefender has managed to develop that technology for virtual environments for production-level, DC environment capabilities together with Citrix (XenServer team), back in 2015-2016. For anyone interested, this approach was not antimalware-based, was not anti-exploit-based, but we were detecting methods of attack (brute force, heap sprays, memory injections, etc.) happening in the virtual machine's memory. With this solution, you achieve isolation of the virtual machine in a malware event (there is no agent on the machine, everything happened at the hypervisor level) and real-time insights into what happens with the memory (the hypervisor API provided insights into the attack phases). I will not go into details, I'm not trying to sell anything here (it's open-source).
3) The response to the question is a hard Yes IMHO. This is actually the only way we will ever win the security battle at the endpoint level. As long as we continue to have system-level driver access, the battle is ... equal.

Also, do me a favor and ask your security vendor to explain what prevention technologies they use and test them (with your own malware test-bed). 

Hope I didn't bore you guys to death.
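To make the agentless idea in point 2 concrete, here is an added example (not Bitdefender's, Citrix's or the thread's own code) of two simplified heuristics a hypervisor-side monitor could run over a guest memory snapshot: flagging heap-spray-like pages and writable-plus-executable pages, i.e. detecting the method of attack rather than matching a malware signature. The `Page` layout, page size and both snapshots are constructed here for illustration.

```python
from collections import Counter
from dataclasses import dataclass

PAGE = 4096  # guest page size assumed for this constructed snapshot

@dataclass
class Page:
    addr: int
    data: bytes
    writable: bool
    executable: bool

def heap_spray_ratio(pages, chunk=64):
    """Fraction of pages dominated (>90%) by one repeated 64-byte block.
    Legitimate heaps are varied; a spray fills many pages with one block."""
    sprayed = 0
    for p in pages:
        chunks = [p.data[i:i + chunk] for i in range(0, len(p.data), chunk)]
        _, top = Counter(chunks).most_common(1)[0]
        if top / len(chunks) > 0.9:
            sprayed += 1
    return sprayed / len(pages)

def writable_executable(pages):
    """Addresses of pages mapped both writable and executable: a footprint
    of runtime code injection that a hypervisor can see without an agent."""
    return [p.addr for p in pages if p.writable and p.executable]

def assess(pages, spray_threshold=0.5):
    """Combine the two heuristics into a verdict a hypervisor monitor could
    act on (e.g. isolate the VM), independent of any malware signature."""
    ratio = heap_spray_ratio(pages)
    wx = writable_executable(pages)
    return {"spray_ratio": ratio, "wx_pages": wx,
            "suspicious": ratio >= spray_threshold or bool(wx)}

# Constructed snapshots (not real captures): a benign heap of varied data,
# and one where most pages hold a single repeated filler and one page is W+X.
VARIED = bytes(range(256)) * (PAGE // 256)
BENIGN = [Page(0x1000 * i, VARIED, True, False) for i in range(8)]
FILLER = b"\x0c" * PAGE
SPRAYED = [Page(0x1000 * i, FILLER, True, False) for i in range(6)]
SPRAYED += [Page(0x7000, VARIED, True, False), Page(0x8000, VARIED, True, True)]

if __name__ == "__main__":
    print(assess(BENIGN))   # low spray ratio, no W+X pages
    print(assess(SPRAYED))  # 6 of 8 pages sprayed plus one W+X page
```

A real introspection engine reads the guest's page tables through the hypervisor API rather than a list of `Page` objects, but the decision logic is the same shape.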
