Should the endpoint protection marketplace (i.e. EDR and anti-malware) provide below the operating system malicious code execution prevention?
Either way, whether they do it or you have to have a different level of mitigation. Think of the firmware as another operating system. I've seen things in both my past at Intel and in other companies that would bypass any of those things that sit at the operating system level, because of the way in which they can hook into UEFI or hook into the firmware. And then it's invisible to any of them. So should they go there? Or if you get another solution? Either way, whatever solution would be there, would have visibility to certain things.
My point isn't to say that it shouldn't happen. It's just something that is very difficult. Which is probably why it hasn't happened. I don't know the answer. I mean, I don't think any of us do. I don't mean to speak for everybody but-
I wasn't sure either. Other than some startups that I know that are thinking about approaching it architecturally in different ways, in different parts, whether it be IOT or the traditional PC server, cloud infrastructure.
(1) I work at Bitdefender (a cybersecurity company that has been creating cybersec solutions since 2001; and yes, we have EPP/EDR/MDR, and soon XDR).
(2) What I'm writing here and below represents my sole opinions, and in no way can it be associated with Bitdefender.
Here is where I get very frustrated with all the marketing around our industry and I quote: "endpoint protection (platforms) marketplace and, for example, EDR (endpoint detection and response)."
Coming from a guy that spent the last 15 years building/leading/struggling with technical teams (pre/post-sale), I can tell you that I see a lot of confusion in the market, and people (C-level, Directors, Engineers, etc.) are just sick and tired of this nonsense, oftentimes ending up with a solution that does nothing. And just to emphasize, I don't blame the customers, but the marketers, more specifically, technical marketers.
In 2015-2017 we had the "Cylance approach", which basically disrupted the cyber market with "the best detection a light agent can bring" claims, by performing product POCs with their own samples; they would basically come in, give you a USB stick with "live malware" (very professional and ethical) and ask you to test their "light" agent against any other competitor. Anyone who has an idea of how basic encryption or even basic archiving works would have immediately smelled the air in the room and called it a day. Sadly, their mission was successful and the company got acquired for $1.4bn in 2018 or so.
In the meantime (2016-2018), the "EDR" players (Carbon Black, S1, CRWD) built the momentum and repositioned existing SIEM technology in the market (e.g. CRWD is built on Splunk, which will probably soon migrate to Humio), and spent marketing $ on making the market believe that they have an infosec detection and response problem, and that there's no way you should focus on prevention; that you need to start from the assumption that you are breached or soon to be breached. In addition to that, when you don't have the slightest idea about all the endpoint data that you have collected, make some room for the MDR "experts".
[...]
Coming back to the question that was asked, allow me to share with you my point of view:
1) Solutions that claim they've done inspection (pre/run/post code execution) from outside the OS, without affecting the performance of the user productivity, is one, and to this moment I am not aware of anyone else working to solve this. (McAfee also tried it a long, long time ago).
2) Bitdefender has managed to develop that technology for virtual environments for production-level, DC environment capabilities together with Citrix (XenServer team), back in 2015-2016. For anyone interested, this approach was not antimalware-based, was not anti-exploit-based, but we were detecting methods of attack (brute force, heap-sprays, memory injections, etc.) happening in the virtual machine's memory. With this solution, you achieve isolation of the virtual machine in a malware event (there is no agent on the machine, everything happened at the hypervisor level) and real-time insights into what happens with the memory (hypervisor API provided insights into the attack phases). I will not go into details, I'm not trying to sell anything here (it's open-source).
3) The response to the question is a hard Yes IMHO. This is actually the only way we will ever win the security battle at the endpoint level. As long as we continue to have system-level driver access, the battle is ... equal.
Also, do me a favor and ask your security vendor to explain what prevention technologies they use and test them (with your own malware test-bed).
Hope I didn't bore you guys to death.
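The answer above describes agentless detection of memory-level attack techniques (heap sprays, memory injections) from the hypervisor rather than from inside the guest OS. The following is an added illustration, not Bitdefender's or Citrix's code and not the hypervisor API the post refers to: a toy heuristic that scans a guest-memory snapshot for long runs of low-entropy, periodically repeated pages, which is the shape a heap spray leaves in memory. The snapshot here is a constructed byte string with a labelled "sprayed" region; a real introspection engine would read guest physical memory through the hypervisor and would also need page-table context to avoid flagging legitimate fills.

```python
"""Toy heap-spray heuristic over a constructed guest-memory image.

Added example: the page size, thresholds and sample image are assumptions,
not values from any product. The scan is purely read-only detection logic.
"""
import math
import random
from collections import Counter
from typing import List, Optional, Tuple

PAGE = 4096  # assumed guest page size


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; repeated-block sprays score very low."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def smallest_period(buf: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest p <= max_period such that buf[i] == buf[i - p] for all i >= p."""
    for p in range(1, max_period + 1):
        if buf[p:] == buf[:-p]:
            return p
    return None


def classify_page(page: bytes) -> str:
    """'zero' for untouched pages, 'spray-like' for periodic low-entropy fill."""
    if page.count(0) == len(page):
        return "zero"
    if smallest_period(page) is not None and shannon_entropy(page) < 4.0:
        return "spray-like"
    return "normal"


def find_spray_runs(image: bytes, min_pages: int = 8) -> List[Tuple[int, int]]:
    """Return (byte_offset, page_count) for runs of >= min_pages spray-like pages.

    Requiring a long contiguous run is what separates a spray from a single
    legitimate repeated-pattern page (e.g. a lookup table).
    """
    runs: List[Tuple[int, int]] = []
    start: Optional[int] = None
    count = 0
    for i in range(len(image) // PAGE):
        page = image[i * PAGE:(i + 1) * PAGE]
        if classify_page(page) == "spray-like":
            if start is None:
                start = i
            count += 1
        else:
            if start is not None and count >= min_pages:
                runs.append((start * PAGE, count))
            start, count = None, 0
    if start is not None and count >= min_pages:
        runs.append((start * PAGE, count))
    return runs


def build_sample_image() -> bytes:
    """Constructed snapshot: 4 random pages, 2 zero pages, 16 sprayed pages, 4 random pages."""
    rnd = random.Random(1)  # deterministic so the result is reproducible
    normal = bytes(rnd.getrandbits(8) for _ in range(PAGE * 4))
    zeros = bytes(PAGE * 2)
    block = b"\x0c" * 28 + b"ABCD"          # constructed 32-byte repeated filler
    sprayed = block * (PAGE * 16 // len(block))
    return normal + zeros + sprayed + normal


if __name__ == "__main__":
    for offset, pages in find_spray_runs(build_sample_image()):
        print(f"spray-like run at 0x{offset:x}: {pages} pages")
```

The heuristic is deliberately simple; the point of the hypervisor placement in the post is that the scan runs outside the guest, so code executing inside the guest cannot hook or disable it the way it can an in-OS driver.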
I think about my Sony DVR over there and my set-top box, that gets a firmware update every once in a while. My smart TV gets a firmware update. So even Sony, Panasonic, Vizio. So, which is where you start looking at it and you go, "Well, okay. Could a SolarWinds type thing happen there?" And then basically forget about the vulnerabilities that might just be because the firmware was written poorly, that somebody hijacks the update process and then adds extra bits to it and injects a level of maliciousness across a wide range of devices. So you have actually two ways of thinking about that firmware risk.