A Cybersecurity Proof: The Application is the Endpoint

Author: No Comments Share:
  • Vulnerable applications and browsers are the persistent data breach entry points—it’s not about the files
  • Isolation is the only solution that can absolutely eliminate kernel-level exploits and malware escapes
  • It’s time to rethink information security defense around fewer, smarter, yet more effective layers

You have many more endpoints than you think.

How many endpoints do you have on your PC? That might sound like an odd, counter-intuitive question—how could the answer be anything other than one? In fact, the truth is not as straightforward as you might imagine. Fixed applications are under siege—the files that manifest within those applications are just the traveling attack vectors. Applications are the ever-present pathways into your computer—and from there, into the enterprise. Now how many applications do you use on a daily, weekly, or monthly basis? For most of us, the tally can easily reach 10 or more. If you really think about it, each of those potentially vulnerable applications represent its own unique endpoint target.

One physical endpoint can easily contain 10 or more vulnerable application access points, each representing a persistent attack vector.

Register and attend or get the recording:
SANS Maturity Model Webinar
How to Grow Your Security Strategy

The application-as-endpoint concept becomes increasingly apparent when you think about the way bad actors operate. How do malware actors target your PC as a means of gaining a foothold into the organization? They don’t target the operating system, file system, kernel, or registry directly—after all, how would they possibly go about doing that?

Instead, they take advantage of both known and unknown vulnerabilities—everything from decade-old unpatched flaws to true zero-day exploits—that exist within everyday applications and browsers running on every Windows machine, targeting them with files and web-based content expressly designed to exercise those exploits, including:

  • Malicious Office documents
  • Weaponized PDFs
  • Steganographic malware in image files
  • Malicious executable content in Windows Media Player’s DRM functionality
  • File-less malware in web browsers

Application flaws will never go away.

Since there will always be software vulnerabilities, it’s primarily through the persistent flaws in these applications—including the intentional misuse of legitimate program capabilities—that host compromise is accomplished. So, the real key to solving this intractable problem lies in preventing a compromised application from ever harming the host.

Make no mistake: the vulnerability lies in the permanent applications, not in the transient files. So, defense shouldn’t be about the files at all—it should be about protecting the host from each potentially compromised process, which equates to the applications in which those malicious files run.

“True security can only be achieved by reducing the ability of a compromised process to do damage to the host.”

Detection won’t solve the problem—file-based defense is dying a slow death and is mathematically proven to be non-deterministic in regard to divining malicious intent. Whitelisting won’t solve it either, as legitimate content-rendering applications relied upon by every enterprise and government agency are being deliberately exploited and misused. And don’t think that sandboxing is your magic bullet—desktop and user emulation are poor substitutes for real users performing genuine business workflows on actual production systems, plus sandboxes are vulnerable to kernel-level exploits and escapes.

Smarter layers; not more layers.

What if you could do more with less? Achieve better, more effective, more reliable security with fewer defensive layers? You can, if you accept that detection always fails at enterprise scale and subsequently change your security mindset from “prevent, detect, and respond” to a new worldview of “isolate, contain, and control.”

Virtualization as a new security approach.

Virtualization has been universally accepted across a wide range of enterprise IT domains—from data centers, to cloud services, to virtual desktops, and more—with the next logical frontier being security. Isolation within protected virtual machines is the only solution that can absolutely eliminate kernel-level exploits and malware escapes. That’s why prominent analyst research firms—including Gartner and IDC—are now strongly advising clients to look at virtualizing their security operations to isolate and contain threats.

Enterprise and government defenders are increasingly adopting virtual security solutions—either as a supplement to, or as a replacement for—traditional detection-and-respond tools. Like other elements of your infrastructure, why would you knowingly expose real production endpoints to harm when you can safely virtualize them instead?

Register for our free, interactive webinar (and if you can’t attend, we’ll send you the recording), to learn how to align your defenses around the SANS Endpoint Security Maturity Model and leverage virtualization-based security to solve for the highest threat levels. Learn how to improve your security by replacing ineffective malware detection layers with the steady reliability of application isolation and control instead.

Previous Article

Cybersecurity vs Productivity: The CISO’s Dilemma

Next Article

Watch: SANS Maturity Model Describes How to Grow Your Security Strategy [Webinar]

You may also like