
Defending the endpoint with AI

Paid feature

Remember the good old days, when the only devices a company had to worry about were the PCs on its own network? Today, security teams must yearn for those times as they struggle to protect endpoint devices everywhere.

Now, one vendor is pushing for a new approach to protect the endpoint: An AI-based mechanism that mirrors the human immune system. Darktrace is mirroring the approach it takes to security at the core of the network with an endpoint agent that uses machine learning to protect PCs.

“The way we operate our businesses has changed so drastically over the last few years,” says Justin Fier, the company’s Director of Cyber Intelligence & Analytics. “Our endpoints look very different. They’re sitting in our houses, as opposed to in the brick and mortar buildings.”

It’s one thing to secure a PC on a network that you control. It’s another thing when the PC is sitting in your employee’s home, on the same LAN as their teenager’s malware-infested gaming rig, an internet-connected kettle, and a smart TV with software last updated years ago.

Traditional endpoint security isn’t working

Organizations grappling with these pandemic-borne challenges have been slow to adapt their endpoint security, Fier warns. They cling to traditional endpoint detection and response (EDR) tools, which vendors have tailored to serve endpoints that venture outside the company LAN.

The problem is that many EDR tools cling to yesterday’s approaches, which rely heavily on threat intelligence and rules-based responses. This leaves them looking at where attackers have been rather than where they’re going.

Online criminals are becoming more adept at evading these rules-based systems. They switch out their domains more quickly than they used to, test their malware against anti-virus systems’ rules-based mechanisms, and use snowshoe attacks to minimize the visibility of their malicious domains to blacklists. This makes it harder to maintain a comprehensive threat intelligence database with the most up-to-date information.

The effectiveness of these old approaches is questionable. Researchers who tested the 18 most popular EDR and endpoint protection products found that only two had full coverage for all attack vectors.

Throwing away the rule book

Rather than spotting known indicators of compromise and using them to trigger mitigation rules, Darktrace approaches the problem from the opposite side, working out what’s normal and spotting any traffic that deviates from known healthy patterns.

To do this, the company’s AI-powered Enterprise Immune System collates and crunches network traffic patterns. It uses machine learning techniques to create a statistical model representing a picture of normal activity. It then monitors the network core in real time to spot any deviations from that expected behavior.

An anomaly could be a user accessing a server that no one has ever seen before and trying to upload files to it, or a local machine beaconing to multiple machines that it wouldn’t normally talk to. Or perhaps the product might detect an email to an employee from a domain that rarely if ever sends mail to the company.

When it finds suspicious activity, its Antigena product can alert administrators and can also go further in an optional active mode by taking its own measures to instantly mitigate the behavior. Its self-learning mechanism can adopt a proportional response based on how serious it thinks the behavior is, ranging from quarantining an email through to cutting an endpoint off from the entire network.
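To make the baseline-then-deviate idea concrete, here is an added toy example (not Darktrace’s code; the log records, scoring weights and response tier names are constructed assumptions) that learns each host’s normal peers and protocols from a learning period, scores a later window for never-seen servers, fan-out to many unseen peers and new protocols, and maps the score to a proportional response tier.

```python
from collections import defaultdict

# Constructed learning-period records: (host, peer, protocol).
BASELINE_EVENTS = [
    ("laptop-a", "fileserver", "smb"), ("laptop-a", "mail", "imaps"),
    ("laptop-a", "intranet", "https"), ("laptop-b", "mail", "imaps"),
]

# Constructed monitoring-window records for the same hosts.
LIVE_EVENTS = [
    ("laptop-b", "mail", "imaps"),                    # normal
    ("laptop-a", "fileserver", "smb"),                # normal
    ("laptop-a", "srv-99", "smb"),                    # server nobody has seen before
    ("laptop-a", "10.0.0.7", "smb"), ("laptop-a", "10.0.0.8", "smb"),
    ("laptop-a", "10.0.0.9", "smb"),                  # fan-out to unseen peers
    ("laptop-a", "exit-node", "tor"),                 # protocol this host never used
]

def learn(events):
    """Build the per-host picture of normal: which peers and protocols each host uses."""
    peers, protos = defaultdict(set), defaultdict(set)
    for host, peer, proto in events:
        peers[host].add(peer)
        protos[host].add(proto)
    return peers, protos

def score_window(baseline, events):
    """Score each host's deviation from its own baseline over one window (weights assumed)."""
    peers, protos = baseline
    scores, new_peers = defaultdict(int), defaultdict(set)
    for host, peer, proto in events:
        if peer not in peers[host]:        # unknown host -> empty baseline -> all new
            new_peers[host].add(peer)
        if proto not in protos[host]:
            scores[host] += 3              # a new protocol weighs more than one new peer
    for host, seen in new_peers.items():
        scores[host] += len(seen)          # each unseen peer adds a point
        if len(seen) >= 3:
            scores[host] += 2              # fan-out to many unseen peers looks like beaconing
    return dict(scores)

def response(score):
    """Proportional response tiers; the names are constructed, not the vendor's."""
    if score == 0:
        return "none"
    if score <= 2:
        return "alert"
    if score <= 5:
        return "block_new_connections"
    return "isolate_host"

def assess(baseline_events, live_events):
    """Return {host: (score, response)} for every host seen in the live window."""
    scores = score_window(learn(baseline_events), live_events)
    hosts = {h for h, _, _ in live_events}
    return {h: (scores.get(h, 0), response(scores.get(h, 0))) for h in hosts}
```

Note that the response is keyed to how far a host has drifted from its own history, not to any signature: laptop-b stays quiet while laptop-a, which fans out to unseen peers and starts a new protocol, climbs to the isolation tier.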

Taking care of remote endpoints

That’s all well and good for endpoints that are actually on the corporate network, or at least connected by a VPN. But what about those endpoints that aren’t?

Let’s say an employee takes a device home to access the company network, which is something far more likely to happen in a post-pandemic world. Then they unwittingly forget to connect their computer to the VPN. Even worse, perhaps they maliciously pull the plug to hide some illicit activity.

Perhaps that employee downloads data to the computer at home that they have legitimate access to for work. Then, having disabled the VPN, they use their own connection to transfer it to a USB key, copy it to their home server, or upload it to a cloud-based file sharing service.

“We have always looked for that perfect visibility into our networks,” Fier says. “But now they’re doing whatever they want to do.”

An AI-powered agent

The company needed to extend that visibility to disconnected endpoints, so it launched Darktrace Endpoint. This endpoint detection and response product includes a lightweight agent called a cSensor that runs on Windows, Mac, or Linux and analyzes what’s happening on that device.

The agent acts as a local chaperone for the endpoint. It conducts its own local anomaly detection, mostly at the networking and communications level.

“The cSensor allows us to spot those very early precursors that something is amiss on a device, whether it’s intentional or unintentional,” Fier explains.

The agent looks for unusual connections or protocols (it would pick up an endpoint that suddenly started using onion routing protocols, for example). It could also spot newly installed applications talking to unusual places, or notice if a user connected an external device like a USB key to the laptop. The agent also picks up internal networking connections, such as the virtual connections used by malware running in virtual machines.

The cSensor provides extra telemetry that gives Darktrace’s other products more context. It is useful even when the endpoint is connected to the VPN, because it helps Antigena spot real-time endpoint issues while updating its self-learning corpus of network traffic.

For example, the cSensor agent works with Darktrace’s Antigena Email product to hone its autonomous response. It might spot an email from a new sender requesting a bank transaction, which might raise suspicions. Extra context from Antigena Email might reveal that the domain is new to the entire organization, not just that individual user. Darktrace Endpoint would level up its autonomous response based on this context.

Monitoring disconnected devices

The agent’s real utility kicks in when a device is disconnected from the network. It establishes a secure tunnel to the Darktrace instance running on the company’s network, enabling it to immediately alert the back-end software and take informed action based on intelligence gleaned from the Enterprise Immune System’s company-wide traffic model.

Malicious employees could completely disconnect the endpoint from the internet, which would stop the agent communicating with the back-end Darktrace instance. However, the disruption in regular heartbeat checks between agent and back-end would itself be an outlier that Darktrace would spot and address when the endpoint came back online.

A malicious employee who tried to get data from the device using a USB drive while the device was offline would also be detected. The agent would alert Darktrace to this and any other activities conducted on the laptop after the connection was restored.

The product offers protection against malicious activity by employees deliberately going off the reservation, but it’s also a useful way for organizations to cover all their security bases, explains Fier.

“A good use case is for organizations that don’t have 24×7 monitoring services but have internal regulatory requirements,” he says, adding that the agent will help Antigena detect unsafe combinations of personal and work activity on the same device. “It ensures that company devices aren’t being abused.”

Darktrace Antigena continues to protect other endpoint devices that don’t have agents, such as Android and iOS systems, by monitoring their network traffic. It also protects those devices that wouldn’t have been considered endpoints before the rise of the IoT. This includes low-footprint devices ranging from sensors to smart light bulbs and connected IP cameras.

“These days, I look at anything with an IP address as an endpoint,” says Fier. “We can use our Immune system platform to do anomaly detection with these systems too.”

The future of endpoint security

As people settle into a new post-pandemic working model, Fier predicts bigger changes in endpoint security. One of his biggest predictions is a change to home networking setups.

“Over the next year or two you’re going to see more companies asking to physically segregate company business from home personal use,” he says. “That might mean shipping you out a separate wireless network so that they can physically segregate their data from employees’ personal data and other devices on the home network.”

The endpoint is a traditional ingress point for digital toxins from phishing emails to malicious attachments. Now that the network boundary has dissolved, this attack vector is more complex and comes in many forms. By melding traditional EDR with machine learning-based analysis of all company traffic, Darktrace hopes that companies will have a better chance of catching suspicious activity – on whatever endpoint device it may occur.

Sponsored by Darktrace.