Today's multiheaded malware needs a multipronged solution

By analyzing and predicting process behavior, a new approach to endpoint protection overcomes the limitations of traditional AV detection and sandboxing

Targeted attacks, advanced threats, and government-grade malware have evolved beyond the detection capabilities of traditional security solutions. They use one-of-a-kind polymorphic malware and obfuscation techniques to infiltrate corporate networks, set up command-and-control communications, open backdoors, and steal sensitive data.

For example, in March 2014, our research organization detected a sophisticated piece of malware dubbed Gyges that is capable of operating undetected for long periods of time. This government-grade malware, which appears to be designed to carry out nation-state attacks, had fallen into cyber criminals’ hands.

Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized, and coupled with other malware to commit cyber crime.

Most attacks target organizations where they are most vulnerable: on endpoint devices. These include desktops, laptops, phones, tablets, servers, and embedded devices like point-of-sale terminals. Endpoints are easy prey primarily due to the fact that signature-based antivirus has become obsolete, even according to Symantec.

Second-generation approaches, namely network-based monitoring and sandbox analysis, too often fail to prevent and remediate damage. That’s because attackers have developed anti-virtual machine techniques to create sandbox-aware malware that will act benign until it is running on an unprotected target device.

It’s clear we need a new approach to endpoint security — one that doesn’t rely on static signatures, whitelists, or static indicators of compromise.

Reinventing endpoint security

A new, more effective approach to malware detection and response is to predict the attack sequence — which promises to deliver a giant leap in security innovation. SentinelOne has developed a predictive execution inspection technology that can determine what a threat is likely to do next, based on behavioral analysis, attack patterns, malware techniques, and up-to-the-minute crowdsourced threat intelligence.

Unlike antivirus solutions that focus on static signatures and known binaries, predictive execution inspection is focused on threats and how they behave. The SentinelOne implementation uses a lightweight native client to monitor all endpoint activity, both on and off network, tracking each newly created process from beginning to end. By building a full context around every process execution path in real time, the predictive execution modeling engine can detect, predict, and block malicious behavior — instantly.

This approach can detect threats at the inception stage, but in cases where behaviors are not immediately and conclusively malicious, it provides two additional layers of protection.

To stop attacks as they unfold, predictive execution inspection analyzes threat behavior based on low-level instrumentation of all OS activities and operations, including memory, disk, registry, network, and more. This allows for the detecting and tagging of anomalies using behavioral logic derived from advanced clustering techniques and machine learning. The system can stop threats from fully executing to prevent damage and data loss. It also creates and shares behavioral patterns to prevent the spread of infection to other endpoints.

As a last line of defense, predictive execution inspection identifies hidden threats by detecting kernel tampering, exfiltration attempts, and aberrant behavior, including “low and slow” stealth activity that would otherwise be invisible. This minimizes damage and data theft by reducing threat dwell time.

Predictive execution inspection at work

Here are two examples that illustrate how SentinelOne’s predictive execution inspection technology can detect threats that evade and bypass traditional endpoint and network security mechanisms.

Example 1: An attacker modifies a known malware RAT (remote administration tool) variant to make it look like a new binary. However, it still performs the same actions – allowing the attacker to remotely control an endpoint. Binary changes – but behavior doesn’t. Antivirus tools are unable to detect the new binary because it is not blacklisted yet. SentinelOne inspects the code’s execution and detects behaviors associated with a RAT (persistence, command-and-control communications, access to sensitive information, keylogging, and data theft techniques) without prior knowledge of this specific malware sample.

Example 2: An attacker targets an organization that he knows is using a given commercial software platform such as an ERP or CRM system. This company has a sandbox security system in place. The attacker modifies a known Trojan and packs it with a piece of code that will execute only on a machine that has the target software installed. The malware accomplishes this by first searching for the platform on the program files directory. When the sandbox intercepts, examines, and emulates the file, the binary acts benign and aborts execution because the target software is not found on the sandbox. When the file later arrives on the target device where the targeted software is present, the malware executes. Because SentinelOne resides on the actual device and does not use emulation or virtualization, it can natively monitor live endpoint activity, detect the Trojan behavior, and block it.

Deployment consideratons

Because the SentinelOne agent follows the entire execution lifecycle of a process, it understands and builds context – instead of relying on single-point-in-time inspection (like traditional HIPS systems). This greatly reduces the number of false positives because the system collects evidence regarding whether a process is malicious or not. Only when the agent is certain that the entire behavior chain cannot be attributed to a legitimate application will it take action.

The administrator can configure the system to work in a detect-only mode or in an automated mitigation action mode that includes threat quarantine options, network quarantine, endpoint shutdown, and other remediations.

Because SentinelOne’s endpoint agent observes processes by trailing them, it adds less than a microsecond per monitored process and has an average CPU usage of 0.4 percent. Its impact is virtually unnoticeable by users.

Today the most common deployment use case for SentinelOne is as a complement to other security solutions. When we release our full endpoint protection suite, we will be able to displace current signature-based (AV) and whitelisting solutions, because that functionality will already be included in the SentinelOne agent.

Predictive execution inspection leapfrogs current approaches to endpoint security. By tracking each newly created process on a device from beginning to end, this model can determine what a threat is likely to do next. This enables SentinelOne to conclusively detect and block even the most sophisticated zero-day attacks and government malware.

Tomer Weingarten co-founded SentinelOne in 2013. He is responsible for the company’s direction, products, and services strategy. Before SentinelOne, Tomer led product development and strategy for the Toluna Group as a VP of Products. Prior to that he held several application security and consulting roles at various enterprises, and was CTO at Carambola Media.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to

Copyright © 2014 IDG Communications, Inc.