Elastic Endpoint Security excels in third-party tests | Elastic Blog


Editor’s Note — August 19, 2020: The Elastic Endpoint Security solution mentioned in this post is now referred to as Elastic Security. The broader Elastic Security solution delivers endpoint security, SIEM, threat hunting, cloud monitoring, and more. Future mentions of Elastic endpoint security will refer to the specific anti-malware protection that users can enable in Ingest Manager.

Openness has long been at the heart of our ethos at Endgame, and it’s part of what makes joining forces with Elastic — an organization with nearly identical culture and values — so exciting. It has long been important to us that endpoint security not be treated as a magic black box shrouded in buzzwords and marketing deception. To this end, we participate in third-party testing and evaluation of our products, inform our users on how our capabilities work at the ground level, and publicly share tools and relevant data. 

Note: The third-party reports mentioned below refer to the Endgame product, which is now known as Elastic Endpoint Security in light of Endgame joining Elastic.

One such evaluation we participate in monthly is AV-Comparatives, an independent organization that tests and assesses antivirus software. We have been certified as an Approved Business Product by AV-Comparatives since 2017, undergoing rigorous testing of emergent malware that appears in the real world. The samples AV-Comparatives uses test only a single preventative feature of the product: our Windows anti-malware capability, MalwareScore — but MalwareScore’s ability to provide protection on its own is self-evident in the results. 

AV-Comparatives recently released its Business Security Test August-September 2019 — Fact Sheet containing the results of the Business Malware Protection Test (September 2019) and Business Real-World Protection Test (August-September 2019). Elastic Endpoint Security is shown delivering 99.7% effective protection during real-world malware testing and a 99.8% protection rate in the broader malware protection test. Notably, we are able to achieve this level of protection with no reliance on cloud connectivity. Our autonomous agent provides both online and disconnected endpoints complete prevention against malware and fileless attacks to minimize any potential missed detections when network or data center issues are present — a risk that was highlighted in these AV-Comparatives results. 

Other major third-party evaluations include the NSS Labs Advanced Endpoint Protection (AEP) Test and MITRE ATT&CK evaluations. NSS Labs provides a comprehensive test of endpoint prevention, evaluating accuracy, effectiveness, and total cost of ownership, while the MITRE ATT&CK evaluation focuses on a vendor’s ability to provide data visibility and post-compromise detection. Our results in the last round of testing in both of these speak for themselves and we look forward to demonstrating the effectiveness of our product in the next evaluation of each.

How does Elastic Endpoint Security work?

Elastic Endpoint Security has a series of protections that operate on the endpoint in real time. Our protection philosophy is that any single protection, whether signature- or behavioral-based, can and eventually will be bypassed as attacker tradecraft evolves. With multiple layers of defense in place, if one protection is bypassed, the attacker has to pass through many more layers of behavioral protection before they can achieve their objective. Our research team continually enhances our protection components in order to stay ahead of the attacker.

The signature-less protections in Elastic Endpoint Security cover three main categories: file-based malware prevention, kernel behavioral protections, and post-compromise adversary tradecraft protection. Let’s dive into what each of these entails.

File-based malware prevention

Elastic Endpoint Security has three file-based malware prevention capabilities built for: 

  1. Windows Portable Executable files (executable binaries compiled to run on the Windows operating system, commonly called PE files)
  2. MacOS files (executable binaries compiled to run on the Mac operating system)
  3. Macros (embedded executable macro code contained in Microsoft Office files for Windows)

Our endpoint agent implementation allows us to evaluate files and block malware before it’s allowed to execute. We do this using our kernel driver, which monitors filesystem activity, process execution, module loads, and document opens. The file in question is passed to the ML model evaluation engine where features such as file entropy, header information, byte histograms, and more are extracted, and then passed through the model. If the score generated by the model exceeds the built-in threshold for malware, blocking actions are taken and alerts generated. This allows us to block malware without the endpoint itself relying on cloud connectivity, signature distribution, or external threat intelligence. We like to talk about this approach as being just as effective on a submarine as it is in Starbucks.
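As an added illustration of the feature side of the pipeline just described (this is not Elastic's MalwareScore code), the Python below parses the PE header, computes file entropy and a byte histogram, and applies a threshold to a score. The scoring function, the threshold value and the sample PE bytes are all constructed assumptions standing in for the trained model and real files.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def byte_histogram(data: bytes, bins: int = 16) -> list:
    """Normalised histogram of byte values folded into `bins` buckets."""
    hist = [0] * bins
    for b in data:
        hist[b * bins // 256] += 1
    n = max(len(data), 1)
    return [h / n for h in hist]

def pe_header_info(data: bytes) -> dict:
    """Minimal PE header parse: DOS 'MZ' magic, e_lfanew, PE signature, machine, section count."""
    info = {"is_pe": False, "machine": None, "num_sections": None}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 8 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    machine, num_sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    info.update(is_pe=True, machine=machine, num_sections=num_sections)
    return info

def extract_features(data: bytes) -> dict:
    return {"entropy": shannon_entropy(data), "histogram": byte_histogram(data), **pe_header_info(data)}

# Placeholder stand-in for the trained model (assumption): near-8-bit entropy, typical of
# packed or encrypted content, raises the score; a real model weighs many more features.
THRESHOLD = 0.9  # assumed built-in threshold, not Elastic's value

def malware_score(features: dict) -> float:
    score = min(features["entropy"] / 8.0, 1.0)
    return score if features["is_pe"] else score * 0.5

def should_block(data: bytes) -> bool:
    return malware_score(extract_features(data)) >= THRESHOLD  # inline block decision

def build_sample_pe(payload: bytes) -> bytes:
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # constructed DOS header, e_lfanew=0x40
    coff = b"PE\0\0" + struct.pack("<HH", 0x14C, 3) + b"\0" * 16  # signature, machine=i386, 3 sections
    return dos + coff + payload
```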

Kernel behavioral protections

Along with the file-based malware prevention, Elastic Endpoint Security has inline behavioral evaluation and blocking against common adversary threat vectors. Rather than relying purely on the Event Tracing for Windows (ETW) data from the OS, the Elastic Endpoint Security implementation leverages our kernel driver for data visibility. Combining this with detection logic in user mode, our agent is able to accurately evaluate the maliciousness of the action a process is attempting.

Our behavioral protections include process injection protection, credential harvesting protection, user authentication token manipulation protection, exploit protection, and ransomware protection. These categories contain a number of sub-techniques that protect against specific adversary tradecraft. For example, our process injection protection spans many sub-techniques used by adversaries to achieve process injection and evade traditional defenses. Elastic Endpoint Security regularly updates these protections to stay in front of the latest adversary tradecraft.

Our kernel driver allows us to selectively monitor key system-level activities. We carefully select which system-level activities to monitor based on what is necessary to observe malicious behavior without impacting system performance. We implement many hooks that run concurrently on a system, blocking certain potentially malicious requested actions or conditions and passing data to user-mode protection logic that decides whether the action is malicious. If it is, our driver is able to block the adversary action inline, before the execution ever happens and without requiring a specific malware signature or cloud connection. We regularly update our set of hooks and visibility to ensure we can provide our customers the best possible protection.

We’re proud that our deep inspection capabilities have far less impact on system utilization than many inferior protection products. Our benchmarks across ALL our active customers show that at this very second we are using an average of 0.53% CPU on our Windows clients, 0.39% on macOS clients, and 1.8% on Linux clients.

Adversary tradecraft protection

Elastic Endpoint Security adversary tradecraft protections are a set of protections similar to kernel behavioral protection in that they are the result of real-time monitoring and analysis of actions on a system, but are different in that they are looking at higher level indicators to map post-compromise activities of the MITRE ATT&CK matrix.

The Elastic Endpoint Security agent is able to accurately determine maliciousness from indicators such as process command lines, relationships between files written and executed on the system, the parents that spawned a process, and much more. Blocking actions related to tradecraft protections can take place on the endpoint within milliseconds — before damage or loss can occur.

The system involves a set of analytics expressed using our open-sourced Event Query Language (EQL). These analytics can be simple, like a match for a given process command line, or very complex, such as those involving combinations of various types of events in certain sequences. Elastic Endpoint Security provides 100+ analytics out of the box that can be edited or extended to create new, bespoke protections. These analytics are regularly updated and extended to account for evolving adversary behaviors. With these, we describe behaviors commonly seen when malware is delivered, when malicious scripts or software execute, or when built-in tools like PowerShell are misused by attackers.

Our implementation of adversary tradecraft protection differs significantly from other similar technology in that it operates entirely independently on the endpoint in near real time, while most other solutions require cloud connectivity. Most vendors must send raw event data to an analysis engine in the cloud and wait for the responses to return back to the endpoint.

If a rule matches an adversary behavior, alerts are generated. With a capability we call Reflex, autonomous actions can take place on the endpoint in isolation. When there is a match for an EQL analytic, the user can ensure some automatic action takes place, such as killing the malicious PowerShell process. Again, this requires no integration with other orchestration products or cloud round trip.
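As an added example of the sequence-analytic-plus-Reflex flow described in the two passages above (this is not Elastic's EQL engine or rule set), the Python below emulates an EQL-style `sequence by ... with maxspan` analytic: an Office application spawning PowerShell, followed by an outbound connection from that same process, with an endpoint-local kill action attached on match. The event records, field names, rule name and action format are constructed assumptions.

```python
from dataclasses import dataclass, field

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample telemetry: an Office document spawns PowerShell, which then
# makes an outbound connection; a second PowerShell launched from cmd.exe is benign.
EVENTS = [
    {"ts": 1.0, "type": "process", "pid": 1200, "name": "winword.exe", "parent": "explorer.exe"},
    {"ts": 2.0, "type": "process", "pid": 1300, "name": "powershell.exe", "parent": "winword.exe", "cmdline": "powershell -nop -w hidden"},
    {"ts": 2.5, "type": "process", "pid": 1400, "name": "powershell.exe", "parent": "cmd.exe", "cmdline": "powershell Get-Process"},
    {"ts": 4.0, "type": "network", "pid": 1300, "dest": "198.51.100.7", "port": 443},
]

@dataclass
class Alert:
    rule: str
    pid: int
    actions: list = field(default_factory=list)

# Stage predicates: the equivalent of each bracketed `[... where ...]` in an EQL sequence.
def office_spawned_shell(ev) -> bool:
    return ev["type"] == "process" and ev["name"] == "powershell.exe" and ev["parent"] in OFFICE_APPS

def outbound_connection(ev) -> bool:
    return ev["type"] == "network"

STAGES = [office_spawned_shell, outbound_connection]

def run_sequence(events, stages, by="pid", maxspan=30.0):
    """Emulates `sequence by <field> with maxspan`: stages must match in order for the same
    join key, all within `maxspan` seconds of the first match. Returns the matched join keys."""
    partial = {}  # join key -> (index of next stage to satisfy, ts of first stage)
    matches = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = ev.get(by)
        if key in partial and ev["ts"] - partial[key][1] > maxspan:
            del partial[key]  # window expired; start over for this key
        idx, start = partial.get(key, (0, ev["ts"]))
        if stages[idx](ev):
            idx += 1
            if idx == len(stages):
                matches.append(key)
                partial.pop(key, None)
            else:
                partial[key] = (idx, start)
    return matches

def reflex(events, stages=STAGES, rule="office_spawned_powershell_outbound", kill=True):
    """Alert on each match and, like Reflex, attach an endpoint-local response action."""
    return [Alert(rule, pid, ["kill_process:%d" % pid] if kill else []) for pid in run_sequence(events, stages)]
```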

To achieve the highest level of protection, Elastic Endpoint Security implements a hybrid architecture consisting of a single host agent that encapsulates all the layers mentioned for prevention, detection, and response — all managed through a centralized platform and backed by cloud-driven global services. Whether an endpoint is connected to the cloud or running in a distributed, offline environment, our integrated interface is designed to streamline security operations workflows for prevention, incident response, and hunt operations.

Want to learn more about Elastic Endpoint Security? Check out our Introducing Elastic Endpoint Security release blog — which includes links to documentation, solutions pages, and other resources.