Endpoint Protection
Measuring the effectiveness of remediation technologies and methodologies for
insider threat
Sonali Chandel, Sun Yu, Tang Yitian, Zhou Zhili, Huang Yusheng
College of Engineering and Computing Sciences, New York Institute of Technology, Nanjing, China
{schandel, ysun33, ytang11, zzhou23, yhuang66}@nyit.edu
Abstract - With the increase in the incidences of data leakage, enterprises have started to realize that the endpoints (especially mobile devices) used by their employees are the primary cause of data breaches in most cases. Data shows that employee training, which aims to promote awareness of protecting the organization's sensitive data, is not very useful. Besides, popular third-party cloud services make it even more difficult for employees to keep their workplace's secrets safe. This pressing issue has caused the emergence of a significant market for software products that provide endpoint data protection for these organizations. Our study discusses methods and technologies that deal with traditional, negative endpoint protection, the endpoint protection platform (EPP), and a newer, positive form of endpoint protection, endpoint detection and response (EDR). A comparison and evaluation of EPP and EDR in mechanism and effectiveness is also presented. The study also analyzes the merits, faults, and key features that an excellent protection software should have. The objective of this paper is to help small-scale and large-scale companies improve their understanding of insider threats in a rapidly developing cyberspace that is full of potential risks and attacks. It will also help companies gain better control over their employees' endpoints so as to avoid future data leaks, and help negligent users comprehend how serious the problem they face is and how careful they should be in handling their privacy when surfing the Internet while connected to the company's network. This paper aims to contribute to further research on endpoint detection and protection and similar topics by trying to predict the future of protection products.
Keywords—Endpoint protection, Endpoint detection and
response, Endpoint protection platform, Data leakage, Privacy,
Insider threat, Data Breach
I. INTRODUCTION
Endpoint security or endpoint protection is an approach to protecting computer networks that are remotely bridged to client devices [1]. Many of the electronic devices we use, such as mobile phones, laptops, and tablets, are endpoints. The connection of laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats [2]. No one wants to be disturbed or eavesdropped on when sending or receiving messages over the network. As a result, endpoint security has become a hot topic for researchers in the cybersecurity area.
Laptops and mobile phones have become an essential part of modern life. The owner of an enterprise must figure out the features and standard methods for protecting the most vulnerable endpoints. A phishing link in an e-mail can give a hacker access to company secrets, and a third-party ‘cloud’ service can quickly become the hacker’s target as well.
While many large organizations take a more sophisticated approach towards endpoint security by using different, specialized products for the tasks of prevention, detection, and response, a growing trend in implementing a single, “all-in-one” solution enables centralized management of multiple security functions instead [3]. Companies are always looking for software that covers all the tasks mentioned above so that it can help them defend against threats.
For IT decision-makers, the present time is very crucial for increased investment in stronger endpoint protection. Among the 113 respondents in the 2018 Endpoint Security Spending Priorities Survey conducted by Barkly, advanced malware protection and prevention was by far the highest priority for most companies in 2018 [4]. According to the 2018 Insider Threat Report, among the companies that were surveyed, at least 27% agreed that insider threats are causing much more damage than ever before, and at a higher frequency. In the same report, 53% of companies also reported that they had experienced an insider attack more than once in the last year or so [5].
Insider threat is a generic term for a threat to an organization's security or data that comes mostly from within the organization [6]. For many companies, the security of information is of the greatest significance. At the same time, insiders are the biggest target for hackers, because they are hard to detect and can easily be manipulated into breaching the firewalls in use. Many hackers target insiders to steal data or infiltrate the system, mostly through social engineering. In the recent past, many companies have been targeted this way; Facebook, Sony, LinkedIn, and many more prominent companies are examples.
There are several ways and tools to defend an endpoint. In this paper, we focus on two of them, namely the endpoint protection platform (EPP) and endpoint detection and response (EDR). EPP is a platform that consists of different security tools such as antivirus, anti-malware, data encryption, personal firewalls, and intrusion prevention. EDR, with specific functions like continuous monitoring, remediation, and no interference with the endpoint, has become a popular way of detecting and responding accordingly when it comes to insider threats.
In section I, the content of the article is briefly introduced. In section II, the related work about insider threat is mentioned. In section III, the essential features of the endpoint protection platform are introduced. In section IV, the drawbacks of the endpoint protection platform are discussed. In section V, endpoint detection and response is presented. Disadvantages of endpoint protection platform are mentioned as well. In section VI, an effectiveness comparison between endpoint protection platform and endpoint detection and response is made. We have proposed a model with the help of information that we obtained from test corporations and deduced the formula for the effectiveness of the different products. In section VII, the conclusion is made, and future work is discussed.

2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)
978-1-7281-2542-8/19/$31.00 ©2019 IEEE
DOI 10.1109/CyberC.2019.00023
II. RELATED WORK
The insider threat has already become one of the biggest problems in the field of cybersecurity. Much work related to the insider threat has been done, and many papers have presented ways to detect the insider threat by proposing different models and architectures. Many experts have tried to identify the risks by introducing new algorithms as well.
In [7], the author introduces a framework that uses different modules to detect insider threats based on algorithms and functional methods. An algorithm in [8] called GP also achieves this. Another mathematical method discussed in [9] claims to help authorized admins detect the insider threat. Some even propose that a system-based architecture called directory virtualization [10] could be utilized to detect the insider threat. Machine learning is another essential aspect of the modern internet, and in [11], a detection method based on machine learning is discussed.
In [12], the author presents a tool called user behavior analytics and gives a clear architecture and design idea for this software. Some white hat hackers have even thought of utilizing a “decoy file” [13] to attract the insider threat’s attention and then trap them. Different situations of insider threat are discussed in [14]. [15] discusses different categories of detection tools. In [16], the author discusses the “insider threat infiltrates database system” situation in detail and briefly discusses how to handle the insider threat at an early stage.
Most of the papers mentioned above focus on new methods to detect the insider threat. They can genuinely contribute to the development of detection methods. However, articles [7] [9] [8] [11] [12] do not mention a mature product that could help ordinary consumers and clients defend against the insider threat. In [10] and [13], practical methods to handle the insider threat are proposed, but mature products are not discussed. Another flaw is that they are all a little outdated. Insider threats mutate so quickly that the methods they present may no longer be useful.
Survey papers [14, 15, 16] are related to the topic of our article. In [14], the author mainly discusses different scenarios of insider threat attacks. However, it does not provide any solution for them. In [15] and [16], some tools to defend against the insider threat are described in detail. However, their features and effectiveness are not mentioned, nor is any comparison made between those tools. Our goal is to solve all these problems mentioned above.
We have presented distinct and detailed information about different types of threat detection and response technologies in our paper. The reader can quickly and clearly understand the functions, features, merits, and flaws of each one of them. Besides, we have also presented a comparison between EPP and EDR by gathering information and establishing a model of our own. We have analyzed them under different situations and factors and calculated their full effectiveness and efficiency. Using our proposed model, we can obtain the formula for the efficiency ratio of the two products, and we can predict which one of them is more efficient under different circumstances.
In the proposed model, we obtained the equation for the efficiency ratio. Using Matlab, we drew graphs and curves to visualize how the efficiency trend changes with the evolution of different factors. This will help our readers understand our research more efficiently.
III. A PASSIVE WAY TO DEFEND THREAT: FEATURES OF ENDPOINT PROTECTION PLATFORM
Endpoint protection platform (EPP) is a traditional, signature-based, negative endpoint protection software. The primary mechanism it uses to protect the endpoint is to match the signatures of threats already stored in its database to determine whether a file is harmful or not. EPP is a set of software tools and technologies that enables the security of endpoint devices [17]. The main procedure by which EPP treats a threat is shown in Figure 1. When a threat penetrates the firewall, the Host Intrusion Detection System (HIDS) detects it and determines whether it is malicious or not. The malicious ones are mitigated by the Host Intrusion Protection System (HIPS). The following sub-sections list the main features of EPP.
Figure 1. Process of how EPP addresses threats
A. Detection
The most significant part of endpoint protection is detection. EPP, like traditional antivirus software, has a complete signature identification function. There is a large database of virus signatures, which can be used to identify each kind of already known virus. The matching procedure is based on different algorithms; each security company has its own algorithms to detect threats.
As we know, EPP is a union of different software. The mechanism used by most of them is intrusion detection. Intrusion detection is a significant method of EPP. It is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of intrusions [4]. An IDS can help users defend against attackers and complete the procedure of intrusion detection. Signature-based detection is just one of the detection methods used, but it is the most widely used method. HIDS monitors and collects the characteristics of hosts containing sensitive information and servers running public services, as well as suspicious activities [18]. It is the most common system for defending against intrusion.
B. Protect the infected system
Detection certainly is an essential part of endpoint protection. However, no matter how prudent users are, sometimes they still face a situation where viruses infect the system or the network through the endpoint. Organizations must eliminate any possibility of external invasion through the endpoint to keep their system secure. The protection function aims to eliminate a virus that has already got inside the system, as such a source may cause significant devastation to the system. It is crucial because if the EPP system takes no action, the virus will infect the whole system. It supplies a solution to remedy mistakes. EPP uses another algorithm for HIPS. HIPS must work with HIDS. However, a very significant difference between HIDS and HIPS is that HIPS will annihilate threats that HIDS has identified as malicious. A HIPS has a mechanism for automatically mitigating the detected risk [19].
C. Whitelist and Blacklist
The whitelist/blacklist function is another vital function that EPP provides. “Blacklist and Whitelist” is treated as one of the significant solutions for endpoint security. EPP has its own database of viruses. It will automatically blacklist or block software or files that are considered malicious. With the help of the whitelist, users can still access software or data, as a whitelisted application or file is marked safe for the system or network.
IV. WHY IS THE ENDPOINT PROTECTION PLATFORM NOT FOOLPROOF?
With its enormous merits, EPP is treated as a perfect guardian of the endpoint. However, EPP begins to show its flaws when confronted with advanced hacking methods. EPP uses a massive database of virus signatures, and as a result, the matching process wastes many resources. Sometimes the virus signatures cannot be matched in time because viruses mutate very fast. However, the most significant flaw of EPP is that it cannot defend against insider threats, which have become one of the most popular methods of hacking these days. Some weaknesses of EPP are listed in the following sub-sections:
A. A matching signature needs too many resources
A considerable number of viruses are developed every day. An antivirus must record all the signatures of these viruses to guarantee the security of the endpoint. This also means that the signature database is so extensive that users must spend much money on storage to install it. Users also have to invoke a significant number of resources on their devices whenever they wish to scan their device with the antivirus. It is an advantage that these large numbers of threats can be detected and dealt with. However, it also means that it can take a considerable amount of resources to run through each of these signatures and match them against a scannable resource (like files, network traffic, etc.) [19]. ‘Cloud scan’ is one method for solving the resource problem. In this method, the organization invokes a database of signatures from the cloud to match the files’ signatures on the local computer. Many third-party companies provide this service, and users can quickly notice that the running efficiency of their devices drops very sharply when they are under attack.
B. The proportion of fileless attacks is on the rise
Viruses are mutable. Hackers will develop a new virus by transforming the existing features and changing the known signature to avoid detection by EPP. Creating a virus with a unique signature is child’s play now, thanks to the nearly automated virus construction kits that have filled the internet over the past several years [20]. Ponemon Institute’s State of Endpoint Security Risk Report for 2018 exposed that 54% of organizations admitted becoming a victim of a successful fileless or file-based attack. Of all the organizations compromised, 77% were attacked by fileless techniques. The report also indicated that fileless attacks are ten times more likely to succeed than traditional, file-based methods [1].
Fileless attack techniques that exploit a fundamental gap in traditional endpoint security are on the rise. Current solutions are not able to stop them [21]. If HIDS cannot match the signature, the HIPS will not work, which in turn will cause the protection system to fail completely. HIDS typically runs on the operating system. This means it can be easily compromised by malicious insiders or malware [25]. Figure 2 shows that the frequency of fileless attacks is growing more rapidly than ever [21].
Figure 2. The growth of fileless and file-based attacks from 2016-2018
C. Many functions require internet
‘Cloud scan’ can be a solution to avoid occupying too many resources while scanning for the signatures of known threats. However, using a cloud scan requires being connected to the cloud server and keeping the device or system connected to the network all the time. For example, Data Loss Prevention (DLP) is an essential component of EPP. DLP is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network [22]. However, to make DLP work, the EPP typically must be connected to the internet, or it will not work. Not only for cloud scan, but users must also connect to the security company's server, as this is the only way a user can get the latest updated data, security patches, and information regarding recent threats.
In some cases, if one endpoint has already been infected, the virus will spread into the system and the network very fast. This can happen even if an employee connects the infected device to the corporate network unintentionally. Therefore, employees need to be very careful when connecting to the corporate network. Sometimes, EPP cannot detect this kind of threat, and as a result, cannot eliminate it either. Such situations can lead to a massive loss for the company.
D. Insider threats can cause more damage than external threats
Many different reasons can lead to data leakage. However, the main reasons for information leakage can be divided into two categories: accidental exposure and malicious exposure [23].
• Accidental exposure: Accidental exposure stems from negligent actions taken by employees, such as poor password security or the unauthorized download of infected software and applications without the IT department’s knowledge or permission [23]. A phishing e-mail is another widespread factor that leads to the insider threat. Most insider threats are employees of a company. They are manipulated by hackers to get the data the hackers want. The insider threat is more powerful than any external attack because an employee can provide easy access to the company’s system. The only solution is to educate and train the employees and improve their awareness of data privacy and security [6].
• Malicious exposure: Malicious exposure is another situation that is very common when it comes to data theft. It stems from a criminal motive, such as a competing company or revenge from a former employee who intends to destroy the whole system of a company or at least the part where they have access. They can achieve it by releasing malicious software into the company’s network or system. However, this behavior can be easily eliminated with the help of defending tools like EPP.
Figure 3 [5] shows that there is a considerable increase in hacking through endpoints to get access to a corporation’s confidential and commercial secrets. Hackers’ attacks have made the situation of endpoint security more severe than ever before. Besides stealing sensitive data, the targets of these attacks vary from financial information to operational data, as these data are top secret. The leakage of these data will cause severe loss to a company, as it makes them lose their clients’ or employees’ data. Therefore, enterprises need to be vigilant of insider threats [2]. The complete procedure of how an insider threat spreads and infects the entire system is shown in figures 4, 5, 6, and 7. Many attackers have begun to utilize new kinds of threats with no known signature to avoid antivirus and EPP detection. In such cases, EDR becomes another solution to protect the endpoint.
V. SOLVING MOST DRAWBACKS OF EPP: FEATURES OF ENDPOINT DETECTION AND RESPONSE
Passively waiting for traditional security countermeasures to detect attacks is not enough. Proactive threat hunting, led by human security experts, is a requirement for any organization looking to achieve or improve real-time threat detection and incident response [24]. An endpoint detection and response (EDR) system is an advanced, positive endpoint protection software. Threat intelligence is an essential feature of EDR. It can also supply anomaly detection and alerting, and remediation of an internal network that has been infected. Furthermore, EDR can utilize machine learning to predict and avoid threats. The main features of EDR are listed in the following sub-sections:
Figure 3. Different data sources under hacker’s radar
Figure 4. One trusted endpoint is infected
Figure 5. The virus infects the server through an internal network.
Figure 6. Whole internal network and endpoint are infected
Figure 7. The process of insider threat infecting the entire internal network
A. Threat intelligence
Threat intelligence, also known as Cyber Threat Intelligence (CTI), is organized, analyzed, and refined information about potential or current attacks that threaten an organization [25]. Avoiding risk is much safer and more reliable than putting the available data and network at risk and then trying to fix it. EDR is not only protection software; its threat intelligence function allows it to warn corporations about potential risks and threats. It can provide information about the threat, which is collected by the EDR server. This kind of intelligence facilitates the elimination of the insider threat by analyzing the information and data about insider threats that happened in the past rather than predicting the latent risk.
B. Continuous monitoring
The only way to detect abnormal endpoint behavior is to enhance control over it. If one endpoint is infected, EDR will detect the unusual activity of that particular endpoint immediately and isolate it instantaneously. EDR can supervise endpoints dynamically, which means it tests endpoints incessantly and automatically. Furthermore, it can supply CPU protection that can defend the kernel of the server. More sophisticated behavior-based protection will include visibility into activities at lower levels of the system, including the CPU. CPU-level visibility is effective for blocking malware that attempts to manipulate and make changes in memory, including many exploits [26]. Powerful EDR tools enable easy access to this data, providing immediate visibility into any area of the organization. Consistent monitoring makes it impossible for the threat to spread through the endpoint [27].
C. Remediation and cleanup
Once abnormal endpoints are cleaned up, the escalation of the virus stops. One may think that the whole system is clean and safe. However, the presence of an advanced virus can act like an ink drop in pure water: it will diffuse to other parts and infect the internal network very fast.
Moreover, every residue of it can regenerate the virus. This is one of the biggest drawbacks of EPP, as it cannot deal with the complete internal network but only a part of the endpoint. EDR can scan the whole internal network to guarantee there are no residues of the virus. It can also repair the damage caused by viruses to maintain the security of the internal system.
D. Observe without interference
“No one wants to burden the endpoint with heavy client software anymore: that was one of the antiviruses’ biggest drawbacks.” [27]. As one of the security researchers from the Office of Information Technology said, antivirus needs to be installed on the user’s devices, which wastes many resources of the endpoint. However, when it comes to EDR, it can just execute in the kernel of the network with its endpoint detection component. For example, a network manager can install EDR on the company’s server instead of on every employee's device. This will protect the entire internal network of the organization.
E. Using machine learning to detect unknown threats
Machine learning is a subset of artificial intelligence in the field of computer science that often uses statistical techniques to give computers the ability to "learn" with data, without being explicitly programmed [28]. By using machine learning, EDR also becomes a “clever” platform, which is another of its advantages compared to EPP. Predictive models use sophisticated analytical techniques, such as deep learning, to understand the characteristics of malware and “predict” the likelihood of malware from unknown applications. This enables them to block never-before-seen attacks with a high degree of certainty [26]. Machine learning can improve the ability to identify threats that have never been encountered before. In conditions where threats are mutable, this ability may become the most significant merit of EDR and the reason why most companies prefer to use it now.
F. Highly customizable
Another feature of the EDR product is that it can adjust itself to suit a company’s environment. Every company has its own unique, distinguishing environment. Scanning from the root or a folder? Are essential files stored on disk C or D? Mitigating false positives? These functions require machine learning and AI ability, which are exactly the most significant advantages of EDR. “Sophisticated endpoint protection providers can take the burden off of the admin by developing protection models that are automatically tailored for each organization by using machine learning to analyze the organization’s unique software profile” [34].
Through machine learning, EDR can filter standard software from malware, know which part it should focus on when scanning, refine its effectiveness as time goes by, and save more resources than an unfit, unintelligent EDR product. Because of these advantages, EDR has become very popular in many organizations. Many organizations are replacing EPP with EDR to protect their network systems. However, EDR is not a panacea. Some of EDR’s drawbacks still puzzle companies. Very high false-positive rates and the requirement of highly trained operators are two of the most significant flaws of EDR.
How well it mitigates high false-positive rates is a crucial criterion for estimating the effectiveness of an EDR product. A high frequency of false positives will lower the productivity of an organization. “Some endpoint protection models force a trade-off between the strength of protection and false positives - they take a heavy-handed approach that blocks malware but also flags much legitimate software in the process” [30]. An EDR product with a strict protection mechanism can certainly block most threats, but sometimes it will treat normal software as malware as well. In such situations, it will cause much trouble, such as not allowing access to a normal file in the way it is usually done.
EDR is an advanced technology for dealing with cyber and network threats. The more advanced it is, the higher the requirements for the operators who run it. The company would need to hire a highly trained operator to control the entire EDR system, which ultimately increases the cost to the company. Surely, this is not a very big problem for a large company, but for some medium or small-sized companies it becomes a significant concern, as they must weigh the increasing cost against their information security [31].
Table 1 summarizes the main features of EPP and EDR mentioned above.

Table 1. Comparison between EPP and EDR

Rationale
  EPP: Unification of different passive functions
  EDR: Actively detect and eliminate threats

Functions
  EPP: Databases of virus signatures; HIDS and HIPS; Blacklist & Whitelist
  EDR: Threat intelligence function; Supervise endpoints dynamically; Repair the damage caused by a virus; Detection function running in the network kernel; Use machine learning to detect unknown threats; Highly customizable

Drawbacks
  EPP: A matching signature needs too many resources; Detection by virus signature is outdated; Cannot defend insider threats; Many functions require internet
  EDR: High frequency of false positives will lower the productivity of the organization; The requirement of highly trained operators
VI. WHICH IS BETTER: EPP OR EDR?
Having introduced the fundamental concepts of the two products, we now propose a model to compare the effectiveness of both.
A. The EPP Model
First, we built a model for EPP. We know that EPP is a passive defender and uses virus signature matching to detect threats. Moreover, as we mentioned in section IV, two disadvantages stand out:
• It reduces the efficiency of the system because it takes too many resources, which means it lowers the productivity of a company.
• Signature-based detection leads to false positives.
According to statistical data from the AV-TEST company [32], we found that the average efficiency reduction caused by running EPP is 12.5%. In addition, according to statistical data from the AV-C company [33], we found that the average protection rate is 99.3%, and the average false-positive rate is . With the help of these data, we can divide EPP into two states:
• Protection—EPP detects the threat and reports it successfully.
• Compromise—EPP does not detect the threat and allows it to invade the system successfully.
The protection state can be further divided into two situations:
• True report—a threat truly invades, and EPP detects and reports it.
• False positive—there is no actual threat invasion, but EPP mistakes it for a threat invasion and reports it.
We assume R is the rate at which EPP enters the protection state. We know that R is 99.3% from statistical data collected by the AV-C company [33], so the formula can be represented as follows:

$$
\begin{cases}
\text{Protection } (99.3\%)
  \begin{cases}
    \text{True report: } \dfrac{2983}{3000} \\[4pt]
    \text{False positive: } \dfrac{17}{3000}
  \end{cases} \\[8pt]
\text{Compromise } (0.07\%)
\end{cases}
\qquad (1)
$$
Because we have to take the performance of the computer into account, we assume that
• y is the lost productivity of one company,
•  is the work efficiency of one company,
•  is the time that is needed to eliminate the threat,
•  is the working hours.
According to the eight-hour workday system implemented by many companies, we assume  is equal to eight hours. Therefore, the formula of the true report is:
y = 12.5%  (2)
Considering the states of EPP and according to equation (1), multiplying the probability of protection by the probability of true report, we obtain the probability of a true report as 99.3% × .
Considering the false-positive state, the formula for a false positive is:
y = 12.5%(−)  (3)
where  is the time that cannot be put to work because of false positives. According to the services of some EPP companies, they need 1-2 working days to resolve false positives. Therefore, it can be treated as 8-16 hours. Considering the states of EPP and according to equation (1), multiplying the probability of protection by the probability of false positive, we obtain the probability of a false positive as 99.3% × .
When it comes to the worst situation, which is a compromised situation:
y =  (4)
Since the probability of protection is R, and EPP has only two states, protection and compromise, we get the probability of compromise as 1-R, where R is 99.3%. Therefore, the compromise state happens at a rate of 0.07%.
Then we calculate the weighted average of all three cases and finally get the average productivity loss, which is as follows:
y = 0.124 − 0.007 + 0.0007  (5)
Using equation (5), we plotted the trend in MATLAB. In Figure 8, we find that the intercept on the Y-axis (loss) is 2, and the value of Y increases only slightly as X increases. The reason for this trend is that the probability of compromise is very low, so even if (the time needed to eliminate the threat) changes a lot, it does not have a large impact on the company's economic loss. The Y-intercept starts from 2 because running EPP causes the system to run slowly, which leads to a decrease in productivity.
Figure 8. The trend of EPP loss (is 8h, is 24h, is 1)
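The weighted-average reasoning behind equation (5) and the flat Figure 8 curve, as an added illustration that is not part of the paper: the three EPP states are weighted by the probabilities of equation (1), and only the compromise state depends on the cleanup time. The per-state loss form (work efficiency times hours lost) and the 1 h slowdown overhead for a true report are assumptions made here, not values from the paper.

```python
# Added illustration of the weighted-average loss model for the three EPP
# states (true report, false positive, compromise). Modelling each state's
# loss as work_efficiency * hours_lost is an assumption of this example; the
# paper's own per-state terms are not fully recoverable from the text.

R_EPP = 0.993                 # protection rate, AV-C figure cited on the page
P_TRUE_REPORT = 2983 / 3000   # share of protection events that are true reports
P_FALSE_POSITIVE = 17 / 3000  # share of protection events that are false positives
P_COMPROMISE = 0.0007         # compromise rate as stated on the page (0.07 %)
EFFICIENCY = 0.125            # 12.5 %: one hour is one eighth of an 8-hour day


def state_weights():
    """Probability weight of each EPP state, following equation (1)."""
    return {
        "true_report": R_EPP * P_TRUE_REPORT,
        "false_positive": R_EPP * P_FALSE_POSITIVE,
        "compromise": P_COMPROMISE,
    }


def expected_loss(hours_lost, efficiency=EFFICIENCY):
    """Weighted average of per-state loss; hours_lost maps state -> hours."""
    weights = state_weights()
    return sum(weights[s] * efficiency * hours_lost[s] for s in weights)


def loss_vs_cleanup_time(t_hours, overhead_hours=1.0, false_positive_hours=16.0):
    """Expected EPP loss as a function of the compromise cleanup time t.

    overhead_hours: assumed slowdown cost of running EPP on a true report.
    false_positive_hours: the 8-16 h a vendor needs to clear a false positive.
    """
    return expected_loss({
        "true_report": overhead_hours,
        "false_positive": false_positive_hours,
        "compromise": t_hours,
    })


def cleanup_time_slope():
    """Change in expected loss per extra hour of cleanup time.

    Only the compromise state depends on t, so the slope is that state's
    weight times the efficiency (0.0007 * 0.125), which is why the curve
    stays nearly flat even when t grows by an order of magnitude.
    """
    return P_COMPROMISE * EFFICIENCY


if __name__ == "__main__":
    for t in (8, 24, 80):
        print(f"t = {t:>3} h  expected loss = {loss_vs_cleanup_time(t):.5f}")
    print(f"slope per hour of cleanup time = {cleanup_time_slope():.7f}")
```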
B. The EDR model
We know that the EDR system defends against threats very actively. The basic concept of EDR is that it gathers threat intelligence to help users predict potential threats and protect against them in advance.
We assume R is the probability of EDR entering the protection state; the domain of R should be [0, 1], since it is a probability. We design a specific parameter () for EDR. () is a function of R that represents the reduction, as a proportion, of the invasion time of the threat. For example, when a virus invades and causes system paralysis (a state where the machines cannot work) for 1 hour, EDR can reduce the severity of the invasion by collecting intelligence, thus reducing the severity of the paralysis event. When ()= , the virus can only paralyze the system for half an hour. R is inversely proportional to (), and both of them are smaller than 1. The higher the probability R, the more information EDR has, which means the shorter the time of system paralysis. Therefore, the formula of EDR is:
y=() (6)
Then we calculate the weighted average of the two cases and finally obtain the average productivity loss as:
y=R∙() (7)
Taking the actual state of most EDR products into account, we decided to change the domain of R to [0.5, 1]. As the defense rate of most EDR products is higher than 95%, R should not be between 0 and 0.5. In our model, we assume ()=1− . Based on the above assumption, we get Figure 9.
Figure 9. The trend of EPP loss (is 8h, and is 1)
As shown in Figure 9, as R increases, the loss of the company decreases dramatically. When R reaches 1, Loss reaches 0 and all viruses are defended against.
After taking values multiple times in MATLAB and experimenting, we found that if the parameter is too large or too small, the trend fluctuates in either a very large or a very small range, and =10 is the most reasonable value, which makes the figure show its trend in a reasonable range. So, in this graph, we assume = 10h as the average time for most EDR products to clean up invasive viruses. However, we know that varies from virus to virus, so we decided to take this unknown value into account and draw a 3D figure. In Figure 10, we can see that as R and increase, the loss of the company increases, which fits the real situation and verifies the effectiveness of our model.
Figure 10. The trend of EDR loss (is 8h, and is 1)
C. Comparison of EPP and EDR
After obtaining the data and figures for EDR and EPP, we combined them into one figure and compared their efficiency. In Figure 11, we can see that there is an intersection boundary between EPP and EDR. By solving equations (5) and (7) simultaneously, we obtain the boundary equation as follows:
=0.8240 ()−0.0007 (8)
Figure 11. The combined trend of EPP and EDR loss (is 8h, is 24h and is 1; the red plane is EDR, and the blue plane is EPP)
Therefore, to the left of this boundary, the blue plane is above the red plane, which means that the loss with EPP is higher than with EDR. This is the special situation in which the success rate R of EDR is high and the paralysis time caused by the threat is short. So, the best choice under such circumstances is EDR, and the prerequisite is:
<0.8240 ()−0.0007 (9)
To the right of the boundary, the red plane is higher, and the best choice in that case is EPP. The prerequisite is:
>0.8240 ()−0.0007 (10)
EDR, once compromised, will be paralyzed for a long time; therefore, the slope of this plane is significant. Once defense succeeds, it does not have to bear the cost of slowing down the system, so the loss of productivity can be as low as zero. EPP is the opposite: it pays a price but runs stably, and it is not influenced dramatically by the threat.
VII. CONCLUSION AND FUTURE WORK
We have several methods to defend against insider threats. However, the most popular and widely accepted ways are EPP and EDR. We found that they have different effects in different situations. EPP is good at dealing with external threats. EPP can effectively protect endpoints through its component functions such as HIDS, HIPS, and antivirus. It can detect and eliminate risks from outside the system itself. There are certainly some disadvantages of EPP as well, which include overutilization of resources, signature-based detection methods, and the requirement of an internet connection to run many functions. However, the most significant weakness is that it cannot defend against insider threats. Once a virus has infiltrated the internal network, EPP is no longer the right solution.
On the contrary, EDR can do what EPP cannot. EDR is an expert in dealing with insider threats. It gathers different information and develops its intelligence to help detect abnormal endpoints and eliminate insider threats. It also overcomes some disadvantages that EPP has, such as occupying too many resources. However, it cannot do what EPP can do either. A primary problem of EDR is that it cannot prevent endpoints from being infected. In other words, it cannot handle external threats very well, and it cannot monitor what happens on one specific endpoint. Prevention always goes beyond remediation. In some difficult situations, when a virus can infect an endpoint countless times, EDR is not the right solution at all.
In our proposed models, we find that the loss caused by EPP is the least, and the loss does not increase with the severity of the threat. The reason is that the high detection rate prevents most threats from penetrating the computer in depth. However, since EPP reduces the speed of system operation, once enabled it has to incur a small loss. Even so, these losses are perfectly acceptable compared to the enormous damage threatened by an intrusion.
Secondly, in the EDR model, we noticed that EDR is the only product that may lead to no loss at all while completely defending against the threat. However, it all depends on the efficiency of the EDR product. There are few cleaning mechanisms, so once the active prediction fails, the threat intrudes into the system and causes severe loss to the whole system. So, we suggest that the pros and cons be considered carefully when choosing EDR products.
Thirdly, which one should be chosen between EPP and EDR? From our final formula, we can see that the effectiveness comparison between EPP and EDR involves two influencing factors: the time needed to eliminate the threat () and the probability that EDR can actively predict the threat (R).
We suggest that priority should be given to the accuracy of EDR's active defense: if its accuracy approaches 1, or the time needed to clear the virus is very short, the threat will not cause significant loss to the enterprise, and the efficiency of EDR will be higher than that of EPP. In other cases, EPP is more efficient than EDR.
However, to analyze the actual effectiveness of EPP and EDR, many factors had to be taken into consideration. The success rate of EDR is a crucial element in deciding whether to use this product or not. When the success rate is high and the paralysis time caused by the risk is low, it is better to use EDR. However, if either of the two conditions does not hold, it is better to choose EPP. Most EDR providers can guarantee a high detection and defense probability, and the company must defend against the threat. We strongly suggest that both products be taken into consideration to ensure the safety and security of a company.
In this paper, we introduced some concepts of EPP and EDR and established a model for both of them, but there are many challenges and flaws that we could not address because of limitations of time, data, and resources. However, as we know, threats and anti-threat methods are developing rapidly, so the following needs to be done in the future:
• All the contents mentioned in this paper need to be updated and supplemented in time.
• We also did some tests and collected data to verify the accuracy and deviation of our model. There are still many factors that should be taken into consideration in future tests.
• We can improve our model, and help some scholars strengthen their theory as well, if companies release more data about their products.
REFERENCES
[1] Margaret Rouse. "Endpoint security management", Available: endpoint security management [Accessed: September 16, 2018]
[2] TechTarget, "Endpoint security management." Available: https://searchsecurity.techtarget.com/definition/endpoint-security-management [Accessed: March 11, 2018]
[3] The Barkly team, "Endpoint Protection for the Mid-Market: 3 Trends Driving Big Changes", Available: https://blog.barkly.com/endpoint-protection-trends-2018-mid-market [Accessed: July 15, 2018]
[4] Barkly. "Endpoint Protection was the #1 spending priority in 2018", pp. 1-2, 2018.
[5] Cybersecurity Insiders. "2018 Insider threat report", Available: https://www.cybersecurity-insiders.com/portfolio/insider-threat-report/ [Accessed: March 11, 2018]
[6] L. Xiangyu, L. Qiuyang, and S. Chandel, "Social Engineering and Insider Threats," 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), Nanjing, 2017, pp. 25-34. Copyright © 2017, IEEE
[7] Zhang, Hongbin, et al. "An Active Defense Model and Framework of Insider Threats Detection and Sense." International Conference on Information Assurance & Security, IEEE Computer Society, 2009: 258-261.
[8] Duc C. Le, Sara Khanchi, A. Nur Zincir-Heywood, Malcolm I. Heywood, "Benchmarking evolutionary computation approaches to insider threat detection," Proceedings of the Genetic and Evolutionary Computation Conference, Kyoto, Japan, 2018, pp. 1286-1293
[9] Yuqing Sun, Ninghui Li, Elisa Bertino, "Proactive defense of insider threats through authorization management," Proceedings of the 2011 International Workshop on Ubiquitous Affective Awareness and Intelligent Interaction, Beijing, China, 2011, pp. 9-16
[10] William R. Claycomb, Dongwan Shin, "Detecting insider activity using enhanced directory virtualization," Proceedings of the 2010 ACM Workshop on Insider Threats, Chicago, Illinois, USA, 2010, pp. 29-36
[11] Tabish Rashid, Ioannis Agrafiotis, Jason R.C. Nurse, "A New Take on Detecting Insider Threats: Exploring the Use of Hidden Markov Models," Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, Vienna, Austria, 2016, pp. 47-56
[12] Tabish Rashid, Ioannis Agrafiotis, Jason R.C. Nurse, "A New Take on Detecting Insider Threats: Exploring the Use of Hidden Markov Models," Proceedings of the 8th ACM CCS International Workshop on Managing Insider Security Threats, Vienna, Austria, 2016, pp. 47-56
[13] Jonathan Voris, Jill Jermyn, Nathaniel Boggs, Salvatore Stolfo, "Fox in the trap: thwarting masqueraders via automated decoy document deployment," Proceedings of the Eighth European Workshop on System Security, Bordeaux, France, 2015, Article No. 3
[14] Kenneth Brancik, Gabriel Ghinita, "The optimization of situational awareness for insider threat detection," Proceedings of the First ACM Conference on Data and Application Security and Privacy, San Antonio, TX, USA, 2011, pp. 231-236
[15] Ameya Sanzgiri, Dipankar Dasgupta, "Classification of Insider Threat Detection Techniques," Proceedings of the 11th Annual Cyber and Information Security Research Conference, Oak Ridge, TN, USA, 2016, Article No. 25
[16] Elisa Bertino, Gabriel Ghinita, "Towards mechanisms for detection and prevention of data exfiltration by insiders: keynote talk paper," Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, Hong Kong, China, 2011, pp. 10-19
[17] Techopedia, "Endpoint Protection Platform", Available: https://www.techopedia.com/definition/30918/endpoint-protection-platform-epp [Accessed: March 11, 2018]
[18] Liao, Hung-Jen, et al. "Intrusion detection system: A comprehensive review." Journal of Network & Computer Applications 36.1 (2013): 16-24.
[19] Sean Wilkins, "A Guide to Choosing an Endpoint Protection Solution," Available: http://www.tomsitpro.com/articles/endpoint-protection-solutions,2-820.html [Accessed: March 11, 2018]
[20] David Strom, "7 trends in advanced endpoint protection", Available: https://www.networkworld.com/article/3089858/endpoint-protection/7-trends-in-advanced-endpoint-protection.html [Accessed: March 11, 2018]
[21] Ponemon Institute. "The 2017 State of Endpoint Security Risk," p. 2, 2017.
[22] Margaret Rouse. "data loss prevention (DLP)," Available: https://whatis.techtarget.com/definition/data-loss-prevention-DLP [Accessed: September 17, 2018]
[23] "Accidental or malicious insider threat: staff awareness makes the difference," Available: https://www.itgovernance.co.uk/blog/accidental-or-malicious-insider-threat-staff-awareness-makes-the-difference/ [Accessed: September 16, 2018]
[24] CrowdStrike. "2018 Global Threat Report", p. 79, 2018.
[25] S. Chandel, M. Yan, S. Chen, H. Jiang and T. Ni, "Threat Intelligence Sharing Community: A Countermeasure Against Advanced Persistent Threat," 2019 IEEE Conference on Multimedia Information Processing and Retrieval (MIPR), San Jose, CA, USA, 2019, pp. 353-359. Barkly. "Endpoint Protection Buyer's Guide," pp. 5-7, 2018.
[26] Lital Asher-Dothan, "Seven essential elements of modern endpoint security," Available: https://www.cybereason.com/blog/7-elements-of-modern-endpoint-security [Accessed: March 11, 2018]
[27] Samuel, Arthur. "Some Studies in Machine Learning Using the Game of Checkers." IBM Journal of Research and Development 3 (3): 210-229.
[28] Fortinet. "FORTIGUARD 2018 THREAT PREDICTIONS," pp. 4-7, 2017.
[29] Barkly, "Endpoint Protection Buyer's Guide," pp. 8-9, 2017
[30] Arcticwolf. "Endpoint Detection & Response Is Not Enough", Available: https://arcticwolf.com/resources/endpoint-detection-and-response-is-not-enough/ [Accessed: September 25, 2018]
[31] AV-TEST, "AV-TEST Product Review and Certification Report – Sep-Oct/2018", Available: https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/kaspersky-lab-endpoint-security-11.0-184137/ [Accessed: January 11, 2019]
[32] AV-C, "Real-World Protection Test July-November 2018", Available: https://www.av-comparatives.org/tests/real-world-protection-test-july-november-2018/ [Accessed: January 11, 2019]