Imagine that every endpoint on an IT network is self-aware — it knows if it’s under attack and immediately takes steps to thwart the attack. It then shuts itself down and autonomously rebuilds itself with new software patches and firmware updates.
This is the promise of self-healing endpoints: endpoints that continually learn about new attack techniques while keeping their configurations optimized for network and security performance. Unfortunately, the reality does not match the hype.
Defining the self-healing endpoint
A self-healing endpoint is defined by its self-diagnostics, combined with the adaptive intelligence needed to identify a suspected or actual breach attempt and take immediate action to stop the breach. Self-healing endpoints can shut themselves off, complete a recheck of all OS and application versioning, and then reset themselves to an optimized, secure configuration. All these activities happen autonomously, with no human intervention.
What differentiates self-healing endpoint offerings on the market today is their relative levels of effectiveness in deploying resilience techniques to achieve endpoint remediation and software persistence to the OS level. Self-healing endpoints with multiple product generations of experience have learned how to create persistence to the firmware, OS, and application layer of endpoint system architectures. This is distinguished from automated patch updates using scripts governed by decision rules or an algorithm. That doesn’t qualify as a true self-healing endpoint and is better described as endpoint process automation.
Beware the self-healing endpoint hype
The self-healing endpoint is one of the most overhyped areas of cybersecurity today, with over 100 vendors currently vying for a piece of the market. The anticipated growth of business endpoint security is feeding this frenzy.
Gartner predicts the endpoint protection platform (EPP) market will grow 18.5% in 2021 and climb from an estimated $8.2 billion in 2019 to about $18.8 billion by 2024. By the end of 2025, more than 60% of enterprises will have replaced older antivirus products with combined EPP and endpoint detection and response (EDR) solutions that supplement prevention with detection and response capabilities. Taken in total, Gartner’s Top Security and Risk Management Trends for 2021 underscores the need for more effective EDR, including self-healing endpoints.
Growth is also being driven by rapidly changing cybersecurity threats. The recent SolarWinds hack forever changed the nature of cyberattacks by exposing how vulnerable software supply chains are as a primary threat vector and showing how easily endpoints could be rendered useless by compromised monitoring systems. The hackers embedded malicious code during DevOps cycles that propagated across customers’ servers. These techniques have the potential to render self-healing endpoints inoperable by infecting them at the firmware level. The SolarWinds attack shows how server, system, and endpoint device firmware and operating systems now form a launchpad for incursions initiated independently of the OS to reduce detection.
Endpoints that were sold as self-healing are still being breached, and current gaps in the effectiveness and reliability of endpoints must be addressed. Runtime protection, containment, and fault tolerance-based endpoint security systems were oversold under the banner of self-healing endpoints. In fact, many don’t have the adaptive intelligence to recognize a breach attempt in progress. Fortunately, newer technologies that rely on behavioral analytics techniques found in EDR systems, threat hunting, AI-based bot detection, and firmware-based self-healing technologies have proven more reliable.
Further complicating the self-healing endpoint landscape is the speed with which EDR and EPP begin merging to form unified endpoint security stacks. The value of EDR/EPP within an endpoint security stack depends on how well cybersecurity vendors strengthen platforms with new AI and machine learning.
EPP offers a prime example of the need for AI and machine learning. The primary role of EPP in an endpoint security stack is to identify and block malicious code that seeks to overtake control of endpoints. It takes a solid combination of advanced threat detection, antivirus, and anti-malware technologies to identify, stop, and then eradicate the endpoint threat.
How to prove an endpoint is self-healing
A knowledge base comprising fully documented adversary tactics and techniques provides tooling to truth-test self-healing endpoint claims. Known as MITRE ATT&CK, this knowledge base has captured and cataloged data from actual breach attempts, supplying the verifications teams need to test out self-healing endpoint security claims.
The knowledge base for endpoint validation also benefits vendors, as it discloses whether an endpoint is truly self-healing. Using the MITRE dataset, cybersecurity vendors can discover gaps in their applications and platforms. MITRE ATT&CK’s 14 categories of adversarial tactics and techniques form a framework that provides organizations and self-healing endpoint vendors with the data they need to simulate activity cycles.
MITRE sponsors annual evaluations of cybersecurity products, including endpoint detection and response (EDR), where vendors can test their solutions against the MITRE ATT&CK datasets. The methodology process is based on a design, execute, and release evaluation process. Simulations of APT29 attacks comprise the 2019 dataset and the Carbanak+FIN7 2020 dataset. Evaluations for 2021 are now open for Wizard Spider and Sandworm. The ATT&CK Matrix for Enterprise serves as the framework for evaluations of each vendor’s EDR capabilities.
EDR and self-healing endpoint vendors create test environments that include detection sensors designed to identify, block, and prevent intrusions and breaches from the datasets MITRE provided. Next, MITRE creates a red team comprising emulated adversarial attacks. APT29-based data was the basis of the evaluation in 2019 evaluations and Carbanak+FIN in 2020 and Wizard Spider and Sandworm data. The test involves a simulation of 58 attacker techniques in 10 kill chain categories.
MITRE completes attack simulations and relies on detection types to evaluate how effective each EDR solution is in identifying a potential attack. The detection times are classified into alerts, telemetry, or none generated. Microsoft Threat Defender 365 was able to identify all 64 active alerts and successfully identified eight MITRE attack categories from the Enterprise Matrix. The following is an example of the type of data generated based on the simulated MITRE attack scenario.
MITRE ATT&CK data has come to influence self-healing endpoint product design. When cybersecurity EDR vendors test their existing self-healing endpoints against MITRE ATT&CK data, they often find areas for improvement and innovation.
For Microsoft, 365 Defender’s advances in identifying credential access, initial access, and privilege escalation attack scenarios based on modeled data help improve Threat Defender analytics. Based on the cumulative lessons learned from three years of MITRE ATT&CK data evaluations, the most effective self-healing endpoints are designing in self-generative persistence, resilience, and adaptive intelligence.
The three techniques delivering the best results are AI-enabled bots that threat-hunt and remediate self-healing endpoints, behavior-based detections and machine learning to identify and act on threats, and firmware-embedded persistence.
AI-enabled bots identify and eradicate anomalies
Companies across all industries can successfully use automation bots to anticipate security threats, reduce help desk workloads, troubleshoot network connectivity issues, reduce unplanned outages, and self-heal endpoints by continually scanning network activity for any signs of a potential or actual breach. Throughout the pandemic, software vendors have fast-tracked much of their AI and machine learning-based development to help customers improve their service management, asset management, and self-healing endpoint security.
In the case of Ivanti, a decision to base its latest IT service management (ITSM) and IT asset management (ITAM) solutions on its AI-based Ivanti Neurons platform reflects the way AI-based bots can contribute to protecting and self-healing endpoints in real time in the “Everywhere Workplace.” The goal with these latest innovations is to improve ITSM and ITAM so IT teams have a comprehensive picture of IT assets from cloud to edge. Ivanti’s product strategy reflects its customers’ main message that virtual workforces are here to stay. They need to proactively and autonomously self-heal and self-secure all endpoints and provide personalized self-service experiences to support employees working from anywhere, anytime.
VentureBeat spoke with SouthStar Bank IT specialist Jesse Miller about how effective AI-based bots are at self-healing endpoints. Miller said a major goal of the bank is to have endpoints self-remediate before any client ever experiences an impact. He also said the bank needs to have real-time visibility into endpoint health and have a single pane of glass for all ITSM activity.
“Having an AI-based system like Ivanti Neurons allows what I call contactless intervention because you can create custom actions,” Miller said. “We’re relying on Ivanti Neurons for automation, self-healing, device interaction, and patch intelligence to improve our security posture and to pull in asset data and track and resolve tickets.” SouthStar’s business case for investing in a hyper-automation platform is based on hours saved compared to more manual service desk functions and preemptive self-healing endpoint security and management. Below is an example of how self-healing configurations can be customized at scale across all endpoints.
Microsoft Defender 365 relies on behavior-based detections
Continually scanning every artifact in Outlook 365, Microsoft Defender 365 is one of the most advanced self-healing endpoints for correlating threat data from emails, endpoints, identities, and applications.
When there’s a suspicious incident, automated investigation results classify a potential threat as malicious, suspicious, or no threat found. Defender 365 then takes autonomous action to remediate malicious or suspicious artifacts.
Remediation actions include sending a file to quarantine, stopping a process, isolating a device, or blocking a URL. The Microsoft 365 Defender suite, which provides autonomous investigation and response, includes a Virtual Analyst. Earlier this month, Microsoft made Microsoft 365 Threat Defender analytics available for public preview. Most recent threats, high-impact threats, and threat summaries are all available in a single portal view.
Firmware-embedded self-healing endpoints for always-on connection
Absolute Software offers an example of firmware-embedded persistence providing self-healing endpoints. The company’s approach to self-healing endpoints is based on a firmware-embedded connection that’s undeletable from every PC-based endpoint.
Absolute’s customers say the Persistence technology is effective in remediating endpoints, providing resilience and autonomous responses to breach attempts. Dean Phillips is senior technology director at customer PA Cyber, one of the largest and most experienced online K-12 public schools in the nation, serving over 12,000 students based in Midland, PA. Phillips said it’s been helpful to know each laptop has active autonomous endpoint security running and that endpoint management is a must-have for PA Cyber.
“We’re using Absolute’s Persistence to ensure an always-on, two-way connection with our IT management solution, Kaseya, which we use to remotely push out security patches, new applications, and scripts. That’s been great for students’ laptops, as we can keep updates current and know where the system is,” Phillips said.
Such an agent enables capable endpoint management on student laptops, which he called “a big plus.”
Absolute’s 2021 Q2 earnings presentation reflects how quickly the self-healing endpoint market is expanding today.
Endpoint, heal thyself
Cybersecurity vendors all claim to have self-healing endpoints. Absolute Software, Akamai, Blackberry, Cisco, Ivanti, Malwarebytes, McAfee, Microsoft 365, Qualys, SentinelOne, Tanium, Trend Micro, Webroot, and many others attest that their endpoints can autonomously heal themselves. Separating hype from results starts by evaluating just how effective the technologies they’re based on are at preemptively searching out threats and removing them.
Evaluating self-healing endpoints using MITRE ATT&CK data and sharing the results with prospects needs to happen more. With every cybersecurity vendor claiming to have a self-healing endpoint, the industry needs better benchmarking to determine how effective threat hunting and preemptive threat assessments are.
What’s holding more vendors back from announcing self-healing endpoints is how difficult it is to provide accurate anomaly detection and incident response (IR) results that can autonomously track, quarantine, or remove an inbound threat. For now, the three most proven approaches to providing autonomous self-healing endpoints are AI-enabled bots, behavioral-based detections, and firmware-embedded self-healing technologies.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more