endpoint modeling 101 - a new approach to endpoint security

Dynamic Endpoint Modeling

Upload: observable-networks

Post on 16-Apr-2017


Page 1: Endpoint Modeling 101 - A New Approach to Endpoint Security

Dynamic Endpoint Modeling

Page 2

What is Endpoint Modeling?

• It’s observing all behavior of all of your network endpoints and watching for changes in that behavior; changes that could indicate possible compromise or malicious activity.

• It’s rapid identification of compromised equipment thus driving remediation response times to near immediate.

Page 3

What is Endpoint Modeling?

• It’s passive collection of IP traffic information - and not payload - to determine anomalies, thus not affected by encryption or levels of transparency in virus signatures.

• It’s utilization of cloud powered compute and remote run algorithms to deliver real-time analysis and alert functionality.

• It’s unprecedented visibility. At the core it’s “Baselining” – comparing current & past activity and performance to an historical baseline.

Page 4

Endpoint modeling is profoundly different.

[Slide graphic: each endpoint is checked against Role, Network Activity, Communication Patterns, Continuous Validation and Compliance, with sample alert rows such as "T:406, TAG 19, EXPLORE, ALERT-3F", "V:9011, TAG 139, EXPLORE, ALERT-3A" and "T:126, TAG 6D, CONFIRMED ALERT-12".]

Page 5

How Does Endpoint Modeling Work? Roles, Profiles, and Algorithms

Models include five key dimensions of behavior analysis, each of which is built upon our robust proprietary catalog of device profiles, roles, and security algorithms.

• PROFILES - device profiles are network flow-level labels recognized by port, traffic, destination IP and packet characteristics. Device profile names are given to a behavior associated with a software application or service, such as a streaming media client.

• ROLES - device roles are combinations of device profiles that represent more complex network devices. A device role is a high-level category for a connected device, such as a printer, domain controller, or medical imaging server. Devices on enterprise networks typically fulfill one or more device roles.

• ALGORITHMS - security algorithms are modeling and anomaly-detection techniques based on statistical, state-based, rule-based, and learning theories that rapidly identify aberrant events, whether known to be normal, new, or potentially malicious.

Copyright © Observable Networks, Inc. 5

Page 6

How Does Endpoint Modeling Work? Assessing Behavior over Time

How is the device operating:

• according to its type?
• like similar types?
• like it has in the past?
• in a way that breaks rules?
• as predicted?

Important: No Deep Packet Inspection. No end host agents.
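The profile, role and algorithm layers from the previous slide, and the five "how is the device operating" questions above, as one small Python pass over flow metadata. This is an added illustration written for this page, not Observable Networks' code: the port-to-profile table, the role rules, the forbidden-profile rule, the 3-sigma threshold and every flow record are constructed, and only addresses, ports, protocol and byte counts are consulted (no payload, no agent).

```python
"""Toy endpoint-modeling pass over flow metadata (addresses, ports, protocol,
byte counts; no payload). Written for this page; not Observable Networks' code.
The port-to-profile table, role rules, thresholds and flow records are all
constructed for the example."""
from collections import defaultdict
from statistics import mean, pstdev

# Flow record: (day, src_ip, dst_ip, dst_port, proto, bytes_sent_by_src). Constructed.
TRAINING_FLOWS = [
    (d, "10.0.0.5", "10.0.0.2", 53, "udp", 2000) for d in (1, 2, 3)
] + [
    (1, "10.0.0.5", "203.0.113.10", 443, "tcp", 50000),
    (2, "10.0.0.5", "203.0.113.10", 443, "tcp", 52000),
    (3, "10.0.0.5", "203.0.113.10", 443, "tcp", 48000),
] + [
    (d, "10.0.0.5", "10.0.0.9", 9100, "tcp", 30000) for d in (1, 2, 3)  # workstation prints
] + [
    (d, "10.0.0.9", "10.0.0.2", 53, "udp", 500) for d in (1, 2, 3)      # printer resolves names
]

# PROFILES: flow-level labels derived from destination port and protocol only (constructed table).
PROFILE_BY_PORT = {(53, "udp"): "dns", (443, "tcp"): "https",
                   (9100, "tcp"): "jetdirect", (445, "tcp"): "smb"}

# ROLES: combinations of profiles; first matching rule wins (hypothetical rules).
ROLE_RULES = [("printer", {"jetdirect_listener"}),
              ("workstation", {"dns_client", "https_client"})]

# Rule-based algorithm: profiles a role should never originate (hypothetical).
FORBIDDEN = {"printer": {"https_client", "smb_client"}}


def flow_profiles(flow):
    """Label both ends of one flow: the source acts as a client, the destination listens."""
    _, _, _, port, proto, _ = flow
    base = PROFILE_BY_PORT.get((port, proto), f"{proto}_{port}")
    return f"{base}_client", f"{base}_listener"


def assign_role(profiles):
    for role, required in ROLE_RULES:
        if required <= profiles:
            return role
    return "unclassified"


def build_model(flows):
    """Baseline every endpoint: its profile set, role and daily outbound byte statistics."""
    profiles, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for flow in flows:
        day, src, dst, nbytes = flow[0], flow[1], flow[2], flow[5]
        src_prof, dst_prof = flow_profiles(flow)
        profiles[src].add(src_prof)
        profiles[dst].add(dst_prof)
        daily[src][day] += nbytes
    endpoints = {}
    for ip, profs in profiles.items():
        totals = list(daily[ip].values()) or [0]
        endpoints[ip] = {"profiles": profs, "role": assign_role(profs),
                         "mean": mean(totals), "std": pstdev(totals)}
    # Peer baseline: every profile seen on any member of the same role.
    peers = defaultdict(set)
    for m in endpoints.values():
        peers[m["role"]] |= m["profiles"]
    return {"endpoints": endpoints, "peers": peers}


def assess(model, flows):
    """Compare one new day's flows to the baseline; return sorted (ip, kind, detail) alerts."""
    endpoints, peers = model["endpoints"], model["peers"]
    alerts, outbound = set(), defaultdict(int)
    for flow in flows:
        src, prof = flow[1], flow_profiles(flow)[0]
        outbound[src] += flow[5]
        if src not in endpoints:
            alerts.add((src, "new_endpoint", prof))
            continue
        m = endpoints[src]
        if prof not in m["profiles"]:                  # not like it has in the past
            alerts.add((src, "new_behavior", prof))
        if prof not in peers[m["role"]]:               # not like similar types
            alerts.add((src, "unlike_peers", prof))
        if prof in FORBIDDEN.get(m["role"], set()):    # breaks a rule for its type
            alerts.add((src, "rule_break", prof))
    for ip, total in outbound.items():
        if ip in endpoints:
            m = endpoints[ip]
            # Statistical check: 3 sigma above the daily mean, with a 25% floor for flat baselines.
            limit = m["mean"] + max(3 * m["std"], 0.25 * m["mean"])
            if total > limit:                          # not as predicted
                alerts.add((ip, "volume_anomaly", f"{total} B > {limit:.0f} B"))
    return sorted(alerts)


# Constructed "next day": the printer suddenly pushes 800 kB to an internet host over HTTPS.
NEW_DAY_FLOWS = [
    (4, "10.0.0.5", "10.0.0.2", 53, "udp", 2000),
    (4, "10.0.0.5", "203.0.113.10", 443, "tcp", 50000),
    (4, "10.0.0.5", "10.0.0.9", 9100, "tcp", 30000),
    (4, "10.0.0.9", "10.0.0.2", 53, "udp", 500),
    (4, "10.0.0.9", "198.51.100.7", 443, "tcp", 800000),
]

if __name__ == "__main__":
    for alert in assess(build_model(TRAINING_FLOWS), NEW_DAY_FLOWS):
        print(alert)
```

Run as a script, the workstation 10.0.0.5 produces no alerts because its day-4 traffic matches its own history and its peers, while the printer 10.0.0.9 trips all four checks at once: a profile it never used before, one no peer of its role uses, one its role is forbidden to originate, and a byte volume far beyond its baseline. A real service would also feed the "according to its type" question from a catalog far larger than the four-entry table here, but the same division of labour (profile labels from flow metadata, roles from profile combinations, several independent algorithms voting on each endpoint) is what the slide describes.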


Page 7

Why Is Endpoint Modeling Important? Key IT Security Shifts

1. No Threat Signatures
2. End-to-End Encryption
3. Device Proliferation

MORE Devices
• Everything connects to the network
• High growth in unmanaged devices
• Creating blind spots in security posture

HIGHER Specificity of Attacks
• Little to no signatures
• Social engineered attacks are common
• Perimeter defenses are weakening

MORE Encryption
• Desire for increased security and privacy
• Everything will be opaque
• Creating vulnerability in existing tools

Page 8

Why Is Endpoint Modeling Important? Key IT Security Shifts

4. Complex Networks
5. Inside & Insider Threats
6. Too Many Vectors

KNOW yourself
• Can’t know all enemies
• Can’t know all vulnerabilities
• Can know normal to recognize attacks

POROUS perimeter
• Partner connectivity
• Mobile connectivity
• 3rd party hosting and SaaS services

Watch everything
• Attackers roosting inside
• Employees and contractors
• Holistic awareness is required

Page 9

How Does Endpoint Modeling Improve Security?

With Dynamic Endpoint Modeling, you gain:

• A continuous, unobstructed understanding of every endpoint's behavior, regardless of its function

• Rapid identification of indicators of compromise without dependencies on log file monitoring, deep packet inspection (DPI), or other signature-based methods

• Insightful and efficient security actions

Page 10

How Does Endpoint Modeling Improve Security?

Endpoint Modeling has NO legacy dependencies, such as:

• All data being unencrypted or the need to be unencrypted
• A current signature for every new threat
• An agent installed on all network endpoints

Page 11

Summarizing Endpoint Modeling

[Slide graphic: ✔ BETTER THREAT DETECTION, real time / near real time rather than post-compromise, with DPI, signatures, payload capture, agent software and special hardware each marked as not required.]

Trends & Realities
• End-to-end encryption
• Device proliferation
• Information overload
• InfoSec staffing challenges

Endpoint Modeling
• No DPI, meta-data only
• No endpoint agents
• Concise, actionable alerts
• Profoundly aids productivity

Page 12

You can know more about your network than any adversary.

Page 13

About Observable’s Endpoint Modeling Service (observable.net/trial)

Dynamic Security Intelligence: DEM uses real-time network flow data, automated security analytics, and big-data methods to continuously model all of your network devices.

Cloud Platform: With no specialized hardware to purchase or software agents to deploy, Observable offers Network Security-as-a-Service in the cloud, which greatly simplifies deployment.

Managed Service Agility: Do you have the people and tools necessary for advanced threat detection? It’s expensive and time consuming to deploy the latest tools, hire the best analysts, and maintain a continuous vigil to ensure the integrity of your systems and data.

Software-as-a-Service (SaaS) Subscription: Observable simplifies threat detection as a SaaS subscription. Select cost-effective monthly or annual subscriptions, for any size organization.

Free 60 Day Trial, Experience the Full Product & Service: Sign up, download and install the service today. In fact, you can be building your endpoints’ baseline within hours of initiating your trial. Full support for placement, configuration and alerts.