Jack Danahy
Jun 2015

Beginning at the End: Why Breach Protection Must Start on the Endpoint



“Why then, can one desire too much of a good thing?”

- Rosalind, in Shakespeare’s “As You Like It”

Spending on cybersecurity continues to grow, and the Gartner Group expects it to reach almost $77B in 2015. With all that money and effort, and more that is certainly on the way, it’s hard to reconcile the growing war chest for defense with the more rapidly growing list and costs of breaches. One possible cause is that our appetite for security monitoring data has outstripped our ability to ingest and understand the masses of data that it provides. Very few organizations are capable of distilling value from all of the traffic that they are paying to receive.

The imbalance between spending and return is obvious in the numbers. While security spending is increasing at roughly 8% per year, PwC reports that incidents are growing at almost eight times that rate: a 66% CAGR. This imbalance leads unmistakably to the conclusion that existing security approaches, and not just the tools that embody them, need to be revisited.

In their February 2015 M-Trends report, the Mandiant team at FireEye reported that the time it took for organizations to detect breaches had fallen from 229 days to 205 days. While any improvement is good, it is hard to get excited about security breaches detected more than 6 months after they began. In most cases, the data stolen during these attacks is sold pretty quickly on the Dark Web, as the value of the stolen information drops rapidly over time. Rest assured, these periods are much shorter than 205 days.

Even more disturbing, this reduced discovery period is also misleading. When asked about reasons for the drop, Mandiant’s Ryan Kazanciyan pointed to an increase in FBI notifications to breached customers. In cybersecurity terms, the FBI has become an important new tool for intrusion detection. It joins the other successful breach detection mechanisms: customers and third parties, who are typically cited as the detectors in the majority of data breaches.

Why is this the case?

One reason for the lack of internal breach detection is that networks are always getting faster; the systems that ride on them are getting faster, and they are generating ever-increasing amounts of traffic. Combine this volume of data with a highly dynamic definition of expected behavior, and it is clear that detecting intrusions within this traffic, before they result in damage to endpoints, is not in the cards. In addition, most detection approaches that watch from the network are actually looking for external evidence that a system or systems have already been corrupted. They judge by the outgoing or inter-system traffic whether or not a system on the network has been co-opted. At this point, the damage has already been done. The external evidence that a machine is corrupted is not an indication of an attack in progress, but rather evidence of an attack that has succeeded, at least partially.

What can be done?

Most attacks begin on user systems, creating a foothold with phishing or other social engineering attacks. If organizations are going to stop these attacks before they spread, and before they are forced to look for them in the storm of data that describes their network, they need to do so on these local machines. Every machine that is compromised creates more hostile network traffic to be assessed, and each of these systems is a means through which other systems can likewise be compromised.

The only way to keep the security management tractable is to focus on the identification and elimination of breaches at the very start of the infection process, on the endpoint machine. The amount of data to be analyzed is much smaller, the specific conditions are more easily known, and the analytics benefit from the same performance improvements that are improving the local system. Each endpoint saved represents an unknowable amount of monitoring traffic denied, and one less source of noise to clutter the displays of administrators.
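As an added illustration of the two paragraphs above (example code written for this page, not code from the original post or from Barkly), the following runs two toy detectors over the same constructed incident timeline: an endpoint rule that watches process starts on the user's machine, and a network rule that watches outbound connections from the gateway. The process names, the addresses, the "document viewer spawning an interpreter" rule and the beacon threshold are all assumptions made for the example, chosen to show the timing difference the post describes: the endpoint signal appears at the foothold, while the network signal appears only once the compromised host is already talking out.

```python
"""
Endpoint-first versus network-side detection on a constructed timeline.

Nothing here is real telemetry. The events, hosts, addresses and rules are
constructed for illustration of the argument that external (network) evidence
arrives only after the endpoint has already been compromised.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class EndpointEvent:
    t: int        # seconds after the user opened the attachment (constructed clock)
    host: str
    parent: str   # image name of the parent process
    child: str    # image name of the spawned process


@dataclass(frozen=True)
class NetFlow:
    t: int
    src: str
    dst: str
    dst_port: int
    bytes_out: int


# Assumed endpoint rule: a document viewer should not spawn a script
# interpreter or shell. This is an illustrative rule for the example, not
# any product's actual detection logic.
DOC_VIEWERS = {"winword.exe", "excel.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def endpoint_alert_time(events: List[EndpointEvent]) -> Optional[int]:
    """Timestamp of the first foothold-style process spawn, or None."""
    for e in sorted(events, key=lambda ev: ev.t):
        if e.parent.lower() in DOC_VIEWERS and e.child.lower() in INTERPRETERS:
            return e.t
    return None


def network_alert_time(flows: List[NetFlow], beacon_min: int = 3) -> Optional[int]:
    """Timestamp at which a host is judged compromised from the outside.

    Crude beacon heuristic (assumed for the example): the host is flagged on
    its `beacon_min`-th outbound connection to the same destination and port.
    """
    seen: Dict[Tuple[str, str, int], int] = {}
    for f in sorted(flows, key=lambda fl: fl.t):
        key = (f.src, f.dst, f.dst_port)
        seen[key] = seen.get(key, 0) + 1
        if seen[key] >= beacon_min:
            return f.t
    return None


# Constructed timeline. Addresses are from documentation ranges (RFC 5737).
ENDPOINT_EVENTS = [
    EndpointEvent(0, "ws-17", "explorer.exe", "winword.exe"),    # user opens attachment
    EndpointEvent(4, "ws-17", "winword.exe", "powershell.exe"),  # foothold on the endpoint
]
NET_FLOWS = [
    NetFlow(2, "ws-17", "203.0.113.10", 443, 1200),   # ordinary web traffic
    NetFlow(60, "ws-17", "198.51.100.7", 443, 300),   # first outbound contact after foothold
    NetFlow(120, "ws-17", "198.51.100.7", 443, 300),
    NetFlow(180, "ws-17", "198.51.100.7", 443, 300),  # third contact: network rule fires
]


def detection_gap_seconds(events: List[EndpointEvent] = ENDPOINT_EVENTS,
                          flows: List[NetFlow] = NET_FLOWS) -> Optional[int]:
    """How much later the network-side evidence arrives than the endpoint signal."""
    ep, net = endpoint_alert_time(events), network_alert_time(flows)
    if ep is None or net is None:
        return None
    return net - ep


if __name__ == "__main__":
    print("endpoint alert at t =", endpoint_alert_time(ENDPOINT_EVENTS))
    print("network alert at t =", network_alert_time(NET_FLOWS))
    print("gap in seconds =", detection_gap_seconds())
```

On this constructed timeline the endpoint rule fires at the second process event, before any hostile traffic exists to be monitored; the network rule only fires after the host has repeatedly contacted an external destination, which is exactly the "attack that has succeeded, at least partially" situation described above. The endpoint rule also inspects two records to reach its verdict, where the network rule has to accumulate flows over time.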

If we expect our security and IT teams to be able to see intrusions as they happen, we certainly need to clear the clutter that they are looking through.

Photo by Tomasz Bazylinski

Jack Danahy


Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.
