LiveTrust
Traditional endpoint solutions, including Antivirus (AV) and Host-Based IDS (HIDS), are inadequate to prevent advanced persistent threats from launching and operating undetected for days on an endpoint. AV and HIDS rely on file reputation (file signatures), heuristics and well-known footprint detection. In contrast, LiveTrust uses evidence harvested at application runtime to detect and analyze risk locally based on observed application behaviors. As recent high-profile breaches indicate, endpoint solutions in the market often fail to detect landed threats, allowing a network-level compromise that escalates into a major data breach. A significant information gap that SIEM-based host log analysis systems fail to bridge is that malware does not leave a footprint by generating self-incriminating logs for continuous monitoring.
How is LiveTrust different from AV and HIDS?
LiveTrust monitors all local activities of applications (including user interactions, system interactions, execution patterns, and file/registry/network transactions) to detect and correlate action sequences, without requiring baseline anomaly detection to look for deviations. LiveTrust operates as a service with strategically positioned kernel extensions that instrument the platform for trust metrics. Detected patterns reflect the behavior DNA of malware, characterized by the specific actions and methods leveraged to exploit the local software stack (system APIs) and network protocols for hard-to-detect (benign-looking) signaling, reconnaissance and data transfers. LiveTrust uses a network analytics service component for risk analytics based on the integrity profiles generated and reported by the endpoint service, and for integration with daily threat intelligence from a plurality of data sources.
How does LiveTrust facilitate early breach detection?
LiveTrust generates integrity profiles (action sequences) to capture behavior patterns. The patterns indicate execution of actions that constitute a high risk (e.g. screen capture, key logging, return-oriented programming, use of encryption to communicate over clear channels, data execution prevention (DEP) evasion, thread injection, DLL injection, anti-debug/anti-trace/anti-dumping techniques, shell commands, in-memory data encryption/decryption, protect/unprotect, clipboard monitoring, SSDT/IAT hooks, rootkit camouflage). Such behavior patterns are early indicators of malicious intent, so the application and process launch sequence information is a significant piece of forensic evidence that lets security analysts intervene. The Application Tracker provides historic and in-depth evidence (the true execution profile), preserving otherwise volatile forensic information that is not available today from the SIEM logs generated by contemporary solutions.
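To make the integrity-profile idea concrete, here is an added illustration (not LiveTrust's code) that groups a constructed endpoint event stream into per-process action sequences and flags ordered high-risk sequences without any baseline; the action names, weights and sequence rules are assumptions chosen from the behaviors listed above.

```python
# Added example: build per-process action sequences ("integrity profiles")
# from constructed endpoint events and score them against ordered patterns.
from collections import defaultdict

# Per-action risk weights (assumed values, for illustration only).
RISK_WEIGHT = {
    "dll_injection": 3, "thread_injection": 3, "key_logging": 4,
    "screen_capture": 3, "clipboard_monitor": 2, "ssdt_hook": 4,
    "in_memory_decrypt": 2, "encrypted_over_clear_channel": 3,
    "anti_debug": 2, "shell_command": 1, "registry_write": 1, "file_write": 0,
}

# Ordered sub-sequences that signal intent (assumed rules; gaps are allowed).
SEQUENCE_RULES = {
    "credential_theft": ["dll_injection", "key_logging", "encrypted_over_clear_channel"],
    "screen_exfil": ["screen_capture", "in_memory_decrypt", "encrypted_over_clear_channel"],
}

def build_profiles(events):
    """Group events by pid, in timestamp order, into action sequences."""
    profiles = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        profiles[ev["pid"]].append(ev["action"])
    return dict(profiles)

def contains_in_order(seq, pattern):
    """True if every action in pattern occurs in seq in that order."""
    it = iter(seq)                       # shared iterator keeps the order constraint
    return all(any(a == p for a in it) for p in pattern)

def assess(profiles):
    """Return {pid: (risk score, [matched rule names])} per profile."""
    report = {}
    for pid, seq in profiles.items():
        score = sum(RISK_WEIGHT.get(a, 0) for a in seq)
        hits = [n for n, pat in SEQUENCE_RULES.items() if contains_in_order(seq, pat)]
        report[pid] = (score, hits)
    return report

# Constructed sample events: pid 100 is benign, pid 200 injects, logs keys, then exfiltrates.
EVENTS = [
    {"ts": 1, "pid": 100, "action": "file_write"},
    {"ts": 2, "pid": 200, "action": "dll_injection"},
    {"ts": 3, "pid": 100, "action": "registry_write"},
    {"ts": 4, "pid": 200, "action": "anti_debug"},
    {"ts": 5, "pid": 200, "action": "key_logging"},
    {"ts": 6, "pid": 200, "action": "encrypted_over_clear_channel"},
]

if __name__ == "__main__":
    for pid, (score, hits) in assess(build_profiles(EVENTS)).items():
        print(pid, score, hits)   # 100 1 [] / 200 12 ['credential_theft']
```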
How does LiveTrust facilitate incident response and host remediation?
Incident response benefits from the intelligence that can be harvested once an endpoint is known to be in an infected state. This allows security professionals to quarantine the infected system and extract valuable evidence to trace the behavior for IPS/firewall countermeasures. The integrity profiles generated by LiveTrust also give antivirus engines valuable information for disinfecting the host, based on the types of activities the malware engaged in on the endpoint (e.g. file system and registry hives modified, exploit vectors). The LiveTrust Analytics Service also helps pinpoint and pivot on other affected endpoints based on the observed patterns.