Invincea Advanced Endpoint Protection (AEP)
September 01, 2015
£28/year per endpoint.
- Strengths: The Cynomix engine is both cool and useful. Ease of deployment.
- Weaknesses: None that we found.
- Verdict: This is a significant anti-malware tool. It takes the position that by controlling malware at the endpoint you make the endpoint, and thus the enterprise, more secure against today's sophisticated threats. We agree, and we make this our next-generation Recommended product.
Advanced Endpoint Protection (AEP) is a very competent anti-malware tool that focuses squarely on the task at hand: protecting the endpoint from malware threats. It does this by encapsulating the endpoint application in a virtual environment and allowing malicious files to detonate, while containing the attack so that not even the most advanced zero-day can escape. That is a strong claim, but Invincea lives up to it: because protection comes from containment rather than recognition, the tool has no need for signatures or traditional heuristics, and an unknown sample is handled exactly like a known one.
The tool reduces the attack surface significantly through its use of "secure virtual containers." We liked that the company did not try to convince us that this is sandboxing. A sandbox is usually a protective layer over the kernel that is meant to prevent the malware or its effects from escaping; sadly, it is possible to "go around" the sandbox layer and still infect the host.
Virtual containers are quite different. They fully encapsulate the application in a secure environment, making it nearly impossible for a malware payload to do any damage to the host. The container is Invincea's own virtual machine, which is more lightweight than a typical type 2 hypervisor.
Invincea bases its approach on four elements: containment, detection, prevention and intelligence. Functionally, AEP contains the threat, identifies it and controls it. The secure virtual container does the containing. Threats are identified using several techniques: monitoring of the operating system, comparison against local knowledge, submission to the cloud for further analysis if necessary, and analysis with Cynomix, a tool developed under the DARPA-funded Cyber Genome project. Control is achieved by checking across the enterprise for other instances of a threat found on a single endpoint.
AEP also works if a threat somehow ends up outside the container: it detects the threat by its unknown behaviour and analyses it using advanced static analysis.
The Cynomix engine identifies threats in a unique way. First, it treats every file that exhibits malicious behaviour as if it were a zero-day. It looks at the code in the suspected sample and compares it with code in other samples. It also executes the sample and looks at its capabilities. If all of this looks suspicious, the malware is contained in the secure virtual container.
The server comes as a pre-packaged virtual appliance running in VMware. It can also be installed in the traditional manner on a physical server running a 64-bit version of Linux with a MySQL database. Integration with VirusTotal, ReversingLabs and Metascan is part of the management server.
Setup is not at all difficult. The endpoint sensor is small, 50 to 90 MB, and does not load down the endpoint. Because the agent is small and deploys well at scale, setting up an AEP environment is pretty easy.
The management server is also easy to use and has a number of screens that help isolate functionality. When a threat is detected, AEP creates an alert with details of the suspect activity. Forensic information comes in the form of a map that shows exactly how the threat executed and the damage it did. Additionally, a threat tree allows detailed analysis of the threat's dynamic behaviour. Each infection vector is given a point value during analysis, and that value determines the threat level of the event. The tool is vendor-agnostic, removing any vendor-specific restrictions. Once a sample is collected, it can be shipped to a partner such as VirusTotal for full analysis.
SC Magazine UK