Non-Invasive User-Space Endpoint Security - The Best of Both Worlds

December 8, 2014 | 3 minute read

The amount of data collected as well as its quality are essential for the ability to detect complex cyber-attacks. Endpoints carry the most accurate, first-hand information needed for detection of persistent, non-signature based attacks, as they provide visibility to critical information such as: process actions, file access information, network events and configuration changes on the endpoints, etc.

Despite the clear advantage of endpoint security solutions, many security leaders refrain from using them because kernel-level tools are difficult for IT to maintain and notorious for causing blue screens and interfering with machine performance.

Cybereason is the only endpoint detection and response (EDR) solution that based in the user-space of the operating system and is designed to be non-invasive. It enables the highest quality of data collection without interfering with the user experience.

Kernel-Level Deployment: Perpetuating the Security vs. IT Dilemma

When considering an endpoint solution CISOs face a tough dilemma: while they do not wish to leave their endpoints completely unprotected, they also become weary when deploying a kernel-level endpoint tool.

Kernel level tools are notorious for frustrating end-users and IT departments because they disrupt the operating system of a machine. Everyone has experienced it - a slow machine, a non-responding browser, reduced battery life, a blue screen or even worse, a full-on computer crash. When broadly used, a kernel level tool may overburden IT. Often, fixing such a widespread problem will become costly and intrusive. For example, if a security tool pushes an update that causes a computer crash, an out-of-band process of uninstalling updates must take place. In addition, in some cases, this process can only be done in safe mode, which will require physical access to the machine.

Kernel-Level deployment: Blue Screens – Guaranteed

Unfortunately, there is no way to build a kernel level tool that will not interfere with machine stability and performance.  Although all security vendors claim to be practically invisible to end-users, recent news reveals that even Microsoft itself created a very unsuccessful kernel patch.  Microsoft, in attempt to fix a security vulnerability, implemented a patch that led to BSOD crashes for everyone that applied it. Anything that functions in kernel level has the ability to motivate a BSOD crash. If Microsoft, the creator of the operating system can initiate a crash, why wouldn't a security tool? This highlights a fundamental problem when working with kernel level components; it doesn't take much to cause significant problems and to interfere with the user experience.  There is no doubt that Microsoft has a very rigorous process of testing and amble resources to ensure things like this don't happen, but they still do. Corporations should be cynical - if a security company with a kernel level tool does not have a large amount of resources, as Microsoft does, the risk of significantly disrupting business continuity is very high.

The Cybereason Approach: Doing No Harm

While securing an organization is Cybereason’s number one priority, we wanted to ensure that we are not the cause of new problems for our clients. Because traditional security solutions have, for years, violated this principle, everyone in security looks at any endpoint solution with distrust. Cybereason strives to earn the trust of end-users and IT, in order to completely shift the security approach and better protect against the most sophisticated cyber attacks. Cybereason was built to live alongside end-users and not to break the user-experience.

No Compromise on Security

One may be concerned that user-space solutions can be easily accessed by hackers while kernel level deployment is much harder to offset by a hacker. In reality, all systems could be exploited by a determined hacker.

Cybereason approach to spot an attacker trying to shut off the endpoint sensor is to detect attacker's activities across the organization, instead of looking at a single endpoint. If an attacker is targeting Cybereason Silent Sensor on one endpoint or more, he might succeed to do so, but he'd still get detected by Cybereason. This is because Cybereason is installed across the organization, monitoring vast amounts of activities on all stations: local and network, while looking for anomalies tailored to that specific organization. Cybereason’s solution will automatically flag any attempt to turn off the endpoint sensor as malicious behavior, so that security teams can closely monitor all future connections to and from the endpoint that was disconnected.

The Bottom line: Frictionless Collection. No Security Compromise.

Cybereason is the only endpoint security solution that runs completely in user-space and is designed to be non-invasive.  Cybereason is easy to deploy and maintain and it always retains the user-experience. By staying far away from the core of the operating system, Cybereason ensures that business continuity will never be disrupted. Cybereason leverages proprietary mechanisms in user-space to gain kernel-level data quality without using a kernel-level component. learn more about our user-space data collection here.



Lital Asher-Dotan
About the Author

Lital Asher-Dotan

Lital is a Marketing Team Leader, Storyteller, Technology Marketing Expert. She joined Cybereason as the first marketing hire and built a full marketing department. Specializing in brand building, product marketing, communication and content. Passionate about building ROI-driven marketing teams.