
Reading Room


Clients and Endpoints

Featuring 7 Papers as of June 20, 2017

  • Next Generation Endpoint Protection – CIS Control 8, Malware Defense Effectiveness, Performance Metrics and False Positive Rates STI Graduate Student Research
    by Dean Sapp - June 20, 2017 

    The Center for Internet Security (CIS) Critical Security Controls v6.1 comprise battle-tested and prioritized security controls that significantly reduce the risk to businesses from cyber breach. Endpoint security is the primary objective of Control 8, Malware Defenses, which is analyzed in this study (Manage Cybersecurity Risk with the CIS Controls). This paper details a handful of real-world testing scenarios to determine which Next Generation Endpoint Security (NGES) products are most effective at blocking file-based malware from executing, including freshly minted zero-day variants that have been repacked so they have unique hashes. In addition to measuring efficacy in blocking malware, this paper includes a secondary scope that examines the system resource consumption introduced by these products, to give the reader a better understanding of the business impact these products have on the overall end-user experience. A tertiary scope analyzes the false positive rate of NGES with respect to common administrative tools used regularly by IT practitioners on the Microsoft Windows 10 Enterprise and Windows 2012 R2 Server platforms.

  • A New Era in Endpoint Protection Analyst Paper
    by Dave Shackleford - April 26, 2017 

    Conventional antivirus solutions aren’t keeping pace with today's threats. There's a lot of fear, uncertainty and doubt around replacing antivirus with next-generation antivirus solutions, particularly in legacy environments. Learn what NGAV actually is; where it fits into the IT infrastructure; and how to easily utilize CrowdStrike's Falcon cloud-based services against a variety of threats first-generation AV normally wouldn't catch. SANS analyst Dave Shackleford explains and presents his findings.

  • Next-Gen Endpoint Risks and Protections: A SANS Survey Analyst Paper
    by G. W. Ray Davidson, PhD - February 27, 2017 

    Results of this survey suggest that we may need to broaden the definition of an endpoint to include users, as the two most common forms of attack reported are directed at users. Lack of adequate patching programs also results in endpoint compromises, despite reported centralized endpoint management. Results also point to the need for improved detection, response, and automation of remediation processes.

  • Out with the Old, In with the New: Replacing Traditional Antivirus Analyst Paper
    by Barbara Filkins - November 2, 2016 

    Research over the past 10 years indicates that traditional antivirus products are rarely successful in detecting smart malware, unknown malware and malware-less attacks. This doesn’t mean that antivirus is “dead.” Instead, antivirus is growing up. Today, organizations look to spend their antivirus budget on replacing current solutions with next-generation antivirus (NGAV) platforms that can stop modern attacks. This paper provides a guide to evaluating NGAV solutions.

  • Intelligent Network Defense Analyst Paper
    by Jake Williams - September 8, 2016 

    When an army invades a sovereign nation, one of the defenders’ first goals is to disrupt the invader’s command and control (C2) operations. The same is true when cyber attackers invade your network. Network defenders must prevent adversary communication, stopping the attack in its tracks while alerting the incident response (IR) team to the point of compromise and nature of the attack. Read on to learn more.

  • Endpoint Security through Device Configuration, Policy and Network Isolation
    by Barbara Filkins and Jonathan Risto - July 15, 2016 

    Sensitive data leaked from endpoints unbeknownst to the user can be detrimental to both an organization and its workforce. The CIO of GIAC Enterprises, alarmed by reports from a newly installed, host-based firewall on his MacBook Pro, commissioned an investigation concerning the security of GIAC Enterprise endpoints.

  • Success Rates for Client Side Vulnerabilities
    by Jonathan Risto - June 14, 2016 

    The user is the weakest link in the computer security chain. From clicking on links that they shouldn't to having weak passwords, it generally comes down to the end user doing something they shouldn't. If the user runs a piece of malware or opens an infected file, will it always lead to a compromise? This paper plans to test whether client-side exploits will always function, or whether there are additional factors to consider when dealing with these vulnerabilities and associated exploits. Is the Common Vulnerability Scoring System (CVSS) score enough to determine that a particular vulnerability is more critical than another and should be remediated sooner? This testing will be accomplished through the use of freely available exploitation software (e.g. Social Engineering Toolkit, Metasploit) in a closed testing environment.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.