A New Model to Protect the Endpoint, Part 2: Attack Chain Weaving
In my last post, I talked about the need for a paradigm shift from point-in-time detection technologies to a new model that combines a continuous approach with a big data architecture. This new model lets Cisco deliver a range of other innovations that enhance the entire advanced malware protection process across the full attack continuum—before, during, and after an attack.
One of these innovations, unique to Cisco AMP for Endpoints, is Attack Chain Weaving which introduces a new level of intelligence not possible with point-in-time detection technologies.
We all know that attackers are making it their job to understand traditional point-in-time detection technologies and innovate around their limitations to penetrate endpoints and networks. However, as these attacks unfold, they leave in their wake massive volumes of data. Attack Chain Weaving allows defenders to use this data to their advantage. A big data architecture handles the ever-expanding volume of data that is essential to effective malware detection and analytics, and a continuous approach uses that data to provide context and, most importantly, prioritization of events when and where you need it.
Here’s how Attack Chain Weaving works:
Process-level telemetry data is collected and analyzed over time and continuously from the network and endpoint. This capability is called retrospection and offers significant advantages over event-driven data collection or scheduled scans for new data, as it captures attacks as they happen, much like a video surveillance system. This data includes all file activity on the endpoint, all communication to and from the endpoint, and all processes or parent/child relationships of file creation and file execution on the endpoint. Specifically:
- File retrospection – After initial detection analysis, file retrospection continues to interrogate files over an extended period of time with the latest detection capabilities and collective threat intelligence, allowing for an updated disposition to be rendered and further analysis to be conducted well beyond the initial point-in-time it was first seen.
- Communication retrospection – Continuously captures communication to and from an endpoint and the associated application and process that initiated or received the communication for added contextual data.
- Process retrospection – Similar to file retrospection, process retrospection is the ability to continuously capture and analyze system process I/O over an extended period of time.
Attack Chain Weaving links together the file, process, and communication retrospection streams as they happen over time to capture the relationship dimension that is missing in two dimensional point-in-time technologies I described in Part 1 of this series. Available for analysis in real time, anytime it is needed, this linked data reveals new information about an attack by analyzing patterns of behavior from an individual endpoint or across the community of endpoints.
In my next post, I’ll talk more about the automated, advanced analytics capabilities built-in to Cisco AMP for Endpoints that let you take action based on the insights gained from the attack chain you’ve woven together.
To learn more about this new model and Attack Chain Weaving, download the whitepaper: Continuous Endpoint Threat Detection and Response in a Point-in-Time World.