Cisco Blogs
A New Model to Protect the Endpoint, Part 1: Continuous vs. Point-in-Time Security

June 25, 2014

The fundamental security problem that many defenders face is securing their environment in a world of continuous change. IT environments change. Threats change. But today’s threat detection technology doesn’t change. It’s stuck in time, point-in-time to be exact.

Sure, detection technologies have evolved. The latest improvements include executing files in a sandbox for detection and analysis, the use of virtual emulation layers to shield users and operating systems from malware, reputation-based application whitelisting to separate acceptable applications from malicious ones, and, more recently, attack chain simulation and analysis. But predictably, attackers understand the static nature of these security technologies and are innovating around their limitations to penetrate network and endpoint defenses.

These point-in-time detection technologies will never be 100 percent effective, and they are unable to identify the attacker’s unfolding follow-on activity, which requires continuous scrutiny. The disconnect stems from the fact that malware is dynamic and three-dimensional. It doesn’t just exist on a two-dimensional point-in-time ‘X-Y’ plot waiting to be detected, where X is time and Y is the detection mechanism. Malware exists as an interconnected ecosystem that is constantly in motion. To be even remotely effective, malware defenses have to be multi-dimensional and just as dynamic, taking into account the relationship dimension as well.

What’s needed is a transformational approach that delivers ongoing protection and visibility from point of entry, through propagation, to post-infection remediation.

Based on a model of delivering protection before, during, and after an attack, the Cisco Advanced Malware Protection (AMP) for Endpoints solution leverages a big data architecture combined with a continuous approach to detect advanced threats and breach activity. In this model, process-level telemetry data is continuously collected across all sources as it happens, and is always up to date when it is needed. Analysis can be layered to work in concert, eliminating impacts to control points and delivering advanced levels of detection over an extended period of time. Analysis is more than event enumeration and correlation; it also involves weaving telemetry data together for greater insight into what is happening across the environment. Tapping into a broader community of users, Collective Security Intelligence is continuously updated globally and shared immediately. This global intelligence is correlated with local data for even more informed decision making.

With Cisco AMP for Endpoints, detection and response are no longer separate disciplines or processes but an extension of the same objective: to stop advanced threats. Moreover, by applying a continuous approach to traditional detection, defenders can improve upon point-in-time technologies, enabling them to be more effective, efficient, and pervasive. For example, multiple detection engines can work in concert, sharing context for improved detection capabilities. Detection can be performed over an extended period of time, which is exactly how attacks unfold. And detection intelligence can be shared instantaneously, across multiple control points, for improved protection.
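As an added illustration of the argument above (not code from the post, and not how Cisco AMP is implemented), the toy model below contrasts a scanner that judges each file once at entry with one that retains process telemetry and re-evaluates it when intelligence changes, propagating the verdict along parent-child relationships. All hashes, hostnames and timestamps are constructed.

```python
"""Toy model: point-in-time verdicts versus continuous, retrospective ones."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    t: int                 # time the process start was observed
    host: str
    sha256: str            # hash of the executing image (constructed value)
    parent: Optional[str]  # hash of the parent image, None for the root


# Constructed telemetry: an unknown file runs at t=0 and later spawns two children.
TELEMETRY: List[Event] = [
    Event(0, "ws-01", "aaa1", None),
    Event(5, "ws-01", "bbb2", "aaa1"),
    Event(9, "ws-01", "ccc3", "bbb2"),
]

# Intelligence known at entry versus after a later update (constructed).
INTEL_AT_ENTRY: Dict[str, str] = {}
INTEL_UPDATED: Dict[str, str] = {"aaa1": "malicious"}


def point_in_time_verdicts(events: List[Event], intel_at_entry: Dict[str, str]) -> Dict[str, str]:
    """Judge each file once, with the intelligence available when it was first seen.
    Nothing is retained, so a later intelligence update cannot change these verdicts."""
    return {e.sha256: intel_at_entry.get(e.sha256, "unknown") for e in events}


def continuous_verdicts(events: List[Event], intel_now: Dict[str, str]) -> Dict[str, str]:
    """Re-evaluate retained telemetry against current intelligence, then mark every
    descendant of a malicious process as malicious too (the relationship dimension)."""
    verdicts = {e.sha256: intel_now.get(e.sha256, "unknown") for e in events}
    children: Dict[str, List[str]] = {}
    for e in events:
        if e.parent is not None:
            children.setdefault(e.parent, []).append(e.sha256)
    pending = [h for h, v in verdicts.items() if v == "malicious"]
    while pending:
        parent = pending.pop()
        for child in children.get(parent, []):
            if verdicts[child] != "malicious":
                verdicts[child] = "malicious"  # flagged by lineage, not by its own hash
                pending.append(child)
    return verdicts


if __name__ == "__main__":
    print("point-in-time:", point_in_time_verdicts(TELEMETRY, INTEL_AT_ENTRY))
    print("continuous:   ", continuous_verdicts(TELEMETRY, INTEL_UPDATED))
```

The point-in-time scanner leaves all three processes "unknown" forever, while the continuous model flags the whole chain once the dropper's disposition changes, which is the scope a responder needs for remediation.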

But this is just the beginning of how Cisco’s continuous approach combined with a big data architecture transforms advanced malware protection. More importantly, it lets us deliver a range of other innovations that enhance the entire advanced malware protection process from detection through response in an integrated and continuous way.

Next time we’ll take a look at how this model enables something unique to Cisco AMP for Endpoints—Attack Chain Weaving.

To learn more about this new model, download the whitepaper: Continuous Endpoint Threat Detection and Response in a Point-in-Time World.
