In my final post in this series, I wanted to focus on another powerful innovation made possible by combining a big data architecture and a continuous approach for more effective protection: automated, advanced analytics.

Today’s advanced malware compromises environments from an array of attack vectors, takes endless form factors, launches attacks over time, and can obfuscate the exfiltration of data. To detect advanced attacks as they move laterally through the network and across endpoints, defenders need technologies that automatically look for Indicators of Compromise (IoCs) left behind by malware and exploits, as well as more advanced behaviors of compromise that happen over time.

Cisco AMP for Endpoints delivers this level of automation through advanced behavioral detection capabilities, not with the aim of providing yet another list of alerts to investigate, but to deliver a prioritized and collated view of top areas of compromise and breach activity. A big data architecture collects and stores real-time telemetry data from the network and endpoints. A continuous approach automatically analyzes and reanalyzes data against sophisticated algorithms to look for patterns of activity as they emerge so that security teams can quickly detect and focus their efforts on the threats with the greatest potential for damage.

Some of the specific analytic capabilities this new model allows include:

  • Behavioral IoCs – Leveraging Attack Chain Weaving capabilities (the ability to collect file, communication, and process data and link it into a chain of activity, as discussed in Part 2 of this series), Behavioral IoCs look for sophisticated patterns of activity across detection events, static IoCs, and telemetry data that indicate potential compromise. A classic example is a dropper that has slipped through initial detection. Events leading up to and after the triggered Behavioral IoC are also collected and available for additional forensic insight.
  • Open IoCs – Security teams can leverage their custom, static IoC detection lists within the continuous model as part of the data that is used for correlation.
  • Intelligence-based IoCs – More than static intelligence, black lists, or detection scripts, these IoCs are based on behavioral algorithms that look for specific malicious actions and related actions over time. Intelligence-based IoCs are developed and fully supported by our Threat Research teams.
  • Prevalence – An advanced analysis engine determines a detected malware’s prevalence in relation to the organization and the broader global community. Malicious files with low prevalence often indicate targeted malware and a targeted attempt at compromise, and such files are typically missed by security teams. Prevalence analysis highlights these sorts of attacks, especially when correlated with other static or behavioral IoCs involving the same systems.
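The prevalence analysis and IoC correlation described in the list above, as an added example written for this post (it is not Cisco's or AMP's code). The endpoint telemetry, the hash labels and the global sighting counts are constructed, and the low-prevalence thresholds are assumptions.

```python
from collections import defaultdict

# Constructed endpoint telemetry: (hostname, file hash label, IoC names that fired on that host).
# The hash labels are placeholders, not real indicators.
TELEMETRY = [
    ("ws-001", "hash-A", []),
    ("ws-002", "hash-A", []),
    ("ws-003", "hash-A", []),
    ("ws-004", "hash-A", []),
    ("ws-005", "hash-B", ["dropper.behavioral"]),
    ("ws-006", "hash-C", []),
    ("ws-006", "hash-B", []),
]

# Constructed "global community" sighting counts per hash (a hypothetical cloud lookup result).
GLOBAL_SIGHTINGS = {"hash-A": 250000, "hash-B": 2, "hash-C": 1800}


def org_prevalence(telemetry):
    """Number of distinct hosts inside the organization on which each file was seen."""
    hosts = defaultdict(set)
    for host, file_hash, _ in telemetry:
        hosts[file_hash].add(host)
    return {h: len(s) for h, s in hosts.items()}


def ioc_hits(telemetry):
    """Static and behavioral IoCs that fired anywhere for each file, for correlation."""
    hits = defaultdict(set)
    for _, file_hash, iocs in telemetry:
        hits[file_hash].update(iocs)
    return hits


def prioritize(telemetry, global_sightings, org_limit=2, global_limit=10):
    """Rank files so that low org and global prevalence, plus correlated IoCs, rise to the top.

    Thresholds are assumed values: a file on at most org_limit hosts is low prevalence
    locally; at most global_limit community sightings is low prevalence globally.
    """
    prev, hits = org_prevalence(telemetry), ioc_hits(telemetry)
    ranked = []
    for file_hash, org_count in prev.items():
        global_count = global_sightings.get(file_hash, 0)
        low_org, low_global = org_count <= org_limit, global_count <= global_limit
        score = (2 if low_org and low_global else 1 if low_org or low_global else 0)
        score += 2 * len(hits[file_hash])  # each correlated IoC raises the priority
        ranked.append({"hash": file_hash, "org_hosts": org_count, "global": global_count,
                       "iocs": sorted(hits[file_hash]), "score": score})
    return sorted(ranked, key=lambda r: -r["score"])
```

On the constructed data, hash-B (two hosts, two global sightings, one behavioral IoC) ranks first, ahead of the widely seen hash-A.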

Automated, advanced analytics is a transformative innovation in the battle against advanced threats. Combining big data analytics and continuous capabilities to identify patterns and indications of compromise as they emerge enables security teams to focus their efforts on the threats that matter most.

To learn more about this new model that considers detection and response not as separate disciplines or processes but as an extension of the same objective – to stop advanced threats – download the whitepaper: Continuous Endpoint Threat Detection and Response in a Point-in-Time World.


Tom Stitt

Product Marketing Director

Advanced Malware Protection