
Advanced malware is dynamic, elusive, and evasive. Once it slithers into the organization’s extended network, it can proliferate very quickly, cause problems, and remain undetected by traditional point-in-time security tools. These tools poll or scan endpoints for malware or indicators of compromise at a single moment in time, and then do not evaluate again until the next scheduled scan is triggered; anything that arrives, runs, and cleans up between two scans is never seen.

To prevent a malware intrusion from becoming a full-fledged and costly breach, it is important to catch that malware as quickly as possible. To do that, you need to go beyond point-in-time tools, and instead continuously watch and analyze all file and program activity throughout your extended network, so that at the first glimpse of malicious behavior you can contain and remediate immediately.

However, despite this need for a continuous approach to advanced malware protection, it is difficult to see which security vendors truly offer this capability. The world of endpoint threat protection is awash in high-level messaging that all sounds the same. Some security vendors have recently claimed to be leading the next revolution in the detection of malware on the endpoint. Each claims to be more “real-time” and “continuous” than the others, when in reality they are only providing incremental improvements on the same tools with the same fundamental limitations. For a detailed understanding of how those limitations compare to a continuous approach to malware protection, check out the whitepaper Continuous Endpoint Threat Detection and Response in a Point-in-Time World.

In contrast to these tools, Cisco’s Advanced Malware Protection (AMP) for Endpoints solution leverages a big data architecture combined with a continuous approach to overcome the limitations of traditional point-in-time detection technologies. With AMP, process-level telemetry data is collected continuously, as it happens, across all sources, so it is always up to date when it is needed. Analysis engines can be layered and work in concert, so that detection keeps running over an extended period of time without adding load to the control points. Analysis is more than event enumeration and correlation; it also involves weaving telemetry data together for greater insight into what is happening across the environment. Tapping into a broader community of users, Collective Security Intelligence is continuously updated globally and is shared immediately. This global intelligence is correlated with local data for even more informed decision making.

Benefits of a Continuous Approach

  • Less focus on data collection
  • Automation of advanced analytics
  • Better threat prioritization
  • Faster time to remediation

OK, I’ve told you how continuous protection is better for security.

However, if I were an IT Security Manager looking for a security product to defend my organization, and a security vendor claimed to provide “continuous protection” and some of the other capabilities discussed here, my first request of that vendor would be:

Show Me.

Show me how it will answer four key security questions: How did malware get here? Where did it go? What is it doing? How do I stop it?
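To make the point-in-time versus continuous distinction concrete, here is a small Python model added for this post; it is not AMP code and not from the original article. It records constructed process and file events from three hypothetical endpoints (ws-01, ws-07, fs-01) into a ledger, shows what a scheduled scan of a single host sees at a given instant, and then, once a file hash is flagged as malicious after the fact, answers the four questions above from the recorded history. The hashes, hostnames, paths and URL are placeholders, not real indicators.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int           # seconds into the constructed timeline
    host: str        # endpoint where the file now lives / the action happened
    kind: str        # download | copy | exec | spawn | write | delete
    sha256: str      # hash of the file the event is about
    detail: str      # origin URL, parent process, child process, path ...
    actor: str = ""  # hash of the process responsible (used for write events)


# Constructed sample telemetry; hashes are placeholders, not real IoCs.
MAL = "sha256:PLACEHOLDER-dropper"
PAYLOAD = "sha256:PLACEHOLDER-second-stage"
SAMPLE_EVENTS = [
    Event(100, "ws-01", "download", MAL, "http://example.invalid/update.exe"),
    Event(110, "ws-01", "exec", MAL, "parent=outlook.exe"),
    Event(112, "ws-01", "write", PAYLOAD, r"C:\Users\Public\svc.dll", actor=MAL),
    Event(115, "ws-01", "spawn", MAL, "child=powershell.exe"),
    Event(120, "fs-01", "copy", MAL, r"from ws-01 to \\fs-01\share\update.exe"),
    Event(125, "ws-01", "delete", MAL, r"C:\Users\alice\Downloads\update.exe"),
    Event(600, "ws-07", "copy", MAL, r"from \\fs-01\share to C:\Temp\update.exe"),
    Event(605, "ws-07", "exec", MAL, "parent=explorer.exe"),
]

ON_DISK = {"download", "copy", "write"}  # event kinds that leave a file on disk


def point_in_time_scan(events, host, scan_t):
    """What a scheduled scan sees: the set of hashes present on `host` at scan_t.
    Replays disk-affecting events up to that instant; executions and spawns
    that happened in between leave no trace here."""
    present = set()
    for e in sorted(events, key=lambda e: e.t):
        if e.t > scan_t or e.host != host:
            continue
        if e.kind in ON_DISK:
            present.add(e.sha256)
        elif e.kind == "delete":
            present.discard(e.sha256)
    return present


class TelemetryLedger:
    """Continuous approach: every event is kept as it happens, so a verdict
    that arrives later can still be applied to the full history."""

    def __init__(self):
        self._events = []

    def record(self, ev):
        self._events.append(ev)

    def trajectory(self, h):
        """Answer the four questions for hash `h` from recorded telemetry."""
        evs = sorted(self._events, key=lambda e: e.t)
        mine = [e for e in evs if e.sha256 == h]
        first = next((e for e in mine if e.kind in ("download", "copy")), None)
        # Behaviour: executions/spawns of the file itself plus files it wrote.
        actions = [e for e in evs
                   if (e.sha256 == h and e.kind in ("exec", "spawn")) or e.actor == h]
        hosts = sorted({e.host for e in mine})
        now = evs[-1].t if evs else 0
        still_present = [x for x in hosts if h in point_in_time_scan(evs, x, now)]
        return {
            "how_did_it_get_here": f"{first.host} via {first.detail}" if first else "unknown",
            "where_did_it_go": hosts,
            "what_is_it_doing": [f"t={e.t} {e.host}: {e.kind} {e.detail}" for e in actions],
            "dropped_files": sorted({e.sha256 for e in actions if e.kind == "write"}),
            "how_do_i_stop_it": {
                # isolate hosts that ran it; quarantine copies that are still on disk
                "isolate": sorted({e.host for e in mine if e.kind == "exec"}),
                "quarantine": still_present,
            },
        }


def build_ledger(events=SAMPLE_EVENTS):
    ledger = TelemetryLedger()
    for ev in events:
        ledger.record(ev)
    return ledger


if __name__ == "__main__":
    for scan_t in (0, 3600):
        print(f"scan of ws-01 at t={scan_t}:", point_in_time_scan(SAMPLE_EVENTS, "ws-01", scan_t))
    for k, v in build_ledger().trajectory(MAL).items():
        print(f"{k}: {v}")
```

Scans of ws-01 at t=0 and t=3600 never see the dropper at all, because it downloaded, ran, spread and deleted itself between them; at best the later scan finds the dropped DLL with no idea where it came from. The ledger, queried once the dropper's hash is flagged, gives the origin (ws-01, from the URL), every host it reached, what it executed and wrote, and a concrete containment list.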

Show me how your product continuously analyzes files: Colby Clark on Continuous Analysis

Show me how your product can find the APTs or targeted attacks that are hard to spot: Least Prevalence

Show me other organizations that have had success with your endpoint product: First Financial Bank and AMP

Let’s face it: words only go so far these days. You have to see it to believe it.

Authors

John Dominguez

Product Marketing

Cisco Security Business Group