While protecting the endpoint is nothing new to an organization’s cybersecurity efforts, endpoint security itself has progressed dramatically. Initial endpoint protection was nothing more than virus protection, which used file signatures to recognize previously catalogued malware strains.
Because attackers are quick to take advantage of new techniques, evading signature-based detection eventually became common and simple. Organizations and security vendors then began to add heuristics to malware detection. By evolving the platform’s detection capabilities, IT and cybersecurity teams no longer had to rely on an exact match between a sample’s code and a file signature stored in their organization’s anti-malware solution.
Although this was a step in the right direction for threat prevention, additional layers of security were needed. As cybercriminals continued to outsmart conventional anti-malware protection, next-generation antivirus (NGAV) was developed to bridge the gap left by traditional antivirus platforms. NGAV was created to go beyond recognizing established malware strains and to include other indicators of malicious behavior, such as anomalous file hashes, suspicious IP addresses, and pseudonymous URLs.
With today’s landscape of criminal and state-sponsored threat actors, endpoint detection has continued to evolve. Experts now draw a line between legacy endpoint threat prevention and what is called advanced endpoint threat prevention (AETP).
What makes Advanced Endpoint Threat Prevention “Advanced?”
There are multiple distinctions between advanced endpoint threat prevention and previous generations of endpoint defense. These characteristics include:
- Smart behavioral identification. Advanced endpoint threat prevention does not rely on known malware code or malware variants to decide that a threat may be present in an organization’s IT ecosystem. Instead, AETP observes a range of additional endpoint behavior to identify potential threats, including anomalous operating system activity, suspicious user commands, interactions with suspicious hosts, and execution of unrecognized software code.
- Timely, scalable threat intelligence. Periodically updating on-premises repositories of known malware strains and threat intelligence is time consuming for SecOps teams, and risky if the updates lag. AETP uses cloud-based, single-instance threat intelligence to maintain awareness for every endpoint in an organization, and that intel can be deployed globally.
- Correlated telemetry. Endpoint telemetry alone is not enough to determine whether an organization has been compromised. AETP combines and analyzes security telemetry not only from endpoints but from all monitored network segments and cloud instances. This way SecOps teams can piece together the correlated indicators of compromise (IoCs) needed to identify advanced threats.
- Automated response. Unfortunately, determining that an organization has an active threat in its environment is only half of the work. Once identified, the threat must be completely stopped and defused. AETP lets SecOps teams take clear, decisive action to quickly and effectively neutralize detected threats in their IT ecosystem.
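To make the behavioral-identification and correlated-telemetry points concrete, here is an added illustration (not Secureworks code, and not a description of how Taegis works internally): a small scorer that combines a behavioral endpoint indicator (an office application spawning a shell) with a network indicator (egress to a destination flagged by threat intel) within a short time window, so that either indicator alone stays below the alert threshold. All events, hostnames, addresses, weights and the intel set are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data); timestamps are ISO 8601 strings.
ENDPOINT_EVENTS = [  # process launches reported by endpoint agents
    {"ts": "2024-05-01T10:00:09", "host": "ws-17", "parent": "winword.exe", "process": "powershell.exe"},
    {"ts": "2024-05-01T10:30:00", "host": "ws-22", "parent": "explorer.exe", "process": "powershell.exe"},
]
NETWORK_EVENTS = [  # outbound connections seen by network sensors
    {"ts": "2024-05-01T10:00:12", "host": "ws-17", "dst": "203.0.113.45"},
    {"ts": "2024-05-01T10:31:00", "host": "ws-22", "dst": "198.51.100.7"},
    {"ts": "2024-05-01T11:00:00", "host": "ws-30", "dst": "203.0.113.45"},
]
# Constructed stand-in for cloud-delivered threat intel: destinations flagged as suspicious.
SUSPICIOUS_DST = {"203.0.113.45"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
WINDOW = timedelta(minutes=5)   # how close in time two indicators must be to correlate
ALERT_THRESHOLD = 5             # any single weak indicator stays below this

def score_hosts(endpoint_events, network_events, intel):
    """Return {host: (score, reasons)} combining behavioral and network indicators."""
    scores = {}

    def add(host, points, reason):
        s, r = scores.get(host, (0, []))
        scores[host] = (s + points, r + [reason])

    for e in endpoint_events:  # behavioral indicator: office app spawning a shell
        if e["parent"] in OFFICE_APPS and e["process"] in SHELLS:
            add(e["host"], 3, f"{e['parent']} spawned {e['process']}")
            t0 = datetime.fromisoformat(e["ts"])
            for n in network_events:  # correlation bonus: flagged egress shortly after the shell
                tn = datetime.fromisoformat(n["ts"])
                if n["host"] == e["host"] and n["dst"] in intel and t0 <= tn <= t0 + WINDOW:
                    add(e["host"], 4, f"egress to {n['dst']} {int((tn - t0).total_seconds())}s after shell launch")
    for n in network_events:  # network indicator alone is weak (shared hosting, CDNs)
        if n["dst"] in intel:
            add(n["host"], 2, f"connection to flagged destination {n['dst']}")
    return scores

def alerts(endpoint_events, network_events, intel, threshold=ALERT_THRESHOLD):
    """Hosts whose combined score reaches the threshold, with the reasons an analyst would see."""
    return {h: v for h, v in score_hosts(endpoint_events, network_events, intel).items() if v[0] >= threshold}

if __name__ == "__main__":
    for host, (score, reasons) in alerts(ENDPOINT_EVENTS, NETWORK_EVENTS, SUSPICIOUS_DST).items():
        print(host, score, "; ".join(reasons))
```

With the constructed data only ws-17 alerts; ws-30 contacted the flagged address but with no supporting endpoint behavior it stays below the threshold, which is the false-positive filtering the text describes.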
Why is this important?
AETP is crucial to understanding, identifying, and neutralizing threat actors in organizations’ environments. The benefits of this include:
- Robust protection against an ever-changing set of potential threats. With greater awareness comes more confidence. AETP monitors endpoints and connects their behavior with activity in the network and cloud, which ultimately creates a full picture of what threat actors may be doing, including phishing, spearphishing, Advanced Persistent Threats (APTs), insider cybercrime, penetration via trusted third parties, and more.
- Faster, more thorough eradication of malicious code. Each organization’s risk from cyber threats is lowered by combining accurate AETP threat diagnostics with automated defensive countermeasures. The clear actions AETP presents once a threat is identified allow SecOps teams to remediate quickly, rather than getting lost in details and potentially missing other active threats.
- Minimized false positives. The number of false positives grows rapidly as the volume of endpoint, network, and cloud telemetry increases, and this leads to overwhelmed SecOps teams. It also increases the risk that genuine threats go unnoticed. AETP filters out low-probability indicators and enables organizations to focus time and resources on identifying and remediating critical threats.
If you’d like to learn more about how Secureworks® can add threat prevention to your Extended Threat Detection and Response (XDR) strategy, request a demo of our Taegis™ XDR NGAV Add-On.