Understanding Advanced Endpoint Threat Detection (AETD)
By: Secureworks
Technically speaking, endpoint protection has existed for as long as we've had endpoints. The first endpoint protection was the password—which means that the first endpoint threat detection was the login attempt counter.
Endpoint security evolved considerably from there. One of the first endpoint security measures we needed to implement, once we exposed our endpoints to the outside world via the Internet, was virus protection, which began as a set of file "signatures" used to identify known malware strains.
When attackers began learning how to evade signature-based detection, we added a layer of heuristics to our malware detection. This added intelligence meant we no longer had to depend on an exact match between a piece of code within an attacker's malware and a partial signature in our anti-malware protection portfolio.
Advances in endpoint threat detection continued with the advent of next-generation antivirus (NGAV), which went beyond identification of malware itself to look for other indicators of malevolent activity, like anomalous file hashes, suspicious IP addresses, and pseudonymous URLs.
As attackers kept stepping up their game, endpoint defense had to step up as well. That's why, at this point in the evolution of cybersecurity, we have drawn a line between past traditional approaches to endpoint protection and what we now term advanced endpoint threat detection (AETD) and/or advanced endpoint threat protection (AETP).
What makes Advanced Endpoint Threat Detection "Advanced"?
Several characteristics clearly distinguish true AETD from previous generations of endpoint protection. These characteristics include:
- Intelligent behavioral observation. Advanced Endpoint Threat Detection no longer relies on the identification of specific malware or malware variants to determine whether a threat may be present in your environment. Instead, AETD monitors all aspects of endpoint behavior—including anomalous operating system activity, suspicious user commands, interactions with suspicious hosts, and use of unidentified software code—to alert the SecOps team about potential threats.
- Real-time, global-scale threat intelligence. Advanced Endpoint Threat Detection no longer relies on periodic updates to on-premises repositories of threat intelligence from limited proprietary sources. Instead, AETD leverages amalgamated global-scale threat intelligence in the cloud to maintain vigilance at every endpoint, even against actively emerging zero-day threats.
- Integrated correlation/polygonation. Advanced Endpoint Threat Detection no longer relies on endpoint telemetry alone to ascertain whether an organization may be in danger. Instead, AETD continuously and rigorously correlates cybersecurity telemetry from all monitored endpoints with telemetry from all monitored network segments and cloud instances to piece together the composite indicators of compromise (IoCs) that are essential for discovering today's more advanced threats.
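The behavioral observation and cross-telemetry correlation described in the list above can be made concrete with a small scoring engine. The following is an added illustration written for this page, not Secureworks or Taegis XDR code: it applies behavioral rules to endpoint process events, a threat-intelligence rule to network connection events, then correlates findings per host inside a time window and raises an alert only when the composite score clears a threshold, so that a single low-weight indicator on its own does not page anyone. All hosts, events and indicator lists are constructed; the 203.0.113.50 address is from the reserved documentation range and the file hash entry is a placeholder.

```python
"""Toy endpoint/network correlation engine (illustration, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed threat intelligence. Hypothetical indicators, not real IoCs.
BAD_HOSTS = {"203.0.113.50"}                 # documentation-range address as stand-in
BAD_HASHES = {"HASH_PLACEHOLDER_KNOWN_BAD"}  # placeholder, no real hash value
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                      # "process" or "netconn"
    data: dict = field(default_factory=dict)


def score_process(ev: Event):
    """Behavioral rules for one process-start event; returns (finding, weight) pairs."""
    d = ev.data
    findings = []
    if d.get("parent") in OFFICE_APPS and d.get("image") in SCRIPT_HOSTS:
        findings.append(("office_spawns_script", 40))   # document app launching an interpreter
    if d.get("hash") in BAD_HASHES:
        findings.append(("known_bad_hash", 50))          # intelligence match on the binary
    if d.get("image") in SCRIPT_HOSTS and "-enc" in d.get("cmdline", "").lower():
        findings.append(("encoded_command", 10))         # weak on its own; common in admin scripts
    return findings


def score_netconn(ev: Event):
    """Threat-intelligence rule for one network connection event."""
    if ev.data.get("dst") in BAD_HOSTS:
        return [("conn_to_known_bad_host", 40)]
    return []


def correlate(events, window_minutes: int = 5, threshold: int = 60):
    """Correlate findings per host inside a sliding window; alert when the composite
    score reaches the threshold. Returns {host: {"score": int, "findings": [...]}}."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):           # per-host lists end up time-ordered
        findings = score_process(ev) if ev.kind == "process" else score_netconn(ev)
        for name, pts in findings:
            per_host[ev.host].append((ev.ts, name, pts))

    alerts = {}
    for host, items in per_host.items():
        best_score, best_names = 0, []
        for i, (t0, _, _) in enumerate(items):               # window anchored at each finding
            in_win = [(n, p) for (t, n, p) in items[i:] if t - t0 <= window]
            total = sum(p for _, p in in_win)
            if total > best_score:
                best_score, best_names = total, [n for n, _ in in_win]
        if best_score >= threshold:
            alerts[host] = {"score": best_score, "findings": best_names}
    return alerts


# Constructed sample telemetry.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    # wks-a: an admin running an encoded script from the shell; weak indicator alone, no alert
    Event(T0, "wks-a", "process",
          {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell -enc AAAA"}),
    # wks-b: office app spawns an encoded interpreter, then connects to a listed host; alert
    Event(T0 + timedelta(minutes=1), "wks-b", "process",
          {"parent": "winword.exe", "image": "powershell.exe", "cmdline": "powershell -EnC BBBB"}),
    Event(T0 + timedelta(minutes=2), "wks-b", "netconn", {"dst": "203.0.113.50", "port": 443}),
    # wks-c: two medium indicators ten minutes apart; outside a 5-minute window they stay separate
    Event(T0, "wks-c", "netconn", {"dst": "203.0.113.50", "port": 443}),
    Event(T0 + timedelta(minutes=10), "wks-c", "process",
          {"parent": "winword.exe", "image": "cmd.exe", "cmdline": "cmd /c dir"}),
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["score"], ", ".join(alert["findings"]))
```

With the default 5-minute window only wks-b alerts (score 90); widening the window to 15 minutes also surfaces wks-c at 80, which is the tuning trade-off between catching slow activity and the false-positive load the later section describes.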
Why should you care?
Everyone loves to leverage the latest and greatest in technology. But you shouldn't implement AETD just for innovation's sake. You should embrace it because of the indispensable benefits it offers to organizations concerned with cybersecurity-related business risk.
These benefits include:
- More reliable protection from a broader range of potential threats. By more effectively monitoring endpoints for suspicious behavior and better correlating endpoint telemetry with other cybersecurity telemetry, AETD more reliably uncovers the entire range of weapons in threat actors' arsenals—including phishing, spear-phishing, Advanced Persistent Threats (APTs), insider cybercrime, penetration via trusted third parties, and more.
- Earlier, more accurate, and more complete insight into the kill chain. It's not enough to know something bad is happening. Your SecOps team needs to know the exact nature of the attack, find and remove every potentially persistent artifact it left behind, and eliminate it at its root. Only AETD enables this fast, decisive remedial action.
- Minimized false-positive time-sinks. There's one potential downside to the increased telemetric sensitivity you need to detect today's super-sneaky threat actors: a flood of false positives. They can be as much of a problem as false negatives, because they burn out your staff and ultimately cause you to miss critical true positives. However, by applying appropriate intelligence and accelerating threat identification, AETD filters out low-probability indicators while enabling your team to cut wild goose chases short before they get out of hand.
If you'd like to learn more about how Secureworks® can maximize the value of your Advanced Endpoint Threat Detection solution as part of the telemetry gathered through Taegis™ XDR, our cloud-native solution for extended threat detection and response, sign up for a demo today.