Over the last few months, I've been introducing a series of "laws" that I believe should fundamentally dictate what one should expect of next-generation malware defense technology. I'd like to "unveil" the third such law: "Don't Think Endpoint, Think Endpoints." Let me explain what I mean by that.
Traditional anti-malware vendors have had a singular focus on "the endpoint." While that ostensibly seems like a reasonable thing to do, it turns out to be extremely limiting: valuable information is lost when we consider systems in isolation. If instead we can understand trends across collections of endpoints, we can identify malicious behavior with a remarkably high success rate, a degree of leverage we do not get by looking at one endpoint alone. Collections of endpoints give you context; a single endpoint gives you a single data point with nothing to compare it to.
Having this universal perspective allows us to determine what normal trends look like, which in turn allows us to spot anomalies. Of course, achieving these aims in near real time relies on a robust analytics infrastructure that can process large data sets quickly.
As part of Sourcefire's Immunet anti-malware product, we have built a number of advanced analytics engines that leverage collective intelligence. These engines work in concert with our other detection technologies. For example, a file might be deemed "somewhat" suspicious by our Spero machine learning technology. In other words, all else being equal, it is slightly more likely to be malicious than benign based on its characteristics. From a practical perspective, however, we might need more confidence before we conclusively determine that the file represents a threat. Our advanced analytics engines can provide that additional context: for example, they can consider what we have learned about that file from the perspective of our entire user base and other intelligence sources. This global information, combined with what we have learned from Spero, helps us make a far more accurate determination about the disposition of the file.
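To make the argument concrete, here is an added example (not Immunet or Spero code; every name, threshold and telemetry record is constructed for illustration) that combines a borderline per-endpoint ML score with fleet-wide context. The same score on a file that 30% of the fleet has run for a month, on a rare file reaching 40 hosts in 20 minutes, and on a file seen once, yields three different dispositions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Sighting:
    sha256: str      # file identity as reported by the endpoint
    host: str        # reporting endpoint
    ts: int          # minutes since the start of the observation window
    ml_score: float  # per-endpoint classifier output: 0 = benign .. 1 = malicious

def fleet_context(sightings):
    """Aggregate per-endpoint reports into per-file, fleet-wide statistics."""
    ctx = defaultdict(lambda: {"hosts": set(), "first": None, "last": None, "scores": []})
    for s in sightings:
        c = ctx[s.sha256]
        c["hosts"].add(s.host)
        c["first"] = s.ts if c["first"] is None else min(c["first"], s.ts)
        c["last"] = s.ts if c["last"] is None else max(c["last"], s.ts)
        c["scores"].append(s.ml_score)
    return ctx

def disposition(sha256, ctx, fleet_size):
    """Combine the file's average ML score with its fleet-wide context (constructed thresholds)."""
    c = ctx[sha256]
    hosts = len(c["hosts"])
    prevalence = hosts / fleet_size          # fraction of the fleet that has the file
    age = c["last"] - c["first"]             # minutes between first and last sighting
    ml = sum(c["scores"]) / len(c["scores"])
    if ml >= 0.9:                            # classifier alone is conclusive
        return "malicious"
    if ml < 0.4:
        return "clean"
    # Borderline score: a single endpoint cannot resolve it, but the fleet can.
    if prevalence >= 0.2 and age >= 7 * 24 * 60:
        return "clean"                       # widely installed for over a week
    spread_rate = hosts / max(age, 1)        # new hosts per minute
    if hosts >= 10 and prevalence < 0.05 and spread_rate >= 1.0:
        return "malicious"                   # rare file spreading fast across hosts
    return "suspicious"                      # escalate for further analysis

# Constructed telemetry: 1000-host fleet, three files with the same borderline score
FLEET_SIZE = 1000
SIGHTINGS = (
    [Sighting("common", f"h{i:04}", i * 144, 0.55) for i in range(300)]   # 300 hosts over 30 days
    + [Sighting("outbreak", f"h{i:04}", i // 2, 0.55) for i in range(40)]  # 40 hosts in 20 minutes
    + [Sighting("lone", "h0999", 5, 0.55)]                                  # one host, one sighting
)
CTX = fleet_context(SIGHTINGS)

if __name__ == "__main__":
    for h in ("common", "outbreak", "lone"):
        print(h, disposition(h, CTX, FLEET_SIZE))  # clean, malicious, suspicious
```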
What's more, once we have made this determination, we propagate that intelligence across the entire community and protect all of our users from the threat. In other words, the system we have built is highly agile and highly intelligent: it attempts to leverage all relevant information with the goal of maximizing protection across the user base. In fact, over a recent 6-week period, a little over 7% of our detections came about through these advanced analytics capabilities.
There is an old adage that there is safety in numbers. From our perspective, however, it's not just about the raw quantity, but about the quality of the information we derive, and about our ability to swiftly translate that intelligence into actual customer protection.