In the animal kingdom, the ability to quickly identify predators is key to the survival of the species. Deer, for example, have a 310-degree field of vision that allows them to spot trouble coming from almost any direction. Meerkats have a glare-reducing band of dark fur around their eyes that allows them to see a predatory bird even as they look directly into the sun.
The ability to rapidly identify and respond to threats is also essential to survival in today’s data center. A seemingly endless number of cyber predators are on the prowl, intent on hijacking, stealing or destroying critical information. And just as predators in the wild rely on stealth and concealment to stalk their prey, cybercriminals have learned how to disguise their attacks.
Cybercriminals today employ cryptors, code obfuscation, polymorphism and other techniques to create malware that can constantly change its identifiable features in order to evade detection by traditional signature-based security tools. These techniques have contributed to the rapid rise of zero-day exploits that have no known signatures.
In Cisco’s 2017 Annual Cybersecurity Report, researchers reported that 95 percent of the malware files they analyzed weren’t even 24 hours old. The Ponemon Institute reports that zero-day malware was used in 76 percent of successful attacks in 2018.
Another problem with signature-based tools is that they produce large numbers of false positive alerts, which can overwhelm short-staffed IT departments and provide unintentional cover for real threats. For example, alerts triggered during the massive 2013 Target data breach were ignored because they were buried within hundreds of false positives.
Furthermore, signature-based detection provides no visibility into threat activity beyond the point of entry. That gives cybercriminals the advantage of lengthy “dwell times” in compromised systems and networks. A 2018 report from the Ponemon Institute finds that breaches go undetected for an average of 191 days.
Signature-based protection is still valuable, but it isn’t enough. Organizations today need a more comprehensive solution that adds cutting-edge behavioral- and anomaly-based detection, sandboxing technologies and more to identify and mitigate the threats posed by constantly evolving malware.
Cisco Improves Visibility
Cisco Advanced Malware Protection (AMP) goes beyond signature-based techniques by combining multiple detection engines, global threat intelligence and machine learning to dramatically enhance your ability to stop malware. AMP delivers protection at three distinct levels:
- Before an attack, AMP uses global threat intelligence from Cisco’s Talos Security Intelligence and Research Group and Threat Grid’s threat intelligence feeds to protect against known and emerging threats.
- During an attack, AMP uses that intelligence coupled with known file signatures and Cisco Threat Grid’s dynamic malware analysis technology to identify and block malicious files trying to infiltrate the network.
- After an attack, AMP goes beyond point-in-time detection capabilities and continuously monitors and analyzes all file activity and traffic, searching for any indications of malicious behavior. If a file starts behaving badly, AMP will instantly alert security teams with an indication of compromise. IT can then contain and isolate the malware with just a few mouse clicks.
What separates AMP from other solutions is the use of machine learning to create what Cisco calls “Cognitive Intelligence” capabilities. AMP uses this technology to correlate telemetry data from a broad range of sources to produce context-rich data about threats and their potential variants. One particular AMP algorithm, called Probabilistic Threat Propagation (PTP), enables knowledge sharing among multiple sources to identify polymorphic malware and other mutable exploits by drawing on data about known variants that share similar command-and-control infrastructure.
Cisco says that the PTP algorithm is able to identify dozens of polymorphic threats from a single malicious binary. And because it runs offline in the Cisco cloud infrastructure, it doesn’t require any compute resources from your infrastructure or endpoints.
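To make the idea of propagating threat knowledge across shared infrastructure concrete, here is an added Python sketch; it is not Cisco's code and not the actual PTP algorithm (the page gives no details of it), but a simplified label-propagation over a file-to-host contact graph. The file hashes, domains, the noisy-OR scoring rule and the 0.7 decay factor are all constructed assumptions for the example.

```python
# Constructed telemetry: which file (placeholder hash) contacted which host.
# None of these hashes or domains are real.
CONTACTS = [
    ("file:known-bad-1", "host:c2-alpha.example"),
    ("file:known-bad-1", "host:c2-beta.example"),
    ("file:variant-A", "host:c2-alpha.example"),  # unlabelled; shares a C2 with known bad
    ("file:variant-A", "host:updates.example"),
    ("file:variant-B", "host:c2-beta.example"),   # unlabelled; shares the other C2
    ("file:clean-tool", "host:cdn.example"),
    ("file:unknown-C", "host:cdn.example"),       # only shares infra with a benign file
]
# Analyst/sandbox verdicts: 1.0 = confirmed malicious, 0.0 = confirmed benign.
SEEDS = {"file:known-bad-1": 1.0, "file:clean-tool": 0.0}

def build_graph(contacts):
    """Undirected bipartite graph: files on one side, contacted hosts on the other."""
    adj = {}
    for a, b in contacts:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def propagate(contacts, seeds, decay=0.7, tol=1e-6, max_iter=100):
    """Spread threat probability from labelled nodes across shared infrastructure.
    Unlabelled node score = noisy-OR of neighbours, each passing its threat on with
    probability decay * score. Seeds are clamped so inference never overrides an
    analyst verdict; scores only increase and are bounded, so this converges."""
    adj = build_graph(contacts)
    score = {n: seeds.get(n, 0.0) for n in adj}
    for _ in range(max_iter):
        new = dict(seeds)
        for node, nbrs in adj.items():
            if node in seeds:
                continue
            p_clean = 1.0  # probability that no neighbour passes a threat on
            for m in nbrs:
                p_clean *= 1.0 - decay * score[m]
            new[node] = 1.0 - p_clean
        delta = max(abs(new[n] - score[n]) for n in adj)
        score = new
        if delta < tol:
            break
    return score

def suspected_variants(contacts, seeds, threshold=0.4):
    """Unlabelled files whose inferred score crosses the triage threshold."""
    scores = propagate(contacts, seeds)
    return sorted(n for n, s in scores.items()
                  if n.startswith("file:") and n not in seeds and s >= threshold)
```

Files that only share infrastructure with benign software keep a score of zero, while files contacting a known C2 host are surfaced for triage even though nothing in their own bytes was ever matched.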
The ability to quickly recognize and respond to the presence of a predator is a matter of life and death in the wild. Cyber predators can pose similar existential risks to businesses — Accenture pegs the average cost of a malware attack on a company at $2.4 million.