Signature-based endpoint protection is used to detect threats that have been previously identified as malicious. Algorithms can quickly scan an object and identify its signature. If that signature matches one of the hundreds of millions of blacklisted signatures, steps are automatically taken to mitigate the threat.
Traditional signature-based tools work quickly and effectively and are simple to run. But here’s the problem: It takes time for a signature to be identified, added to a database, and distributed to security teams. Meanwhile, hackers are researching their targets and creating about 75,000 new malicious programs every single day. According to the Cisco 2017 Annual Cybersecurity Report, 95 percent of analyzed files were less than 24 hours old.
A lot can happen between the creation of a new threat and the creation and distribution of a signature for that threat. Signature-based protection just can’t keep up, especially with hackers increasingly targeting endpoints. Also, as the number of threats increases exponentially, checking every object against a signature database that’s constantly changing can drain resources and create latency.
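The signature-matching loop described above, and the gap it leaves between a sample's first appearance and the moment its signature is distributed, as an added Python example (not code from the original post or from any vendor product). The "signature" here is a SHA-256 digest of the object's bytes, and the known-bad samples, file names and blacklist are constructed for the illustration; a one-byte change to a known sample is enough to miss the lookup until the new digest is published:

```python
import hashlib

# Constructed "known-bad" corpus: plain byte strings standing in for files an
# analyst has already classified. These are not real malware hashes.
KNOWN_BAD_SAMPLES = [
    b"dropper-v1: copies itself to startup and beacons out",
    b"stealer-v3: harvests saved browser credentials",
]


def signature(data: bytes) -> str:
    """Hash-based signature: byte-identical objects always yield the same digest."""
    return hashlib.sha256(data).hexdigest()


def build_blacklist(samples) -> set:
    """Turn a corpus of classified samples into the lookup set the scanner uses."""
    return {signature(s) for s in samples}


def publish_signature(blacklist: set, data: bytes) -> set:
    """Model the 'identified, added, distributed' step: return the blacklist
    extended with the signature of a newly analysed sample."""
    return blacklist | {signature(data)}


def scan(data: bytes, blacklist: set) -> str:
    """Return 'block' when the object's signature is blacklisted, else 'allow'.
    Lookup cost is O(1) per object, which is why this stays fast at scale."""
    return "block" if signature(data) in blacklist else "allow"


def scan_many(objects: dict, blacklist: set) -> dict:
    return {name: scan(data, blacklist) for name, data in objects.items()}


# Constructed objects to scan: a clean file, a known sample, and the same
# sample with one trailing byte appended (a fresh build nobody has classified yet).
OBJECTS = {
    "report.pdf": b"quarterly report: all systems nominal",
    "known_dropper.exe": KNOWN_BAD_SAMPLES[0],
    "repacked_dropper.exe": KNOWN_BAD_SAMPLES[0] + b"\x00",
}

if __name__ == "__main__":
    blacklist = build_blacklist(KNOWN_BAD_SAMPLES)
    for name, verdict in scan_many(OBJECTS, blacklist).items():
        print(f"{name:22} {verdict}")
    # After analysis, the new digest is distributed and the variant is caught.
    blacklist = publish_signature(blacklist, OBJECTS["repacked_dropper.exe"])
    print("after update:", scan(OBJECTS["repacked_dropper.exe"], blacklist))
```

The run shows the two verdict classes side by side: the exact known sample is blocked on the first pass, while the variant is allowed until `publish_signature` adds its digest. Everything that happens to the endpoint in between is the window the article is describing.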
A highly sophisticated, rapidly evolving threat landscape has exposed the weaknesses of signature-based solutions. Although these tools still have value for their ability to detect known threats, they should be part of a layered security strategy that also includes next-generation endpoint protection (NGEP).
In addition to blocking known threats, NGEP uses several technologies and methods to identify and automatically mitigate unknown threats. Using real-time behavioral analysis and machine learning, NGEP can detect suspicious patterns and activity that would indicate the presence of a malicious file or object.
Root cause analysis and sandboxing make it possible to investigate threats in an isolated environment. Identifying and blocking threats at the source means no changes to the network are necessary and unnecessary roll-backs are avoided. NGEP can also prevent command-and-control communications with the hacker, stopping further infectious behaviors while minimizing data loss. Signatures are then automatically created and distributed to the security community, accelerating the detection of similar threats.
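Behavioral analysis, as the two paragraphs above describe it, flags what a process does rather than what its bytes hash to. The following added Python example (not code from the original post or from any vendor product) runs three simple behavioral rules over a constructed stream of endpoint events: a document-editing application starting a command interpreter, a burst of file modifications by one process, and outbound connections to one destination at a near-fixed interval, the kind of regular pattern that command-and-control traffic tends to show. The event format, process names, thresholds and timestamps are all assumptions made for the illustration:

```python
from collections import defaultdict

# Rule parameters (assumed values, tune to the environment being monitored).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}
MASS_WRITE_THRESHOLD = 20      # file writes by one process ...
MASS_WRITE_WINDOW = 60         # ... within this many seconds
BEACON_MIN_CONNECTIONS = 4     # connections to one destination before we judge regularity
BEACON_JITTER_TOLERANCE = 5    # max spread (seconds) between successive intervals


def max_events_in_window(stamps, window):
    """Largest number of timestamps (sorted) that fall inside any window of the given length."""
    best = start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events):
    """Return a list of alerts; each alert names the rule, the process id and a detail string."""
    alerts = []
    writes = defaultdict(list)   # pid -> file-write timestamps
    conns = defaultdict(list)    # (pid, dst) -> connection timestamps
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "process_start":
            if e["parent"] in OFFICE_APPS and e["proc"] in INTERPRETERS:
                alerts.append({"rule": "office-app-spawned-interpreter", "pid": e["pid"],
                               "detail": f'{e["parent"]} -> {e["proc"]}'})
        elif e["kind"] == "file_write":
            writes[e["pid"]].append(e["ts"])
        elif e["kind"] == "net_connect":
            conns[(e["pid"], e["dst"])].append(e["ts"])
    for pid, stamps in writes.items():
        burst = max_events_in_window(stamps, MASS_WRITE_WINDOW)
        if burst >= MASS_WRITE_THRESHOLD:
            alerts.append({"rule": "mass-file-modification", "pid": pid,
                           "detail": f"{burst} writes in {MASS_WRITE_WINDOW}s"})
    for (pid, dst), stamps in conns.items():
        if len(stamps) >= BEACON_MIN_CONNECTIONS:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if max(gaps) - min(gaps) <= BEACON_JITTER_TOLERANCE:
                alerts.append({"rule": "periodic-beacon", "pid": pid,
                               "detail": f"{dst} every ~{sum(gaps) / len(gaps):.0f}s"})
    return alerts


def constructed_events():
    """Constructed telemetry: pid 101 misbehaves, pid 102 is a legitimate backup agent."""
    ev = [
        {"ts": 0, "kind": "process_start", "pid": 100, "proc": "winword.exe", "parent": "explorer.exe"},
        {"ts": 1, "kind": "process_start", "pid": 101, "proc": "powershell.exe", "parent": "winword.exe"},
        {"ts": 2, "kind": "process_start", "pid": 102, "proc": "backup.exe", "parent": "services.exe"},
    ]
    # pid 101 rewrites 25 documents in about 12 seconds.
    ev += [{"ts": 3 + i * 0.5, "kind": "file_write", "pid": 101, "path": f"docs/file{i}.docx"}
           for i in range(25)]
    # pid 102 writes 25 files too, but spread over more than half an hour.
    ev += [{"ts": 100 + i * 90, "kind": "file_write", "pid": 102, "path": f"backup/part{i}"}
           for i in range(25)]
    # pid 101 connects to one host every 60 s with a second or so of jitter.
    ev += [{"ts": 20 + i * 60 + (i % 3) - 1, "kind": "net_connect", "pid": 101, "dst": "203.0.113.7:443"}
           for i in range(5)]
    # pid 102 talks to its backup server only twice.
    ev += [{"ts": 50, "kind": "net_connect", "pid": 102, "dst": "192.0.2.10:443"},
           {"ts": 900, "kind": "net_connect", "pid": 102, "dst": "192.0.2.10:443"}]
    return ev


if __name__ == "__main__":
    for a in detect(constructed_events()):
        print(f'{a["rule"]:32} pid={a["pid"]}  {a["detail"]}')
```

None of these rules needs a hash of the offending binary, so they fire on a build that has never been seen before; the backup agent, which performs the same kinds of actions at a normal rate, raises nothing. In practice each rule is a source of false positives to be tuned, which is why the article pairs prevention with continuous monitoring rather than relying on either alone.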
When evaluating NGEP solutions, look for versatility. Can it be deployed on-premises and in the cloud? Does it work on multiple desktop and mobile operating systems? Can it be easily scaled to support more devices?
Make sure you choose a solution that prioritizes prevention by providing global threat intelligence and built-in sandboxing. Because prevention methods won’t stop every threat, your NGEP solution should offer continuous monitoring so you can spot malicious activity from threats that still manage to find their way to endpoints. Finally, look for agentless detection so you can detect fileless malware and other threats even when an agent isn’t installed on every endpoint.
Cisco’s NGEP solution, Advanced Malware Protection (AMP) for Endpoints, can be installed on virtually any device and even detects malicious activity on Internet of Things devices. AMP for Endpoints starts by running files through more than a dozen prevention and detection engines to block as many threats as possible at the network perimeter. Each file allowed to enter the network is tracked and monitored.
If a file begins to behave maliciously, Cisco AMP for Endpoints will have a full history that dramatically reduces the time to investigate and mitigate the threat. All intelligence is shared to the AMP cloud so the threat is automatically blocked everywhere in the network.