What is Advanced Threat Detection?

May 16, 2017
Anthony Verrill

If You Are Not Using Advanced Persistent Threat Detection, You’re Playing Malware Checkers While They’re Playing Malware Chess.


Today’s attacks are persistent and sophisticated. The typical threat detection, identification, and containment strategy is a five-step process.


This traditional five-step strategy is effective against known malware, which is recognizable through specific “fingerprints” such as signatures, heuristics (common coding shortcuts or algorithms), or reputation. However, it does not protect against new, unrecognizable malware, or against threats disguised by tunneling, encryption, or other sophisticated concealment.


To stay in the game, you have to match strategy with strategy. Unlike chess, the rules in this game change continuously. Yesterday’s Grand Master may not keep you in the game today. It’s critical to employ new strategies as fast as your opponent.
One of the most advanced strategies you need to deploy is Sandboxing, or Advanced Threat Detection (ATD). Sandboxing picks up where the standard 5-step strategy leaves off. Rather than identifying malware by fingerprints, Sandboxing looks at malware behavior.


Advanced Threat Detection programs use network traffic analysis to identify suspicious behavior. They do this by creating an isolated, virtual world – a sandbox – that mimics the host operating environment. Here suspected malicious code is executed, observed, and rated on its behavior instead of its attributes. This isolation prevents the files from infecting hosts or gaining access to data.
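As an added illustration of the fingerprint-versus-behavior distinction above (not code from the original post or from any ATD product), the following Python example first checks a sample's hash against a known-bad list and then rates constructed sandbox observations by weight, so that a repacked variant with an unknown hash is still caught by what it does. The hash list, event names, weights and threshold are all assumptions made up for the example.

```python
"""Constructed example: fingerprint (hash) matching versus behaviour rating
of sandbox observations. Hashes, events, weights and threshold are made up."""
import hashlib

# Constructed "known bad" fingerprint list: SHA-256 of a sample already seen.
KNOWN_BAD_HASHES = {hashlib.sha256(b"old-known-dropper-v1").hexdigest()}

# Constructed weights for actions the isolated sandbox can observe while the
# sample runs; higher means the action more strongly indicates malicious intent.
BEHAVIOUR_WEIGHTS = {
    "persistence_registry_run_key": 3,
    "process_injection": 4,
    "mass_file_encryption": 5,
    "outbound_connection_uncommon_port": 2,
    "read_document": 0,
    "create_window": 0,
}
VERDICT_THRESHOLD = 6  # constructed cut-off for a malicious verdict

def fingerprint_match(sample_bytes: bytes) -> bool:
    """Traditional step: does the sample's hash appear on the known-bad list?"""
    return hashlib.sha256(sample_bytes).hexdigest() in KNOWN_BAD_HASHES

def behaviour_score(events: list) -> int:
    """Rate the sample by what it did in the sandbox, not by what it looks like.
    Each distinct action counts once; unknown actions carry no weight."""
    return sum(BEHAVIOUR_WEIGHTS.get(event, 0) for event in set(events))

def classify(sample_bytes: bytes, sandbox_events: list) -> str:
    """Fingerprints first (cheap, catches known malware), behaviour rating second
    (catches repacked or previously unseen malware the fingerprint list misses)."""
    if fingerprint_match(sample_bytes):
        return "known-malicious"
    if behaviour_score(sandbox_events) >= VERDICT_THRESHOLD:
        return "malicious-by-behaviour"
    return "benign"

# Constructed samples: known dropper, repacked variant (new hash, same actions), benign viewer.
KNOWN_DROPPER = b"old-known-dropper-v1"
REPACKED_VARIANT = b"repacked-dropper-v2-unknown-hash"
DOCUMENT_VIEWER = b"document-viewer-1.0"
DROPPER_EVENTS = ["persistence_registry_run_key", "process_injection",
                  "outbound_connection_uncommon_port", "process_injection"]
VIEWER_EVENTS = ["read_document", "create_window"]

if __name__ == "__main__":
    print(classify(KNOWN_DROPPER, DROPPER_EVENTS))      # known-malicious
    print(classify(REPACKED_VARIANT, DROPPER_EVENTS))   # malicious-by-behaviour
    print(classify(DOCUMENT_VIEWER, VIEWER_EVENTS))     # benign
```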


Advanced Threat Detection has several advantages. ATD can intercept new, previously unknown malware, especially today’s advanced, persistent and aggressive attacks. Additionally, it helps protect against zero-day attacks, exploits that even the best software vendors have not uncovered. Sometimes, ATD can reduce the time between detection and containment, and the quicker you find the problem, the less chance for trouble. (Full disclosure: ATD can also sometimes add time to the detection process while potential threats are sandboxed; this is evaluated on an individual basis.) Finally, the use of ATD gives your organization a leg up when you need to investigate evidence of threats and enhance your security accordingly.


Sandboxing is a critical adjunct to your existing security strategy. When combined with traditional methods that are re-evaluated and updated as needed, your company may never have any downtime.