The Importance of In-Memory Behavior Analysis for Endpoint Security

Posted by Madeline Lee   |   May 11, 2018


The increasing complexity of enterprise networks is adding new levels of uncertainty to the security officer’s job. Compounding this challenge is an evolving threat landscape, which includes an enormous number of malware variants and sophisticated new methods of attack that make it almost impossible to secure network with legacy endpoint protection platforms (EPP). To stay secure in this dangerous new environment requires not only a deep understanding of the most serious new threats, but an updated toolkit of resources to keep them from doing harm.

endpoint security

One of the most threats that’s most difficult to stop with traditional endpoint security technologies is known as fileless attacks. These attacks exploit common Windows applications like Visual Basic, the Command Line, and Windows Credential Editor to install malicious code without a detectable executable file. The lack of an identifiable payload makes them very hard to detect using endpoint protection platforms that rely on a signature or heuristics to identify malware. PowerShell, a task automation and configuration management tool that’s built in to the Windows operating system, is particularly popular conduit through which to launch a fileless attacks due to its ability to run dynamic code downloaded from the Internet in memory. Because fileless attacks have such a high success rate, they’ve experienced a significant uptick in recent years, and will continue to grow as a serious threat in 2018 and beyond.


Another form of endpoint threat that by its nature is immune to traditional endpoint protection platforms is the insider threat. The term “insider threat” refers to a cybersecurity threat that originates from within an organization's network. These threats can come from a current employee, a former employee, as well as from contractors, temporary workers, and even clients that have been given limited network access. Insider threats are on the rise as well, accounting for between 53% to over 75% of cyber security data breaches. Despite the prevalence of insider attacks, and damage they cause, they continue to attract less attention and a disproportionately small portion of many security budgets, in part because they’re so difficult to prevent with existing technologies.

To provide strong protection against these “indefensible” threats, enterprises and organizations are turning to in-memory behavioral analysis technology like Countertack’s Digital DNA. In contrast to the backward-facing approach of most security solutions, which identify threats based on pattern recognized from previous attack, in-memory behavioral analysis asks one essential question, are your users and applications acting the way that they’re supposed to? Countertack’s Digital DNA system answers this fundamental question by scanning your system’s live physical memory, reverse engineering suspicious code to analyze its makeup, and then mapping that code against an extensive library of 4000 traits. Digital DNA performs these tasks in real time, across all the endpoints in your network, locating stealthy threats before they can do your business serious harm. 

cyber security

Robust in-memory behavior analysis not only protects network endpoints from new and unseen threats, like zero day attacks, but can dramatically increase the speed at which these threats are located and contained. The ability to respond quickly to threats has become another top concern in the wake of recent attacks like NotPetya, which damaged over 49,000 endpoints at shipping giant Maersk before their security teams could formulate a suitable response, resulting in over $300 million dollar in damages.

Though in-memory behavioral analysis is quickly becoming the standard for enterprise endpoint protection, those looking to acquire a solution with this capability must be discerning shoppers. In many instances, the depth of the data these solutions collect is highly limited and can end up generating false positive results that require wasted time and energy to investigate. In other cases, lesser quality in-memory solutions may lack the ability to truly reverse engineer and analyze suspicious code in real-time.

digital dna

In contrast to those “pseudo in-memory” products, the Countertack Digital DNA behavioral analysis and predictive engine is a true in-memory solution that scans running processes, network connections, registry changes, and the live physical memory of your system in real-time, then feeds that information into a powerful predictive engine that identifies threatening behaviors based on a library of 4000 traits. Armed with a powerful machine learning engine that’s analyzed millions of pieces of malicious and non-malicious software, Countertack’s solution virtually eliminates false positives and delivers true, high-quality automated attack prevention. This functionality makes Countertack’s solution one of a kind, and a clear choice for businesses that need the best possible endpoint security to keep their data safe.


Topics: malware, cybersecurity, endpoint security, CounterTack, NotPetya, fileless, memory only, blogs

Subscribe to Email Updates

Recent Posts

Posts by Topic

see all