APTs and advanced malware are having a profound effect on cybersecurity technologies. One notable change is the rise of new Advanced Malware Detection/Prevention (AMD/P) technologies from vendors like Bit9, Bromium, CounterTack, Invincea, Malwarebytes, and Sourcefire that detect and block advanced malware on servers and endpoints.
Aside from acting as another layer of defense, these tools provide another valuable security function, CISOs tell me: they capture host activities (e.g. file downloads, process execution, registry changes, network activity). Some tools provide their own analytics, while others hand the data off to SIEM platforms, cloud analytics services, etc. The host behavior data is then used as part of advanced malware detection and also provides basic forensic information for incident response.
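As an added illustration that is not part of the original post: a small Python sketch of the kind of correlation an analytics or SIEM stage performs over host activity data of this sort, building a per-host timeline for IR and flagging a download-then-execute chain that goes on to persist or connect out. The events and their field names are constructed for the example, not the schema of any vendor's product.

```python
"""Correlate host-activity telemetry (file downloads, process starts,
registry changes, network connections) into per-host timelines and flag a
download -> execute -> persist/connect chain. Sample events are constructed;
the event schema is an assumption, not any product's real format."""
from collections import defaultdict

# Constructed sample telemetry (assumed schema): one suspicious host, one benign one.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "pc-17", "type": "file_download",
     "path": r"C:\Users\a\Downloads\invoice.exe", "src": "http://example.invalid/x"},
    {"ts": 101, "host": "pc-17", "type": "process_start",
     "image": r"C:\Users\a\Downloads\invoice.exe", "pid": 4242},
    {"ts": 102, "host": "pc-17", "type": "registry_set", "pid": 4242,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"ts": 103, "host": "pc-17", "type": "net_connect", "pid": 4242, "dst": "203.0.113.5:443"},
    {"ts": 110, "host": "pc-22", "type": "process_start",
     "image": r"C:\Windows\System32\notepad.exe", "pid": 900},
    {"ts": 111, "host": "pc-22", "type": "net_connect", "pid": 900, "dst": "198.51.100.7:80"},
]


def host_timelines(events):
    """Group events per host in time order: the basic forensic view for incident response."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    return dict(by_host)


def find_download_exec_chains(events):
    """Flag hosts where a downloaded file was executed and that process then
    wrote a Run-key persistence entry or opened an outbound connection."""
    findings = []
    for host, tl in host_timelines(events).items():
        downloaded = {e["path"].lower() for e in tl if e["type"] == "file_download"}
        for e in tl:
            if e["type"] != "process_start" or e["image"].lower() not in downloaded:
                continue
            pid = e["pid"]
            persist = [x for x in tl if x["type"] == "registry_set"
                       and x.get("pid") == pid and "\\run\\" in x["key"].lower()]
            beacons = [x for x in tl if x["type"] == "net_connect"
                       and x.get("pid") == pid and x["ts"] > e["ts"]]
            if persist or beacons:
                findings.append({"host": host, "image": e["image"], "pid": pid,
                                 "persistence": bool(persist),
                                 "net": [b["dst"] for b in beacons]})
    return findings
```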
Let me step back a bit and provide some context here. Advanced malware circumvents traditional security controls and ends up compromising host computers (mostly endpoints). In spite of the fact that enterprises typically have thousands of Windows PCs, they are virtually blind to what happens on the actual devices. This issue was illustrated in a recent ESG Research survey in which security professionals working at enterprise organizations (i.e. more than 1,000 employees) were asked to identify their weakest areas of endpoint security monitoring.