As hackers get more sophisticated, endpoint protection (EP) systems have grown more sophisticated. While no one claims to catch everything, endpoint protection matures each year. Let’s see what modern EP products have to do these days.
The term “machine learning”, like so many buzzwords in the tech industry, has multiple meanings. In simple terms, it means deriving conclusions from observed data – minimal human intervention. In other words, it can figure out if a piece of code is malicious, even if it hasn’t seen that code before. To do this, it must constantly observe data from disparate sources, determine if statistical sampling is applicable, update and revise its calculations, and even decide whether to detonate suspicious files in a sandbox. Some products even include a miniature “sandbox” on the endpoint.
Static and dynamic code analysis
Endpoint protection systems must evaluate code – no matter where it resides – to determine if it is malicious. They perform this tricky task in real time, using static code analysis – pre-execution – and dynamic analysis – observation of code behavior during execution in a sandbox.
Major security vendors collect huge amounts of threat data from around the globe. This data includes bad URLs, bad IP addresses, malicious code, and more. An endpoint protection system must integrate threat intelligence in two ways: it must ingest threat intelligence and use it effectively in stopping attacks, and it must be able to disseminate newly-identified threats in real time.
Endpoint protection, like other technologies, will grow into artificial intelligence. Neural networks, and perceptual computing – components of deep learning – will fine-tune behavior analysis and zero-day detection. Long-term, true artificial intelligence may be able to devise algorithms automatically, in much the same way the Alpha Zero created its own approach to chess. These approaches are not far-fetched; they are practical necessities to keep pace with the bad actors. They use good technologies for bad ends; we must use good technologies for good ends.