First-generation endpoint protection
Before phishing, ransomware, and evasive malware became widespread, endpoint protection consisted of maintaining blacklists: lengthy lists of known threats that devices were scanned against. Antivirus companies and trusted third-party communities kept these blacklists current through in-the-field reporting, recording the byte patterns, or signatures, of identified threats. Updated threat lists were downloaded daily in many cases, helping endpoint protection software block known and newly discovered malicious code from infecting devices and the networks to which they were connected.
However, as threats became better at hiding from virus scanners and relied more on user behavior or lax security to gain access, this first generation of endpoint protection products became increasingly ineffective at protecting devices and networks. As the number and variety of threats grew sharply, maintaining exhaustive blacklists and signatures consumed more storage, bandwidth, and compute cycles just to keep pace, and the explosive increase in endpoint types (smartphones, tablets, and wearable devices) further complicated the blacklist and signature strategy. Reliance on blacklists, with their continual updates of ever-longer lists, demanded more and more resources, could not stop zero-day exploits (a signature cannot exist before the threat has been seen), and still produced false positives that can complicate or halt business operations.
Another complication of first-generation endpoint protection products was their reliance on separate software processes to handle endpoint security and endpoint security management. That disconnect left an attack surface that no blacklisted signature addresses: blacklisting only decides whether code is known-bad, not what users and applications are allowed to do. For example, blacklisting malicious code does not prevent an insider from stealing data, and a trusted user with endpoint security permissions is not blocked from opening a URL that leads to an infected website. So the first order of business for next-generation endpoint protection was to better integrate and lock down endpoint security.
The evolution to next-generation endpoint security
Next-generation endpoint security is as much about user and data access rights and behavior as it is about verifying user IDs and logins. Passwords can be hacked or stolen, and attackers with administrator rights can gain control of systems. Next-generation endpoint security therefore monitors user and network behavior and alerts on, or outright blocks, suspicious or anomalous actions. This proactive behavior monitoring protects against both internal and external threats. For example, it can detect and stop potentially infected applications from acting outside their allowed permissions, such as moving data to removable media or an unauthorized destination, and it can likewise detect and block users from opening, copying, or writing data they are not authorized to handle.
Next-generation endpoint protection
Next-generation endpoint protection must therefore be tied to endpoint security. While "hidden" malware and ransomware can often sidestep signature scans, they cannot easily thwart behavioral monitoring, because they still have to read, write, and connect to do their work. Once a suspicious behavior occurs, next-generation endpoint protection software can act: if a user attempts to open an unauthorized file, the endpoint protection software can halt the action before the command is executed, and if disguised malware attempts to exfiltrate data off-site, the connection can be cut immediately.
Next-generation endpoint protection software, using artificial intelligence (AI) and machine learning, can deliver the following protections that traditional endpoint protection cannot provide:
- Detecting unauthorized behaviors of users, applications, or network services
- Blocking suspicious actions before execution
- Stopping unauthorized data movement
- Analyzing suspicious app data in isolated "sandboxes"
- Rolling back endpoints and data to a previous state in the event of an attack
- Isolating suspect endpoints and processes
Delivering this kind of ongoing, continually adapting behavioral analysis is what the AI and machine learning in next-generation endpoint protection are for.
Next-generation endpoint protection through AI and machine learning
Blocking known threats remains useful, however, and will continue to be part of endpoint and network protection. In fact, the best strategy combines blacklisting with AI and machine learning: the blacklist cheaply removes the known-bad threats first, so the machine learning algorithms can focus on the unknown ones, which keeps false positives to a minimum.
Integrating endpoint security and protection with machine learning creates a system that improves as each new threat is detected, with the AI responding to newly learned threats according to predefined actions. Combined with centralized management and control, this approach moves organizations beyond reactive, blacklist-centric controls to a much more proactive posture.
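As an added illustration of the layered approach described above (the byte-pattern signatures of the first section, the behavioral rules of the previous section, and the "blacklist first, then analyze the unknowns" ordering), the following Python sketch was written for this page; it is not McAfee code and not any product's detection engine. The "known bad" byte pattern and hash, the process policy, the drive letters, the host names and the process event log are all constructed for the demo, and the behavioral stage uses hand-written rules as a stand-in for the trained models the page refers to. Flipping one byte of the sample defeats the signature pass, but the sample's behavior (connecting to an unlisted host, writing to removable media, rewriting many user files) is still caught.

```python
"""Layered endpoint check: signature/hash blacklist first, behavioral rules second."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# --- Stage 1: first-generation blacklist (constructed, not a real signature) ---
KNOWN_BAD_PATTERNS = {
    "dropper.v1": b"\x4d\x5a\x90\x00EVIL_PAYLOAD_MARKER",   # hypothetical byte signature
}
KNOWN_BAD_HASHES = {
    hashlib.sha256(KNOWN_BAD_PATTERNS["dropper.v1"]).hexdigest(): "dropper.v1",
}

def signature_match(sample: bytes) -> Optional[str]:
    """Return the blacklist entry name if the sample's hash or a byte pattern matches."""
    name = KNOWN_BAD_HASHES.get(hashlib.sha256(sample).hexdigest())
    if name:
        return name
    for name, pattern in KNOWN_BAD_PATTERNS.items():
        if pattern in sample:
            return name
    return None

# --- Stage 2: behavioral rules over a process event stream ------------------
@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    action: str   # "file_write" or "net_connect"
    target: str   # file path or remote host

# Hypothetical per-process allowlist: where a process may write and connect.
POLICY = {
    "docviewer.exe": {
        "file_write": ("C:\\Users\\alice\\Documents\\",),
        "net_connect": ("docs.example.com",),
    },
}
REMOVABLE_MEDIA = ("E:\\", "F:\\")   # assumed removable drive letters
MASS_WRITE_THRESHOLD = 5             # distinct files rewritten by one pid (ransomware-like)

def behavioral_verdicts(events) -> list:
    """Flag actions outside a process's policy; returns (pid, rule, target) tuples."""
    verdicts = []
    writes_per_pid = defaultdict(set)
    for ev in events:
        rules = POLICY.get(ev.process, {})   # unknown process: nothing is allowed
        if ev.action == "file_write":
            if ev.target.startswith(REMOVABLE_MEDIA):
                verdicts.append((ev.pid, "removable_media_write", ev.target))
            elif not ev.target.startswith(rules.get("file_write", ())):
                verdicts.append((ev.pid, "unauthorized_file_write", ev.target))
            writes_per_pid[ev.pid].add(ev.target)
            if len(writes_per_pid[ev.pid]) == MASS_WRITE_THRESHOLD:
                verdicts.append((ev.pid, "mass_file_modification",
                                 f"{MASS_WRITE_THRESHOLD} files"))
        elif ev.action == "net_connect":
            if ev.target not in rules.get("net_connect", ()):
                verdicts.append((ev.pid, "unauthorized_destination", ev.target))
    return verdicts

# --- Layering: cheap known-bad check first, behavior only for the unknowns ---
def scan_layered(sample: bytes, events) -> dict:
    known = signature_match(sample)
    if known:
        return {"stage": "signature", "blocked": True, "detail": [known]}
    verdicts = behavioral_verdicts(events)
    return {"stage": "behavior", "blocked": bool(verdicts), "detail": verdicts}

# Constructed demo input: the original payload and a one-byte variant of it.
ORIGINAL = KNOWN_BAD_PATTERNS["dropper.v1"] + b"\x00" * 16
MUTATED = ORIGINAL.replace(b"MARKER", b"MARKEQ")

# Constructed event log for a single process (pid 4242 is arbitrary).
DEMO_EVENTS = [
    Event(4242, "docviewer.exe", "file_write", "C:\\Users\\alice\\Documents\\q1.docx"),
    Event(4242, "docviewer.exe", "net_connect", "docs.example.com"),
    Event(4242, "docviewer.exe", "net_connect", "203.0.113.45"),
    Event(4242, "docviewer.exe", "file_write", "E:\\stash\\q1.docx"),
    Event(4242, "docviewer.exe", "file_write", "C:\\Users\\alice\\Documents\\q2.docx"),
    Event(4242, "docviewer.exe", "file_write", "C:\\Users\\alice\\Documents\\q3.docx"),
    Event(4242, "docviewer.exe", "file_write", "C:\\Users\\alice\\Documents\\q4.docx"),
]

if __name__ == "__main__":
    print(scan_layered(ORIGINAL, DEMO_EVENTS))   # caught at the signature stage
    print(scan_layered(MUTATED, DEMO_EVENTS))    # evades signatures, caught by behavior
```

Two things the sketch makes concrete: the signature pass only ever catches byte-for-byte what has already been catalogued, so a trivially modified variant passes it unchanged, and the behavioral pass never needs to know what the sample looks like, only what the process does, which is why the page treats behavior monitoring as the stage that covers the unknowns. In a real product the per-process policy and thresholds would come from a trained baseline rather than a hand-written dictionary.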
McAfee next-generation endpoint protection
McAfee believes defense in depth, meaning security and protection that are interwoven and proactively evolving, is the most appropriate strategy for next-generation endpoint protection. McAfee Endpoint Security provides endpoint antivirus, firewall, exploit prevention, and connectivity protections, and uses machine-learning technology to detect zero-day exploits and suspicious code and behavior.
AI-driven McAfee software stops malicious actions before they affect systems or data, while its integrated and automated endpoint detection and response (MVISION EDR) technology offers one-click, centralized incident investigation and proactive response. This defense-in-depth approach provides a highly integrated continuum of protection.
McAfee endpoint management and mobile protection
Next-generation endpoint protection means endpoints don’t stop at desktops or laptops. Endpoint management is especially important in providing a complete security and data protection environment, regardless of operating system or device, while helping organizations leverage the protection they already have. For example, McAfee MVISION Endpoint augments existing Microsoft antivirus and malware products, as well as other third-party solutions—all from one management interface. Meanwhile, McAfee MVISION Mobile delivers superior next-generation endpoint protection for Android and iOS devices.