Proactive IT Management (PM) has many features that add cybersecurity layers to an IT environment. Anti-phishing, content control, network traffic scanning, patching, and firewalls all help to secure endpoints from threats. If a threat gets past these layers, the virus or malware could cause untold damage. What if the risk of intrusion could be greatly reduced even before a threat reaches those security points? Machine learning and artificial intelligence are making this possible.
Examining one particular proactive management solution, SolarWinds N-Central, shows the risk-mitigation improvements that are possible in moving from current cybersecurity solutions to what the next generation of solutions can do.
Security Manager AV Defender (AVD) is the current solution and the next-generation solution is known as an Endpoint Detection & Response (EDR) solution. These programs are designed to protect endpoints and servers from threats that have bypassed the other cybersecurity layers. EDR may be the next generation of cybersecurity solution, but AVD has several features that the current version of EDR does not. This means that AVD and EDR work best in tandem until EDR fully develops into a stand-alone system. See Table 1 below for a breakdown of features between the two programs.
Table 1. Feature comparison of Security Manager AV Defender (AVD) and EDR (column placement reconstructed from the descriptions in the text)

| Feature | AV Defender (AVD) | EDR |
|---|---|---|
| Bit Locker Encryption Control | X | |
| Anti-ransomware Scan Vaccine | X | |
| Network Traffic Scanning | X | |
| Malware Detection Using Heuristics | X | X |
| Threat Behavioral Analysis | X | X |
| Pre-Execution Program Analysis | | X |
| Machine learning / AI-enabled threat detection | | X |
| Enhanced quarantine ("Disconnect from Network") | | X |
| Automatic file rollback (Windows OS only) | | X |
Disk encryption management, anti-phishing, content control, anti-ransomware (using Scan Vaccine) and network traffic scanning all protect endpoints and are currently not part of EDR.
Scan Vaccine is a tool that can protect against known and possible future versions of crypto-ransomware families such as CTB-Locker, Locky, and TeslaCrypt. The vaccine works by exploiting flaws in how the ransomware spreads and then halting it. These features make current solutions, like Security Manager AV Defender, critical to a cybersecurity program. However, EDR is the future.
Looking Ahead: EDR, Machine Learning, and AI
EDR uses machine learning and artificial intelligence (AI) to protect against new kinds of threats. Current anti-malware programs use definitions and established patterns to identify and stop threats. When new types of threats develop, it takes time for anti-malware systems to catch up. Any time spent unprotected could be an opening for a successful breach.
EDR utilizes eight AI engines that analyze multiple data points to identify threats and determine if a response is necessary before letting executable files or processes operate within a system. Utilizing these engines, EDR can determine how to best respond to threats and adjust responses over time. With the AI data stored locally on the endpoint, EDR does not rely upon access to the Internet or waiting for signature file updates to keep a device safe from new and emerging threats. EDR also utilizes machine learning to identify new threats and threat patterns. This allows the program to better protect systems as threats evolve, where current solutions have to wait to update their library of threats and patterns.
When evaluating programs like EDR, look for the capability to quarantine incoming threats. No cybersecurity program is perfect, so having the ability to quarantine compromised endpoints is critical. EDR, for instance, determines if the file or application is a threat and quarantines it, or clears it and lets it open and operate like normal. Also supported are enhanced quarantine measures that can disconnect a device from the network to prevent the risk of local infection from spreading to other endpoints or servers.
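The contrast drawn above between definition-based detection and behaviour-based detection with tiered quarantine can be made concrete with a small constructed example. The Python below is an added illustration written for this page; it is not code from SolarWinds N-Central, AV Defender or EDR, and the telemetry, scoring rules, weights and thresholds (RENAME_BURST_COUNT, QUARANTINE_SCORE, ISOLATE_SCORE and the rest) are assumptions chosen for the demonstration. It shows a signature check that misses a never-seen sample, a behavioural scorer that flags the same activity from what the process does, and a decision step that either allows the process, quarantines it, or isolates the host (the "disconnect from network" tier).

```python
import hashlib
from collections import defaultdict

# Constructed signature database: SHA-256 digests of sample contents seen before.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed known-bad sample v1").hexdigest()}

def signature_match(content: bytes) -> bool:
    """Definition-based check: only recognises content whose hash is already listed."""
    return hashlib.sha256(content).hexdigest() in KNOWN_BAD_HASHES

# Tunable detection parameters (assumed values for this example, not the product's).
RENAME_BURST_COUNT = 10      # renames to one new extension ...
RENAME_BURST_WINDOW = 10.0   # ... within this many seconds counts as a burst
QUARANTINE_SCORE = 50        # score at which the process is quarantined
ISOLATE_SCORE = 80           # score at which the whole host is disconnected

def _new_extension(detail: str) -> str:
    """Extract the new file extension from a 'old -> new' rename detail string."""
    new_name = detail.split(" -> ")[-1]
    return new_name.rsplit(".", 1)[-1].lower() if "." in new_name else ""

def rename_burst(times: list[float]) -> bool:
    """True if RENAME_BURST_COUNT timestamps fall inside any RENAME_BURST_WINDOW span."""
    times, n = sorted(times), RENAME_BURST_COUNT
    return any(times[i + n - 1] - times[i] <= RENAME_BURST_WINDOW
               for i in range(len(times) - n + 1))

def score_process(events: list[tuple]) -> tuple[int, list[str]]:
    """Behavioural scoring over one process's events; returns (score, reasons)."""
    score, reasons = 0, []
    renames = defaultdict(list)          # new extension -> list of rename timestamps
    for t, _pid, kind, detail in events:
        if kind == "file_rename":
            renames[_new_extension(detail)].append(t)
        elif kind == "shadow_copy_delete":          # backup-destruction indicator
            score += 40; reasons.append("shadow_copy_delete")
        elif kind == "file_write" and any(w in detail.lower() for w in ("recover", "decrypt")):
            score += 15; reasons.append("ransom_note_like_write")
    for ext, times in renames.items():
        if rename_burst(times):                      # mass re-extension burst
            score += 50; reasons.append(f"rename_burst:.{ext}")
    return score, reasons

def decide(score: int) -> str:
    """Map a behavioural score to the response tier."""
    if score >= ISOLATE_SCORE:
        return "isolate_host"
    if score >= QUARANTINE_SCORE:
        return "quarantine_process"
    return "allow"

def evaluate(telemetry: list[tuple]) -> dict[int, tuple[str, int, list[str]]]:
    """Group events by pid and return {pid: (decision, score, reasons)}."""
    by_pid = defaultdict(list)
    for ev in telemetry:
        by_pid[ev[1]].append(ev)
    result = {}
    for pid, evs in by_pid.items():
        score, reasons = score_process(evs)
        result[pid] = (decide(score), score, reasons)
    return result

# Constructed endpoint telemetry: (seconds since boot, pid, event type, detail).
TELEMETRY = [(100.0, 4242, "process_start", "invoice_viewer.exe")]
TELEMETRY += [(101.0 + 0.3 * i, 4242, "file_rename",
               f"C:/Users/a/Docs/doc{i}.xlsx -> doc{i}.xlsx.locked") for i in range(12)]
TELEMETRY += [(105.0, 4242, "shadow_copy_delete", "all volume shadow copies removed"),
              (105.5, 4242, "file_write", "C:/Users/a/Docs/HOW_TO_RECOVER.txt"),
              (200.0, 5150, "process_start", "backup_tool.exe")]
TELEMETRY += [(201.0 + 5.0 * i, 5150, "file_rename",
               f"C:/Backups/set{i}.tmp -> set{i}.bak") for i in range(4)]
TELEMETRY += [(300.0 + 0.3 * i, 6001, "file_rename",
               f"C:/Temp/img{i}.png -> img{i}.png.tmp") for i in range(10)]

if __name__ == "__main__":
    # A never-seen sample slips past the signature check ...
    print("signature hit on novel sample:", signature_match(b"constructed novel sample v2"))
    # ... but its behaviour is caught and drives the response tier.
    for pid, (decision, score, reasons) in evaluate(TELEMETRY).items():
        print(pid, decision, score, reasons)
```

Process 4242 accumulates a rename burst, a shadow-copy deletion and a ransom-note-like write, so it crosses ISOLATE_SCORE and the host is disconnected; process 6001 shows only a rename burst and is quarantined; the backup tool's handful of slow renames scores nothing and is allowed. The two-tier decision is the point: quarantining the process contains the file, while isolating the host contains the spread that the enhanced quarantine feature above is meant to stop.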
These leading-edge technologies will continue to develop and improve. Advanced heuristics (strategies derived from previous experiences with similar problems) will eventually replace traditional anti-virus and anti-malware programs and systems. With the ability to rapidly learn and adapt, they will be one of the main ways that new threats are detected and blocked.
EDR’s features will also continue to develop. The features that are currently missing (encryption control, anti-phishing, content control, etc.) are part of the roadmap. These will be enhanced by utilizing the AI engines and machine learning processes already part of EDR. Cybersecurity solutions must continue to evolve as threats evolve.