We’ve been spending a lot of time recently doing research on malware, both the tactics of the attackers and understanding the next wave of detection approaches. That’s resulted in a number of reports, including network-based approaches to detect malware at the perimeter, and the Herculean task of decomposing the processes involved in confirming an infection, analyzing the malware, and tracking its proliferation in our Malware Analysis Quant. But those approaches largely didn’t address what’s required to detect malware on the devices themselves, and block the behaviors we know are malicious.
So we’ve written up the Evolving Endpoint Malware Detection report to cover how the detection techniques are changing, why it’s important to think about behavior in a new way, and why context is your friend if you want to both keep the attackers at bay and keep your users from wringing your neck. This excerpt sums up the paper pretty effectively:
The good news is that endpoint security vendors recognized their traditional approaches were about as viable as dodo birds a few years back. They have been developing improved approaches – the resulting products have reduced footprints requiring far less computing resources on the device, and are generally decent at detecting simple attacks. But as we have described, simple attacks aren’t the ones to worry about. So we will investigate how endpoint protection will evolve to better detect and hopefully block the current wave of attacks.
We would like to thank Trusteer for licensing the content in this paper, and keep in mind that your work is never done. The bad guys (and gals) will continue innovating to steal your data, so your detection techniques will need to evolve as well.