Only one thing is certain in the threat landscape: the uncertainty around the attacks, the techniques, the tactics, and the vectors. Exploit kits dominated the landscape a few years ago, but has become quiet. Ransomware tops the list of today, but what’s in the store for the future? The trouble is, we don’t know for sure. The threats that we’re seeing today are almost certainly not the threats that we’ll likely see tomorrow. So what do we do in order to protect ourselves from the unknown? We need to take a holistic approach that allows us to protect against anything that may come our way.
Malwarebytes Endpoint Protection leverages 7 unique layers of detection techniques in what we call Multi-Vector Protection - a multi-vector approach protects against today and tomorrow’s threats. The layers fall into two categories: rules-based and behavior-based. The rules-based layers leverage human-intelligence: the curated work of our talented threat researchers. Contrary to popular belief – signature approaches are not bad. Effectively implemented, they offer fast, accurate, and highly efficient protection against known threats with little risk to false-positives. The behavior-based technologies are signature-less techniques that address unknown malware. Altogether, these 7 layers address the attack chain – both pre and post-execution for both known and unknown threats.
- Application Hardening (signature-less): During the initial phase of the attack, the attackers will profile the endpoint to identify the Operating System, browser version, and installed software to identify points of vulnerability and determine the specific malware payload to be delivered. Our Application Hardening reduces the vulnerability surface, making the endpoint more resilient. Malwarebytes can also proactively detect fingerprinting attempts made by advanced exploit attacks.
- Web Protection (rules-based): Following the identification of the malware to be delivered, the initial payload on the endpoint will connect to the server hosting the actual malware. Web Protection prevents the endpoint from connecting to malicious websites and downloading malicious payloads. Malwarebytes can also protect the end-user from unknowingly browsing to a known malicious website.
- Exploit Mitigation (signature-less): If the attack is leveraging an exploit kit, Exploit Mitigation proactively detects and blocks attempts to compromise application vulnerabilities and remotely execute code on the endpoint.
- Application Behavior (signature-less): Many attacks will use installed applications to execute malicious commands. The Application Behavior layer ensures applications behave as intended, preventing them from being leveraged to infect the endpoint.
- Payload Analysis (rules-based): Leveraging our threat intelligence curated by Malwarebytes Threat Researchers, our Payload Analysis layer uses heuristic rules to identify entire families of known and relevant malware.
- Anomaly Detection (signature-less): The traditional application of machine-learning in threat detection attempts to identify malware. This is done by training the machine learning algorithms with malware (by definition, “known malware”). The issue is that threats evolve so quickly that these approaches tend to result in models that degrade in efficacy very quickly. We’ve taken a different approach with our Anomaly Detection model, where we’ve focused on training with known good files. These models have proven to be very durable – meaning that they’re able to maintain their effectiveness very well over time.
- Ransomware Mitigation (signature-less): If an attack manages to get through all the pre-execution detection layers, the Ransomware Mitigation monitors for the behavioral traits of ransomware: enumeration of personal files, identification of back-up points, identification of network file shares, etc. and prevents the ransomware from encrypting any files. Most ransomware is blocked before this final layer, but this post-execution method serves as a final line of defense.
It’s critical to note that our remediation capabilities are included as part of Malwarebytes Endpoint Protection because we know we can’t be 100% effective 100% of the time. So when something does get through, as soon as we know about it, we’ll be able to find and thoroughly remove the infection.
What makes our approach work so well? It’s driven by the best threat intelligence in the industry. Over the years, Malwarebytes has been established as the gold-standard in remediation. More than 500,000 downloads occur daily from both consumers and enterprises when their existing solutions fail and more than 3 million remediation events are processed daily. Malwarebytes has the only threat intelligence in the industry with the ability to “see” the latest successful threats. This provides us the insight to understand the tactics, techniques, and procedures used by the attackers, allowing us to a) validate our ability to detect the threats and b) stay ahead of the threats by understanding the trends before anyone else.
Malwarebytes cloud platform
Malwarebytes Endpoint Protection is the second solution to be offered on our new single, unified endpoint agent and delivered via our cloud-based management platform. This new platform eases deployment of Malwarebytes Endpoint Protection (as well as Malwarebytes Incident Response). Additionally, larger organizations benefit from effortless, unlimited scalability and quick time-to-value.
In addition to managing the deployment, the cloud management console also centrally manages security policy and threat visibility across all endpoints in your organization. The cloud platform also enables endpoint Asset Management by delivering dozens of endpoint system details such as network interfaces, storage devices, memory objects, installed software, software updates, startup programs, and more.
I encourage you all to learn more about this new solution and more importantly, give it a try!