The Role of AI in Modern Endpoint Security

Traditional EDR solutions leave security teams overburdened with manual alert triage and classification tasks. Learn how AI-based endpoint security can help.

digital check point with people wearing facial protection mask picture id1263489094
iStock

Mobility and remote work have transformed the modern business landscape, as well as the security risks organizations, users and devices are facing today. Threat actors are hard at work creating new threats and attack techniques designed to overwhelm and evade traditional protections to infect corporate machines. Less conventional, perimeter-based defenses and increasingly sophisticated endpoint attacks mean company devices have never been more vulnerable or valuable to cybercriminals than they are today.  

Unfortunately, many legacy endpoint security solutions simply don’t offer enough visibility into processes and applications that might contain threats, and end up stunting security administrators’ productivity and effectiveness by requiring manual classification. That’s why artificial intelligence (AI) is taking the place of legacy solutions as the backbone of modern endpoint security success.

Here are several key benefits that AI-based endpoint security can offer your organization in the fight against off-network attacks in the remote work age:

Continuous Monitoring

As more employees work from home, having visibility into the activity of every application on every endpoint has become critical. But manual solutions to this challenge simply aren’t tenable due to the level of time and attention required and practical visibility obstacles remote workforces present for your IT and security teams.

AI-enabled endpoint security solutions can track and continuously monitor all endpoint activities and deem each execution as either malicious or approved. And in cases where an attacker co-opts software previously defined as legitimate to perform malicious activities, AI can spot the difference, reclassify it, and ensure it can’t execute. This level of uninterrupted, automated classification is why AI is the key to endpoint security that is trustworthy and scalable.

Automated Classification

How do these automated classifications work in practice? First, AI-based endpoint security solutions should automatically create a “deny” list based on known malware, an “allow” list based on known goodware and a separate list for unknown processes not contained in either of these categories. For unknown processes, machine learning (ML) algorithms assess static, behavioral and context attributes in a cloud-based AI system. These algorithms extract attributes from the telemetry for the cloud-based environment and from a set of physical sandboxes in which executable files are detonated to fully classify unknown processes as either legitimate or malicious.

The minute fraction of remaining uncategorized processes might require analysis from human malware analysts and threat hunters, but in general, AI-based automated endpoint threat classification should be self-sufficient and scalable to high volumes of files.    

Risk-based Application Control

There are two primary options to consider when it comes to the level of AI-based security that agents running on individual endpoints can provide. The first is to deny any unknown application or binary coming from the outside. This means the endpoint agent will block any processes originating from web downloads, email, removable media, remote locations, etc., by default until validated as legitimate. The second is to deny by default any application or binary at all, regardless of its location. This route would block processes from the network, from within the endpoint, or from the outside until the system confirms all running processes are trustworthy.

We know that endpoints are now sitting squarely in cybercriminals’ crosshairs. Fortunately, WatchGuard’s Zero-Trust Application Service is tailor-made for this moment. It uses AI to immediately determine if an endpoint process is trusted or not, and then only allows safe applications to execute on each endpoint. A fully automated, managed service included as part of WatchGuard’s EPDR and EDR solutions, it monitors endpoint activity, categorizes 100% of running processes in real time, and blocks malicious applications and processes (throughout pre-execution, in-execution and post-execution).

With the ever-growing volume of off-network attacks we’re facing today, you simply can’t afford to tolerate legacy EDR solutions that place a heavier burden on your security team by forcing them to triage alerts and classify threats manually. The only way to ensure robust, trustworthy and scalable endpoint security in today’s threat landscape is to leverage security services with AI and automation at their core.

Learn more about WatchGuard’s Zero Trust Application Service and suite of advanced endpoint security solutions here.

Related:

Copyright © 2021 IDG Communications, Inc.