Security at the core of Intel’s new vPro platform

Intel has introduced its 13^th Generation Core processor line, which the company claims is the first to build threat detection into hardware. In combination with endpoint detection and response (EDR) platforms from Intel partners, the new vPro processors promise a 70% reduction in attack surface compared to four-year-old PCs. Windows 11 systems can also take advantage of vPro’s memory encryption to provide better virtualization-based security.

In tests conducted by SE Labs and commissioned by Intel, the vPro platform had 93% efficacy at detecting top ransomware attacks, a 24% improvement over software alone. Other tests conducted by IDC showed that vPro’s virtualization security could result in a 26% decline in “major” security breaches and 21% fewer impactful security events while improving security team efficiency by 17%.

These test results, all conducted on individual systems, suggest a boon for security teams protecting user devices. However, it will take time before organizations can fully realize the benefits of hardware-based threat detection. “It’s fairly common for large organizations to have a ‘rolling replacement’ philosophy – replacing one-third [of their devices] per year over a three-year period as an example,” says Jack Gold, founder and principal analyst at J.Gold Associates. “So those devices on older technology will not be as well protected, but the new devices will be and that is an advantage for those users and the organization as a whole.”

How Intel vPro’s hardware-based threat detection works

At the heart of the vPro security features is Intel’s artificial intelligence-based Threat Detection Technology (TDT). It works with security solutions, adding a hardware-assisted detection layer. Intel TDT uses CPU telemetry and machine-learning (ML) heuristics to detect attack behaviors that leave a “footprint” on CPU performance monitoring units (PMUs), including ransomware and crypto-jacking. The technology is intended for EDR vendors to incorporate into their solutions.

The three core capabilities are:

Advanced Platform Telemetry identifies indicators of compromise (IoCs) of known malware and attacks. It uses data from Intel’s PMU, a component of the processor that measures instruction cycles, cache hits and misses, and other performance data. Intel trains the ML models on a representative set of platforms for each vPro generation, enabling Intel TDT to distinguish malware behavior from legitimate workloads. The PMU telemetry training data is collected from simulators that emulate the behavioral patterns of, say, ransomware encryption algorithms and techniques to avoid behavioral detection. Real-world samples supplement the behavioral data then telemetry data from benign workloads are added so Intel TDT can distinguish between normal and malicious activity.

Accelerated Memory Scanning (AMS) detects indicators of attack (IoAs). When triggered by a specific behavior, the AMS engine scans the memory of the suspect process to look for shellcode, unique strings, patches, and other signs of malicious activity. “AMS is especially well suited to catching polymorphic malware and file-less attacks that are using dual-use tools,” according to a report from ABi Research commissioned by Intel. “These tools are legitimate software applications that can be subverted to conduct cyberattacks (such as Cobalt Strike…) or drop fileless attacks like ransomware that can also execute in memory.”

Anomalous Behavior Detection (ABD) monitors applications during runtime for potentially malicious behavior using telemetry data from the CPU and machine learning. Deviations from normal behavior are flagged in real-time as suspicious. “The ML used is based on a continuous learning algorithm that allows ABD to update its models through controlled incremental training,” the ABi Research report read. “This continuous learning process can be managed and augmented by the EDR solution, with security ISVs importing additional telemetry into a base model for an app/process.”

Threat actors will undoubtedly look for ways around the protections that Intel TDT provides. Should that happen, the new vPro platform is updatable. It comes with Intel Active Management Technology and Intel Endpoint Management Assistant (Intel EMA), which allows for remote discovery and repair across an organization.

Intel TDT and EDR

Antivirus and EDR solutions providers might run Intel’s models with the default configuration. More advanced vendors can add indicators from their own research to the ML inference configuration. Intel will deliver updates to partner vendors as new threats emerge.

EDR providers with Intel TDT-enabled solutions include Crowdstrike, Microsoft, Trend Micro, Eset, Acronis, and Check Point. EDR solutions that are not Intel TDT-enabled should work as before with the new vPro systems but without the extra boost. “It’s always faster and more productive to do things in hardware than to try and simulate the same thing with software. With AI, that’s even more so,” says Gold. “AI-accelerated threat detection is a major advance over just looking at code and trying to see if it’s bad, as many antimalware solutions do. AI looks at the behavior and makes a judgment on the risk involved. That’s a major improvement over signature-based solutions.”

Similarly, Intel TDT-enabled EDR solutions will run normally on non-vPro 13^th-generation systems. “If the app sees a component (in this case vPro), it can leverage that component. If the component isn’t there, it still works but perhaps not as fast or as effectively,” says Gold.

As systems with hardware-enabled threat detection are deployed, most EDR solution providers will likely take advantage of it to enhance their own capabilities. “In the same way we see products being changed when you can employ accelerators generally (e.g., when you have GPU and not just a CPU to run for graphics, games, HPC, etc.), the hardware enablement means vendors can leverage those assets without having to try and create them themselves,” Gold says.