In what the chipmaker claims is an industry first, the latest processor line from Intel will incorporate threat detection right into the hardware, bolstering EDR and other cybersecurity platforms.

Intel has introduced its 13th Generation Core processor line, which the company claims is the first to build threat detection into hardware. In combination with endpoint detection and response (EDR) platforms from Intel partners, the new vPro processors promise a 70% reduction in attack surface compared to four-year-old PCs. Windows 11 systems can also take advantage of vPro’s memory encryption to provide better virtualization-based security.

In tests conducted by SE Labs and commissioned by Intel, the vPro platform had 93% efficacy at detecting top ransomware attacks, a 24% improvement over software alone. Other tests conducted by IDC showed that vPro’s virtualization security could result in a 26% decline in “major” security breaches and 21% fewer impactful security events, while improving security team efficiency by 17%.

These results, all obtained on individual systems rather than across fleets, suggest a boon for security teams protecting user devices. However, it will take time before organizations can fully realize the benefits of hardware-based threat detection, because the protection exists only on the new hardware and most fleets are replaced gradually. “It’s fairly common for large organizations to have a ‘rolling replacement’ philosophy – replacing one-third [of their devices] per year over a three-year period as an example,” says Jack Gold, founder and principal analyst at J.Gold Associates. “So those devices on older technology will not be as well protected, but the new devices will be and that is an advantage for those users and the organization as a whole.”

How Intel vPro’s hardware-based threat detection works

At the heart of the vPro security features is Intel’s artificial intelligence-based Threat Detection Technology (TDT). It works alongside security products, adding a hardware-assisted detection layer. 
Intel TDT uses CPU telemetry and machine-learning (ML) heuristics to detect attack behaviors that leave a “footprint” on the CPU’s performance monitoring unit (PMU), including ransomware and crypto-jacking. The technology is intended for EDR vendors to incorporate into their solutions. It has three core capabilities.

Advanced Platform Telemetry identifies indicators of compromise (IoCs) of known malware and attacks. It uses data from Intel’s PMU, a component of the processor that counts instruction cycles, cache hits and misses, and other performance events. Intel trains the ML models on a representative set of platforms for each vPro generation, so that Intel TDT can distinguish malware behavior from legitimate workloads. The PMU training data is collected from simulators that emulate the behavioral patterns of, say, ransomware encryption algorithms and the techniques malware uses to avoid behavioral detection. Real-world malware samples supplement that simulated data, and telemetry from benign workloads is added so that Intel TDT can distinguish normal activity from malicious activity.

Accelerated Memory Scanning (AMS) detects indicators of attack (IoAs). When triggered by a specific behavior, the AMS engine scans the memory of the suspect process for shellcode, unique strings, patches, and other signs of malicious activity. “AMS is especially well suited to catching polymorphic malware and file-less attacks that are using dual-use tools,” according to a report from ABI Research commissioned by Intel. “These tools are legitimate software applications that can be subverted to conduct cyberattacks (such as Cobalt Strike…) or drop fileless attacks like ransomware that can also execute in memory.”

Anomalous Behavior Detection (ABD) monitors applications at runtime for potentially malicious behavior, using telemetry from the CPU and machine learning. Deviations from an application’s normal behavior are flagged as suspicious in real time. 
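To make the two telemetry-based capabilities concrete, here is an added example (not Intel TDT code, and not a description of Intel’s proprietary models) of the general approach the article describes for Advanced Platform Telemetry and ABD: per-process PMU counter deltas are reduced to ratios, a baseline built from benign workloads yields per-feature z-scores for anomaly detection, and centroids built from labelled samples give a nearest-profile match for known behaviors. Every counter value, process name, threshold and profile label below is constructed for the example; the ratios chosen as features are a common starting point, not Intel’s feature set.

```python
"""Toy PMU-telemetry classifier: benign baseline + labelled behaviour profiles.

Added illustration of the approach described in the article, not Intel TDT
code. All counter values below are constructed for the example.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev


@dataclass(frozen=True)
class PmuSample:
    """Counter deltas for one process over one sampling window (constructed)."""
    name: str
    instructions: int
    cycles: int
    cache_misses: int
    branch_misses: int


def features(s: PmuSample) -> dict[str, float]:
    """Ratios normalise away window length and process size."""
    if s.cycles <= 0 or s.instructions <= 0:
        raise ValueError(f"{s.name}: empty sampling window")
    return {
        "ipc": s.instructions / s.cycles,
        "cache_miss_per_kinst": 1e3 * s.cache_misses / s.instructions,
        "branch_miss_per_kinst": 1e3 * s.branch_misses / s.instructions,
    }


class TelemetryModel:
    def __init__(self, benign: list[PmuSample], labelled: dict[str, list[PmuSample]]):
        feats = [features(s) for s in benign]
        self.keys = list(feats[0])
        self.mu = {k: mean(f[k] for f in feats) for k in self.keys}
        # epsilon guards a feature that never varies in the baseline
        self.sigma = {k: max(pstdev([f[k] for f in feats]), 1e-9) for k in self.keys}
        # one centroid per labelled behaviour, kept in z-space so features are comparable
        self.centroids = {
            label: {k: mean(self.zscores(s)[k] for s in samples) for k in self.keys}
            for label, samples in labelled.items()
        }

    def zscores(self, s: PmuSample) -> dict[str, float]:
        f = features(s)
        return {k: (f[k] - self.mu[k]) / self.sigma[k] for k in self.keys}

    def anomaly_score(self, s: PmuSample) -> float:
        """ABD-style: how far the worst feature sits from the benign baseline."""
        return max(abs(v) for v in self.zscores(s).values())

    @staticmethod
    def _dist(a: dict[str, float], b: dict[str, float]) -> float:
        return sqrt(sum((a[k] - b[k]) ** 2 for k in a))

    def nearest_profile(self, s: PmuSample) -> tuple[str, float]:
        """IoC-style: closest labelled behaviour and its distance in z-space."""
        if not self.centroids:
            return "none", float("inf")
        z = self.zscores(s)
        label, c = min(self.centroids.items(), key=lambda kv: self._dist(z, kv[1]))
        return label, self._dist(z, c)

    def classify(self, s: PmuSample, profile_radius: float = 2.0, z_threshold: float = 3.0) -> str:
        label, dist = self.nearest_profile(s)
        if dist <= profile_radius:          # matches a known behaviour
            return label
        if self.anomaly_score(s) >= z_threshold:  # unknown but off-baseline
            return "anomalous"
        return "benign"


# Constructed baseline and labelled training windows (thresholds are toy values).
BENIGN = [
    PmuSample("browser",  2_000_000_000, 2_500_000_000, 4_000_000, 20_000_000),
    PmuSample("office",   1_000_000_000, 1_000_000_000, 2_500_000, 12_000_000),
    PmuSample("compiler", 3_000_000_000, 2_500_000_000, 9_000_000, 24_000_000),
    PmuSample("video",    4_000_000_000, 2_500_000_000, 6_000_000, 24_000_000),
]
LABELLED = {
    "ransomware-like": [
        PmuSample("enc-sim-1", 6_000_000_000, 2_500_000_000, 30_000_000, 6_000_000),
        PmuSample("enc-sim-2", 5_000_000_000, 2_500_000_000, 30_000_000, 5_000_000),
    ],
    "cryptojacking-like": [
        PmuSample("miner-sim-1", 7_500_000_000, 2_500_000_000, 3_750_000, 7_500_000),
        PmuSample("miner-sim-2", 7_000_000_000, 2_500_000_000, 3_500_000, 7_000_000),
    ],
}
MODEL = TelemetryModel(BENIGN, LABELLED)

# Constructed windows for unknown processes.
SUSPECTS = [
    PmuSample("suspect-a", 5_500_000_000, 2_500_000_000, 27_500_000, 5_500_000),
    PmuSample("suspect-b", 1_500_000_000, 1_500_000_000, 3_000_000, 15_000_000),
    PmuSample("suspect-c", 1_000_000_000, 4_000_000_000, 2_000_000, 40_000_000),
    PmuSample("suspect-d", 7_250_000_000, 2_500_000_000, 3_625_000, 7_250_000),
]


def run(model: TelemetryModel = MODEL, suspects: list[PmuSample] = SUSPECTS) -> dict[str, str]:
    return {s.name: model.classify(s) for s in suspects}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name}: {verdict}")
```

The order of checks matters: a known-profile match is reported before the anomaly test, so a process that resembles trained ransomware telemetry is labelled as such even when a single z-score threshold would only have said “anomalous”. A real deployment would also need per-application baselines (ABD is described as per-application) and retraining per CPU generation, since counter behavior shifts with microarchitecture.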
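The AMS description above, as an added example that is not Intel’s or any EDR vendor’s AMS code: a scan of a suspect process image that runs only once a behavioral trigger fires and then looks for the three kinds of artifact the article lists, byte signatures (shellcode), unique strings, and in-memory patches of code whose known-good bytes are on record. The process image, trigger names, syscall stub and the second byte signature are constructed for the example; the x64 prologue bytes and the “ReflectiveLoader” export name are real, widely seen artifacts.

```python
"""Toy triggered memory scan in the style of the AMS description.

Added illustration, not Intel or EDR vendor code. The process image and
trigger names are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # "shellcode", "string" or "patch"
    name: str
    offset: int
    detail: str = ""


# Byte patterns. The first is the widely seen x64 stager prologue
# (cld; and rsp,-0x10); the second is constructed for the example.
SIGNATURES = {
    "x64_stager_prologue": b"\xfc\x48\x83\xe4\xf0",
    "example_marker": b"\xde\xad\xbe\xef\xca\xfe",
}
# Strings a legitimate image of the scanned program never contains;
# "ReflectiveLoader" is the export name used by reflective DLL loaders.
UNIQUE_STRINGS = [b"ReflectiveLoader"]
# Behaviours that justify the comparatively expensive scan (constructed names).
TRIGGERS = {"rwx_allocation", "telemetry_anomaly", "remote_thread"}


def find_bytes(image: bytes, kind: str, table: dict[str, bytes]) -> list[Finding]:
    """Every occurrence of every pattern, not just the first."""
    hits = []
    for name, pat in table.items():
        start = 0
        while (i := image.find(pat, start)) != -1:
            hits.append(Finding(kind, name, i))
            start = i + 1
    return hits


def find_patches(image: bytes, known_good: dict[str, tuple[int, bytes]]) -> list[Finding]:
    """Compare in-memory code with its known-good bytes; an 0xE9 (jmp rel32)
    at the function entry is the classic inline hook."""
    hits = []
    for name, (base, good) in known_good.items():
        live = image[base:base + len(good)]
        if live == good:
            continue
        diff = [i for i, (a, b) in enumerate(zip(live, good)) if a != b]
        first = diff[0] if diff else len(live)   # truncated region counts as a diff at its end
        detail = "jmp_rel32 at entry" if live[:1] == b"\xe9" else "bytes differ"
        hits.append(Finding("patch", name, base + first, detail))
    return hits


def scan(image: bytes, known_good: dict[str, tuple[int, bytes]], events: set[str]) -> list[Finding]:
    """Return [] unless a trigger fired: the scan is event-driven, not continuous."""
    if not events & TRIGGERS:
        return []
    findings = find_bytes(image, "shellcode", SIGNATURES)
    findings += find_bytes(image, "string", {s.decode(): s for s in UNIQUE_STRINGS})
    findings += find_patches(image, known_good)
    return sorted(findings, key=lambda f: f.offset)


def build_sample_image() -> tuple[bytes, dict[str, tuple[int, bytes]]]:
    """Constructed process image: a hooked syscall stub at 0x40, a loader
    string at 0x60 and a shellcode prologue at 0x80. Syscall number is made up."""
    good_stub = b"\x4c\x8b\xd1\xb8\x33\x00\x00\x00"     # mov r10,rcx ; mov eax,0x33
    hooked_stub = b"\xe9\x10\x00\x00\x00\x00\x00\x00"   # jmp rel32 ; padding
    image = (b"\x00" * 64 + hooked_stub + b"\x00" * 24
             + b"ReflectiveLoader\x00" + b"\x00" * 15
             + SIGNATURES["x64_stager_prologue"] + b"\x90" * 27)
    return image, {"NtExampleSyscall": (64, good_stub)}


if __name__ == "__main__":
    img, known = build_sample_image()
    for f in scan(img, known, {"rwx_allocation"}):
        print(f"{f.kind:9s} {f.name:22s} @0x{f.offset:04x} {f.detail}")
```

The patch check is the part signature scanners usually lack: it needs a trusted copy of the code (on disk or from a clean process) to compare against, which is why the article groups “patches” with shellcode and strings as things a memory scan, rather than a file scan, can see.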
“The ML used is based on a continuous learning algorithm that allows ABD to update its models through controlled incremental training,” the ABI Research report read. “This continuous learning process can be managed and augmented by the EDR solution, with security ISVs importing additional telemetry into a base model for an app/process.”

Threat actors will undoubtedly look for ways around the protections that Intel TDT provides. Should that happen, the detection models can be updated: Intel says it will deliver updates to partner vendors as new threats emerge. The platform also includes Intel Active Management Technology and Intel Endpoint Management Assistant (Intel EMA), which allow remote discovery and repair of devices across an organization.

Intel TDT and EDR

Antivirus and EDR providers can run Intel’s models with the default configuration. More advanced vendors can add indicators from their own research to the ML inference configuration. Intel will deliver updates to partner vendors as new threats emerge.

EDR providers with Intel TDT-enabled solutions include CrowdStrike, Microsoft, Trend Micro, ESET, Acronis, and Check Point. EDR solutions that are not Intel TDT-enabled should work as before on the new vPro systems, but without the extra boost. “It’s always faster and more productive to do things in hardware than to try and simulate the same thing with software. With AI, that’s even more so,” says Gold. “AI-accelerated threat detection is a major advance over just looking at code and trying to see if it’s bad, as many antimalware solutions do. AI looks at the behavior and makes a judgment on the risk involved. That’s a major improvement over signature-based solutions.”

Similarly, Intel TDT-enabled EDR solutions will run normally on non-vPro 13th-generation systems. “If the app sees a component (in this case vPro), it can leverage that component. If the component isn’t there, it still works but perhaps not as fast or as effectively,” says Gold. 
As systems with hardware-enabled threat detection are deployed, most EDR providers will likely take advantage of it to enhance their own capabilities. “In the same way we see products being changed when you can employ accelerators generally (e.g., when you have GPU and not just a CPU to run for graphics, games, HPC, etc.), the hardware enablement means vendors can leverage those assets without having to try and create them themselves,” Gold says.