Intel has introduced its 13th Generation Core processor line, which the company claims is the first to build threat detection into hardware. In combination with endpoint detection and response (EDR) platforms from Intel partners, the new vPro processors promise a 70% reduction in attack surface compared to four-year-old PCs. Windows 11 systems can also take advantage of vPro's memory encryption to provide better virtualization-based security.

In tests conducted by SE Labs and commissioned by Intel, the vPro platform had 93% efficacy at detecting top ransomware attacks, a 24% improvement over software alone. Other tests conducted by IDC showed that vPro's virtualization security could result in a 26% decline in "major" security breaches and 21% fewer impactful security events while improving security team efficiency by 17%.

These test results, all conducted on individual systems, suggest a boon for security teams protecting user devices. However, it will take time before organizations can fully realize the benefits of hardware-based threat detection. "It's fairly common for large organizations to have a 'rolling replacement' philosophy – replacing one-third [of their devices] per year over a three-year period as an example," says Jack Gold, founder and principal analyst at J.Gold Associates. "So those devices on older technology will not be as well protected, but the new devices will be and that is an advantage for those users and the organization as a whole."

How Intel vPro's hardware-based threat detection works

At the heart of the vPro security features is Intel's artificial intelligence-based Threat Detection Technology (TDT). It works with security solutions, adding a hardware-assisted detection layer.
Intel TDT uses CPU telemetry and machine-learning (ML) heuristics to detect attack behaviors that leave a "footprint" on the CPU's performance monitoring units (PMUs), including ransomware and crypto-jacking. The technology is intended for EDR vendors to incorporate into their solutions. The three core capabilities are:

Advanced Platform Telemetry identifies indicators of compromise (IoCs) of known malware and attacks. It uses data from Intel's PMU, a component of the processor that measures instruction cycles, cache hits and misses, and other performance data. Intel trains the ML models on a representative set of platforms for each vPro generation, enabling Intel TDT to distinguish malware behavior from legitimate workloads. The PMU telemetry training data is collected from simulators that emulate the behavioral patterns of, say, ransomware encryption algorithms and of techniques used to avoid behavioral detection. Real-world samples supplement the behavioral data, and telemetry from benign workloads is then added so Intel TDT can distinguish between normal and malicious activity.

Accelerated Memory Scanning (AMS) detects indicators of attack (IoAs). When triggered by a specific behavior, the AMS engine scans the memory of the suspect process to look for shellcode, unique strings, patches, and other signs of malicious activity. "AMS is especially well suited to catching polymorphic malware and file-less attacks that are using dual-use tools," according to a report from ABI Research commissioned by Intel. "These tools are legitimate software applications that can be subverted to conduct cyberattacks (such as Cobalt Strike…) or drop fileless attacks like ransomware that can also execute in memory."

Anomalous Behavior Detection (ABD) monitors applications during runtime for potentially malicious behavior, using telemetry data from the CPU and machine learning. Deviations from normal behavior are flagged in real time as suspicious.
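To make the tiered flow described above concrete, here is an added toy illustration (not Intel's code; the counter values, threshold and memory-scan hook are constructed): a per-process baseline of PMU-derived ratios learned from benign windows, z-score deviation flagging in the spirit of ABD, and escalation to a memory scan only for the windows telemetry flags, as AMS is described.

```python
"""Toy model of the tiered flow the article describes: cheap PMU telemetry
anomaly scoring per process, with a costlier memory scan only for windows the
telemetry flags. Constructed values, not Intel TDT's models or real counters."""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable

@dataclass(frozen=True)
class PmuSample:
    """One sampling window of (constructed) PMU counters for one process."""
    instructions: int
    cycles: int
    cache_refs: int
    cache_misses: int

def features(s: PmuSample) -> tuple[float, float]:
    """Ratios (IPC, cache-miss rate) travel across machines better than raw counts."""
    return s.instructions / s.cycles, s.cache_misses / s.cache_refs

class BehaviorBaseline:
    """'Normal' model for a process, learned from benign windows only."""
    def __init__(self, benign: list[PmuSample], threshold: float = 3.0) -> None:
        cols = list(zip(*(features(s) for s in benign)))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1e-9 for c in cols]  # guard a constant feature
        self.threshold = threshold

    def score(self, s: PmuSample) -> float:
        """Largest absolute z-score over the features; higher = more unusual."""
        return max(abs((f - m) / sd) for f, m, sd in zip(features(s), self.mu, self.sigma))

    def is_anomalous(self, s: PmuSample) -> bool:
        return self.score(s) > self.threshold

def triage(base: BehaviorBaseline, window: PmuSample, memory_scan: Callable[[], bool]) -> str:
    """Escalate to the (hypothetical) memory scan only when telemetry fires."""
    if not base.is_anomalous(window):
        return "benign"
    return "malicious" if memory_scan() else "suspicious"

# Constructed windows: an editor-like process (IPC ~1.5, ~2% miss rate) ...
BENIGN_WINDOWS = [PmuSample(1500, 1000, 10000, 200), PmuSample(1600, 1000, 10000, 220),
                  PmuSample(1400, 1000, 10000, 180), PmuSample(1550, 1000, 10000, 210),
                  PmuSample(1450, 1000, 10000, 190)]
QUIET_WINDOW = PmuSample(1520, 1000, 10000, 205)
# ... versus a window that streams through memory the way bulk encryption would.
STREAMING_WINDOW = PmuSample(900, 1000, 10000, 900)
```

The streaming window scores far above the threshold on cache-miss rate alone, while the quiet window stays well inside the baseline, so only the former reaches the memory scan.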
"The ML used is based on a continuous learning algorithm that allows ABD to update its models through controlled incremental training," the ABI Research report reads. "This continuous learning process can be managed and augmented by the EDR solution, with security ISVs importing additional telemetry into a base model for an app/process."

Threat actors will undoubtedly look for ways around the protections that Intel TDT provides. Should that happen, the new vPro platform is updatable. It comes with Intel Active Management Technology and Intel Endpoint Management Assistant (Intel EMA), which allow for remote discovery and repair across an organization.

Intel TDT and EDR

Antivirus and EDR solution providers might run Intel's models with the default configuration. More advanced vendors can add indicators from their own research to the ML inference configuration. Intel will deliver updates to partner vendors as new threats emerge.

EDR providers with Intel TDT-enabled solutions include CrowdStrike, Microsoft, Trend Micro, ESET, Acronis, and Check Point. EDR solutions that are not Intel TDT-enabled should work as before with the new vPro systems, but without the extra boost. "It's always faster and more productive to do things in hardware than to try and simulate the same thing with software. With AI, that's even more so," says Gold. "AI-accelerated threat detection is a major advance over just looking at code and trying to see if it's bad, as many antimalware solutions do. AI looks at the behavior and makes a judgment on the risk involved. That's a major improvement over signature-based solutions."

Similarly, Intel TDT-enabled EDR solutions will run normally on non-vPro 13th-generation systems. "If the app sees a component (in this case vPro), it can leverage that component. If the component isn't there, it still works but perhaps not as fast or as effectively," says Gold.

As systems with hardware-enabled threat detection are deployed, most EDR solution providers will likely take advantage of it to enhance their own capabilities. "In the same way we see products being changed when you can employ accelerators generally (e.g., when you have a GPU and not just a CPU to run graphics, games, HPC, etc.), the hardware enablement means vendors can leverage those assets without having to try and create them themselves," Gold says.