Controlling the Risks of Cloud-Enabled End-Point Security Products

A relatively new feature in Antivirus products has led to an evolution of most traditional Antivirus products: Cloud connectivity.

Many vendors such as CrowdStrike, Symantec, and Palo Alto use their cloud platforms to enable end-point security agents, servers, and devices to obtain real-time threat intelligence data. This connectivity allows its users to make an informed decision on suspicious file or network activity and if possible, to automatically contain a compromised system in its earliest stages.

Without the benefits of a distributed cloud platform, such a service was previously hard to maintain for vendors. Before cloud connectivity, threat intelligence lists would need to be downloaded by every customer individually, and the delay between scheduled updates would mean the data in production was always at least slightly behind the data the vendor had made available.

Imagine a suspicious, outgoing network connection over Telnet to an IP address in a country, which cannot be explained by normal business operations. A Next Generation firewall or a host-based IDS agent could quickly look up the IP or domain in a cloud-based database for any background information. If the vendor has marked the IP as suspicious or even malicious, the connection can be dropped straight away.

The next step in cloud-based threat intelligence is to share sanitized findings of suspicious activity with the vendor, to the benefit of other customers using the same platform.

The latest trend in this area is the addition of Sandboxing. No longer are only certain artifacts such as IP addresses and domains sent to the cloud for analysis, now entire suspicious files can be uploaded. When such a sample file is uploaded, it can be detonated inside the vendor’s isolated cloud platform, or if needed, it can be manually analyzed by a team of malware specialists. This means an (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Frank Siemons. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/VIq7WrAJuUU/