Sophos' Intercept X dives into deep learning for security

01 Feb 2018

Next-generation endpoint security provider Sophos is taking advanced deep learning neural networks to the fight against malware through the release of a new detection tool called Intercept X.

According to the company, deep learning takes machine learning to the next level by being able to learn the entire observable threat landscape. It is also able to process many millions of samples for a faster prediction rate and fewer false positives.

According to Enterprise Strategy Group senior validation analyst Tony Palmer, traditional machine learning models still depend on expert threat analysts for training; they also get more complex and slower as more data is added.

“These models may also have significant false positive rates which reduce IT productivity as admins try to determine what is malware and what is legitimate software,” Palmer explains.

He notes that Sophos’ approach to the deep learning neural network creates correlations between observed behaviour and malware.

“These correlations result in a high accuracy rate for both existing and zero-day malware, and a lower false-positive rate. ESG Lab analysis reveals that this neural network model scales easily, and the more data it takes in, the smarter the model becomes. This enables aggressive detection without administrative or system performance penalty.”

According to a recent Sophos survey, end users and IT managers are still getting to grips with the concept of deep learning.

56% of respondents said they do not know the difference between machine learning and deep learning, which means they are unable to fully understand the security options available to them.

“Predictive protection is the future of IT security. Sophos has taken a huge step forward by bringing deep learning neural networks into the industry leading exploit and ransomware protection of Intercept X,” comments Sophos senior VP and GM of products, Dan Schiappa.

“Being able to protect against the next unknown attack instead of waiting for it to arrive will change the way IT operations in every organization can protect their users and assets. Intercept X can bring the most advanced next-generation protection to any organisation, regardless of their current strategy.”

Sophos designed its product to include anti-exploit technologies such as anti-ransomware prevention, as well as ‘active-hacker’ mitigations like credential theft protection.

The company says that hackers are increasingly focused on credential theft because anti-malware strategies are improving.

Intercept X is deployed through Sophos Central, a cloud-based management platform. It can be installed alongside endpoint security from any vendor.

A quick look at new Intercept X features:

Deep Learning Malware Detection

  • Deep learning model detects known and unknown malware and potentially unwanted applications (PUAs) before they execute, without relying on signatures
  • The model is less than 20MB and requires infrequent updates

Active Adversary Mitigations

  • Credential theft protection – Preventing theft of authentication passwords and hash information from memory, registry, and persistent storage, as leveraged by such attacks as Mimikatz.
  • Code cave utilisation – Detects the presence of code deployed into another application, often used for persistence and antivirus avoidance
  • APC protection – Detects abuse of Application Procedure Calls (APC) often used as part of the AtomBombing code injection technique and more recently used as the method of spreading the WannaCry worm and NotPetya wiper via EternalBlue and DoublePulsar (adversaries abuse these calls to get another process to execute malicious code)

New and Enhanced Exploit Prevention Techniques

  • Malicious process migration – Detects remote reflective DLL injection used by adversaries to move between processes running on the system
  • Process privilege escalation – Prevents a low-privilege process from being escalated to a higher privilege, a tactic used to gain elevated system access

Enhanced Application Lockdown

  • Browser behaviour lockdown – Intercept X prevents the malicious use of PowerShell from browsers as a basic behaviour lockdown
  • HTA application lockdown – HTML applications loaded by the browser will have the lockdown mitigations applied as if they were a browser
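As an added illustration (not Sophos' code or Intercept X internals), the two Application Lockdown bullets can be expressed as a parent/child process-lineage check over endpoint process-creation telemetry: flag a script host spawned by a browser, and treat an HTA host that was itself launched by a browser as if it were the browser. Process names, event fields and the sample events are all constructed assumptions.

```python
# Added example, not part of the original article or Sophos' product code.
# Events are constructed to resemble process-creation telemetry; the field
# names and the process-name sets are assumptions, not Intercept X's own rules.
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
HTA_HOST = "mshta.exe"  # hosts HTML applications (.hta)
LOCKED_DOWN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # basename of the executable, e.g. "chrome.exe"


def build_tree(events):
    """Index events by pid so parents can be looked up in O(1)."""
    return {e.pid: e for e in events}


def is_browser_context(pid, tree):
    """True if pid is a browser, or an HTA host whose ancestor chain leads
    back to a browser (the HTA-lockdown rule treats it as the browser)."""
    ev = tree.get(pid)
    if ev is None:
        return False
    name = ev.image.lower()
    if name in BROWSERS:
        return True
    if name == HTA_HOST:
        return is_browser_context(ev.ppid, tree)
    return False


def find_lockdown_violations(events):
    """Return (child pid, parent image, child image) for every locked-down
    child launched from browser context, in event order."""
    tree = build_tree(events)
    hits = []
    for e in events:
        if e.image.lower() in LOCKED_DOWN_CHILDREN and is_browser_context(e.ppid, tree):
            hits.append((e.pid, tree[e.ppid].image, e.image))
    return hits


# Constructed sample: two violations (201 via chrome, 301 via an HTA host that
# chrome launched); 400 and 501 descend from explorer.exe and are allowed.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "chrome.exe"),
    ProcEvent(201, 200, "powershell.exe"),
    ProcEvent(300, 200, "mshta.exe"),
    ProcEvent(301, 300, "powershell.exe"),
    ProcEvent(400, 100, "powershell.exe"),
    ProcEvent(500, 100, "mshta.exe"),
    ProcEvent(501, 500, "cmd.exe"),
]
```

Running `find_lockdown_violations(SAMPLE)` yields the two browser-context launches and ignores the PowerShell and HTA chains that start from explorer.exe.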