Advanced Threat Protection: Detection & Prevention

by Joe Chow
 
 
What is Advanced Threat Protection?
 
Advanced threat protection (ATP) is a proactive security solution that defends against attacks by malware. One of its important goals is to prevent any malware from reaching and running in the protected devices. Usually, ATP deploys on cloud where files from  the internet are scanned and run in a remote dummy machine (sandbox) before allowing the files to be sent to the devices. Different ATP solutions may employ different approaches and may consist of a variety of components including endpoint agents, network devices, email gateways malware protection systems, and a centralized management console.
 
Using the traditional malware scanning software technology, malware is often found by checking its file signature against a list of known malware’s signatures. If there is no known signature to compare against the malware, devices can be infected even if they have been installed with a malware scanning software.  ATP solutions, on the other hand, work proactively with their remote components which act as a wall and sandbox to protect devices and minimize the damages.
 
How ATP works?
 
ATP solutions usually work by applying the following:
 
  1. Early detection

    One of the common methods used in ATP solutions is to employ a sandbox. With this method, files received from an outside source are sent to a remote ATP sandbox machine (virtual machine or dedicated appliance) for testing before they are allowed to reach the protected devices. In the sandbox machine, the behaviour of the files is analysed to see if they bear the characteristics of a malware.

     
  2. Protection

    Apart from threat detection, ATP solutions should provide certain means of protection to defend against threats such as having the ability to halt attacks in progress or mitigate threats before they breach other machines.

     
  3. Response

    By continuously monitoring and tracking, ATP solutions can quickly respond to incidents of threat attacks and provide useful data such as the severity of the attacks for administrators to analyse. With this data, administrators can take appropriate actions to stop further damages and mitigate the threats accordingly.
The benefits
 
The major benefit of adopting an ATP solution is the ability to handle and respond to new and zero-day attacks that traditional malware scanning technology fails to achieve.
 
ATP solutions also take a proactive approach to security by early detection of threats before they can actually reach the protected devices. This prevents and controls any spreading of known threats.
 
Since ATP service providers are usually able to access a global community for threat information sharing, their defence mechanisms are constantly updated.
 
The trade-offs
 
When using ATP solutions, files are checked before users can run them on their devices. Depending on the network condition and the ATP solutions used, this usually may not take long. However, if the files are big or the network is congested, the wait time could be longer than the users can afford. 
 
Since the data collected from ATP solutions can be enormous, continuous monitoring and analysing these data in real-time by the administrator could be time consuming and may involve a lot of manpower, thus many responding actions could be costly.
 
Conclusion
 
Information security is often the highest priority for large enterprises. An ATP solution is therefore essential to protect critical and sensitive enterprise data. As mentioned before, ATP solutions can help to detect threats promptly and allow administrators to respond quickly, however, ATP solutions are still unable to block all threats since hacking methods are changing so rapidly. More importantly, users’ education and knowledge on how to protect their data is more crucial.