The evolution of malware prevention
In a mobile-first, cloud-first world, people stay productive and connected using a variety of devices. While there is incredible value in so much connectivity and productivity, there is a corresponding growth in risk as people increase their exposure to cyber security threats. While security has always been a priority for Microsoft, this new world requires a new approach to, and a large investment in, threat prevention, detection and response. Windows Defender Antivirus, along with many other features that are built into Windows 10, are at the frontlines and must constantly evolve to protect customers against today’s threats and those that will emerge tomorrow.
Traditional, signature-based approaches to malware detection simply do not scale to the cyber threats customers face. Next-generation detection solutions, like Windows Defender Antivirus, protect customers through data science, machine learning, automation and behavioural analysis that are guided by expert threat researchers. These next-gen methodologies are required to deliver effective threat prevention in an era of unprecedented attacker activity.
Data science and machine learning has long been a pivotal component of Microsoft. Microsoft Azure and PowerBI are examples of the kinds of products that enable customers to empower themselves with data to gain actionable insights. Behind the scenes of these products is a powerful cloud infrastructure for big data and machine learning algorithms.
Microsoft also has a unique ability to correlate signals from vast domains, such as consumer and corporate e-mail services, online search and web browsing, on top of malicious and suspicious signals. These signals are collectively processed to deliver protection through Windows Defender Antivirus and Windows Defender Advanced Threat Protection (ATP), either locally or through their cloud services.
Combined, these domains leverage threat data from over a billion devices, 18 billion search result pages scanned by Bing, 300 billion authentications and 200 billion e-mails scanned for malicious content each month.
Microsoft’s unique insights into the threat landscape, informed by trillions of signals from billions of sources, create an Intelligent Security Graph (ISG) that it uses to shape how it protects all endpoints, better detect never-before-seen attacks and accelerate its response. The ISG is powered by inputs Microsoft receives across its endpoints, consumer services, commercial services and on-premises technologies. All that uniquely positions Microsoft to personalise its protection and identify anomalies that often represent new threats.
iSSC Group CEO, Emil Henrico, says: “Microsoft Defender is a seamless integration to the current platforms our customer use. The attack simulator in Defender for 365 assists our customers in educating their staff about e-mail attacks and has saved them a lot of time and effort.”
Although some prevalent malware can attempt to infect tens of thousands of customers, it’s more likely that a new malicious file will affect very few.
What is behind this predictive ability to block at first sight? Here are some of the Microsoft techniques:
- Lightweight, client-based machine learning models block attacks and flag suspicious activity for additional analysis by the cloud protection system.
- Computationally intensive cloud-based machine learning models deliver verdicts based on signals sent from the client within milliseconds, but can also request a file for additional analysis and return a block or allow verdict to the client within seconds.
- Local behavioural analysis tracks malicious actions in memory and across processes to stop file-based and file-less attacks.
- High-precision ‘traditional’ anti-virus on the client efficiently detects common malware, often through generic or heuristic methodologies, and excludes common clean programs from unnecessary scanning and performance impact.
Microsoft’s protection client often blocks or allows activity based on local classifiers, heuristics and behavioural or contextual clues. This analysis happens instantly and allows the client to block 97% of the malicious activity customers encounter. If the malicious intent remains questionable after assessment at the endpoint, a query containing rich metadata is sent to the Windows Defender Antivirus cloud protection system. Numerous models assess the current attack activity, while combining data from its global network of protected clients and its ISG, which correlates threat activity across all defence services.
The cloud protection system usually issues a verdict within milliseconds based only on this metadata. If this lightweight cloud analysis is insufficient to reach a determination, the sample is requested for deeper analysis and further processing. This fully automated deep analysis delivers precise assessments back to the client, but also has the benefit of providing immediate protection against similar threats on devices around the world based on the automated analysis of that one sample. This analysis process and the protection it generates takes only seconds to complete.
Windows Defender Antivirus customers experience around 90 billion potentially malicious encounters per day that need a verdict. Does an activity represent something malicious? Or is it benign? On any given day, around 97% of these verdicts are made by the client. The remaining 3% of these encounters, around two to three billion queries per day, are processed by the Windows Defender Antivirus cloud protection system.
While many decisions can be made on metadata in the query alone, a small percentage of samples are requested for further processing and automation. Along with data from industry partners, Microsoft processes around 4.5 million files and data points per day through its automated systems. Traditional processing and signature generation simply could not scale to cover the sheer number of encounters.
Traditional, signature-based anti-virus doesn’t predict. It can only make exact or, at best, fuzzy matches to threats that have already been seen before. It is reactive by nature. It’s imperative that next-generation anti-virus systems can instantly analyse and predict an attack at first sight – possibly the only time that a threat will ever be seen. Expert systems, like machine learning models, must exponentially amplify protection from a limited number of samples to protect customers from millions of never-before-seen malware.
Currently, for every sample analysed by a Microsoft expert, Microsoft protects against an average of 4 500 other malicious samples through its next-generation anti-virus technologies.
Traditional methods of analysing and detecting can’t scale, but that doesn’t mean human analysis isn’t important. On the contrary, next-generation anti-virus protection relies on accurate labels from expert analysis to accurately train performant models.
Microsoft’s approach leverages this expert analysis, along with all its data from the Microsoft Security Intelligence Graph, to amplify protection through machine learning, automation and behavioural analysis, which are delivered through client- and cloud-based protection. On average, a manual investigation amplifies protection against other threats to 12 000 customers.
Windows Defender Antivirus is just one key component in the fight against malware and other types of threats. Windows Defender Advanced Threat Protection (Windows Defender ATP) can help customers to detect and respond to advanced attacks that might get past your primary defences. These features combined provide a secure and full-featured suite of solutions to help customers achieve the security profile that today’s modern threat landscape and customer demand.
“iSSC works with customers to establish an appropriate cyber security defence solution by running security assessments on the customer’s environments. This provides us with a score and we share this with customers to show them how to improve and enable future sets in the current platform. It also allow us to up-sell and enable the Defender suite,” says Henrico.