
HIPS

Hi,

Signature-based and machine learning scanning are there, so why is HIPS (the behavioural approach) still required?

And what is synchronised security?

Thanks 



  • Signature and machine learning both really classify files.  Machine learning may take a million known good and bad files and create some sort of model that allows it to score files it hasn't seen.  Maybe it gives the newly seen file a score of how malicious it appears to be based on what it has learned.  You then still need to draw a line where you would block a new file from executing.  Once you do let something run, you can then still observe its behaviour for characteristics that might suggest it's malware or at least worth closer inspection.  This is HIPS, for example, the process is running, it copies itself to the temp location, and sets up a run key in the registry to ensure it runs at each boot.  These behaviours trigger rules which build up to cause a file to be blocked, process terminated, etc...

    Synchronised security is a way for the Endpoint products to share information with another component in the system, e.g. the Firewall.  The firewall does a reasonable job of classifying traffic, be it browser, VoIP, etc., but it is made easier if the client shares information with the firewall, to say, for example, that this traffic came from this process.  It's really about sharing intelligence from all angles to build up a better picture.  The FW can block an endpoint from talking to a good endpoint, for example, if the health of the client is questionable, etc.

    Videos for synchronised security

    https://www.youtube.com/watch?v=6cx3lw8reBY

    https://www.youtube.com/watch?v=eP53l3aoSso 

    https://www.youtube.com/watch?v=Ul9GOoWnwGk

    Regards,

    Jak
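As an added illustration of how behavioural rules "build up" to a verdict the way the reply above describes (example code written for this thread, not Sophos product code; the event format, rule weights, thresholds and sample events are all assumptions constructed for the example):

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One observed action of a running process (constructed format, not real telemetry)."""
    pid: int
    image: str   # full path of the process executable
    kind: str    # "file_write", "reg_set" or "net_connect"
    target: str  # file path, registry value path or remote host

def _copies_self_to_temp(e: Event) -> bool:
    # A write of a file carrying the process's own name into a Temp directory.
    return (e.kind == "file_write" and "\\temp\\" in e.target.lower()
            and ntpath.basename(e.target).lower() == ntpath.basename(e.image).lower())

def _sets_run_key(e: Event) -> bool:
    # A value under a CurrentVersion\Run key makes the program start at each boot.
    return e.kind == "reg_set" and "\\currentversion\\run\\" in e.target.lower()

def _outbound_connection(e: Event) -> bool:
    return e.kind == "net_connect"

# Weighted behaviour rules; each fires at most once per process (assumed weights).
RULES = [("copies_self_to_temp", 40, _copies_self_to_temp),
         ("sets_run_key", 35, _sets_run_key),
         ("outbound_connection", 10, _outbound_connection)]
INSPECT_AT, BLOCK_AT = 30, 60   # assumed thresholds

def evaluate(events):
    """Return {pid: (score, [fired rule names], verdict)} after scoring all events."""
    fired = defaultdict(list)
    for e in events:
        for name, _, pred in RULES:
            if name not in fired[e.pid] and pred(e):
                fired[e.pid].append(name)
    result = {}
    for pid, names in fired.items():
        score = sum(w for n, w, _ in RULES if n in names)
        verdict = "block" if score >= BLOCK_AT else "inspect" if score >= INSPECT_AT else "allow"
        result[pid] = (score, names, verdict)
    return result

# Constructed sample event stream: one process copies itself to Temp, persists and
# calls out; one is a plain editor; one only adds a run key.
SAMPLE_EVENTS = [
    Event(100, r"C:\Users\bob\Downloads\invoice.exe", "file_write", r"C:\Users\bob\AppData\Local\Temp\invoice.exe"),
    Event(100, r"C:\Users\bob\Downloads\invoice.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\invoice"),
    Event(100, r"C:\Users\bob\Downloads\invoice.exe", "net_connect", "198.51.100.7:443"),
    Event(200, r"C:\Windows\System32\notepad.exe", "file_write", r"C:\Users\bob\Documents\notes.txt"),
    Event(300, r"C:\Users\bob\Downloads\setup.exe", "reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\setup"),
]

if __name__ == "__main__":
    for pid, (score, names, verdict) in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(pid, score, verdict, names)
```

Note that no single rule reaches the block threshold on its own; only the combination of copying itself to Temp and setting a run key does, which is the point of observing behaviour after a file has been allowed to run.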

  • Hi,

     Thanks for the reply 

    What does it mean " The Machine Learning scan is looking for the techniques used in exploits rather than the specific characteristics of a malicious file " 

     

    Thanks
