Updates for your security solution are so 90s. You don’t even need them if you use a so-called “next-gen” solution that can protect and learn everything directly on your endpoint, right? Well, not exactly. The truth is that without regular updates your endpoint is left standing alone against an entire army of cybercriminals. And it will only be a matter of time before you are spotted as easy prey.

Emerging cybersecurity vendors criticize their established counterparts for depending on regular updates. As an alternative, they offer to protect business clients via a machine learning (ML) algorithm that acquires all the necessary data on their clients’ local machines and in their security environments, resulting in one “perk”: No updates necessary. But is that really an advantage?

Solutions that protect systems locally can be very effective and relatively successful in countering threats. However, this is only true for:

  a) Specific environments with very limited functionality; or
  b) Systems that are strongly averse to change or are – partially or totally – isolated from connections to the outside world.

Not every company operates in the narrowly focused way that a production line does. On the contrary, the vast majority of endpoints in small, medium and large companies need to communicate with contractors, clients and potential partners, as well as with each other; this requires near-constant connection.

So even if the security algorithm is good at learning from the user and his network, without updates it can have difficulty correctly identifying incoming external data as clean or malicious. This can lead not only to an increase in the rate of false positives but, in the worst-case scenario, also to a “miss” – an infection caused by mistaking malware for a clean item.

Updates to the detection database are the way to correct such errors and avoid unnecessary false alarms.

Where updates come into play ...

By opting for a regularly updated solution from an established security vendor – such as ESET – business endpoints connect to a worldwide network (in our case, ESET LiveGrid®). Based on data from its tens of millions of nodes, ESET’s protection systems combine human oversight with the latest technologies to provide real-time updates to our whitelists and systems, which can then properly label suspicious or unfamiliar items with a high degree of accuracy.

There are other benefits too.

In addition to lower false positive rates, updates also reduce company-side hardware demands. Since any of the analyzed samples may already have been evaluated by other endpoints in the global network, they don’t require reevaluation.

In addition, the updated solution can use the data to create a reliable threat database stored in the cloud. By sharing with all recognized endpoints, this can protect users from a wider array of malicious items than an ML algorithm that only learns from a very limited number of machines.

By contrast, a solution that relies solely on local information will probably make an error at some point. However, without human supervision or an updated database to compare itself to, this error will become part of the algorithm’s learning material and remain in the system forever. Which is beneficial – but only to attackers.

Purely machine learning solutions make decisions based on features extracted from malicious items. If a sample is too dissimilar from all the previously evaluated materials, the algorithm doesn’t know what to extract – and becomes practically blind. On the other hand, solutions that leverage updates can cover extraction methods and samples, whenever machine learning cannot do so on its own.

No test, no cry

To add to the confusion, post-truth vendors avoid independent testing. Without exposing their non-updated solutions to real world scenarios, there is no proof that these products can deliver what their makers promise. The often-declared excellent results come only from well-crafted artificial scenarios, where the algorithm only has to cope with known malware sample sets.

At present, the vast majority of existing malicious items are not designed to pass under the radar of these so-called “next-gen” products, particularly since the number of computers running them is still relatively small. But this situation can change rapidly.

To update, or not to update? That is not the question

Ignoring updates means ignoring the real world and the way it works. Adversaries are well funded and just as creative as their peers in the cybersecurity industry, so underestimating their ability to find new workarounds for current solutions can lead to very damaging results.

Updated systems know what they are up against and do not count only on what has already been seen. By recognizing the global context, adopting multiple protection technologies, and adding both proactive and machine learning elements to their solutions, ESET as an established vendor constantly strives to achieve an equilibrium that is as close as possible to perfect detection with the lowest number of false positives.

ESET provides real-time updates for whitelisting and protection whenever users connect to LiveGrid®. To learn more about these features as well as our technology, see the other blog posts in our series.

The whole series:

  1. Editorial: Fighting post-truth with reality in cybersecurity
  2. What is machine learning and artificial intelligence?
  3. Most frequent misconceptions about ML and AI
  4. Why ML-based security doesn’t scare intelligent adversaries
  5. Why one line of cyberdefense is not enough, even if it’s machine learning
  6. Chasing ghosts: The real costs of high false positive rates in cybersecurity
  7. How updates make your security solution stronger
  8. We know ML, we’ve been using it for over a decade

With contributions from Jakub Debski & Peter Kosinar