Hardware-Based Threat Detection: A Technology Ripe for Productization

Hardware-based threat detection is not an emerging technology, but one that is becoming increasingly visible today. A number of factors are underlying the importance of defense in depth technologies, not the least being the damaging software supply-chain attacks in trusted programs (e.g., SolarWinds and Kaseya) that have surfaced in the last few years. This is compounded by an increasingly hostile cyberthreat landscape where political discord (pitting the West against Russia and China) is enabling more brazen cybercriminal enterprises to flourish.

But beyond the Fear, Uncertainty, and Doubt (FUD) narrative, there are important breakthroughs in technology development around edge compute that are driving better endpoint processing capabilities, notably the use of Artificial Intelligence (AI) for detecting host-based threats, and better use of co-processors to offload continuous monitoring and Machine Learning (ML) processes.

Hardware-based threat detection generally leverages host-based Intrusion Detection Systems (IDSs), in that they are processor-based behavior monitoring systems capturing and analyzing processor telemetry data to determine if unusual activity is malicious or not. These systems can be knowledge or anomaly based. Endpoints that leverage Central Processing Units (CPUs) have been making use of such hardware-based detection mechanisms for some time.

Intel’s Threat Detection Technology (TDT) is a good example. It uses a combination of CPU telemetry and ML heuristics to detect malware. And it does this in a zero-trust way, so that all processes (including those from legitimate applications) undergo such monitoring on a continual basis. The two key innovations are: 1) it offloads some of that processing capability (e.g., telemetry data monitoring) to an integrated Graphics Processing Unit (GPU); and 2) the technology uses continuous learning algorithms to update the models (e.g., control-flow models) after deployment.

This type of CPU-based threat detection technology can significantly enhance Endpoint Detection and Response (EDR) technologies, which has tended to evolve up the stack with Extended Detection and Response (XDR), when it should also be providing equal value to the threat detection capabilities available today within processors. Any defense in depth strategy would be remiss if it did not consider the hardware on equal par with the rest.

Technologies like Intel’s TDT are mature, well-tested, and effective. Their true value is in the information they can feed to other EDR and Security Information and Event Management (SIEM) tools, and this is increasingly becoming apparent to the broader cybersecurity industry. EDR and network security vendors are competing in a highly saturated and aggressive market where differentiation is key; hardware-based threat detection is ripe for productization.

Endpoint devices, such as PCs and laptops, are today’s target devices, both on desktops and in server rooms. Cloud-based infrastructures and Internet of Things (IoT) deployments are the next step. AI-based cybersecurity offerings are already coalescing around the former market, but the focus is more on leveraging these application frameworks in infrastructure-focused processors for data and network security like Data Processing Units (DPUs) (e.g., NVIDIA Morpheus and Marvell OCTEON), rather than CPU-based TDTs.

The other emerging market will be around other edge devices, notably the IoT. While there is a growing market around firmware hardening and runtime protection, the future demand will be on runtime monitoring, including reporting and recording deep root cause analysis to Systems-on-Chips (SoCs), analysis of telemetry data on security events gathered from payloads, publishing alerts to SIEM tools/IDSs, analytics systems to detect command injection and access manipulation. A service-based model using cloud-based analytics and AI frameworks is the natural extension to runtime monitoring. This also creates new revenue opportunities for hardware-based threat detection, not the least because of these devices’ limited ability to integrate resource-intensive solutions on-device. A number of companies are focused on this market (e.g., RunSafe Security and Sternum), but they are focused mainly on constrained devices, so the capabilities are still limited. Secure Microcontroller Units (MCUs) are the most likely candidates for hardware-based threat detection, and their increasing prominence and use in the IoT market will intersect eventually with the maturing landscape in CPU-based threat monitoring. The market remains very much open on that front and the advantage will be significant for the first movers in that space.