Using such technology is different to deploying such technology to the client. All vendors have used such systems for a long time, internally. AI/sandboxes/ML are typical deployments for AV vendors to analyze samples. But that then generates signatures that go to QA then eventually get deployed. Many AV vendors use the same systems - there is a whole layer of products above the AV vendors like Lastline (check lastline.com).
Some of the f-secure stuff is like old school IPS where it looks across the entire enterprise for anomalies and that is cool. But it is not the same as ATP/NGAV/AEP.
Here's a comparison of how SonicWall's ATP works...
- user downloads a file of interest (executable, pdf, office doc, etc)
- file is hashed and compared with a local database/known verdicts, then cloud database. If it is a known good file it is allowed through; if it is a known bad file it is blocked
- local and cloud AV signature based scan occurs, if bad then it is dropped <- this is at less than a second
- unknown verdict results in the file being submitted to the cloud
- multivendor AV scan engine (65 vendors, including f-secure) scans the file. if it is bad it is blocked <- this is at 4 seconds
- unknown verdict results in the file being passed onto 3 sandbox engines (Lastline, VMRay, and SonicWall's own)
- file is analyzed and a verdict passed back <- this is at 2-4 minutes
- if the file is bad then depending on the device config it is either blocked or alerted on
- if the file is bad then it is flagged for further analysis so that a signature can be created, QA'd and released within 24 hours
This is done on either the network (firewall), and/or via email security systems as well. Their PC client uses a combo of this and SentinelOne.
This catches malware for which no signature/behaviour exists in traditional av engines. Globally they catch around 800 new unique malware per day (as in send it to any traditional av vendor like f-secure and it comes through as clean).
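The staged pipeline in the post above (hash lookup, signature scan, multi-vendor scan, sandbox, then a verdict that feeds back into the known-hash database), modelled as an added example that is not SonicWall's or any vendor's code. The scanners, sample byte patterns, hash database and cumulative latencies are constructed stand-ins; `block_on_sandbox` is a hypothetical name for the block-or-alert device setting.

```python
import hashlib

ALLOW, BLOCK, UNKNOWN = "allow", "block", "unknown"

# Constructed stand-ins for the local/cloud verdict DB and the signature feeds.
KNOWN_VERDICTS = {
    hashlib.sha256(b"MZ constructed benign installer").hexdigest(): ALLOW,
    hashlib.sha256(b"MZ constructed known-bad sample").hexdigest(): BLOCK,
}
LOCAL_SIGNATURES = [b"constructed-sig-A"]
VENDOR_ENGINES = [            # each "engine" is just a substring check here
    lambda d: BLOCK if b"vendor1-pattern" in d else UNKNOWN,
    lambda d: BLOCK if b"vendor2-pattern" in d else UNKNOWN,
]

def hash_lookup(data):
    return KNOWN_VERDICTS.get(hashlib.sha256(data).hexdigest(), UNKNOWN)

def signature_scan(data):
    return BLOCK if any(sig in data for sig in LOCAL_SIGNATURES) else UNKNOWN

def multivendor_scan(data):
    # One detection among the engines is enough to block.
    return BLOCK if any(e(data) == BLOCK for e in VENDOR_ENGINES) else UNKNOWN

def sandbox(data):
    # Stand-in for behavioural detonation: a constructed marker plays the role
    # of observed malicious behaviour. The sandbox always returns a verdict.
    return BLOCK if b"constructed-bad-behaviour" in data else ALLOW

# (stage name, scanner, constructed cumulative latency in seconds, per the post)
STAGES = [("hash-lookup", hash_lookup, 0.1), ("signature", signature_scan, 0.9),
          ("multivendor", multivendor_scan, 4.0), ("sandbox", sandbox, 180.0)]

def classify(data, block_on_sandbox=True):
    """Return (action, deciding_stage, seconds). Cheap stages run first and an
    unknown verdict falls through to the next, more expensive one."""
    for name, scan, seconds in STAGES:
        verdict = scan(data)
        if verdict == UNKNOWN:
            continue
        if name == "sandbox" and verdict == BLOCK:
            # Feedback loop: the sandbox verdict becomes a known hash, so the
            # same sample is stopped at the first stage next time.
            KNOWN_VERDICTS[hashlib.sha256(data).hexdigest()] = BLOCK
            if not block_on_sandbox:
                return ("alert", name, seconds)
        return (verdict, name, seconds)
    raise RuntimeError("sandbox stage must always decide")
```

Run `classify` twice on the same sandbox-detected sample to see the second submission decided at the hash-lookup stage instead of after the full sandbox delay.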