Annual Computer Security Applications Conference (ACSAC) 2023

Prioritizing Remediation of Enterprise Hosts by Malware Execution Risk

Defending an enterprise network requires making prioritization decisions daily; one is deciding which compromised hosts to remediate (reimage). We study the utility of endpoint monitoring data to perform this prioritization, with the driving goal being to minimize "regret" as measured by future (next-week) malware execution on hosts whose remediation was deprioritized. Leveraging data gathered by the vendor of a major endpoint protection product, we show that it is possible to prioritize remediation by training a classifier that predicts imminent malware execution. Perhaps surprisingly, while it is possible to train on data collected across an array of enterprises to which endpoint protection is deployed, at least in the case of the endpoint protection vendor (itself a major, worldwide company), predictive performance for a single enterprise can be superior when training is restricted to the enterprise itself. Another advantage of the single-enterprise training set is the ease of combining different views of the hosts, such as via file-based and network-based monitoring, which can further improve the prediction of malware execution.
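The abstract's "regret" metric and the budgeted prioritization it scores can be made concrete with a small evaluation harness. The following is an added illustration, not the paper's code or data: the host records, the two feature columns (a file-based detection count and a network-based blocked-connection count) and the scoring weights are all constructed here, and the ranking policies stand in for the trained classifier the paper describes.

```python
"""Remediation prioritization under a weekly budget, scored by regret.

Added example (not from the paper). Regret follows the abstract's definition:
the number of hosts that were deprioritized (not remediated this week) and
then executed malware in the following week.
"""
from dataclasses import dataclass
from typing import Callable, List, Set


@dataclass(frozen=True)
class HostWeek:
    host: str
    detections_7d: int        # file-based view: endpoint detections, past week (constructed)
    blocked_conns_7d: int     # network-based view: blocked outbound connections (constructed)
    executed_next_week: bool  # ground truth for the following week (constructed)


# Constructed sample population: eight hosts, three of which go on to run malware.
HOSTS: List[HostWeek] = [
    HostWeek("ws-01", 5, 0, True),
    HostWeek("ws-02", 1, 12, True),
    HostWeek("ws-03", 4, 0, False),
    HostWeek("ws-04", 0, 1, False),
    HostWeek("ws-05", 2, 9, True),
    HostWeek("ws-06", 3, 0, False),
    HostWeek("ws-07", 0, 0, False),
    HostWeek("ws-08", 1, 1, False),
]

Scorer = Callable[[HostWeek], float]


def file_only_score(h: HostWeek) -> float:
    """Policy 1: rank purely on the file-based view."""
    return float(h.detections_7d)


def combined_score(h: HostWeek) -> float:
    """Policy 2: combine file- and network-based views.

    The weights are hypothetical stand-ins for a classifier's learned
    coefficients; they are not values from the paper.
    """
    return 0.5 * h.detections_7d + 0.4 * h.blocked_conns_7d


def prioritize(hosts: List[HostWeek], score: Scorer, budget: int) -> List[str]:
    """Return the hosts chosen for remediation: the top-`budget` by score.

    Ties break on hostname so the ranking is deterministic.
    """
    ranked = sorted(hosts, key=lambda h: (-score(h), h.host))
    return [h.host for h in ranked[:budget]]


def regret(hosts: List[HostWeek], remediated: Set[str]) -> int:
    """Deprioritized hosts that executed malware the following week."""
    return sum(1 for h in hosts
               if h.host not in remediated and h.executed_next_week)


def regret_curve(hosts: List[HostWeek], score: Scorer, max_budget: int) -> List[int]:
    """Regret for every budget 0..max_budget, useful for comparing policies."""
    return [regret(hosts, set(prioritize(hosts, score, b)))
            for b in range(max_budget + 1)]


if __name__ == "__main__":
    budget = 3  # hosts the team can reimage this week
    for name, scorer in (("file-only", file_only_score), ("combined", combined_score)):
        chosen = prioritize(HOSTS, scorer, budget)
        print(f"{name:9s} remediate={chosen} regret={regret(HOSTS, set(chosen))}")
    print("combined regret by budget:", regret_curve(HOSTS, combined_score, budget))
```

With a budget of three, the file-only policy spends its slots on hosts with many detections but no later execution and misses two that do execute malware; the combined policy, which also sees the network view, leaves no regret at that budget. The curve function makes the same comparison across budgets, which is how one would judge whether a richer feature set helps at the remediation capacity a given team actually has.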

Andrew Chi
Cisco Systems

Blake Anderson
Cisco Systems

Michael K. Reiter
Duke University

Paper (ACM DL)

Slides