Devices must remain secure, regardless of where they are being used in today’s work-from-anywhere business model. Software-based security alone is not enough to defend data and IT infrastructure against increasingly sophisticated threats. Hackers can bypass software-based security to exploit vulnerabilities at a lower layer, meaning at the firmware, BIOS, OS, or hypervisor level. This rapid evolution of the cyber threat landscape requires organizations to use a multilayered approach to strengthen the systems security chain, including both hardware- and software-based technologies, starting from the root with platform silicon.
Three Levels of Systems Protection
Humans are the weakest link when it comes to PC security. Phishing, weak passwords, and human error are significant vulnerabilities when it comes to cybersecurity. Adopting procedures and training that educate employees on security best practices is a recommended PC security strategy. At the same time, organizations can rely on hardware-level security to help protect their PCs with confidence.
A comprehensive cybersecurity strategy considers three levels of protection:
- Foundational security below the OS level helps verify trustworthiness of devices and data from boot-up through operations.
- Workload and data protection protects data through accelerated encryption and trusted execution for hardware-isolated data protection.
- Advanced threat protections help augment endpoint security solutions to identify threats that use sophisticated evasion techniques.
Combined, these three levels ensure systemic protection for PCs and their data.
Survey Results Indicate Security Strategy Investments Are a Priority
PCs are the third-highest source for breaches, according to a Verizon investigative report1. And according to a report by Forrester2, businesses understand the importance of cybersecurity but struggle to implement hardware-based solutions: 80 percent of ITDMs believe that managing the complexity of hardware-based security is a challenge.
Security strategy is now a mandate for organizations. Ponemon Institute independently conducted a survey of 1,406 individuals in the United States, Europe, the Middle East, Africa, and Latin America who influence decision-making around security technology investments for their organizations. Key findings from the study, sponsored by Intel, include:
- 53 percent of respondents say their organizations refreshed their security strategy because of the pandemic.3
- Of the 36 percent of organizations using hardware-assisted security solutions, 85 percent say hardware- and/or firmware-based security is a high or very high priority in their organization.3
Silicon-level Security Protects Up the Stack
Each layer of the stack is only as good as the one below it. Investing in sophisticated security technologies at every layer, from firmware to BIOS to data, means better protection up the stack for IT operations. Protecting your PCs depends on the next-lowest layer of protection. By using hardware-based security features built into the silicon level, you can secure data and maintain device integrity based on a trusted foundation.
At the firmware layer, malware can gain highly privileged access to the system and is difficult to detect using software. Intel® Device Protection Technology, also known as Intel® Boot Guard, and Intel® Platform Firmware Resilience (Intel® PFR) can help verify trusted startup, block interference, and recover to a known state if compromised.
At the BIOS, OS, and hypervisor layer, Intel® Trusted Execution Technology (Intel® TXT) helps attest that these operations have not been compromised.
Virtualization uses software to create an abstraction layer over computer hardware that allows the hardware elements of a single computer—such as processors, memory, storage, and more—to be divided into multiple virtual computers, commonly called virtual machines (VMs). This enables a more modern architecture to run business applications and provides for additional hardware-security-enforced isolation capabilities. You can help protect user access credentials, workspaces, applications, and data in hardened enclaves as well without impacting the user experience. You can:
- Run virtual machines for security-based isolation with application compatibility across different operating systems running on the same PC with the many capabilities featured in Intel® Hardware Shield.
- Use Windows Defender Credential Guard and Application Guard with Intel virtualization capabilities to help protect against OS kernel‒level malware and browser-based attacks.
- Complement virtualization with hardware-based encryption to help protect data at every layer.
Intel works with major endpoint security software ISVs, including ESET, Microsoft Defender, and CrowdStrike so that Intel vPro® advanced threat protection is built into their solutions with little configuration required. For example, CrowdStrike used the Intel® TDT Accelerated Memory Scanning capabilities to detect fileless attacks to memory that are now being used as an entry point in 72 percent of all attacks4. The 7x5 boost in performance delivers a broader scanning capability that uncovers early indicators of attack before an attack payload can execute.
For recovery from successful attacks, Intel vPro manageability solutions enable a more reliable firmware update and recovery feature so that ITDMs are willing to patch systems more frequently in the field.
For advanced threat protections, bolster antivirus software to catch threats using techniques that are extremely difficult for security software alone to uncover. Intel® Control-Flow Enforcement Technology (Intel® CET) on 11th Gen systems forward is designed to help defend against return-oriented programming (ROP) attacks to system memory. Intel® Threat Detection Technology (Intel® TDT) defends against ransomware and malicious crypto mining with minimal impact on performance.
A PC powered by Intel vPro® Enterprise for Windows includes the unique capabilities of Intel Hardware Shield built in to deliver one of the highest levels of hardware, software, and data protection right out of the box. This technology has three groups of security technologies: below-the-OS security, application and data protections, and advanced threat protections. It will launch in a trusted state, lock down memory in the BIOS when software is running, and help prevent planted malware from compromising the OS.
Altogether, Intel® hardware-enabled security boosts protection and enables the ecosystem to better defend against modern cybersecurity threats and improve software resilience.
Start with a Root of Trust to Build a Chain of Trust
Security is only as strong as the layer below it. By starting with a root of trust based in the silicon—like Intel delivers—security architects can help create a trusted foundation for computing. Strengthening security features at each layer can make the entire system more secure, which creates a chain of trust through all layers of the IT stack. This helps minimize the impact to system performance, while enabling secure and efficient compute. Investing in security technologies is critical in working toward an operational zero trust strategy for today and tomorrow.
Connection Cybersecurity Services help manage fleets directly using these built-in security and manageability features for detection and response for customers.
For more on PC security, listen to this podcast with Rhett Livengood, Director of Digital Business Enabling at Intel.
1. Gabriel Bassett, C. David Hylender, Philippe Langlois, Alex Pinto, Suzanne Widup, “2022 Data Breach Investigations Report”, Verizon, 2022, https://www.verizon.com/business/resources/T4e0/reports/dbir/2022-data-breach-investigations-report-dbir.pdf.
2. The Forrester Research, Inc., “The Total Economic Impact™ Of Intel AI Report”, June 2021, https://www.intel.com/content/www/us/en/artificial-intelligence/documents/total-economic-impact-of-intel-ai-report.html.
3. Ponemon Institute LLC, sponsored by Intel, “Security Innovation: Secure Systems Start with Foundational Hardware”, April 2022, https://download.intel.com/newsroom/2022/corporate/secure-systems-hardware-study.pdf.
4. CrowdStrike, “2022 Global Threat Report”, 2022, https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2022GTR.pdf.
5. Jenny Mankin, “CrowdStrike Falcon Enhances Fileless Attack Detection with Intel Accelerated Memory Scanning Feature”, March 3, 2022, https://www.crowdstrike.com/blog/falcon-enhances-fileless-attack-detection-with-accelerated-memory-scanning/
Intel® technologies may require enabled hardware, software, or service activation.
No product or component can be absolutely secure.
Your costs and results may vary.
© Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.