CIS Safeguard 10.7: Use Behavior-Based Anti-Malware Software

CIS Safeguard 10.7: Use Behavior-Based Anti-Malware Software

By Steve Gold
Posted in Security
On June 09, 2026

Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation

In Terminator 2: Judgment Day, the T-1000 is terrifying precisely because it looks like anything. It can morph into a police officer, a floor, a person you trust. A security system checking for a "known bad" appearance would have no chance, because the T-1000 has no fixed form. The only way to catch it is to watch what it does: it hunts, it pursues, it kills. The behavior gives it away, even when the appearance doesn't.

That's the exact problem behavior-based anti-malware is built to solve.

What Is CIS Safeguard 10.7?

CIS Safeguard 10.7 is part of CIS Critical Security Control 10 – Malware Defenses, and it applies to organizations in Implementation Group 2 (IG2) and above. The safeguard requires organizations to:

"Use behavior-based anti-malware software."

Traditional, signature-based anti-malware works by comparing files against a database of known threats. If the malware is on the list, it gets flagged. If it isn't, because it's new, modified, or deliberately obfuscated, it walks right through.

Behavior-based tools work differently. Instead of asking "have I seen this before?", they ask "what is this actually doing?"

Why It Matters

Attackers have known about signature-based detection for decades. Modern malware is specifically engineered to evade it, using polymorphic code that changes its signature with every infection, fileless techniques that never touch disk, and living-off-the-land tactics that abuse legitimate system tools like PowerShell and WMI.

By the time a new threat makes it into a signature database, it may have already compromised thousands of organizations. Behavior-based detection closes that window.

The two primary techniques at work:

  • Heuristic analysis, identifies threats by analyzing behavioral characteristics rather than matching code. If something is attempting to escalate privileges, disable security tools, or enumerate the file system in an unusual way, that's suspicious, regardless of whether it's on a known-bad list.
  • Sandboxing, executes a suspicious file in an isolated environment and watches what it tries to do before allowing it anywhere near a production system.

Together, these approaches catch threats that signature-based tools were never designed to detect.

How to Implement Safeguard 10.7

  1. Audit your current endpoint protection tools. Determine whether your existing anti-malware solution includes behavior-based detection. Many legacy tools are still primarily signature-based. "Next-gen" is a marketing term, verify the actual detection methods in use.
  2. Deploy an endpoint detection and response (EDR) solution. Modern EDR platforms are built around behavioral detection. They monitor process activity, network connections, file modifications, and registry changes in real time, and flag deviations from expected behavior.
  3. Enable sandboxing for suspicious file analysis. Whether built into your endpoint platform or part of an email/web gateway, sandboxing adds a critical layer before unknown files execute in your environment.
  4. Tune your behavioral detection rules. Out-of-the-box behavioral rules generate noise. Work with your security team or managed service provider to calibrate thresholds to your environment, reducing false positives without creating blind spots.
  5. Ensure coverage across all endpoints. Behavior-based tools are only effective where they're deployed. Gaps in coverage, unmanaged devices, cloud workloads, remote endpoints, are exactly where attackers look for footholds.
  6. Integrate alerts into your SIEM or SOC workflow. Behavioral detections are most valuable when they're correlated with other signals. A behavioral alert on an endpoint combined with unusual outbound network traffic is an incident waiting to be investigated.

Back to the T-1000

The heroes in T2 don't defeat the T-1000 by consulting a "known Terminator" database. They survive by studying its patterns, what it wants, how it moves, what it can't help doing. That behavioral understanding is what gives them a fighting chance.

Your security stack needs the same capability. Signatures describe threats from the past. Behavior-based detection gives you a shot at catching what's in front of you right now.

Final Thoughts

CIS Safeguard 10.7 is a recognition that the threat landscape has outpaced signature-based detection. Malware authors are not standing still, and neither should your defenses. The question isn't whether behavior-based tools can replace traditional anti-malware, it's whether you can afford to operate without them.

Know what's on your endpoints. Know what it's doing. Because in security, as in science fiction, it's the behavior that exposes the threat, not the face.

Resources

Here's a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security.

Looking for even more detail? Here you go. If this still doesn't satisfy your curiosity, DM me.

CIS Control 10 – Malware Defenses Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

CIS Safeguard 10.7 – Use Behavior-Based Anti-Malware Software Use behavior-based anti-malware software.

Shameless Marketing Information

Gotham Technology Group offers endpoint detection and response (EDR) and managed security services to help organizations implement behavior-based malware defenses. Reach out to learn how we can help you move beyond signatures.

Steve Gold

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies such as Varonis, VMware, Dell & Wyse Technology

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.