With an increasing number of IT executives concerned about the impact and legal ramifications posed by the threats of advanced malware and a decreasing level of confidence in their ability to combat or detect these threats, Endpoint Detection and Response (EDR) solutions have quickly become essential for businesses looking to manage cybersecurity risk.
What Does Antivirus Do?
Antivirus software helps protect your computer against some malware by using a single approach: identifying known malicious programs. It examines files, and in some cases sections of code within those files, and matches them against known signatures. Antivirus looks for known threats, and some products also monitor the behavior of running programs and flag anything suspicious. In summary, antivirus:
- Looks for “known bad”, i.e. signatures: programs that exactly match the signature of a previously identified virus.
- In some cases examines sections of code within files, rather than whole files, to match against a known signature.
- Typically performs a full scan on installation and then scans any file when it is accessed.
- Can be configured to completely overlook files and folders, so it is critical that it be configured correctly.
- Is completely reliant on the definitions provided by the vendor.
Why is this a problem?
This sounds great until you realize that less than 10% of all malware is categorized as a virus and that there are categories of malware that antivirus simply cannot detect and/or stop. The majority of malware today is considered a hybrid (typically a combination of trojans and worms) designed specifically to evade detection by antivirus, firewalls and other common approaches to prevention.
Over half of the malware today is fileless, meaning it exploits and spreads in memory only, or by using other “non-file” OS objects such as registry keys, APIs or scheduled tasks. A newer category, modular malware, is even more dangerous because it detects characteristics specific to your environment and evolves its functionality to become much more robust, evasive and effective. Antivirus is simply a one-trick pony, and cybercriminals know it.
How is malware detected?
Because most malware today leverages hybrid approaches, security tools must also use a hybrid approach to detection. Effective solutions, including the best Endpoint Detection and Response (EDR) products, don’t rely on a single technique; instead they combine multiple methods for detecting malware and malicious actions within your environment, such as:
- Signature-based detection – (Does the file match anything known to be bad?) The same approach as antivirus.
- Heuristic-based detection – (Does the file look similar to anything known to be bad?) Examines files to see whether they have suspicious properties; in some cases the code is even decompiled so that sections of it can be inspected. This method is typically effective at detecting polymorphic viruses (viruses that constantly change and adapt). It is considered fast and practical, but not optimal or perfect.
- Behavioral-based detection – (Does the file behave similarly to any known attack?) This type of detection evaluates an object based on its intended actions before it can carry them out. That spans multiple dimensions, including how the object interacts with other systems and with your data, the patterns of traffic it generates, and so on. This method relies heavily on elements like machine learning, advanced correlation engines and behavioral biometrics, and because of this it requires time and resources to fully leverage. The analysis is typically done on the back end, in a cloud environment, to avoid impacting the performance of your systems.
- Sandbox detection – Similar to behavioral-based detection, but this method goes further by detonating the object in an isolated environment to see exactly how it acts when run. Some forms of advanced malware use sandbox evasion techniques, which emphasizes the need for a multi-pronged approach to detection.
- Data mining techniques – This method uses statistical analysis to look for anomalies in patterns of data usage that do not conform to normal user behavior, or that align with known malicious activity such as an intrusion. One such method is “Long Tail Analysis”, which operates on the premise that the most frequent events are the least useful and the least frequent events are the most useful. It therefore focuses on rare events, items or observations that may indicate suspicious activity.
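As an added illustration of Long Tail Analysis (this is example code written for this page, not code from the original post or from Corsica), the following Python ranks parent/child process pairs from endpoint telemetry by how many hosts they appear on, so the rarest pairs surface first for an analyst to review. The telemetry records, host names and process names are constructed for the example.

```python
"""Long-tail analysis over constructed endpoint process telemetry."""
from collections import Counter, defaultdict

# Constructed sample telemetry: (host, parent_process, child_process).
# These records are made up for the example; they are not real data.
EVENTS = [
    ("ws01", "explorer.exe", "outlook.exe"),
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "outlook.exe"),
    ("ws02", "explorer.exe", "chrome.exe"),
    ("ws03", "explorer.exe", "outlook.exe"),
    ("ws03", "explorer.exe", "chrome.exe"),
    ("ws04", "explorer.exe", "outlook.exe"),
    ("ws04", "explorer.exe", "chrome.exe"),
    ("ws04", "explorer.exe", "chrome.exe"),
    ("ws03", "winword.exe", "powershell.exe"),  # seen on a single host only
    ("ws02", "svchost.exe", "mshta.exe"),        # seen on a single host only
]


def pair_stats(events):
    """Return {(parent, child): (event_count, distinct_host_count)}."""
    counts = Counter()
    hosts = defaultdict(set)
    for host, parent, child in events:
        key = (parent, child)
        counts[key] += 1
        hosts[key].add(host)
    return {k: (counts[k], len(hosts[k])) for k in counts}


def long_tail(events, max_hosts=1):
    """Pairs seen on at most max_hosts hosts, rarest first.

    Long-tail premise: the most frequent pairs are the least interesting,
    so the output is sorted by host count, then event count, then name.
    """
    stats = pair_stats(events)
    rare = [(k, c, h) for k, (c, h) in stats.items() if h <= max_hosts]
    rare.sort(key=lambda t: (t[2], t[1], t[0]))
    return rare


if __name__ == "__main__":
    print("parent -> child | events | hosts")
    for (parent, child), c, h in long_tail(EVENTS, max_hosts=len(EVENTS)):
        print(f"{parent} -> {child} | {c} | {h}")
```

Raising `max_hosts` widens the review window; in a real fleet the threshold would be a small fraction of the total host count rather than a fixed number.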
What are some other benefits of EDR?
- Visibility – Real-time visibility across all your endpoints allows you to view adversary activities, even as they attempt to breach your environment, and stop them immediately. Without visibility, you can’t have prevention.
- Protections for the devices that are important to your organization. Most organizations rely heavily on mobile devices but lack any protective measures. Our EDR works on all systems, including mobile devices.
- Threat Database/ Threat Feeds – With multiple detection mechanisms in place, threat intelligence is more important than ever. Ensuring a constant stream of current threat TTPs is critical to the efficacy of any EDR.
- Behavioral Protection – Determining not only what is good in general, but what is normal for your organization, is critical for spotting anything that doesn’t ‘behave’ as it should in your network.
- Machine learning that aligns insight about your network with intelligence on threat TTPs helps ensure the best possible fit for your organization.
- Fast Response – when something bad happens, does the tool have the capability to detect it and stop it NOW?
- Cloud-based Solution – a flexible design that leverages all the resources needed without impacting your systems while also protecting your systems wherever they go.
The threats to your organization extend beyond malware. Why not use an effective tool like EDR that can also help combat:
- Misuse of legitimate applications (PowerShell, WMI, MSHTA)
- File-based attacks (Microsoft Office, Adobe PDF, etc.)
- Unwanted software (browser toolbars, PUPs)
- Insider threats (malicious employee, compromised credentials, accidental release of data)
- Suspicious user activity
If you have questions around your business’ cybersecurity, a great first step is a Security Posture review. Our team of cybersecurity experts will take an in-depth look at your processes and technology to reveal any potential gaps along with steps on how to remediate and make your business more secure. Learn more about the Security Posture review here or give us a call at (877)901-2022.
Delano Collins is the Vice President of Corsica Cybersecurity, LLC, a security solutions provider specializing in monitoring, audits, assessment and incident response. With a background in the banking industry, a former CIO, ISO and more than 25 years of experience in the technology sector, Delano has spent his career specializing in cybersecurity, compliance and secure network design.