Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.
Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.
Signature-Based Antivirus Software
Signature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective property. With signature-based detection, traditional antivirus products can scan a computer for the footprints of known malware.
These malware footprints are stored in a database. Antivirus products essentially search for the footprints of known malware in the database. If they discover one, they’ll identify the malware, in which case they’ll either delete or quarantine it.
When new malware emerges and experts document it, antivirus vendors create and release a signature database update to detect and block the new threat. These updates increase the tool’s detection capabilities, and in some cases, vendors may release them multiple times per day.
With an average of 350,000 new malware instances registered daily, there are a lot of signature database updates to keep up with. While some antivirus vendors update their programs throughout the day, others release scheduled daily, weekly or monthly software updates to keep things simple for their users.
But convenience comes at the risk of real-time protection. When antivirus software is missing new malware signatures from its database, customers are unprotected against new or advanced threats.
While signature-based detection has been the default in traditional antivirus solutions for years, its drawbacks have prompted people to think about how to make antivirus more effective. Today’s next-generation anti-malware solutions use advanced technologies like behavior analysis, artificial intelligence (AI) and machine learning (ML) to detect threats based on the attacker’s intention rather than looking for a match to a known signature.
Behavior analysis in threat prevention is similar, although admittedly more complex. Instead of only cross-checking files with a reference list of signatures, a next-generation antivirus platform can analyze malicious files’ actions (or intentions) and determine when something is suspicious. This approach is about 99% effective against new and advanced malware threats, compared to signature-based solutions’ average of 60% effectiveness.
Next-generation antivirus takes traditional antivirus software to a new level of endpoint security protection. It goes beyond known file-based malware signatures and heuristics because it’s a system-centric, cloud-based approach. It uses predictive analytics driven by ML and AI as well as threat intelligence to:
- Detect and prevent malware and fileless attacks
- Identify malicious behavior and tactics, techniques and procedures (TTPs) from unknown sources
- Collect and analyze comprehensive endpoint data to determine root causes
- Respond to new and emerging threats that previously went undetected.
Countering Modern Attacks
Today’s attackers know precisely where to find gaps and weaknesses in an organization’s network perimeter security, and they penetrate these in ways that bypass traditional antivirus software. These attackers use highly developed tools to target vulnerabilities that leverage:
- Memory-based attacks
- PowerShell scripting language
- Remote logins
- Macro-based attacks.
To counter these attackers, next-generation antivirus focuses on events – files, processes, applications and network connections – to see how actions in each of these areas are related. Analysis of event streams can help identify malicious intent, behaviors and activities; once identified, the attacks can be blocked.
This approach is increasingly important today because enterprises are finding that attackers are targeting their specific networks. The attacks are multi-stage and personalized and pose a significantly higher risk; traditional antivirus solutions don’t have a chance of stopping them.
Explore IBM Security QRadar Solutions
Endpoint Detection and Response
Endpoint detection and response (EDR) software flips that model, relying on behavioral analysis of what’s happening on the endpoint. For example, if a Word document spawns a PowerShell process and executes an unknown script, that’s concerning. The file will be flagged and quarantined until the validity of the process is confirmed. Not relying on signature-based detection enables the EDR platform to react better to new and advanced threats.
Some of the ways EDR thwarts advanced threats include the following:
- EDR provides real-time monitoring and detection of threats that may not be easily recognized by standard antivirus
- EDR detects unknown threats based on a behavior that isn’t normal
- Data collection and analysis determine threat patterns and alert organizations to threats
- Forensic capabilities can determine what happened during a security event
- EDR can isolate and quarantine suspicious or infected items. It often uses sandboxing to ensure a file’s safety without disrupting the user’s system.
- EDR can include automated remediation and removal of specific threats.
EDR agent software is deployed to endpoints within an organization and begins recording activity on these endpoints. These agents are like security cameras focused on the processes and events running on the devices.
EDR platforms have several approaches to detecting threats. Some detect locally on the endpoint via ML, some forward all recorded data to an on-premises control server for analysis, some upload the recorded data to a cloud resource for detection and inspection and others use a hybrid approach.
Detections by EDR platforms are based on several tools, including AI, threat intelligence, behavioral analysis and indicators of compromise (IOCs). These tools also offer a range of responses, such as actions that trigger alerts, isolate the machine from the network, roll back to a known good state, delete or terminate threats and generate forensic evidence files.
Managed Detection and Response
Managed detection and response (MDR) is not a technology, but a form of managed service, sometimes delivered by a managed security service provider. MDR provides value to organizations with limited resources or the expertise to continuously monitor potential attack surfaces. Specific security goals and outcomes define these services. MDR providers offer various cybersecurity tools, such as endpoint detection, security information and event management (SIEM), network traffic analysis (NTA), user and entity behavior analytics (UEBA), asset discovery, vulnerability management, intrusion detection and cloud security.
Gartner estimates that by 2025, 50% of organizations will use MDR services. There are several reasons to support this prediction:
- The widening talent shortage and skills gap: Many cybersecurity leaders confirm that they cannot use security technologies to their full advantage due to a global talent crunch.
- Cybersecurity teams are understaffed and overworked: Budget cuts, layoffs and resource diversion have left IT departments with many challenges.
- Widespread alert fatigue: Security analysts are becoming less productive due to “alert fatigue” from too many notifications and false positives from security applications. This results in distraction, ignored alerts, increased stress and fear of missing incidents. Many alerts are never addressed when, ideally, they should be studied and acted upon.
The technology behind an MDR service can include an array of options. This is an important thing to understand when evaluating MDR providers. The technology stack behind the service determines the scope of attacks they have access to detect.
Cybersecurity is about “defense-in-depth” — having multiple layers of protection to counter the numerous possible attack vectors. Various technologies provide complete visibility, detection and response capabilities. Some of the technologies offered by MDR services include:
- Endpoint protection platform
- Intrusion detection system.
Extended Detection and Response
Extended detection and response (XDR) is the next phase in the evolution of EDR. XDR provides detection and protection across various environments, including networks and network components, cloud infrastructure and Software-as-a-Service (SaaS).
Features of XDR include:
- Visibility into all network layers, including the entire application stack
- Advanced detection, including automated correlation and ML processes capable of detecting events often missed by SIEM solutions
- Intelligent alert suppression filters out the noise that typically reduces the productivity of cybersecurity staff.
Benefits of XDR include:
- Improved analysis to help organizations collect the correct data and transform that data with contextual information
- Identify hidden threats with the help of advanced behavior models powered by ML algorithms
- Identify and correlate threats across various application stacks and network layers
- Minimize fatigue by providing prioritized and precise alerts for investigation
- Provide forensic capabilities needed to integrate multiple signals. This helps teams to construct the big picture of an attack and complete investigations promptly with high confidence in their findings.
XDR is gaining in popularity. XDR provides a single platform that can ingest endpoint agent data, network-level information and, in many cases, device logs. This data is correlated, and detections occur from one or many sources of telemetry.
XDR streamlines the functions of the analysts’ role by allowing them to view detections and respond from a single console. The single-pane-of-glass approach offers faster time to value, a shortened learning curve and quicker response times since the analysts no longer need to pivot between windows. Another advantage of XDR is its ability to piece multiple sources of telemetry together to achieve a big-picture view of detections. These tools are able to see what occurs not only on the endpoints but also between the endpoints.
The Future of Antivirus Software
Security is constantly evolving, and future threats may become much more dangerous than we are observing now. We cannot ignore these recent changes in the threat landscape. Rather, we need to understand them and stop these increasingly destructive attacks.
Security Consultant, IBM
Fahad Ahmed is a contributor for SecurityIntelligence.