The Evolution of Cybersecurity: Ideal Endpoint Protection (Part 2)

The first part of The Evolution of Cybersecurity series, titled What Poor Endpoint Protection Entails, covered why antivirus (AV) software should not be relied upon for endpoint protection. In fact, the senior vice president for information from Symantec claims that the majority of attacks go undetected by traditional AV. The first takeaway is that common forms of AV are ineffective against encryption. The AV doesn’t have the key to access the file, and as such, it may not be analyzed, leaving the system vulnerable. The second takeaway is that AV must be configured independently for each unique device, including fax machines and printers. This may require significant manual labour if the devices are not linked, and automatically updated, via the cloud. Therefore, it can be costly and is often neglected.

This entry in the series will detail what is required for ideal endpoint protection. Specifically, endpoint detection and response (EDR), managed detection and response, (MDR), and extended detection and response (XDR) will be referenced. First however, it is important to discuss Next Generation Antivirus (NGAV). What this brings to the table over its predecessor is that it searches for all indicators of suspicious or malicious behaviour as opposed to only detecting content contained within files that is already known to be a threat. In other words, NGAV pays attention to the actions of items, and compares their attributes to how the software understands typical malware to act. It turns out, looking at how items will act is a step in the right direction. NGAV deals primarily with prevention. This form of endpoint protection leverages artificial intelligence, machine learning, and predictive modeling techniques to find matches. Therefore, previously unseen malware can be identified as a hazard and dealt with accordingly. An additional feature of NGAV is that it is cloud-based, and as such the deployment is streamlined and time-saving. What’s very important is that updates to NGAV can roll out immediately to combat new developments and techniques used by hackers in real time. This form of endpoint protection is effective against malware, file-less attacks, ransomware, and more. Additionally, there is still some incentive to utilize EDR.

EDR is incredibly effective, dealing primarily with detection, and is beneficial to supplement with NGAV. This solution uses AI as an analysis tool which compiles system-level data on endpoint behaviour. In summary, it accurately determines the intent of items by monitoring all of the endpoints of a network to figure out if something larger is going on. This introduces a whole new story to threat detection. Following active analytical techniques, if it is understood an item will act in a suspicious way it is flagged. Then, contextual information is used to supplement the AI engine’s decision regarding how to treat the file of concern. Of which, the file may be granted access, or blocked, and in the event an intrusion did partially occur the endpoint security solution will suggest certain practices to restore the affected device. For reference, notable EDRs are Sentinel One and Huntress, which are renowned for ensuring protection against ransomware. EDR generates loads of data, and it is fantastic for successfully recognizing an unknown item as a threat, even if the item has never been identified before.

As discussed previously, EDR presents itself as a helpful tool for threat detection and gathering related data. It acts as a safety net for NGAV, as it considers all the endpoints to a network, and supplements its threat detection with contextual data. The data which EDR gathers is concerned with processes, connections, interactions, exchanges of information, the end-user, and more. However, configuring and successfully operating an EDR is quite demanding. Likewise, the data is so high in quantity that additional steps must be taken to ensure it is properly managed. Given the fact that these tasks are so rigorous, it is commonly outsourced towards a third party provider, known as a Security Operations Center (SOC). Therefore, an MDR is essentially an EDR coupled with an SOC supervising the activity and data collection. They organize and summarize the data so as to make it interpretable and to provide insight. Furthermore, they specialize in investigating threats, isolating them, examining networks, and remedying systems all while keeping in communication with you. When things act unexpectedly or things go wrong, their job is to answer the necessary questions regarding why they occurred that way. Many times, these questions take the form of, how far did the intrusion reach, or what failed which allowed for this to happen? Clearly, employing a third party provider for MDR is desirable because many small to medium sized businesses do not have resources for the full-time security specialists who are experienced with such tasks.

Lastly, XDR introduces telemetry—where data is automatically collected and shared across the various connected security measures. For instance, endpoint, firewall, email, server, network, and user data are all agglomerated and analyzed automatically to improve the detection and remediation of threats. This is commonly coined as a “holistic” approach to endpoint protection, where activity between the various facets of digital infrastructure is correlated. The primary benefit is that XDR is more capable of identifying the most critical threats from a large sample of suspicious items. In doing so, it shows which threats should be prioritized—a task which is very difficult to do manually when thousands of threats are identified at once. Furthermore, it provides operators with a plethora of instruments for analysis, which helps break down the steps in which the threat may have gained access (or at least attempted to). In the end, XDR is extremely time-saving. Furthermore, it improves EDR in the sense that threats are now identified outside of managed endpoints.

Multi Part Series: The Evolution of Cybersecurity Part 1: What Poor Endpoint Protection Entails Part 2: Ideal Endpoint Protection Part 3: The Need for Multi Factor Authentication Part 4: The Risks of Working from Home – A Zero Trust Approach Part 5: Running Virtual Penetration Tests Part 6: Is Your MSP Keeping You Secure?

Featured Download