Cybersecurity Blog | Ingalls Information Security

Critical Control: Deploy Better Endpoint Protection & Detection Tools

Written by Jason Ingalls | Apr 3, 2019 4:00:00 AM

This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-Point Guide, click here to sign up and get the entire guide for free!

This week, we'll discuss the current situation with legacy anti-virus endpoint technology, some ways that malware is currently able to defeat it, and how the advanced endpoint protection that we use is effective.

A few years ago, a senior Vice President for a big anti-virus firm stood up and admitted that existing antivirus products work less than half of the time against malware [4]. This was under-reported, but it's something that we, as Incident Responders, had known for some time. There continue to be serious gaps in legacy antivirus product capabilities due to how they work, and how much the malware ecosystem has evolved over the last few years.

To the credit of legacy AV providers, new capabilities in the form of add-ons to their product lines appear regularly. If you can afford the entire product suite that many well-known providers offer today, you'll get good protection that can defeat most malware. However, the entire suite costs more than most small businesses can afford, or should even pay, when there are more effective solutions that are targeted at malware prevention. These next-generation antivirus software products are known in the cybersecurity industry as Advanced Endpoint Protection (AEP) software, and they have a few things that set them apart from legacy solutions:

  • AEP solutions are able to identify and stop malware that evades traditional antivirus.
  • AEP technology can catch malware before it is executed, where most legacy AV can't see it.
  • AEP allows for advanced endpoint management and includes options for device management and system lockdown, which is typically a service add-on for legacy AV product suites.
  • AEP solutions often include Endpoint Detection & Response (EDR) tools. EDR allows for the investigation of suspicious activity above and beyond what a legacy AV tool will provide, which is just a notification that it quarantined or deleted malware.
  • AEP solutions can also stop advanced, file-less malware that leverages scripting languages, as well as memory injection attacks that legacy AV misses.
  • AEP solutions leverage advanced machine learning (a form of Artificial Intelligence) to identify malware, even if it's been signed by a certificate that was stolen but unreported.

Replacing Legacy Antivirus with Advanced Endpoint Protection

Most Advanced Endpoint Protection requires a deployment process that can be difficult without subject matter expertise. AEP solutions typically get deployed in "learn mode" so that they don't lock down critical business functions. Switch AEP solutions to "block mode" once anything that would have been blocked has been determined to have a legitimate business purpose and been whitelisted, and scripts have been moved to a directory. Additionally, certificate-based whitelisting can be leveraged to reduce the risk of malware executing from a whitelisted directory, and other advanced options may be brought to bear, for example to prevent all but approved peripheral devices from being plugged into USB ports.

Only in extreme cases, such as an active ransomware attack that has defeated traditional AV, should AEP solutions be "slammed in" in full block mode. "Slamming in" AEP in full block mode allows rapid containment of ransomware files so that the environment can be remediated before restoring from backup or decrypting ransomed files. The rule of thumb is that a trained and qualified service provider should be used to deploy AEP solutions, to minimize the risk of an outage for the organization that is deploying them. Another reason to rely on qualified pros to implement AEP is that a misconfiguration or lack of full coverage creates a significant risk that the AEP solution will miss malware.
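The learn-mode review described above, sketched as an added example (not Ingalls' or any vendor's code). The event fields, policy layout, host names and paths are constructed for illustration; real AEP consoles export their own formats.

```python
"""Learn-mode review: is an AEP policy ready to switch to block mode?
Hypothetical event and policy layout, not any vendor's export format."""
from pathlib import PureWindowsPath

# Constructed learn-mode events: items the agent *would have* blocked.
EVENTS = [
    {"host": "FIN-01", "path": r"C:\Program Files\Acme\ledger.exe", "signer": "Acme Corp"},
    {"host": "FIN-02", "path": r"C:\Program Files\Acme\ledger.exe", "signer": "Acme Corp"},
    {"host": "OPS-07", "path": r"C:\Scripts\Approved\backup.ps1", "signer": None},
    {"host": "OPS-07", "path": r"C:\Users\jdoe\Downloads\cleanup.ps1", "signer": None},
    {"host": "HR-03", "path": r"C:\Users\asmith\AppData\Local\Temp\setup.exe", "signer": None},
]

# Constructed allowlist produced by the review so far.
POLICY = {
    "signers": {"Acme Corp"},                 # certificate-based entries
    "directories": [r"C:\Scripts\Approved"],  # directory-based entries for scripts
}

SCRIPT_EXT = {".ps1", ".vbs", ".js", ".bat", ".cmd"}

def in_dir(path, directory):
    """True if path lies under directory (Windows paths compare case-insensitively)."""
    return PureWindowsPath(directory) in PureWindowsPath(path).parents

def classify(event, policy):
    """Map one would-have-blocked event to its review status."""
    if event["signer"] in policy["signers"]:
        return "allowed-by-certificate"
    if any(in_dir(event["path"], d) for d in policy["directories"]):
        # Weaker than a certificate match: anything dropped here would also run.
        return "allowed-by-directory"
    if PureWindowsPath(event["path"]).suffix.lower() in SCRIPT_EXT:
        return "script-outside-approved-directory"
    return "unreviewed"

def review(events, policy):
    """Return (status -> set of paths, ready_for_block_mode)."""
    report = {}
    for event in events:
        report.setdefault(classify(event, policy), set()).add(event["path"])
    blockers = (report.get("unreviewed", set())
                | report.get("script-outside-approved-directory", set()))
    return report, not blockers

if __name__ == "__main__":
    report, ready = review(EVENTS, POLICY)
    for status, paths in sorted(report.items()):
        print(status, sorted(paths))
    print("ready for block mode:", ready)
```

Entries reported as allowed-by-directory are the ones to revisit with certificate-based whitelisting, since the directory rule alone would permit any file placed there.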

Integrated Advanced Endpoint Protection, Detection, and Response

Advanced Endpoint Protection can be thought of as a high-security lock on the doors to your data: the computer endpoints that users work from. Like a lock on a door, Advanced Endpoint Protection is designed to keep malware and hackers from being able to get into sensitive operating systems and networks. One of the biggest advantages of AEP is that it can alert investigators to suspicious activity while it holds hackers and malware at bay, giving security operations staff the ability to investigate using Endpoint Detection & Response modules, check logs, and generally remove the threat before it is able to defeat AEP and other security controls. Just as any lock can be defeated given enough time, AEP should not be solely relied upon to keep an organization safe. Integrating AEP and EDR technologies with a Security Operations Center monitoring solution is akin to having a building alarm system and monitoring company detect when a lock on a door gets forced and ensure that security response teams (e.g. the police) respond to an attempted break-in. This kind of solution is what an internal Security Operations Center (SOC) or an outsourced Managed Detection Response (MDR) solution provides for organizations, and we'll discuss how AEP, EDR, and SOC/MDR integrations provide effective cybersecurity risk management in the last section of this guide.

Interoperability between Legacy AV and AEP Solutions

Many clients who come to us for our MDR service directly have purchased legacy antivirus products on multi-year contracts. Some of them come to us as breach victims who realize that the antivirus they paid for didn't stop the malware that cost them thousands in bitcoin ransom and days to weeks of downtime while they recovered and restored their data. Most of our MSP partners are already offering some type of endpoint protection; however, most realize it makes more sense for us to manage deployment and maintenance of endpoint protection tools because it's our specialty.

Regardless, we are happy to install our AEP solution in tandem with the legacy AV by whitelisting each app in the other app's console. We can also help transition quickly to AEP only, which can reduce overhead on endpoints with multiple agents and declutter the security controls in place.

In summary, Advanced Endpoint Protection is the new way to provide effective security controls that can operate at the speed of malware to prevent execution, protect endpoints, and allow security team members to investigate and resolve security incidents on endpoint computers. AEP solutions should be carefully deployed and monitored as part of an overall risk management strategy; when they are, they can be highly effective at protecting endpoints from malware, attacker lateral movement, and other risks.

Join us next week when we discuss Email Security, and why this critical business communication system is a favorite attack vector for advanced hackers and spear phishers. Thanks for reading!
