Ryan Higgins, Internal Account Manager, explores how businesses should enhance their cyber resilience in a post-pandemic world and why traditional antivirus might not be enough.
The world as we know it changed dramatically in the wake of the coronavirus pandemic; many businesses were forced to transition their workforce to their homes or put them on furlough, and in a lot of cases both. The speed of this change gave rise to another pandemic, one which is far less publicised but potentially just as dangerous to your business. Cybercriminals across the world saw the opportunity to exploit security weaknesses and went on the hunt. Businesses must respond.
One of the most frequently overlooked parts of a network’s security is the endpoint itself. Many people believe that because they have antivirus software, they’re completely protected. This could not be more wrong.
There are various forms of malicious software and billions of registered signatures stored in huge datacentres, but there are also countless zero-day threats that have not yet been registered. These will simply walk past the antivirus software as if it did not exist. Penetration methods and the wider threat landscape continue to evolve. At the same time, hackers constantly find new ways of breaching companies’ datacentres or locking them out of their systems before holding them to ransom. To keep the hackers at bay, businesses must therefore evolve their cyber resilience to ensure they are protected.
But what is the best approach for you? Let’s explore traditional antivirus and endpoint detection & response (EDR).
Antivirus solutions have been around for a long time, but the way they work hasn’t altered fundamentally. Antivirus is a piece of software that works on a traditional signature-based system; if the antivirus recognises the signature of a registered virus, it will not allow it into the network.
This is where zero-day threats can present a problem for traditional antivirus tools. A zero-day threat is a piece of malicious software that has just been created. This silent assassin has no recognised signature and so cannot be detected by a traditional antivirus platform.
EDR is the next stage of evolution in endpoint security and cyber resilience. Traditional antivirus software cannot defend against malware unless samples have already been obtained, allowing signatures to be generated and updates to be distributed to users. Given the covert nature of cybercrime, a malware’s signature is generally only registered once it has already breached a company. Because of this, the signature-based protection relied on by traditional antivirus is ineffective against zero-day viruses.
EDR is designed to detect these zero-day threats and will either move the virus into a quarantined sandbox or simply not allow the software to enter the network at all, depending on the vendor.
To further the comparison between traditional antivirus and EDR, let’s use a real-life analogy. Every time we leave our homes, we lock the door and head out. Now imagine if, just as you’re about to leave, a complete stranger walks up to you and asks you for the house keys. Would you give this stranger the keys to your home? No. Why not? You can’t know whether they have any bad intentions, so you can’t trust them. Your antivirus is a little more friendly however, and instead will roll out the welcome mat for the stranger, in this case a new, unrecognised virus.
An EDR platform will react in different ways to zero-day threats, depending on which vendor supplies it.
Entry will be completely denied whether the software is good or bad, because it has not yet been classified and so has neither a known-good nor a known-bad signature. The software is pulled away from the network and sent to the virtual labs for testing. If it is found to be safe, it is allowed back onto the network.
Think of this like the bouncer at a bar not letting someone in because they don’t have their ID. That someone goes and gets their ID then comes back to prove they’re not on the barred list, so they are now allowed in.
If further checks reveal the software to be malicious, a copy of the signature is created, and the virus is destroyed without ever coming into your network.
Your EDR might also move the software into a sandbox – essentially a virtual duplicate of your environment – to let it run inside this simulation and see how it behaves. If the software behaves itself and is non-malicious, it will be allowed into the actual network. However, if this software acts maliciously in the sandbox, it is destroyed or removed from the network.
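The two mechanisms described above, signature matching on one hand and sandbox detonation with behavioural scoring on the other, can be shown side by side in a small script. The following Python example is added here for illustration; it is not Millgate’s code nor any vendor’s product logic, and the malware samples, hashes, file paths and sandbox event traces in it are all constructed. It assumes a signature database is simply a set of SHA-256 hashes and that the sandbox records each action the sample takes as an (action, target) pair.

```python
"""Toy comparison of signature-based antivirus and behaviour-based EDR.

Added example with constructed data: the "samples" are byte strings, the
"signatures" are their SHA-256 hashes, and the sandbox traces are hand-written
(action, target) pairs standing in for what a real sandbox would record.
"""
import hashlib
from collections import Counter
from typing import List, Set, Tuple

# Constructed samples. The zero-day variant differs from the known sample by a
# few bytes, so its hash (its signature) is different, but it behaves the same.
KNOWN_MALWARE = b"sample-A: encrypt every document, then demand payment"
ZERO_DAY_VARIANT = KNOWN_MALWARE.replace(b"sample-A", b"sample-B")
BENIGN_TOOL = b"sample-C: print a report to the default printer"


def fingerprint(sample: bytes) -> str:
    """Signature of a sample: here just a SHA-256 hash of its bytes."""
    return hashlib.sha256(sample).hexdigest()


def signature_scan(sample: bytes, signature_db: Set[str]) -> str:
    """Traditional antivirus: block only an exact, previously registered signature."""
    return "blocked" if fingerprint(sample) in signature_db else "allowed"


# Constructed sandbox traces: what each sample did inside the isolated replica.
RANSOMWARE_TRACE: List[Tuple[str, str]] = [
    ("write", f"C:/Users/alice/Documents/report{i}.docx.locked") for i in range(40)
] + [
    ("delete", "C:/Users/alice/Documents/report1.docx"),
    ("registry_set", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/updater"),
    ("network", "203.0.113.7:443"),
]
BENIGN_TRACE: List[Tuple[str, str]] = [
    ("read", "C:/Users/alice/Documents/report1.docx"),
    ("write", "C:/Users/alice/AppData/Local/Temp/print-spool.tmp"),
    ("network", "192.168.1.50:9100"),
]


def behavioural_verdict(trace: List[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Judge a sample by what it did, not by what it is.

    Each rule below is a simplified stand-in for the heuristics an EDR sandbox
    applies; the thresholds are chosen for the example, not taken from any product.
    """
    reasons = []
    written = Counter(target for action, target in trace if action == "write")
    doc_writes = sum(1 for target in written if "/Documents/" in target)
    if doc_writes >= 20:
        reasons.append(f"mass modification of user documents ({doc_writes} files)")
    if any(a == "delete" and "/Documents/" in t for a, t in trace):
        reasons.append("deletion of user documents")
    if any(a == "registry_set" and "/Run/" in t for a, t in trace):
        reasons.append("autorun persistence registered")
    verdict = "malicious" if len(reasons) >= 2 else "benign"
    return verdict, reasons


def edr_decision(sample: bytes, trace: List[Tuple[str, str]], signature_db: Set[str]) -> str:
    """The EDR flow from the article: known signature -> block outright; unknown
    -> detonate in the sandbox; malicious -> register its signature and destroy
    it; well-behaved -> admit it to the real network."""
    if signature_scan(sample, signature_db) == "blocked":
        return "blocked"
    verdict, _reasons = behavioural_verdict(trace)
    if verdict == "malicious":
        # "a copy of the signature is created" so the next copy is caught statically
        signature_db.add(fingerprint(sample))
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    db = {fingerprint(KNOWN_MALWARE)}  # constructed signature database
    print("AV  known sample :", signature_scan(KNOWN_MALWARE, db))
    print("AV  zero-day     :", signature_scan(ZERO_DAY_VARIANT, db))
    print("EDR zero-day     :", edr_decision(ZERO_DAY_VARIANT, RANSOMWARE_TRACE, db))
    print("AV  zero-day now :", signature_scan(ZERO_DAY_VARIANT, db))
    print("EDR benign tool  :", edr_decision(BENIGN_TOOL, BENIGN_TRACE, db))
```

Running the script shows the point of the article in four lines: the antivirus blocks the registered sample, waves the zero-day variant straight through, the EDR sandbox blocks that same variant on its behaviour and registers its signature so the plain scanner catches it afterwards, and the benign tool is still admitted because it does nothing suspicious.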
Looking back at our stranger analogy, sandboxing is like handing a person the keys to a virtual replica of your home and watching how they act. Will they be kind enough to go clean the dishes and put your washing away? Or are they about to try to make off with your TV?
I suppose the big question must be, “Why doesn’t everyone already have Endpoint Detection & Response in place to protect their network and the business as a whole?”
Usually a business won’t have EDR as part of their cyber resilience strategy for one of three reasons:
The most common reason tends to be the cost of this advanced technology. However, people put off by this rarely think about the cost of not having robust cyber resilience, particularly when you consider 60% of small businesses fold within six months of a cyber attack. There are a number of questions that should be asked when contemplating the cost of an EDR upgrade:
The point here isn’t to frighten anyone into a fire sale of upgraded security platforms. As part of our mission to help clients succeed, we want to educate and enable you to act today to secure tomorrow.
Speaking from personal experience, a lot more clients are asking for advice on strengthening their security posture by upgrading their platforms to EDR solutions. And while an EDR solution is certainly effective, there are a lot of options for protecting yourself out there.
If you take one thing away from this article, it is to know we have many weapons in our arsenal for the war against cybercrime. Each organisation’s needs are different, but to not act at all is – to paraphrase the Bard – to risk being once more into a breach, dear friends.
Ryan Higgins is an Internal Account Manager at Millgate. To discuss which security methods are right for you, contact our advisers on 0114 242 7310 or request a callback.
For further information on protecting your business and your people while they’re out of the office, read our handy checklist on securing remote access.