It’s late at night the day before an important deadline. You are rushing to complete a project that you have been diligently working on for months. You run into a snag and run a quick Google search for some software to help you complete your task. You find some software and click download. Next thing you know your computer is frozen from a virus. You notice a particular name that seems odd so you run another Google search from your phone and discover it is a new strand of malware and that the best course of action is to re-install your operating system. All the hard work you have put in is gone, as the latest changes to the project were not saved. You think to yourself, “what could I have done differently? I have an antivirus program installed on my machine, why was this not caught?”

 The harsh reality is that standard antivirus programs are not enough in today’s threat landscape.

In order to adequately protect oneself at an enterprise level, one needs an Endpoint Detection and Response (EDR) tool.

Why is my Antivirus Not Enough?

Most traditional AV providers use signature-based algorithms to prevent malware from being installed on your machine. This means that it identifies the file based off a unique pattern or hash (a mathematical algorithm to generate a unique set of numbers and letters) of the file. For a more in depth explanation of hashing, read this SentinelOne article. For a while, this type of detection worked because new signatures could continuously be generated for files and be blocked, but as always, the threat actors adapted and began heavily obfuscating their code so that the hash generated for the file was not the same as its unobfuscated counterpart leading to it bypassing AV solutions entirely.

What is EDR?

EDR stands for Endpoint Detection and Response. It’s the current generation of protection for endpoints (you may also have heard of XDR which is an attempt to expand the capabilities of EDR, but frankly, the product is in it’s infancy). EDR allows cybersecurity and IT professionals to not only identify threats, but it also allows them to respond. These solutions gather telemetry data constantly from endpoints and rather than using a signature-based solution to detection, it uses a heuristic (or behavioral) approach. These solutions don’t focus on the hash of a file or if the file in unique to the device, it’s monitoring how the file behaves to determine whether it’s malicious or not. A good example is a spreadsheet sent over email with macros enabled. Now the spreadsheet itself may not be malicious, but what if the macro is? The file is detected by the EDR solution and the analyst is able to respond. These solutions are also continuously enriched with the latest threat intelligence. Threat intelligence is essentially a digestible version of the latest threats, threat actors, and their various tactics. Often threat actors are creatures of habit and they follow a specific set of steps in each cyber-attack. The EDR solution will gather this intelligence and incorporate it into the platform. They also will generally include some sort of proactive threat hunting component, actively seeking out potential threats rather than waiting for them to become active.

Why Does Any of this Matter?

A natural thought is: how does this apply to my company and me? The facts is that threat actors are continuously evolving. They are finding new and creative ways to breach environments and you and your business are no exception. This ingenuity creates a headache on the defensive-side as we are often playing a cat-and-mouse game of staying ahead of attackers. A good EDR solution helps to bridge that gap. Instead of an analyst spending their day perusing threat intelligence feeds to gather malicious hashes to input, they can spend their time on other important security tasks, such as vulnerability management.

Another key takeaway here is that no tool is a magic bullet. The people that use the tool are just as important as the tool itself. Without proper training, the alerts could go unnoticed or be inadvertently marked as a false positive, when it is in fact a legitimate threat. Any tool (especially EDR) is only as effective as its wielder. Keep that in mind as an EDR solution is considered.

Within cybersecurity, if you are not evolving, you are dying.

A traditional AV solution is not good enough in 2023. If you are concerned about your current cyber security posture and would like to discuss with Dean Dorton’s Cyber Security Professionals, feel free to reach out using the contact information below.

Jordan Johnson | Cyber Security Consultant