In a previous post, I explained the basics of Endpoint Security. This post will show you how to utilize Endpoint Security to build a strong defense against cyber threats.
You can use a castle’s defense system as an analogy for your defense against cyber threats. Defense specialists in the Middle Ages set up different defense mechanisms, commonly known as layers:
- Moats and Water Defenses (1)
- Outer Curtain Wall (2)
- Turrets, Towers, and Look Out Points (3)
- Castle Defenders (4)
- Spying on your (possible) enemies (5)
Le Mont-Saint-Michel, a tidal island and mainland commune in Normandy, France, is a fitting example of strong castle defense. The commune’s position, on an island just a hundred meters from land, made it accessible at low tide to the pilgrims to its abbey but defensible as an incoming tide stranded, drove off, or drowned would-be assailants. The island remained unconquered during the Hundred Years’ War. During this war, a small garrison fended off a full attack by the English in 1433.

Traditional antivirus software – Moats and Water defenses (1)
Classic antivirus solutions compare the code on a system against a regularly updated database of known malicious signatures (bits of code). The antivirus vendor's specialists update this database every time they identify a new malware signature, and your installation pulls the updates you have selected. A classic antivirus solution is the most basic form of defense. It is only suitable for private users because this defense only detects half or even less of all digital attacks. Organizations need to equip themselves with more than antivirus software alone.
Next-generation antivirus (NGAV) – Outer Curtain Wall (2)
A traditional antivirus solution only detects half or less of all digital attacks. This creates a big problem: in many cases, there is a gap between the moment a piece of malware is released into the world and the moment your traditional antivirus program can identify it.
Today, attackers know where to find gaps and weaknesses in a network, and they penetrate these networks while efficiently bypassing traditional antivirus software. They do this with advanced tools that target vulnerabilities by leveraging:
- Memory-based attacks
- PowerShell scripting language
- Remote logins
- Macro-based attacks
As previously stated, classic antivirus solutions only focus on threats that can be recognized by a file signature or definition. Because of this very narrow scope, these solutions cannot detect any of these newly evolved attack techniques, because these techniques do not introduce new files to the system. In addition, attackers are targeting individual networks instead of launching mass attacks. This means cybercriminals formulate new strategies involving multi-stage, personalized attacks that sideline classic antivirus solutions by completely bypassing their detection mechanisms. If you only defend your castle with a moat or another water defense, attackers can enter your castle quickly by crossing your “Moat/Water defense” at low tide or when you are not quick enough to raise your drawbridge.
Next-generation antivirus (NGAV) software is a preventive measure in battling cyber threats and closes the gap between newly formulated attack strategies and classic antivirus solutions. It is your Outer Curtain Wall in addition to your Moat and Water Defense. NGAV uses more advanced endpoint protection technologies. NGAV goes beyond file-based malware signatures and heuristics by using a system-centric, cloud-based approach. NGAV uses predictive analytics, driven by machine learning and AI, and combines this with threat intelligence into a better defense mechanism against malware threats:
- It detects and prevents malware and file-less non-malware attacks.
- It identifies malicious behavior, tactics, techniques, and procedures (TTPs) from unknown sources.
- It collects and analyzes comprehensive endpoint data to determine root causes.
- It responds to new and emerging threats that previously went undetected.
NGAV is a massive upgrade from traditional antivirus solutions and will do a much better job in your defense against sophisticated attacks. Staying in the castle analogy: just as an enemy can cross your Moats and Water Defenses, no system is entirely bulletproof. NGAV is no exception: there is always a risk that specific attacks will get past it. EDR is complementary to NGAV and fills the possible holes in your NGAV.
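To make the difference between the two layers concrete, here is an added Python example (not part of the original post) that runs a signature-only check and a behavior-based check over constructed endpoint telemetry. The behavior rule, an Office application spawning a script host, is the kind of relationship NGAV and EDR evaluate; all hashes, hostnames and events are constructed placeholders, and the rule set is deliberately small.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed signature database: placeholder hashes, not real malware indicators.
KNOWN_BAD_HASHES = {"deadbeef" * 8: "Trojan.Example"}

# Behavior-based layer: an Office application spawning a script host is suspicious
# regardless of whether any new file is written to disk.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    ts: str
    host: str
    parent: str                  # parent process image name
    image: str                   # process image name
    file_sha256: Optional[str]   # None when the activity wrote no new file to disk


# Constructed telemetry: a macro document spawns PowerShell (file-less) on ws-01,
# and a known-bad installer is written to disk on ws-02.
EVENTS: List[ProcessEvent] = [
    ProcessEvent("2024-03-01T08:00:00Z", "ws-01", "explorer.exe", "winword.exe", "c0ffee11" * 8),
    ProcessEvent("2024-03-01T08:00:07Z", "ws-01", "winword.exe", "powershell.exe", None),
    ProcessEvent("2024-03-01T08:05:00Z", "ws-02", "explorer.exe", "setup.exe", "deadbeef" * 8),
]


def signature_detect(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Classic antivirus: alert only when a file hash is in the signature database."""
    return [e for e in events if e.file_sha256 in KNOWN_BAD_HASHES]


def behavior_detect(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """NGAV/EDR-style rule: alert on the process relationship, not on a file hash."""
    return [e for e in events if e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS]


def missed_by_signatures(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Activity the behavior layer flags but the signature layer cannot: the gap described above."""
    seen_by_signatures = signature_detect(events)
    return [e for e in behavior_detect(events) if e not in seen_by_signatures]


if __name__ == "__main__":
    for e in signature_detect(EVENTS):
        print(f"[signature] {e.host} {e.image} sha256={e.file_sha256[:8]}...")
    for e in missed_by_signatures(EVENTS):
        print(f"[behavior]  {e.host} {e.parent} -> {e.image} (no file written, signature layer blind)")
```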
Endpoint Detection & Response (EDR) – Turrets, Towers, and Look Out Points (3)
EDR complements NGAV. As stated before, prevention is insufficient in the battle against cyber threats: you must always assume that a part of the attacks will get through your defense system and successfully penetrate the network. Never be complacent and stay vigilant: the speed at which new attack tools are developed is insane.
When an attack passes your first line of defense, your conventional security (antivirus solution) will not see the attack happening. Because the antivirus solution does not detect the attack, attackers are free to dwell in the environment for days, weeks, months, or even years. You counter these “silent failures” by detecting and removing an attacker quickly from your network: the Turrets, Towers, and Look Out Points of your castle.
Endpoint Detection and Response (EDR) solutions can prevent “silent failures.” EDR provides continuous and comprehensive real-time visibility into what is happening on endpoints. Continuous monitoring lets you identify suspicious and unauthorized activities more accurately, prevent many of these suspicious behaviors outright, and respond to and remediate advanced malicious threats more quickly and better than ever before.
EDR provides a top-down approach to data collection, which in turn powers machine learning, predictive analytics, and behavior monitoring with a complete picture of the environment of your entire network (on-premises, hybrid, and complete cloud). Combining all these tools helps you to monitor events and to identify patterns that may be suspicious, turning them into attack visualizations. Because of this, a system administrator and an incident responder can easily consume this information.
When new attacks appear, the system admin or incident responder can contain the identified threat, fending off the attack and leaving the attackers empty-handed.
Managed Detection and Response (MDR) – Castle Defenders (4)
You cannot detect all attackers by automated systems only. The most sophisticated attacks require the expertise of well-trained security professionals: the Castle Defenders. These well-trained security professionals learn from incidents, train in the latest cyber threats, and educate the other employees: the “citizens” that live in your castle.
Big organizations have an internal security team to do this, but smaller organizations do not have the luxury of an internal cybersecurity team. Fortunately, smaller organizations also can implement Managed Detection and Response without the necessity of having a security department on their payroll. External suppliers offer MDR as an external security service, comparable to hiring a security company that guards a physical building. You can compare the benefits that an external supplier of MDR offers with the assistance of a security team on payroll. The difference is that you only pay when you use the service. Managed Detection and Response has the following components:
- Round-the-clock Network Monitoring: 24/7/365 monitoring is essential to ensure that your organization is prepared to respond to any cyber threat. This round-the-clock monitoring is a core component of Managed Threat Hunting.
- Threat Detection and Response: Managed Threat Hunting’s primary focus is on threat detection and response. Here an internal security team or MDR service (if outsourced) goes beyond the threat detection provided by a managed security service provider (EDR), which leaves the responsibility for threat remediation, including investigation and handling of the incident, with the client (your company).
- Threat Hunting: as stated before, some attacks may slip through the cracks of your defense system. Threat hunting is a proactive approach to cybersecurity in which threat hunters (internal security team members or external MDR employees) search for undetected intrusions within an organization’s environment. This component is essential to minimize the cybersecurity risk of an organization.
- Security Systems Management: effective cybersecurity requires an array of security solutions that you need to configure appropriately, and you also need to manage these configurations properly. Managing configurations is the responsibility of your internal security team or the MDR team. If you outsource this, the responsibility lies with the service provider instead of being a task that your organization needs to manage while maintaining the required expertise internally.
If you outsource MDR, a critical component that needs structural attention is still open: training/educating your employees. An external service provider can organize simulated phishing attacks, penetration tests, and structural cybersecurity training.
Threat Intelligence Integration – Spying on your enemies (5)
Organizations must understand the threats they face to stay ahead of attackers, who keep evolving. Sophisticated adversaries and advanced persistent threats (APTs) can move quickly and stealthily. Because of this, your organization needs up-to-date and accurate intelligence, which lets you tune your defense automatically and precisely.
You can integrate a Threat Intelligence Integration solution into your defense to be able to investigate all incidents. With this solution, an organization gains knowledge in minutes instead of hours or even days. Time is the most crucial factor: the difference between minutes and hours can mean a difference of thousands or even millions of euros in damages, so a robust Threat Intelligence Integration solution can save an organization a lot of costs in case of a security breach.
A Threat Intelligence Integration solution generates custom indicators of compromise (IoCs) directly from the endpoints. This setup enables a proactive defense against future attacks. In addition, you need to include a human element: expert security researchers, threat analysts, cultural experts, and linguists. This team of experts will be able to make sense of emerging threats in various contexts. Threat Intelligence Integration solutions are (like MDR) very cost intensive if an internal security team manages them. Smaller companies also have the option to utilize this form of defense by outsourcing it, which you can do by integrating an Advanced Threat protection system.
Final Thoughts
It is up to you to decide what defense systems you want to use to defend your castle. You can do this by executing an assessment in which you define the cost/benefit ratio.
My advice is: do not be cheap on this. A state-of-the-art defense system will save your organization money in case of a cyberattack, which in the worst case can lead to the downfall of an organization.
I prefer living in a castle with defenses like Le Mont-Saint-Michel instead of a court with only a moat. The long history of Mont-Saint-Michel began in 708 when Bishop Aubert erected the first sanctuary on Mont Tomb in honor of the Archangel. Le Mont-Saint-Michel still exists, and people are still visiting this architectural masterpiece. Contrary to Le Mont-Saint-Michel, castles protected by only moats are long gone or in ruins. Feel free to contact me if you have any questions or if you have any additional advice/tips about this subject. If you want to keep me in the loop if I upload a new post, do not forget to subscribe to receive a notification by email.

