Antivirus is Dead. Long live EDR!
Computer security is a constant battle with an ever changing landscape. Protection strategies that were top of the line are now no longer effective. This is now true of Antivirus software. In the past many organization’s only type of security was Antivirus and a firewall. However, new malware and ransomware techniques in use by the bad guys render Antivirus ineffective, and worse, provide a false sense of security. This is where a new technology called Endpoint Detection & Response (EDR) comes in. You may also see the terms MDR or XDR which are types of EDR deployments and/or feature sets.
Why Antivirus Can’t Protect You Anymore.
So why do we need EDR exactly? To understand the answer you first need to know how standard Antivirus software works. The oversimplified version is that when a program is run or downloaded the AV software will scan it to see if it is a known threat, such as a virus or malware. If the scan sees something it recognizes it will delete or quarantine the file. If you look closely at that process you may see the two big problem already.
- What if the threat was not previously known?
If the Antivirus does not recognize the threat then it allows it to run. That is not good. These types of threats can be new viruses, malware that has been obfuscated, or threats leveraging zero-day exploits (new, unpatched, security bugs in software such as Windows, MacOS, Adobe, Office, Zoom, etc.).
- What if the threat does not a use a malicious file to infect the machine?
If there is nothing to scan then, you guessed it, it runs (still not good). These are known as Fileless attacks and may also be referred to as Living off the Land (LOTL). This is a fairly new and evolving threat methodology and can be executed in various ways. Examples include Memory-only threats (Duqu worm), Windows registry resident malware (Poweliks), Powershell / Macro based tools (exploit kits), and various other technical methods I will not go into (DLL injection, DotNetToJScript technique, Reflective loading, etc.).
As you might have guessed, once malware gets past the Antivirus software it’s game over. Your computers, data, and network are now open to attack.
Detecting & Stopping Unknown Threats
EDR fills the gaps in Antivirus’s blind spots and then some. While Antivirus just scans for known threats, EDR also looks for malicious behaviors in applications and running processes utilizing a technique known as Machine Learning (a type of Artificial Intelligence). It does not need to know if a program is a threat, but acting in a threatening manner. In this way it works based on how real world threats are determined. Police don’t keep a list of known offenders in their pocket, but identify the bad guys based on what they are doing and how they are acting.
Assume You Will Not Prevent All Attacks
When you get a new car you know it is just a matter of time before someone scratches it. You can park all the way in the back lot and you will still have someone dent it. Computer security should be thought of in the same manner. It is not a matter of if you will be breached, but when. Antivirus products are useless once an attack successfully executes but EDR has the ability to detect an active infection, kill it, and more importantly, reverse any changes made to the system. Not only does this limit the damage being done, it also saves an enormous amount of time on the IT side as computers no longer need to be brought offline to perform an erase and full reinstall of the computer and applications. In addition many EDR products can automatically disconnect an infected device from the network to help limit the spread of worms, ransomware, and hackers trying to move through your network.
Only Wireguided Includes the Worlds #1 EDR with it’s Managed Services
Wireguided makes the security of our clients our #1 priority (as well as great customer service!). We are constantly evaluating new security solutions and evaluating new threats so our customers are always protected. With this in mind we are now including the worlds #1 EDR / XDR software with our Managed Services Plan, SentinelOne Singularity XDR. No other MSP offers this level of protection to their customers. If you would like to know more about EDR and how Wireguided can help your organization please click here to contact us.