12 October 2022

Simon Crocker, senior director - systems engineering, Palo Alto Networks
The sudden surge of remote workers combined with the increased complexity of endpoint attacks is putting pressure on security teams to re-evaluate their approach to enterprise anti-virus. Quite simply, established anti-virus solutions need to be re-imagined and hardened to withstand the sharp rise in attack sophistication and frequency.
When reviewing anti-virus strategies there is an alphabet soup of jargon such as “next-gen antivirus” (NGAV), “endpoint protection platforms” (EPP), and “endpoint detection and response” (EDR).
The reality is that none of these are providing all the specific capabilities needed to protect an enterprise’s endpoints against modern threats.
One thing that doesn’t change is that prevention is the bedrock of cybersecurity. Detection and response to attacks are futile without consistent, coordinated prevention.
For example, even the best EDR still detects attacks only after the damage has happened. This puts your security team into a reactive posture, expending operational overhead to understand and assess the attack, and then investing even more resources to clean up the damage. In this respect, an EDR is akin to the collision sensor in an airbag that saves lives. This is all very good, but would it not have been better to stop the accident from happening in the first place?
So, a better course for modern enterprise anti-virus solutions is a prevention-first approach that deploys the cybersecurity equivalent of both crash avoidance and deterrence.
To achieve this, it is important to understand how attackers currently operate and target endpoints. Many attackers today blend two primary attack methods: targeting application vulnerabilities and deploying malicious files. These methods can be used individually or in various combinations, but are different in nature:
Exploits are techniques designed to gain access through vulnerabilities in an operating system or application code.
Malware is a file or code that infects, explores, steals, or conducts virtually any behaviour an attacker wants.
Ransomware is a subset of malware that holds valuable files or data for ransom, often under encryption, with the attacker holding the decryption key.
When evaluating solutions, the key characteristics to consider are:
1. Malware Analysis
The diversity, volume, and sophistication of threats make effective threat prevention challenging. There is also the challenge of detecting never-before-seen malware and exploits in addition to identifying known malicious content.
To confront these sophisticated, targeted, and evasive threats, endpoint protection must integrate with shared threat intelligence to learn and evolve its defences. Further, integrating cloud-based threat intelligence with endpoint protection creates deeper analysis to rapidly detect potentially unknown threats. Machine learning on the endpoint should be able to rapidly assess a file to identify suspicious characteristics, as well as perform deeper dynamic analysis and bare metal sandboxing as needed to prevent even more evasive malware.
2. Ransomware Prevention
Ransomware has been around for years but new attacks by groups like REvil have shown that traditional prevention solutions are not enough. Attackers are using much more sophisticated, automated, targeted, and highly evasive techniques. As a consequence, preventing ransomware involves applying a “defence-in-depth” set of capabilities on the endpoint to detect and shut down ransomware in multiple stages of the attack lifecycle.
3. Exploit Prevention
Thousands of new software vulnerabilities and exploits are discovered each year, requiring diligent software patch distribution by software vendors on top of patch management by system and security administrators in every organisation. Addressing vulnerability exploits is the primary reason patches are applied.
Enter Extended Detection and Response (XDR)
To operationalise this approach, it is better to deploy endpoint protection and detection capabilities as features of a holistic extended detection and response (XDR) platform that applies machine learning to a centralised data stream to provide full visibility into attacks across data sources and coordinate prevention across enforcement points.
One key benefit of XDR is how it reduces the pressure on security and network teams. When dealing with cybersecurity, organisations spend a huge amount of time collecting the right security data and making sure it’s in the correct format to use for analytics. They may also need to source data from multiple sources to determine which users, devices, processes, or applications are associated with specific events. XDR automates this through alert stitching—correlating related alerts from different data sources into security incidents—dramatically reducing the volume of disparate alerts analysts must face each day.
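The alert stitching described above can be illustrated with a small correlation routine, added here as an example and not code from Palo Alto Networks or any XDR product. It assumes alerts carry host, user and process hash fields, uses a 30-minute window, and runs over constructed sample alerts from three data sources.

```python
"""Alert stitching: group related alerts from different sources into incidents.

Added example, not vendor code. The alerts below are constructed samples; the
correlation keys (host, user, process SHA-256) and the 30-minute window are
assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample alerts from endpoint, firewall and identity sources.
ALERTS = [
    {"id": 1, "source": "endpoint", "time": "2022-10-12T09:00:00", "host": "ws-17", "user": "alice", "sha256": "aaa"},
    {"id": 2, "source": "firewall", "time": "2022-10-12T09:05:00", "host": "ws-17", "user": None, "sha256": None},
    {"id": 3, "source": "identity", "time": "2022-10-12T09:10:00", "host": None, "user": "alice", "sha256": None},
    {"id": 4, "source": "endpoint", "time": "2022-10-12T14:00:00", "host": "ws-42", "user": "bob", "sha256": "bbb"},
    {"id": 5, "source": "endpoint", "time": "2022-10-12T09:20:00", "host": "srv-03", "user": "carol", "sha256": "aaa"},
]

def entity_keys(alert):
    """Return the (field, value) pairs an alert can be correlated on."""
    return [(k, alert[k]) for k in ("host", "user", "sha256") if alert.get(k)]

def stitch(alerts, window=WINDOW):
    """Union-find over alerts: two alerts join the same incident when they
    share an entity key and occur within `window` of each other. Returns
    the incidents as sorted lists of alert ids."""
    alerts = sorted(alerts, key=lambda a: a["time"])
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    seen = defaultdict(list)  # entity key -> indices of earlier alerts carrying it
    for i, alert in enumerate(alerts):
        t = datetime.fromisoformat(alert["time"])
        for key in entity_keys(alert):
            for j in seen[key]:
                if t - datetime.fromisoformat(alerts[j]["time"]) <= window:
                    parent[find(i)] = find(j)  # merge the two incidents
            seen[key].append(i)

    incidents = defaultdict(list)
    for i, alert in enumerate(alerts):
        incidents[find(i)].append(alert["id"])
    return sorted(incidents.values())

if __name__ == "__main__":
    print(stitch(ALERTS))  # [[1, 2, 3, 5], [4]]
```

Alerts 1, 2 and 3 chain through the shared host and then the shared user, and alert 5 on a different host joins via the same file hash, so four alerts from three sources collapse into one incident while the unrelated alert 4 stays separate.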
With lower alert volume, security teams can move much faster. Leading XDR solutions can close the security coverage gap through seamlessly integrated endpoint protection, detection, and response with a minimal footprint, no dependency on signatures for prevention, a cloud-based management interface, and extensive data collection for event and alert logging. This gives security operations teams the visibility they need for prevention-first operations without negatively affecting endpoint administration.
XDR takes prevention capabilities to a higher level than established approaches to enterprise anti-virus. The great advantage of XDR for security teams is how its full-scale visibility and powerful analytics give them the weapons to fight sophisticated attackers.