In this blog, Matt Riley, Sharp UK’s Director of Transformation & Security, explores the reasons why anti-virus alone isn’t good enough anymore. Read on to learn more.
Anti-virus has been the mainstay in protecting laptops and desktops for the last 20+ years. There are dozens of recognised anti-virus solutions in the marketplace, but they all share one core problem: they are reactive.
Anti-virus software primarily focuses on identifying and mitigating known malware and viruses. It relies on signature-based detection, which means it looks for patterns or signatures of known malicious code in files and programs. Anti-virus software is generally designed to prevent infection and remove common types of malware. Due to this signature-based approach, it can struggle to detect new or evolving threats that do not match existing signatures.
There are four main reasons this is a problem:
Threat actors and hackers are looking to exploit businesses that are unprotected against new and evolving threats.
Anti-virus is a very reactive approach to protecting laptops, desktops and tablets. Considering those platforms are the largest attack surface, that is not very safe. It can also take a significant amount of time for a mitigation to be put in place.
SMEs are targets for threat actors, and ransomware is an ever-growing problem. One key aim of threat actors is to install malicious software via social engineering, and three billion phishing emails are sent each day.
Direct costs such as ransoms, data loss and GDPR fines add up, as do indirect costs such as downtime and reputational damage.
The next generation for the protection of laptops, desktops and tablets is Endpoint Detection and Response (EDR). EDR solutions are more advanced and proactive. They not only detect known malware but also focus on identifying and responding to suspicious or anomalous behaviours on laptops, desktops, and tablets.
EDR tools use a combination of behaviour-based detection, machine learning and threat intelligence to identify both known and unknown threats. EDR aims to give more visibility into the activity happening on endpoints and to respond to potential threats in real time.
EDR solutions go beyond detection and often include response capabilities. They can quarantine or isolate compromised systems, contain threats and investigate incidents. When you also pair an EDR with a security team (known as Managed Detection and Response, or MDR) you double down on the protection by dramatically reducing the likelihood of a successful attack.
Here is a common example comparing traditional anti-virus with EDR backed by a security team (MDR).
A team member falls for a phishing email and unintentionally downloads malware to their desktop computer. This is a new piece of malware, just written by a criminal gang, and hasn’t been seen before by anti-virus companies. It is designed to release its payload, ransomware, at 3am when everyone is asleep.
What happens with an anti-virus solution?
The desktop anti-virus does not recognise the malware as a threat because it has no signature for it in its database. The malware can spread across the network, infecting the company's servers with nothing to stop it. When everyone returns to work in the morning, the entire network is encrypted and the only way the hackers will release the data is if the business pays them a ransom.
What happens with MDR?
The desktop EDR software spots that the device is doing something odd. It identifies that files are being encrypted and that the device is trying to write to the server. This behaviour is not normal, so it automatically isolates the device from the network, preventing further spread. The security team are notified of the isolation and can assess whether this still poses a threat to the business and, if it does, take immediate action. When everyone returns to work the following morning they are none the wiser that they were potentially the victim of a cyber-attack, and the affected device can be permanently cleaned of the threat.
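To make the difference between the two approaches concrete, here is an added Python sketch (not Sharp's code, nor the logic of any vendor's product) that runs the two kinds of check described above over one constructed sample: a hash-based signature lookup of the kind traditional anti-virus relies on, and a behaviour rule of the kind an EDR applies, fed with a made-up telemetry feed for the 3am scenario. The process name, file paths, thresholds and the response action are all assumptions chosen for illustration.

```python
import hashlib
import os
from collections import defaultdict

# Hypothetical signature database: SHA-256 digests of samples a vendor has
# already analysed. The entries are constructed placeholders, not real hashes.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"previously analysed sample A").hexdigest(),
    hashlib.sha256(b"previously analysed sample B").hexdigest(),
}


def signature_scan(file_bytes: bytes) -> bool:
    """Classic anti-virus logic: flag a file only if its digest is already in
    the database. A freshly written sample has no entry and simply passes."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


# Constructed endpoint telemetry for the 03:00 scenario. Each event is
# (seconds since midnight, process name, action, path). Nothing here is real.
SAMPLE_EVENTS = [
    (10800, "invoice_viewer.exe", "rename", r"C:\Users\jo\Docs\q1.xlsx -> q1.xlsx.locked"),
    (10801, "invoice_viewer.exe", "rename", r"C:\Users\jo\Docs\q2.xlsx -> q2.xlsx.locked"),
    (10802, "invoice_viewer.exe", "rename", r"C:\Users\jo\Docs\plan.docx -> plan.docx.locked"),
    (10803, "invoice_viewer.exe", "rename", r"C:\Users\jo\Docs\notes.txt -> notes.txt.locked"),
    (10804, "invoice_viewer.exe", "rename", r"C:\Users\jo\Docs\budget.xlsx -> budget.xlsx.locked"),
    (10805, "invoice_viewer.exe", "write", r"\\FILESERVER\finance\ledger.xlsx"),
    (10810, "winword.exe", "write", r"C:\Users\jo\Docs\report.docx"),
    (10900, "backup_agent.exe", "write", r"\\FILESERVER\backups\jo-2024.zip"),
]

RENAME_THRESHOLD = 5  # extension-changing renames by one process within WINDOW
WINDOW = 60           # seconds


def _extension_changed(rename_path: str) -> bool:
    """True when a 'old -> new' rename gives the file a different extension,
    the pattern left behind when files are encrypted in place."""
    old, new = rename_path.split(" -> ", 1)
    return os.path.splitext(old)[1] != os.path.splitext(new)[1]


def behaviour_detect(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """EDR-style logic: judge each process by what it does over time rather
    than by what its binary looks like. Returns one finding per process that
    mass-renames files in a short window; a following write to a network
    share is recorded as the spread described in the scenario."""
    by_process = defaultdict(list)
    for ts, proc, action, path in sorted(events):
        by_process[proc].append((ts, action, path))

    findings = []
    for proc, evs in by_process.items():
        renames = [ts for ts, action, path in evs
                   if action == "rename" and _extension_changed(path)]
        # Sliding window: does any run of `threshold` renames fit in `window`?
        burst = any(
            len([t for t in renames[i:] if t - start <= window]) >= threshold
            for i, start in enumerate(renames)
        )
        if not burst:
            continue
        share_writes = [path for _, action, path in evs
                        if action == "write" and path.startswith("\\\\")]
        reason = "mass file renames with changed extension"
        if share_writes:
            reason += " followed by write to network share"
        findings.append({
            "process": proc,
            "reason": reason,
            # Assumed automated response, mirroring the scenario: cut the host
            # off the network, then hand the case to the MDR analysts.
            "action": "isolate_host_and_notify_analyst",
        })
    return findings


if __name__ == "__main__":
    new_sample = b"freshly written sample the vendor has never seen"
    print("signature scan flags new sample:", signature_scan(new_sample))
    for finding in behaviour_detect(SAMPLE_EVENTS):
        print("behaviour finding:", finding)
```

The signature check returns False for the never-seen sample, which is exactly the gap the anti-virus walk-through describes, while the behaviour rule flags the renaming process without knowing anything about its binary. The threshold and window are the tunable part: set them too low and ordinary tools such as a backup agent or a bulk file converter will be isolated, so in practice these rules are tuned per environment and the analyst notification exists precisely to review false positives.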
Where MDR is used, the business is better protected from the direct and indirect costs of the cyber-attack. Nothing will ever be 100% secure but you dramatically reduce the likelihood that the vulnerability of reactive protection is exploited.
Sharp can provide clients with an MDR solution called Total Endpoint Security.