Many antivirus software providers claim that their product will protect you from digital woes. This is only partly true, so it is important for entrepreneurs to realise that an antivirus solution alone is not sufficient to protect against, for example, ransomware or a hack.
An antivirus programme alone will not protect your company against cybercrime. "It's a bit like riding a motorbike with just protective trousers, but without a helmet and in your T-shirt," says Cas Bilstra, cybersecurity specialist at Eye Security. He explains that traditional antivirus software is very good at intercepting known malware. The characteristics of known viruses and other malware are kept in a database and the antivirus programme can recognise any software that meets one of these characteristics. "Then the programme will send a notification that malware has been detected. However, this is not enough, we know from experience."
Static versus dynamic
Viruses and malware are no longer the biggest threats to organisations. Cybercriminals have improved and expanded their attack tactics and methods in recent years. "That's why having only a traditional antivirus solution is not enough to fully protect your network nowadays," says Bilstra. "Antivirus software works in a static way and can only compare against a malware database. Antivirus programs are not able to detect deviations in behaviour and patterns on the network. Commands that are normal in one situation indicate a hacker in other situations. This distinction is difficult for an antivirus programme to make." And therein lies the crux according to the cybersecurity specialist. "The time between the entrance of a hacker into your systems and any consequential damage is crucial to be able to limit the impact of a cyber incident. An antivirus solution only notifies you the moment that impact is noticed, or in other words, when the hacker rolls out the ransomware. By then you are too late. It's all about noticing hackers before they have an impact on business operations."
Behavioural analysis on company network
Specialists have been pointing out for some time that it is no longer a question of whether an organisation will be affected by cybercrime, but when. "What matters is that you manage to minimise the impact of an attack," Bilstra explains. "That means that you have to realise at a very early stage that there are things happening on your network that shouldn't be there. An EDR solution helps detect and investigate suspicious activity on endpoints such as laptops and servers. In addition, it makes it possible to actively react and intervene in the event of malware or cyber attacks. An EDR can analyse the behaviour of computers on the network. It distinguishes itself from an antivirus solution that only looks at one local machine. If an EDR solution detects a deviation from the regular pattern, an alarm is immediately sent out so that specialists can intervene and ensure that any compromise does not cause any damage. So it is possible that you will not experience any negative consequences, despite a hack."
Detection and response
Besides behavioural analysis there are a number of other important differences between antivirus and EDR. "For example, an EDR contains protection against uninstallation," Bilstra explains. "That means that if a hacker is on your system and wants to sabotage the EDR, the software automatically reports that something suspicious is going on. This allows you to quickly find out that an intruder is on your network." Another advantage of EDR over antivirus is that telemetry is collected in a central location. "By that we mean programs that are run or installed, files that are viewed, websites that are looked up, commands that are executed on the system et cetera." An antivirus programme runs locally and so cannot compare information with other systems, as an EDR can. "It is therefore better equipped to detect deviations faster, based on all the information and data that is continuously collected. For example, when an export is made of the passwords stored on the computer. Or when abnormal commands are executed on a number of computers simultaneously or shortly after each other. Finally, such a system contains a response capability, as the name suggests. This means that via an EDR solution, systems in the network can immediately be isolated when suspicious behaviour is detected. In this way, it prevents a potential attacker from penetrating deeper into the network."
Clarifying complex notifications
Ideally, an EDR solution would make perfect choices autonomously. In practice this is almost impossible: programs that are often used by hackers can also have legitimate use cases, and the same applies to the commands that are executed. Criminals also often use software built for legitimate purposes (such as remote management software) to maintain access to compromised systems. That is why, as an organisation, you need a cybersecurity partner who is able to interpret the alerts from EDR solutions and determine whether abnormal behaviour or risky software originates from legitimate activity or not. Interpreting alerts from security systems is specialist work that not every IT department has the right people for. "That's why it's so important to work with specialists who can do this and who are also available 24/7. Not only are people better at assessing whether certain behavioural anomalies are legitimate or malicious than computers, they can also intervene more efficiently the moment an intruder is actually on your systems." And that is where the greatest opportunity to limit the impact of an attack lies. "The quicker you detect an attack, the quicker you can get rid of hackers and minimise the impact on business operations."
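To make the two preceding points concrete, here is an added illustration (not Eye Security's code or any vendor's detection content) of what an EDR backend can do with centrally collected process telemetry that a per-machine antivirus cannot: a single-event rule for a credential export, a cross-host rule for the same command appearing on several computers within a short window, and a context rule that only flags a remote-management tool where it is not on an approved list and then routes it to an analyst instead of isolating the host automatically. The host names, the allow-lists, the baseline set and all sample events are constructed for the example; the command-line patterns are widely documented credential-access and shadow-copy-deletion commands.

```python
"""Toy EDR-style correlation over fleet process telemetry.

Added illustration for this article; not Eye Security's code. Hosts, users,
allow-lists, the baseline set and SAMPLE_EVENTS below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime      # process start time as reported by the endpoint agent
    host: str
    user: str
    image: str        # executable name, lower-case
    cmdline: str      # full command line


# Widely documented credential-export command lines (matched as lower-case substrings).
CREDENTIAL_EXPORT_PATTERNS = (
    "comsvcs.dll, minidump",  # rundll32 comsvcs.dll MiniDump <lsass pid> <file> full
    "reg save hklm\\sam",     # copy of the SAM hive
    "ntdsutil",               # AD database export on a domain controller
)
# Legitimate remote-management software that intruders also use to keep access.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
# Hypothetical allow-list of (host, tool) pairs the organisation really uses.
APPROVED_REMOTE_ACCESS = {("helpdesk-pc01", "anydesk.exe")}
# Hypothetical baseline of command lines seen fleet-wide every day; a real EDR
# learns this from history rather than from a static set.
BASELINE_COMMON = {"whoami", "hostname"}


def normalise(cmd: str) -> str:
    return " ".join(cmd.lower().split())


def credential_export_alerts(events):
    """Single-event rule: an export of stored credentials on one machine."""
    return [
        {"rule": "credential_export", "action": "isolate", "host": e.host, "cmdline": e.cmdline}
        for e in events
        if any(p in normalise(e.cmdline) for p in CREDENTIAL_EXPORT_PATTERNS)
    ]


def remote_tool_alerts(events):
    """Context rule: a remote-access tool is only suspicious where it is not
    approved, and even then a human decides, so the action is 'review'."""
    return [
        {"rule": "unapproved_remote_tool", "action": "review", "host": e.host, "cmdline": e.cmdline}
        for e in events
        if e.image in REMOTE_ACCESS_TOOLS and (e.host, e.image) not in APPROVED_REMOTE_ACCESS
    ]


def fleet_wide_command_alerts(events, min_hosts=3, window=timedelta(minutes=10)):
    """Cross-host rule: the same command line on >= min_hosts distinct hosts
    within `window`. A local antivirus has no view of this at all."""
    by_cmd = defaultdict(list)
    for e in events:
        cmd = normalise(e.cmdline)
        if cmd not in BASELINE_COMMON:
            by_cmd[cmd].append(e)
    alerts = []
    for cmd, evs in by_cmd.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:  # slide the window forward
                start += 1
            hosts = {x.host for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "fleet_wide_command", "action": "isolate",
                               "hosts": sorted(hosts), "cmdline": ev.cmdline})
                break  # one alert per command line
    return alerts


def run_all(events):
    return credential_export_alerts(events) + remote_tool_alerts(events) + fleet_wide_command_alerts(events)


def hosts_to_isolate(alerts):
    """Response step: hosts named in high-confidence alerts get cut off from the network."""
    hosts = set()
    for a in alerts:
        if a["action"] == "isolate":
            hosts.update(a["hosts"] if "hosts" in a else [a["host"]])
    return hosts


T0 = datetime(2023, 5, 10, 9, 0)  # constructed timestamps


def at(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = [  # constructed telemetry from several endpoints
    Event(at(0), "ws-07", "alice", "excel.exe", "excel.exe budget.xlsx"),
    Event(at(1), "helpdesk-pc01", "bob", "anydesk.exe", "anydesk.exe"),      # approved
    Event(at(2), "ws-12", "carol", "anydesk.exe", "anydesk.exe"),            # not approved
    Event(at(5), "ws-12", "carol", "rundll32.exe",
          "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 652 C:\\temp\\l.dmp full"),
    *[Event(at(3 + i), h, "svc", "whoami.exe", "whoami") for i, h in enumerate(["ws-01", "ws-02", "ws-03", "ws-04"])],
    Event(at(10), "ws-03", "svc", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event(at(11), "ws-05", "svc", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event(at(12), "ws-09", "svc", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event(at(40), "ws-21", "svc", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),  # outside window
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
    print("isolate:", sorted(hosts_to_isolate(SAMPLE_EVENTS and run_all(SAMPLE_EVENTS))))
```

Run as-is it reports the credential export on ws-12, the unapproved AnyDesk on ws-12 for analyst review, and the shadow-copy deletion seen on ws-03, ws-05 and ws-09 within ten minutes; only the two "isolate" rules feed the response step, which is the split between automatic containment and human judgement the article describes.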
Rapid detection is crucial
Assessing security alerts is complex because it requires contextual expertise in cybersecurity. "This requires knowledge and experience. We see that many system administrators, but also companies' IT partners, are mainly generalists with broad IT knowledge. To outwit cybercriminals, it is necessary to have very specialised security knowledge." Bilstra explains that the EDR solution Eye implements at customers ensures that cybersecurity specialists have relevant information about the customer's network and what is happening on it at all times. "This allows us to detect and assess anomalies quickly. When an attack actually occurs, we can use this information to act immediately and drastically reduce the impact. The first four hours of an attack are crucial. When we have the right tools and information at our disposal, we can quickly repel attacks before they have any impact on the business."
Antivirus alone is insufficient
Bilstra gives an example of a European technology company that was using an antivirus solution from a reputable vendor. "This turned out to generate various reports, including, incidentally, false reports. Because of these many false alerts, an antivirus product is often not allowed to intervene on its own and no one pays attention to the alerts that come out. This allowed the attackers to go ahead and spread ransomware on the company network. At that moment we were asked to help, but by then the damage had already been done and we had yet to start collecting information to determine what had happened and which systems were affected. In the end, this company had to pay millions to rebuild its systems and the company was down for a week." The cybersecurity specialist reiterates: "It is almost impossible to ensure that attackers do not get into your systems. Only by noticing them when they are inside, but before they do damage can you take targeted action to prevent impact. You'll not succeed in this with just an antivirus solution."