Introduction
With the sharp increase in cyber attacks in recent years, and particularly in recent months due to the health crisis, terminals (endpoints) have become prime targets for attackers because they are an ideal entry point into corporate networks.
A terminal, or endpoint, is a computing device that communicates with the network it is connected to. The most common endpoints are desktop computers, laptops, smartphones and tablets, as well as servers and IoT devices.
The protection of all terminals is therefore more critical than ever within companies and many new solutions (Next-Gen AV, EDR, XDR, etc.) are now available to fully protect them.
Source: kaspersky.org
The limits of traditional antivirus
A traditional antivirus relies on signature analysis of files: it compares the signature of a file with those in its database in order to determine whether the file is malicious. Signature analysis is supplemented by heuristic analysis, which lets the antivirus try to interpret the behavior of a file and the actions it performs.
Computer attacks have evolved to the point that more than a third of the attacks recorded in 2019 were “fileless”, that is, attacks that do not involve installing a malicious program on the targeted terminal but simply divert a legitimate program.
According to Symantec, between the first half of 2017 and the first half of 2018, malicious use of PowerShell increased by 661%. This type of attack has become so popular mainly because it bypasses terminals protected only by a traditional antivirus: an antivirus scan is triggered when a new file is written to disk.
These attacks, however, require no installation of software or files and only exploit legitimate applications, which is why they trigger no scan from a traditional antivirus. Added to this are the difficulties antivirus vendors face in producing new signatures for the ever-increasing number of new strains. Every day, the AV-TEST Institute registers more than 350,000 new malicious programs and potentially unwanted applications (PUAs). Indeed, before a signature can be created, the threat must be recognized, analyzed and then transmitted to all antivirus vendors so it can be added to their databases.
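The two detection models described above, put side by side on the same constructed telemetry. This is an added example, not code from the original article or from any antivirus product: the "signature database" is a single SHA-256 of a made-up file, the event records and the file paths are constructed, and the behavioral rule (an Office application spawning PowerShell with obfuscation flags) is one illustrative rule, not a vendor's detection logic. The point it makes is that the hash lookup only ever sees the file write, so the PowerShell launch, which writes nothing to disk, is invisible to it.

```python
import hashlib

# Constructed "signature database": SHA-256 of a made-up malicious file -> detection name.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-malicious-dropper-v1").hexdigest(): "Dropper.Constructed.A",
}

# Constructed endpoint telemetry for one host: one file write and two PowerShell launches.
# The first PowerShell launch is the "fileless" case: it drops nothing on disk.
EVENTS = [
    {"type": "file_write", "path": r"C:\Users\alice\Downloads\invoice.exe",
     "content": b"constructed-malicious-dropper-v1"},
    {"type": "process_start", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA..."},
    {"type": "process_start", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def signature_scan(events):
    """Traditional AV model: a scan is triggered only by a file write, and only a hash
    present in the database produces an alert. Process launches are never looked at."""
    alerts = []
    for ev in events:
        if ev["type"] != "file_write":
            continue
        digest = hashlib.sha256(ev["content"]).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            alerts.append((ev["path"], KNOWN_BAD_SHA256[digest]))
    return alerts


def behavioral_scan(events):
    """NGAV-style behavioral rule (illustrative, assumed): flag PowerShell when it is
    launched by an Office application together with flags commonly used to hide or
    obfuscate a command. No file content is needed, so a fileless launch is caught."""
    office_parents = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
    suspicious_flags = ("-enc", "-encodedcommand", "-w hidden", "-nop")
    alerts = []
    for ev in events:
        if ev["type"] != "process_start" or ev["image"].lower() != "powershell.exe":
            continue
        cmd = ev["cmdline"].lower()
        flags = [f for f in suspicious_flags if f in cmd]
        if ev["parent"].lower() in office_parents and flags:
            alerts.append((ev["parent"], ev["image"], flags))
    return alerts


if __name__ == "__main__":
    print("signature alerts :", signature_scan(EVENTS))   # the dropped file only
    print("behavioral alerts:", behavioral_scan(EVENTS))  # the fileless PowerShell launch
```

Run as a script, the signature scan reports the dropped file and nothing else, while the behavioral rule reports the Word-spawned PowerShell and ignores the legitimate backup script launched from Explorer. A real NGAV would use far richer features than one parent/flag rule, but the asymmetry shown here is exactly why the article says fileless attacks go unnoticed by signature-only protection.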
Traditional antivirus also lacks a capability that is crucial in the analysis and handling of security incidents: correlation. Attacks are analyzed locally, item by item, rather than globally, so tracing an attack back to its origin takes analysts far too long. Moreover, the analyses and alerts produced by the antivirus carry no context, which makes it hard to trace the source of an incident, identify its cause and react quickly enough.
Take the example of an infection by a malicious program whose signature is present in the databases. The antivirus scan is triggered only once the malicious file is already on the PC; the antivirus makes no connection between the events preceding or following the appearance of this file, so determining the origin of the attack, as well as its impact, is difficult without analyzing all the logs of the workstation concerned. Moreover, if the attack turns out to be widespread, each workstation must be investigated individually, since the antivirus provides no correlation between the various infected workstations.
Traditional antivirus therefore seems, at first glance, to have become completely obsolete as the sole endpoint protection system. It nonetheless retains some usefulness, since it is not uncommon to see malicious programs or flaws dating back several years still in use. It still provides a first line of defense on terminals but remains insufficient to protect against new types of attacks.
New Detection Solutions
As seen above, conventional antivirus software is no longer sufficient to guarantee effective protection against today’s computer threats. What solutions are available to companies to effectively secure the terminals in their information system (IS)?
Next Generation Antivirus
Next-Generation Antivirus (NGAV), intended to replace traditional antivirus, is based on a totally different approach. In addition to integrating the same functionality as a traditional antivirus, NGAVs detect and block threats proactively, even before they are executed on the targeted terminal. They must also be easy to deploy across a large fleet of machines, consume few resources and protect terminals that are not connected to the Internet.
One of the major developments in this technology is the addition of Machine Learning algorithms, which can detect any suspicious activity before it is executed. Based on the user’s usual behavior as well as several TTP (Tactics, Techniques and Procedures) databases, these algorithms are able to detect malicious or unusual behavior and act accordingly. Because they no longer rely solely on file signatures, these antiviruses are able to detect so-called “fileless” attacks through behavioral analysis of legitimate programs (PowerShell, Windows RDP, etc.), as well as all variants of already-known malware.
Furthermore, the protection offered by these antiviruses works both online and offline, since, unlike a classic antivirus, no Internet connection is needed to update a threat database. In addition, the Machine Learning algorithms adapt to the behavior of each terminal and so offer protection tailored to each one. This improvement makes it possible to overcome the inertia caused by the time it takes to add a malicious signature to the database of a classic AV, to offer effective protection for all agents installed offline, and finally to automate all application whitelisting and blacklisting actions.
However, despite all these new features, it would be utopian to think that a Next-Generation Antivirus can block 100% of threats automatically and without human intervention. This is why an NGAV is generally not used alone to provide endpoint security. Moreover, the NGAV does not solve one of the problems of its predecessors, namely offering an overview of the threats common to several terminals.
Endpoint Detection and Response
Endpoint Detection and Response (EDR) solutions have become, in less than ten years, the flagship products of many security software vendors. These solutions, often combined with an NGAV, allow in-depth analysis of threats on endpoints.
Unlike antiviruses, EDRs make it easier for analysts to investigate: they provide the context of an attack, in particular through the enrichment of events (chronology of events, business context such as department, user, location, process executed, etc.). In addition, EDRs centralize all information relating to threats taking place across the perimeter. This centralization makes it possible to correlate events relating to all the terminals in the fleet.
The EDR is therefore more in line with a Threat Hunting approach, often embedding an NGAV within it. It allows you to investigate more finely all the threats that have not been removed and/or detected by the antivirus. In addition to these Threat Hunting capabilities, the EDR makes it possible to act remotely and directly on the terminals concerned: blocking a process, investigating (capture of volatile memory, search for IOCs, etc.) or isolating them from the information system if the threat requires it.
According to several security software vendors, the most effective solution for protecting endpoints is to combine an NGAV and an EDR. The NGAV handles the preventive part by eliminating as many threats as possible. The EDR gives analysts advanced investigative capabilities on terminals, providing visibility into one of the weakest links in a company and the gateway for many attacks.
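The correlation and enrichment capabilities described above (and the lack of them in the antivirus scenario earlier, where each workstation had to be investigated on its own) can be shown on a small set of centralized telemetry. This is an added example, not code from the original article or from any EDR product: the host names, users, PIDs, file hash and destination address are all constructed, and the three functions stand in for what an EDR console does when an analyst pivots on an alert. Starting from a file-hash alert, it walks the process tree back to the origin of the infection; starting from a network indicator, it finds every host that contacted the same destination and shows each host's chain of processes.

```python
# Constructed EDR telemetry from two hosts, already enriched with host, user and timestamp.
# Process records carry pid/ppid; file and network records carry the pid that produced them.
TELEMETRY = [
    {"ts": 1,  "host": "WS-01", "user": "alice", "type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"ts": 2,  "host": "WS-01", "user": "alice", "type": "process", "pid": 200, "ppid": 100, "image": "outlook.exe"},
    {"ts": 3,  "host": "WS-01", "user": "alice", "type": "process", "pid": 300, "ppid": 200, "image": "winword.exe"},
    {"ts": 4,  "host": "WS-01", "user": "alice", "type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"ts": 5,  "host": "WS-01", "user": "alice", "type": "network", "pid": 400, "dest": "203.0.113.10:443"},
    {"ts": 6,  "host": "WS-01", "user": "alice", "type": "file",    "pid": 400,
     "path": r"C:\Users\alice\AppData\Local\Temp\upd.exe", "sha256": "constructed-hash-1"},
    {"ts": 7,  "host": "WS-02", "user": "bob",   "type": "process", "pid": 500, "ppid": 1,   "image": "explorer.exe"},
    {"ts": 8,  "host": "WS-02", "user": "bob",   "type": "process", "pid": 600, "ppid": 500, "image": "winword.exe"},
    {"ts": 9,  "host": "WS-02", "user": "bob",   "type": "process", "pid": 700, "ppid": 600, "image": "powershell.exe"},
    {"ts": 10, "host": "WS-02", "user": "bob",   "type": "network", "pid": 700, "dest": "203.0.113.10:443"},
]


def build_process_index(events):
    """Index process records by (host, pid) so parent lookups are O(1)."""
    return {(ev["host"], ev["pid"]): ev for ev in events if ev["type"] == "process"}


def trace_origin(events, host, pid):
    """Walk the parent chain from a process back to its root on the same host.
    This is the 'how did this start?' question that a per-file scan cannot answer."""
    index = build_process_index(events)
    chain = []
    key = (host, pid)
    while key in index:
        ev = index[key]
        chain.append(ev["image"])
        key = (host, ev["ppid"])
    return list(reversed(chain))


def find_file_origin(events, sha256):
    """Given a file-hash alert (the only thing a signature AV would raise), return the
    host and the full chain of processes that led to that file being written."""
    for ev in events:
        if ev["type"] == "file" and ev["sha256"] == sha256:
            return ev["host"], trace_origin(events, ev["host"], ev["pid"])
    return None


def pivot_on_ioc(events, dest):
    """Cross-host correlation: every host that contacted the given destination, each
    with the process chain responsible, from one centralized query instead of a
    workstation-by-workstation log review."""
    hits = {}
    for ev in events:
        if ev["type"] == "network" and ev["dest"] == dest:
            hits[ev["host"]] = trace_origin(events, ev["host"], ev["pid"])
    return hits


if __name__ == "__main__":
    print("file origin :", find_file_origin(TELEMETRY, "constructed-hash-1"))
    print("IOC pivot   :", pivot_on_ioc(TELEMETRY, "203.0.113.10:443"))
```

The file-hash alert on WS-01 resolves to an Outlook attachment opened in Word that spawned PowerShell, and the network pivot reveals that WS-02 ran the same Word-to-PowerShell chain to the same destination even though no file was ever dropped there. That second host is exactly the one a traditional antivirus would have missed and that an analyst without centralized telemetry would only find by reviewing its logs by hand.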
Conclusion
Computer attacks, ever more numerous and ever more sophisticated, demand growing attention from anyone wishing to protect their information system. Antiviruses seem at first glance to have become obsolete, since they only allow the detection of known threats present in the vendor’s database. Moreover, they provide no context as to the origin of an infection, nor do they make analysts’ investigations any easier.
This observation gave rise to several new solutions, such as NGAVs and EDRs, to detect new and so-called “fileless” threats. These solutions also provide a wealth of information that makes it easier for analysts to remove threats completely. However, EDR and NGAV are not the only viable options for protecting an IS: more recently, XDR (eXtended Detection and Response) has emerged. Like a 2.0 version of EDR, XDR not only protects endpoints but draws on multiple sources (mail servers, network traffic, cloud) to perform more efficient and reliable detection.