Why You Should Consider Upgrading Your Legacy Antivirus

In our most recent post, we covered a short history lesson on antivirus. It is important to understand history, lest we be bound to repeat it. There are certain events that take place in the course of history that stand out. In the timeline of cybersecurity, the fourth generation of antivirus (AV), also known as endpoint detection and response (EDR), is one of those events.
In future posts, we will cover the effect of COVID-19 on organizations and the risks it places on their data. That being said, it is ever more critical to protect your organization’s data where it meets the human. This most often occurs at the endpoint, making your choice of AV/EDR all the more critical. You should think about the types of data that your organization uses. Is the data personally identifiable information (PII) of your customers? Is the data trade secrets about your latest product offering that is going to give your company the upper hand against competitors? Are you able to understand where that data sits and how it is used, and, most importantly, to make sure that it is protected to the fullest extent possible?
The good news is that there have been significant improvements not only in AV/EDR technologies themselves, but also in delivery and consumption options, which have dramatically changed, oftentimes removing barriers and pain points associated with Gen 1-3 AV/EDR products. First, we will cover service providers. A key question is: Does your organization provide cybersecurity as a core competency of your business? As an executive, driving value for your stakeholders (shareholders, board of directors, employees, etc.) is the priority above all else. One question that many executives need to consider is whether the business is performing functions that do not directly drive benefit to the business’s value proposition. An example of this could be going to market for a financial accounting function. Unless you are in the business of performing accounting, it makes sense to look for efficiencies and expertise in the market. This is true for the cybersecurity services function as well.
Specific to AV/EDR, there are a number of managed security service providers (MSSPs) that have significant technology delivery capability, as well as incident response expertise. Instead of the “roll your own” approach of keeping the function in-house, you have the opportunity to “buy up” by engaging with reputable MSSPs that bring not only expertise and technology, but battle-tested and hyper-focused experience. You can focus on the bottom line in your organization at the same time as you improve your cybersecurity capabilities and significantly reduce risk. An added bonus is that the MSSP will always be looking for the competitive advantage of having the latest and greatest AV/EDR platform available to its customers. This takes you out of the technology refresh procurement cycle, where you are forking over significant capital every three years just to feel protected.
You should take a hard look at your AV/EDR. If you are Gen 1-3, you have a ways to go to reduce your risk. You don’t have to go through the pain of procurement and forking over that big check. We recommend you take a “bottom line” approach by concentrating the efforts of your existing staff on inwardly focused and elevated business problems. Let the innovations of the market drive a better product and set of services to your door.

Endpoint Protection – How did we get here and why does it matter to you?

In the expansive realm of cybersecurity, you have schools of thought that will tell you that their domain is THE MOST IMPORTANT area in the vast sea of domains. The network practitioner or the application security guru will tell you that it is their area that requires the most resources and attention. To a hammer, everything looks like a nail. You will hear me say it over and over again: The absolute highest risk area in technology, no matter the context, is where technology meets the human. We all know that humans are inconsistent and able to be easily manipulated. There is a reason that Spear Phishing attacks have increased 667% since the end of February 2020. The bad guys target the most vulnerable aspects of the technology ecosystem. The human meets the keyboard at the endpoint. This is where the action happens. Protection at this critical intersection has developed rapidly over the years and can be confusing. To provide clarity, let’s take a look at how endpoint protection has evolved over the years.

“Back in the day,” endpoint protection came in the form of antivirus (AV) software (Gen 1). It was installed on each endpoint and updated regularly with “signatures” that were a representation of known viruses and malware. It didn’t take too long for the bad guys to adapt. They found that these signature definitions were easy to avoid by making small changes to the code that made up their malicious payloads. Also during this time, traditional antivirus relied on a server inside your four walls as a central repository that provided updates to the endpoints, as well as reporting on compliance. This would become obsolete as mobile and cloud computing emerged.

As attack methods and technology evolved, defenders were offered a new option for protecting their endpoints: Next-Generation Antivirus, or NGAV (Gen 2). This is the first time that machine learning (ML) and artificial intelligence (AI) make an appearance in endpoint protection. This level of protection is based on the premise that speeding up the process of recognizing viruses and malware is done by training ML and AI algorithms with all available versions and permutations of the same. In other words, you cut the cycle time between discovery, research, and inoculation. The Achilles heel of NGAV has been that the bad guys are also very sharp. They now employ ML and AI to morph their malicious code faster than the NGAV can keep up.

As the antivirus category of tools matured, it gained functionality. In the third generation (Gen 3), the features of the previous two generations were layered with detection and response capabilities. These characteristics allowed security teams to be alerted immediately when a device had a potential infection, and provided built-in tools that manually and/or automatically respond to the threat. This class of security tools became known as Endpoint Detection and Response, or EDR. These Gen 3 tools greatly reduced the risk of a malware infection by providing security responders with a set of tools that allowed for quick response and remediation. One issue still remained: the bad guys were still able to morph their malicious software faster than Gen 3 AV/EDR could identify and respond. Ultimately, Gen 3 AV/EDR was still looking for the bad-software needle in the haystack of a device’s operating system.

A new set of AV/EDR products has come to the forefront within the last year. We call them Gen 4, even though they haven’t been officially anointed as such (we are looking at you, Gartner). Gen 4 takes a radically different approach to how it solves the problem of detecting and eradicating malicious software. Instead of attempting to identify and recognize known malicious programs, Gen 4 AV/EDR is coded in a manner that uses the operating system as its known point of reference. Since operating system processes are mapped and known, all other processes, files, and programs are treated as suspicious by the Gen 4 AV/EDR. This evolution in AV/EDR has led to a more effective and responsive means to protect data where it is most vulnerable. From a performance perspective, Gen 4 AV/EDR is light years ahead of its previous generational siblings. With low computing resource overhead and a minuscule footprint, the impact of cutting-edge protection has never been so considerable.

Why does it matter to you? With the rapid changes in the AV/EDR space, it is easy to get lulled into a comfort zone with your current AV/EDR solution. The companies that make Gen 4 AV/EDR are being quite aggressive when it comes to distribution and gaining market share. They want to get as much spread as possible in the near term. MSSPs are adopting Gen 4 at a rapid pace also, making it available to potential customers as a service at highly competitive costs. With the technological developments and subsequent aggressive pricing, it is incumbent upon you to take a look at this new technology and significantly reduce your overall risk.

BAMCIS Insight Quick Hit: EDR Defined

by David Malicoat, CEO and Founder

What is EDR? Why are cybersecurity companies talking about it every chance they get? What does this have to do with me? These are a few of the questions I will answer in this quick hit blog post.
EDR is defined as Endpoint Detection and Response. Quickly, a bit of history. “Back in the day” there was antivirus software that depended on defined signatures to recognize computer viruses and malware. Basically, a signature is like a fingerprint of the malicious computer code. The bad guys quickly figured out that they could defeat signature-based security tools by changing their code ever so slightly without changing its function. This gets them past the signature-based antivirus tools and gives them the ability to wreak havoc on your company’s computers. Not good.
In 2013, a Gartner analyst by the name of Anton Chuvakin coined the term endpoint detection and response. He was speaking of a set of tools that could use basic machine learning and behavior analysis to track system events and identify anomalies. The focus of these tools was not only the ability to detect malware that evades traditional antivirus tools; the tools also have a response capability built in. This response capability can be manual human intervention or automatic. The EDR tool can be programmed to take specific actions when it identifies potentially malicious behavior, such as quarantining a malicious file or blocking network access to a malicious process. Even further, EDR can prevent the spread of malicious code. Once it is identified and blocked on one endpoint, the EDR tool communicates with its central console, updating all other endpoints in the ecosystem with the details of the malicious code.
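The three detection ideas that run through these posts (a Gen 1 hash signature that a one-byte change defeats, the Gen 4 approach of treating the operating system's known processes as the reference point, and the EDR response that quarantines a file and pushes the indicator through the central console to every other endpoint) can be shown side by side in a small model. The following Python is an added example, not code from the BAMCIS posts or from any AV/EDR product; the process names, the payload bytes, the "known OS process" set and the event log are all constructed for illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Hypothetical reference set of operating system processes. In the Gen 4
# model described above these are the known point of reference; anything
# outside the set is treated as suspicious (constructed, not a real list).
KNOWN_OS_PROCESSES = {"explorer.exe", "svchost.exe", "winword.exe", "outlook.exe"}

# Constructed payload bytes. The "mutated" variant differs by a single byte,
# which is the trick the post describes for slipping past a signature.
ORIGINAL_PAYLOAD = b"MZ\x90\x00CONSTRUCTED-MALICIOUS-STUB-v1"
MUTATED_PAYLOAD = ORIGINAL_PAYLOAD.replace(b"v1", b"v2")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Gen 1 style signature database: fingerprints of payloads seen before.
SIGNATURE_DB = {sha256_hex(ORIGINAL_PAYLOAD)}


@dataclass
class ProcessEvent:
    endpoint: str   # machine that reported the event
    process: str    # executable that started
    parent: str     # executable that launched it
    image: bytes    # contents of the executable (constructed)


class Console:
    """Central EDR console that fans indicators out to every endpoint."""

    def __init__(self) -> None:
        self.blocked_hashes: set[str] = set()

    def publish(self, digest: str) -> None:
        self.blocked_hashes.add(digest)


def matches_signature(ev: ProcessEvent, console: Console) -> bool:
    # Static fingerprint check: local signature DB plus anything the
    # console has already pushed out from another endpoint.
    digest = sha256_hex(ev.image)
    return digest in SIGNATURE_DB or digest in console.blocked_hashes


def is_unknown_process(ev: ProcessEvent) -> bool:
    # Gen 4 reference-point check: not an OS process means suspicious.
    return ev.process not in KNOWN_OS_PROCESSES


def office_spawned_unknown(ev: ProcessEvent) -> bool:
    # Behaviour rule: a document application launching something outside
    # the known set is anomalous regardless of the file's hash.
    return ev.parent in {"winword.exe", "outlook.exe"} and is_unknown_process(ev)


def evaluate(ev: ProcessEvent, console: Console) -> dict:
    verdict = {
        "endpoint": ev.endpoint,
        "process": ev.process,
        "signature": matches_signature(ev, console),
        "unknown_process": is_unknown_process(ev),
        "behaviour": office_spawned_unknown(ev),
        "action": None,
    }
    if verdict["signature"] or verdict["behaviour"]:
        verdict["action"] = "quarantine"
        # Response: block here and tell the console, so the other endpoints
        # recognise the same file before they have to analyse it themselves.
        console.publish(sha256_hex(ev.image))
    elif verdict["unknown_process"]:
        verdict["action"] = "alert"   # suspicious but not yet blocked
    return verdict


# Constructed event log: the mutated payload lands on two endpoints.
EVENTS = [
    ProcessEvent("pc-01", "svchost.exe", "services.exe", b"constructed-os-image"),
    ProcessEvent("pc-01", "invoice.exe", "winword.exe", ORIGINAL_PAYLOAD),
    ProcessEvent("pc-02", "invoice.exe", "winword.exe", MUTATED_PAYLOAD),
    ProcessEvent("pc-03", "invoice.exe", "explorer.exe", MUTATED_PAYLOAD),
    ProcessEvent("pc-04", "notepad2.exe", "explorer.exe", b"constructed-third-party-app"),
]


def run(events: list[ProcessEvent] = EVENTS) -> list[dict]:
    console = Console()
    return [evaluate(ev, console) for ev in events]


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

Walking the event log: the original payload on pc-01 is caught by both the signature and the behaviour rule. The mutated copy on pc-02 has a different hash, so the signature check misses it (the Gen 1 weakness), but the behaviour rule still quarantines it and publishes the new hash. When the same mutated file then appears on pc-03 launched from explorer.exe, the behaviour rule does not fire, yet the console-distributed hash now blocks it, which is the spread-prevention the post describes. The third-party application on pc-04 only raises an alert under the reference-point rule, showing why that rule is a suspicion marker rather than a block on its own.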
EDR is important to you as a business leader because it provides the most robust protection of your data assets that is available today. You may think that it is expensive, since it is the best available, but that is not necessarily the case. There are service providers that can furnish these centrally managed tools and can put together a highly affordable package of full-service EDR deployment and management for daily pocket change per device. You don’t have to add headcount or take on the training and effort required to deploy a new tool. Finally, with remote work here to stay, EDR steps up the protection of your data assets that are not centralized in an office. Most service providers deploy their EDR solutions in the cloud, giving them the ability to manage and respond to any issues regardless of the location of the endpoint.

Where Do Risk Frameworks Fit Into the Cyber Resiliency Framework?

By David Malicoat, CEO and Founder, BAMCIS Cybersecurity

I recently wrote a white paper on cyber resiliency, titled Solving Cybersecurity’s Achilles’ Heel, A Cyber Resilience Framework for Technology. You can find it here: https://bamciscyber.com/cybersecurity-white-paper. In the paper, I cover a new mental model for weaving resiliency into the cybersecurity ecosystem. When I came up with the Cyber Resilience Framework (CRF), I admonished myself for creating yet another framework related to the cybersecurity community. There are plenty out there and it quickly becomes an alphabet soup. Then I trended back the other direction. Cyber Resilience represents a distinctly different thought process and encompasses much more than the scope of the standard cybersecurity frameworks. You may be thinking that most standardized cybersecurity frameworks already address resiliency. I agree. They do. Unfortunately, the frameworks themselves tend to stay buried in the cybersecurity function as a tactical tool. They do not natively enable broader engagement with the business.
The CRF is a wide-ranging framework that interfaces with Enterprise Risk Management (ERM), exerting its influence through Cybersecurity Risk Management (CRM). It includes governance, architecture and solutions, all the way through operations. It is intended to advance the concepts of resilience throughout the organization, particularly the technology function. The CRF is based on four foundational pillars:

1. Design components and systems to be difficult to attack
2. Minimize the impact when the attack comes
3. Allocate resources proportional to the importance of the assets being secured
4. Continuously deliver critical capabilities to the business

This post is not meant to be a criticism of standardized cybersecurity frameworks. I believe them to be invaluable and responsible for a heightened maturity level of cybersecurity practice wherever they are adopted. Further, virtually all of them contain components that guide practitioners to a more resilient stature. Overall, standardized cybersecurity frameworks such as the NIST CSF, ISO 27002, COBIT, HITRUST, and others are a good place to start for organizations that are finding their footing when it comes to cyber risk. These frameworks provide solid guidance and address the 80/20 rule for most organizations. I believe cybersecurity professionals need to understand the intricacies of the businesses they serve to fully anticipate potential risk scenarios. By design, standardized frameworks are generalized and therefore do not address this need.
Using the NIST CSF, let’s look at some examples of cyber resiliency reinforcing principles. I am declining to cover the obvious examples that are the functions of “Respond” and “Recover.” These functions contain the vast majority of the traditional concepts related to Business Continuity (BC) and Disaster Recovery (DR), which have long been associated with resiliency. I will note that the use of automation in the Respond and Recover functions will provide you a decided advantage when addressing the four foundational pillars. Let’s discuss two examples of cyber resilience contained elsewhere in the NIST CSF.

Example 1.
Function: Identify
Category: Asset Management
Sub-Category: ID.AM-5 – Resources (e.g., hardware devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value.
This concept reinforces CRF Foundational Pillar #3. Not all data systems are created equal. If your business holds customer data, payment card data, or research and development outcomes of your organization’s next product, the security controls applied to these systems and their corresponding network architecture need to be the most robust you can muster. On the other hand, if you are holding public website data or queued social media posts, your security controls and level of effort should be dialed down according to the lowered criticality of the data. This concept also means that you need to know where your data sits and its level of criticality. Utilizing this sliding scale of protection vs. criticality allows you to focus your security budget, avoiding the costly “one size fits all” approach.

Example 2.
Function: Detect
Category: Security Continuous Monitoring
Sub-Category: DE.CM 1-8 (All)
The concept addressed by this category is simple: if you don’t perform monitoring on all your devices (network, server, endpoint), you are running blind. It is extremely difficult to respond to an event that you had no idea ever took place. In the not-too-distant past, this meant blowing your security budget on expensive tools and high-priced talent to run them. This is no longer the case. There are developments in security tools that give them multi-tenant capabilities, and an entire ecosystem of service providers is embracing these developments. You have the ability to go to market to seek monitoring services that are highly cost effective with a high level of customer service.

Cybersecurity frameworks are important and can be critical to your success. But you have more to do. You must reach into your organization and understand how it operates. This understanding allows you to prioritize your risk response and focus your budget accordingly. Don’t fear reaching outside the norm to explore services that support your cyber resilient posture.
