August 30, 2017

Why antivirus is the walking dead

Davitt PotterBy Davitt Potter
Sr. Engineering Manager, Cybersecurity
Arrow Enterprise Computing Solutions

 

In a previous article, we discussed how traditional antivirus is dying…

…I’d say that’s still true. It’s time to look at new endpoint detection methods – specifically, new methods like “next-gen” AV and EDR/IR. Uh oh, more acronyms! EDR/IR means “endpoint detection and remediation/incident response.” It’s the next step after a system is compromised, breached or “pawned,” as it were.

Why is this important?

More advanced attacks mean better skills and harder to remediate issues. Traditional AV lets you know you’re infected. Like a zombie, it’s a little late after you’ve been bitten. We want to see it coming. If you DO get an infected machine, though, we want to study it and see how it behaved. How did it beat us? How did it slip past? Today’s EDR/IR is useful in that capacity, giving the ability for forensic techs and analysts to have copies of unknown malware, potential destructive information, or plain old “weirdness,” and to be able to either “snapshot” a machine, or capture information for legal hold, reverse engineering and potential tracking of an attack.

Further, EDR allows for capture of disk information, memory information and network information before, during and after compromise. This allows for sharing with vendors, forensics experts and the greater internet community (quite a lot of Open Source information exists for security!).

Do you always need a full EDR/IR suite?

No. In many cases, having a modern behavior-aware endpoint—“next-gen,” or however you want to refer to it—is the first solid line of defense. If an IoC (indicator of compromise) is found, the SOC teams can then bring in the full EDR/IR teams. Think of it as having lots of people with their eyes peeled, and then calling for backup if they’re attacked.

Newer EDR/IR software can do both; however, it can sit resident, waiting and watching, defending from day to day “bad things,” acting as a standard advanced malware defense, and then, if called upon, can be leveraged as a full EDR/IR suite. There are direct integrations with newer firewalls, security analytics toolsets and network capture suites as well. With these tools, advanced response workflows can be created, eliminating the guesswork and panic that comes with an incident. We’re rapidly approaching the point where workflows become highly automated, only asking for human intervention in outlier or unique cases, or where critical assets are involved (not a good idea to nuke and reimage your primary domain controller…).

Hear Davitt Potter explain it to you himself!

The reality is that traditional AV, like a shambling zombie, is easy pickin’ for an attacker with anything sharper than a baseball bat. Having advanced detection and response technologies—with human oversight—is how we keep the infected hordes out of our sanctuaries.

Ask Davitt Potter at Arrow about Next Generation AV, EDR/IR, security analytics and advanced SOC design.