Imagine you’re in charge of the physical security of a large office building. Your job is to keep bad people out. Excited about your duties, you enact a variety of security measures.
- You develop ID badges for employees and a vetting process for guest admittance that includes another employee authorizing access, a digital sign-in process, and a database with the guest’s picture, information, and reason for visiting.
- You create security checkpoints at all entryways where people must show their badge, go through a metal detector, and sign in as a visitor if they are a guest.
- You install gates around your office’s parking lot, with a security person at each gate monitoring people going in and out. They must have an ID or guest permission to access the parking lot.
- You install security cameras, put exterior lights in place, and hire security guards to watch for people entering your building in an unauthorized manner.
For a long time, you’re feeling great. You’ve got excellent security in place vetting each person that goes in and out.
Yet, one day you fail. Bad people get inside. In fact, an investigation uncovers that bad people have been inside your organization for many months. During that time, they stole company information that cost your company millions of dollars.
How did this happen? After all, you were doing all the right things. Right?
By Focusing on the Outside, You Failed to Detect Threats from the Inside
Your biggest physical security blind spot was an inability to detect bad people who had already infiltrated your office building. You focused only on vetting people entering and exiting your building, and you assumed that anyone who followed your processes was a “good” person.
- What if a person created a fake ID badge and looked legitimate upon your inspection?
- What if an employee let in bad people, authorizing them as guests?
- What if a person lied about themselves, sounding legitimate to a security guard?
- What if a stolen badge is used to enter a parking lot gate?
- What if there is an entryway without a security checkpoint (such as a delivery area) where people are entering and exiting outside of your vetting process?
At this point, you might be asking, “What does the physical security of an office building have to do with cybersecurity tools?” It serves as a non-technical illustration of how antivirus software fails as a standalone tool in today’s cybersecurity environment and why it’s critical to use better tools that help you detect cyberattackers already lurking inside your systems.
The Failure of Antivirus Parallels Your Physical Security Failings
Antivirus software works similarly to how you were physically securing your building by:
- Examining the “definitions” of known viruses and malware that seek to enter your servers and computers. Antivirus checks the “ID badge” of programs and only lets in “employees” and “authorized guests.”
- Keeping out viruses, malware, and other unwanted programs. Once recognized as a “bad person,” the antivirus software kicks out the virus or malware.
- Scanning your servers and computers for known viruses and malware, similar to how security cameras, lights, and guards watch for bad people.
However, just as in your physical security failings above, antivirus can fail in the following scenarios:
- The virus or malware is not on the list of “bad people,” so the antivirus software thinks it’s OK.
- A cyberattacker uses antivirus-approved programs and applications for malicious purposes. For example, legitimate software such as Windows 10 or Microsoft Word could be made to do harmful things on your computer.
- A cyberattacker gets you to click on a malicious link or file, tricking you into approving a virus or malware. Because you “approved” it (like an employee letting in a guest), it gets past your antivirus software.
Let's be clear. Antivirus software is still important—just like you still need security checkpoints, gates, and cameras. But you also need a deeper strategy for detecting and expelling any threats that happen to get inside.
This is where something called “managed detection and response” and “endpoint detection and response” comes into play. Let’s define both terms and then see how you could have kept your physical security job by applying these additional principles.
What Are MDR and EDR?
These might sound like cybersecurity buzzwords and jargon to you, so let’s break these terms down. MDR and EDR are fancy terms that refer to some important security strategies.
- Managed detection and response (MDR): MDR is a strategy in which a security team proactively hunts for cyberthreats across your servers, computers, and entire IT network. It specifically looks for threats that may have already gotten inside your systems by watching for behavior and activity that looks suspicious. Once something is identified as a possible threat, the team takes action against it. When you hear about MDR, it usually describes the 24/7 work of a security team actively monitoring IT systems for threats.
- Endpoint detection and response (EDR): EDR is an MDR tool focused on a single “endpoint device”—a fancy name for a specific server or computer. For example, if a threat is found on your computer, an EDR tool can cut your computer off from your organization’s network—preventing further spread of a dangerous virus. An EDR tool can be deployed, run in an automated fashion, and raise an organization’s level of security protection at a low cost. (Also, as with MDR, a 24/7 security team monitors your endpoints for active threats.)
To use our physical security example again, you may have kept your job if:
- You had ways of noting suspicious employee behavior. For example, a supposed employee with a valid ID badge who works 9-to-5 on the seventh floor uses their badge to get into a room on the fourth floor where they stay from 4pm to midnight each day using another employee’s computer. It may be valid, but you check to make sure this employee is not doing anything wrong.
- You used anti-fraud techniques to ensure that badges, guest information, and gate codes were not being abused—better detecting fake badges and looking for anomalous guest information.
- You required that employees provide clear business reasons why a guest is invited onto the building premises. Guests were also verbally vouched for by an employee and escorted by them at all times so that they did not get free rein of the building once inside.
- You immediately deactivated stolen badges and those of employees no longer with the company.
- You gathered intelligence about how people might bypass your security checkpoints, held people accountable for weak security, and shored up any gaps when they were found.
Applying these principles to cybersecurity is the essence of MDR and EDR. For smaller organizations, EDR is an important detection technology that meaningfully raises your current level of protection. It addresses the increasingly necessary requirement of ensuring that attackers cannot remain undetected inside your systems for a long period of time, stealing information and causing damage.
Why These Advanced Cybersecurity Tools Now?
“OK,” you might say. “I understand why these tools are important. But why now? I’ve been all right so far. Isn’t antivirus good enough for my small organization? Is a cyberattacker REALLY going to enter my network, stay there for many months, and execute a sophisticated plan? C’mon. I’m too unimportant of a target.”
Actually, you are the perfect target. Consider the following statistics…
- According to IBM’s 2020 Cost of a Data Breach Report, “The average time to identify [a breach] was 207 days and the average time to contain [a breach] was 73 days, for a combined 280 days.” That’s a long time for a cyberattacker to be inside your systems.
- Accenture reports that 43% of cyberattacks target smaller organizations, “but only 14% are prepared to defend themselves.”
- According to Microsoft, “Threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets.”
Nation states may focus on more selective targets, but they still attack government agencies and businesses whose information may be of value to them. A likelier scenario for your organization is an attack rooted in a cybercrime ring that operates much like a Mafia-style business, or amateur hackers using sophisticated tools to deploy ransomware and conduct cyberattacks. They may not have selected you as a target for any personal reason. Instead, they use tools to scan organizations for security vulnerabilities. When they find a ripe target, they attack—with the goal of holding your information for ransom, finding credentials and sensitive information to sell on the black market, and sometimes simply cyber-vandalizing you for a variety of reasons.
What EDR Will Do
Specifically, EDR goes beyond antivirus software to:
- Help prevent attacks before they harm your system: By detecting malware and potential cyberattacks already inside your system, EDR can prevent an attack from taking place.
- Offer real-time protection against malware that antivirus misses: Antivirus may not spot malware because the malware matches none of its known definitions. EDR looks at the behavior of programs, identifies malicious activity as malware, and stops it in real time.
- Identify and contain incidents more quickly than traditional antivirus: It may take a while for antivirus software to update its library of malware knowledge. EDR can identify incidents more quickly because it looks for bad behavior. Then, it can contain the malware or damage from an attack. When an incident does occur, the scope of the damage will likely be much smaller and your recovery time much faster.
- Prevent attackers from moving across your network to other devices: Once inside your systems, cyberattackers can leap from computer to computer, spreading malware along the way. EDR can automatically isolate and disconnect infected devices.
- Help you more proactively analyze, plan, and act upon potential threats to your network: EDR is simply more proactive than antivirus software, which tends to be reactive. By staying on top of possible threats, analyzing anomalous behavior, and shutting down infected devices, EDR gives you more control over countering a cyberattack—instead of helplessly watching a disaster unfold.
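To make the difference between the two checks concrete, here is an added illustration (not code from VC3 or from any EDR product) that runs a definitions-list check and a behavior check side by side over a constructed process log. The process names, hash values, rules, and the 07:00–18:59 business-hours baseline are all assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    hour: int      # local hour the process started (0-23)
    parent: str    # parent process image name
    child: str     # new process image name
    sha256: str    # constructed placeholder, not a real file hash

# Antivirus "ID badge" check: it only knows what is on its definitions list.
KNOWN_BAD = {"0000bad0"}       # constructed placeholder value
# EDR behaviour rules: judge what an otherwise "approved" program is doing.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
BUSINESS_HOURS = range(7, 19)  # assumed baseline for this office: 07:00-18:59

def antivirus_verdict(ev):
    """Signature check: allow anything whose hash is not on the list."""
    return "block" if ev.sha256 in KNOWN_BAD else "allow"

def edr_findings(ev):
    """Behaviour check: return findings; an empty list means nothing suspicious."""
    findings = []
    if ev.parent in OFFICE_APPS and ev.child in SHELLS:
        findings.append("office-app-launched-shell")
    if ev.child in SHELLS and ev.hour not in BUSINESS_HOURS:
        findings.append("shell-outside-business-hours")
    return findings

def triage(events):
    """Run both checks on every event; isolate any host with a behaviour finding."""
    report = {"av_blocked": [], "edr_alerts": [], "isolate": set()}
    for ev in events:
        if antivirus_verdict(ev) == "block":
            report["av_blocked"].append(ev.child)
            continue                         # the definitions list caught it
        findings = edr_findings(ev)
        if findings:
            report["edr_alerts"].append((ev.host, ev.child, findings))
            report["isolate"].add(ev.host)   # cut the endpoint off the network
    return report

# Constructed sample log; hashes are placeholders, not real indicators.
SAMPLE_LOG = [
    ProcEvent("pc-07", 10, "explorer.exe", "winword.exe", "a1a1a1a1"),
    ProcEvent("pc-07", 10, "winword.exe", "powershell.exe", "c0c0c0c0"),  # clean hash, bad behaviour
    ProcEvent("pc-12", 14, "svchost.exe", "dropper.exe", "0000bad0"),      # on the definitions list
    ProcEvent("pc-04", 23, "explorer.exe", "cmd.exe", "c1c1c1c1"),         # shell at 23:00
    ProcEvent("pc-09", 11, "explorer.exe", "cmd.exe", "c1c1c1c1"),         # ordinary daytime use
]
```

Running `triage(SAMPLE_LOG)` blocks only dropper.exe by signature; the PowerShell launched from Word and the late-night cmd.exe pass the definitions check and are caught only by the behaviour rules, which isolate pc-07 and pc-04.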
Most cyberattacks, including ransomware attacks, over the past several years would have been avoided if the breached organization had used EDR. For a low cost (and no upfront or installation costs), you will greatly reduce the likelihood of a cyberattack surprising and devastating your organization.
VC3 is strongly encouraging EDR for all clients, and we feel this tool is important enough to embed in our managed services solutions moving forward. It’s that important. Otherwise, as cyber threats continue to evolve, you will increasingly run the risk of falling prey to a cyberattack that may escape your detection if you only use traditional security tools. Think of how you may use multi-factor authentication as part of your password policies and procedures. You’re not getting rid of traditional passwords—you’re adding an important security tool that makes your passwords even more secure.
Similarly, you’re not getting rid of antivirus and traditional security—you’re adding to it, evolving to get ahead of increasingly sophisticated cyberattackers who will only grow more dangerous during the 2020s. EDR helps you stay ahead of these attackers.
For VC3 clients, we will begin our EDR rollout on June 1. It will take several weeks to roll it out to all clients. The incorporation of this tool into your environment will occur with minimal disruption. Because this is so important, we are waiving deployment costs to get this critical update out fast. With the cybersecurity landscape so dangerous today, EDR is a critical technology to have in place as protection.
If you have any questions about this feature or want to talk about your cybersecurity needs in an ever-changing, ever-evolving environment, reach out to us through the form below.