5 Things Everyone Gets Wrong About Anti-Virus

It shouldn’t be news to anyone that cyber threats are on the increase, and the requirement to have an effective security solution has never been more pressing as advanced hacking techniques continue to proliferate in the wild.

With the market awash with vendors making bold claims and news stories making even bolder headlines, it can be hard to separate the fact from the fiction. If you’re new to endpoint security, here’s the five basic things to ensure that you get right about the options available.

1. Viruses Aren’t the Only Threat

Security threats have evolved beyond all recognition from the early days of the computer virus, but most security solutions still carry the term “anti-virus” in their name, which is really something of a misnomer in the modern threatscape.

The reality is that cyber attacks take many different forms that have nothing to do with being a virus, and they can range from the indiscriminate to the highly targeted. These include ransomware, spear-phishing, drive-by attacks and both software and hardware vulnerabilities that can lead to loss of customer and corporate data.

And don’t fall into the trap of thinking your business is too small to be targeted. Attackers are now weaponizing machine learning to produce highly-targeted campaigns, at low cost to themselves.

Also, don’t forget that threats can come from within; disgruntled employees know the weaknesses of your system better than any outsider. Good endpoint security needs to be able to detect bad behaviour no matter the point of origin.

2. Malicious Files Aren’t the Whole Story

Most people think that security software works by scanning files on the local computer and deciding whether they are malicious or not. Like the term ‘anti-virus’, that’s a bit of an old-fashioned way of thinking about it. Although there are still legacy AV programs that primarily work in that way, even they will usually offer some additional functions such as blocking malicious websites or detecting excessive use of resources typically used by ransomware and crypto-miners.

However, for truly effective protection, you should be looking at security solutions that do more than that. Today’s cyber criminals are able to leverage fileless attacks, change DNS settings to re-route your network traffic and inject code into legitimate processes. A legacy AV solution that primarily focuses on scanning for malicious files is, like last week’s soup, well past its sell-by-date.

3. Trust is a System Weak Point

As we hinted in the previous point, untrusted software is not the only danger on your endpoint. Even first-party and established software brands can be leveraged to breach your system.

While MS Office Macro attacks have a long history, Macro-less attacks such as DDE can exploit vulnerabilities that will bypass many security solutions because they appear to be coming from trusted applications. Similarly, most businesses will likely have a need for legitimate PowerShell operations, and yet PowerShell-powered attacks are becoming increasingly common. You need a security solution that’s smart enough to allow PowerShell to maintain your productivity, but also able to ensure that it can tell the difference between malicious and legitimate behaviour.

Modern malware can also run without interference on many systems running AV solutions if it is able to operate with system-level privileges, whether through a privilege escalation vulnerability or other methods of infection. This is because many AV packages take the wrong approach by granting trust by identity, rather than by behaviour. When security solutions take this kind of “whitelisting” approach, the endpoint is left vulnerable to supply chain attacks and fake certificates.

4. There’s Power in Simplicity

Security software doesn’t have to be hard to use, and you shouldn’t have to be a security expert to manage it. Unfortunately, a lot of security software gives business owners just that impression, overcomplicating things with diagnostic tools and components that require specialist training courses to master. Be sure to choose an endpoint solution that minimizes maintenance tasks, presents a clean, easy-to-understand interface and provides one-click remediation.

You want a solution that anyone in your team can quickly learn and operate. It’s important for business continuity that knowledge of your security solution is not tied to specially-trained members of staff. Who knows how long before they move on, taking their expert knowledge of your security solution with them?

5. Security is a Mindset, Not a Product

Probably the biggest thing you can get wrong about AV software is believing that it can solve all your security issues in one fell swoop. Threats come in many shapes and forms: from indiscriminate ransomware attacks to disgruntled employees. What’s your plan of action when (don’t think “if”) a breach occurs? How will you respond? Failure to have a response plan in place could mean greater damage to your customers, your data and your reputation.

This is why you need an endpoint solution that can be part of your entire response plan. A cross-platform solution like SentinelOne can provide deep visibility into even encrypted traffic across your network,  one-click remediation and rollback, and a single, holistic agent that’s simple to use.

Our Takeaway

Ignore the stereotype of sophisticated cybercriminals targeting billion-dollar businesses. Most attacks are opportunistic and target not the wealthy or famous, but the unprepared. According to a 2018 SentinelOne survey of US companies, 56 percent suffered a ransomware attack in the last year. Given that the majority of organisations will be hacked over their lifetime, it is imperative that organisations have the necessary tools to spot and stop an attack quickly and effectively.

This is why you need an endpoint solution that can be part of your entire response plan. A cross-platform solution like SentinelOne, provided by Custodian360 can provide deep visibility into even encrypted traffic across your network, one-click remediation and rollback, and a single, holistic agent that’s simple to use.

 

This blog was first posted by Migo Kedem

Gartner’s New Buzzword

Gartner have a new buzzword, Endpoint Detection and Response (EDR). We want you to find the solutions that enable you to deliver it and deliver it profitably!

EDR – is the acronym for Endpoint Detection and Response which is one of the hottest topics for 2018 in the industry. 2017 saw the real emergence of EDR but 2018 is shaping up to dwarf last year.

Industry analyst Gartner, spawned the concept in 2013 has concluded that a more proactive approach is now needed, no longer can we simply attempt to block attacks, we must provide early and effective detection to minimise dwell time and damage and quite simply, this is what EDR provides.

EDR allows service providers, resellers and IT companies to climb the value chain by adding this solution to their portfolio and providing a valuable new layer of protection to customers’ security infrastructure.

All of this is great, but it only works of your chosen EDR is rapid to deploy, easy to use and manage and most importantly, profitable.

How do you make EDR profitable?

Complexity jumps straight out as a consideration; most solutions require multiple agents, and this adds a huge overhead into your management of the solution on your customers behalf. If they are managing themselves then it’s likely they won’t have the resource need to manage to solution.

Most EDR solutions, because of the way that they work are very “noisy”, huge amounts of alerts are generated, and these then have to be sifted through by a human. As has always been the case with other ground-breaking solutions, this makes them useless because of the time it takes to get to the right alerts.

It sounds as though all we are offering here is a complex and noisy solution. Unless this becomes a tick box on a compliance form will it ever offer value to you or your customers?

It’s a simple answer, and that answer is yes. Many new players are releasing their versions of EDR but the market leader is still SentinelOne and as their MSSP Partner Custodian360 simplifies the solution even more.

Custodian360: Giving you the tools and resource to provide value

Custodian360 is the only way to obtain SentinelOne as a fully managed service.

What does this mean for you? It means you can deploy the market leading EDR solution to your customers with no need to “skill up” or recruit new staff to manage a deluge of alerts every day or setup your own SOC to manage operations. Once the single agent is deployed, your job is done and Custodian360 take over operations entirely.

There are a number of features that Custodian360 provide and some of these are critical elements in any EDR solution:

  1. Rapid Deployment – Cloud Based Console up and running in minutes.
  2. Simple – There is only one agent, not many.
  3. Ease of use – A single console shows you everything you need to know.
  4. Automated Mitigation and Remediation – No need for you to manually intervene. Our analysts do that for you and remediate threats whenever necessary ensuring downtime is kept to an absolute minimum.
  5. Compatibility – Works with all Operating Systems and can co-exist with existing AV solutions.
  6. Artificial Intelligence and Machine Learning – Enables the agent to learn to identify false positives to reduce alerts and focus is given to real and dangerous threats.
  7. Automated Reporting and Alerting – Configure once and receive your reports monthly or weekly along with notifications of all alerts if required.

But do customers even want EDR?

I don’t think we’d be exaggerating if we said that customers’ demand for EDR is about to go stratospheric.

An EDR article in eSecurity Planet describes the growth in EDR as “explosive” and they report that Gartner’s forecast “is for almost 50% annual growth for EDR at least through 2020, putting it way out in front of most areas of IT”.

From this it’s a small step to work out the market value, again, according to Gartner’s EDR Estimates of some $1.5 billion – very likely when you consider that out of some 711 million devices that can make use of EDR, only 40 million currently do!

“Alert Fatigue” is already a well used term but a recent global EDR survey found that 72% of respondents report that their teams already suffer “alert fatigue” so if you can take away that fatigue for them and provide an effective and market leading solution, you can see why they will want to buy.

The message from the market is clear: for service providers, resellers and other IT partners, EDR is a revenue boost waiting to happen.

Just make sure you choose to sell solutions that are actually usable!