When I started looking into buying a house, realizing how much items like furniture and appliances cost, not even counting my own belongings, really gave me pause: how can I protect all of this stuff? You usually rely on an arrangement of controls to keep thieves out: locks for doors, alarm systems to stop and alert on break-ins, and cameras to watch for suspicious activity. Interestingly, all of these types of controls are present in our computers and draw some serious parallels. In a previous article on Zero Trust, we explained how our house is locked up with preventative controls such as passwords and various other measures. However, that still leaves us with our alarm and camera system. How do these tie back to cybersecurity on our systems?
In order to dive in, we should understand two different terms: antivirus and Endpoint Detection and Response (EDR for short). Many people are familiar with antivirus in the sense of McAfee or Norton, but few are as familiar with EDR offerings or what EDR entails. Starting with antivirus, its sole purpose is to detect when a virus is running and to alert on or stop the process. By feeding our antivirus a list of programs to look for, or in some capacity a set of suspicious behaviors to monitor for, we can stop, or at the least identify, a malicious program when it executes. While many companies make bold claims that their product can stop all malware, this is not true in practice. Many products have moderate success at blocking malicious actions, but there is a reason prestigious organizations still employ an incident response team to respond to threats even though they have antivirus. In theory, it seems that antivirus is all we would need to prevent malware, so what can EDR add on top of this?
EDR has a different goal, which is to gather and report as much information as possible about what is happening on the computer. This includes items such as network connections, running processes, and login times for users. While the antivirus was only monitoring what a file was doing, the EDR agent was gathering data on how many times that program tried to reach out to the internet or whether it was making registry changes in the background. While in the traditional sense the antivirus agent is the only one taking an action, the EDR agent is invaluable in helping to get to the bottom of what actually happened. On top of this, EDR can enable a security expert to step in and perform tasks such as banning processes or isolating a computer from the network to prevent further infection. An antivirus alert alone would not give responders the information they need to identify what happened, nor the ability to eradicate an active threat.
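To make the contrast concrete, here is a small added example (not code from the original article): a signature-only antivirus check beside an EDR-style telemetry summary of the kind described above. The hashes, process names, addresses and the `triage` rule are all constructed for illustration.

```python
# Added example: signature-only antivirus vs. EDR-style telemetry correlation.
# All hashes, process names, addresses and thresholds below are constructed.
from collections import defaultdict

# Antivirus: a list of known-bad file hashes; anything not on the list passes.
KNOWN_BAD_HASHES = {"deadbeef0001"}  # constructed placeholder hash

def antivirus_verdict(file_hash):
    """Signature check: 'block' only if the hash is already on the list."""
    return "block" if file_hash in KNOWN_BAD_HASHES else "allow"

# EDR: a stream of telemetry recorded regardless of any antivirus verdict.
# Each event is (timestamp, event_type, process, detail); constructed sample.
TELEMETRY = [
    (1, "process_start", "updater.exe", "hash=cafef00d0002"),
    (2, "network",       "updater.exe", "dst=203.0.113.10:443"),
    (3, "registry_set",  "updater.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    (4, "network",       "updater.exe", "dst=203.0.113.10:443"),
    (5, "network",       "updater.exe", "dst=203.0.113.10:443"),
    (6, "login",         "explorer.exe", "user=alice"),
]

def summarize_process(events, process):
    """Answer the EDR questions: how often did this process reach the
    internet, did it touch the registry, and in what order did it all happen?"""
    counts = defaultdict(int)
    timeline = []
    for ts, etype, proc, detail in events:
        if proc == process:
            counts[etype] += 1
            timeline.append((ts, etype, detail))
    return dict(counts), timeline

def triage(events, process, net_threshold=3):
    """Hypothetical analyst rule: repeated outbound connections plus a
    persistence-style registry write earn an 'isolate_host' recommendation,
    the response action an EDR operator would take from the console."""
    counts, _ = summarize_process(events, process)
    suspicious = (counts.get("network", 0) >= net_threshold
                  and counts.get("registry_set", 0) > 0)
    return "isolate_host" if suspicious else "monitor"
```

Note that `updater.exe` passes the antivirus check because its hash is not on the list, yet the telemetry is enough to reconstruct what it did and to justify a response.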
Understanding the difference between antivirus and EDR, we can now see that our antivirus tool is more preventative in nature, while EDR is more focused on response. Therefore, when applying these tools to our virtual house, our antivirus becomes our alarm system. It may stop 50% of attackers, who get scared and run out of the house, but our most committed and advanced robbers will have studied that window alarm and be able to thwart its alarming capability, entering unnoticed. This brings us to our camera system, which would be EDR. Our cameras are on the exterior, the interior, and everywhere in between. Watching more areas than a thief can hide from, we can now see which window they entered and determine what is actually happening. Better yet, when we pair the EDR tool with an on-call team, we can be alerted while a break-in is taking place and have an operator lock the doors (or isolate the computer) to prevent further damage.
As a business owner, it would make sense to have that alarm system, since it's easier to justify stopping a break-in than understanding one. However, antivirus can give a false sense of security: any detected programs are, well, detected, and any undetected ones are never alerted on. How would you know if someone bypassed your alarm system? You wouldn't, and they would continue to do so again and again until something changes. At this point, the business owner may feel they should install those security cameras, but cameras cost money to install, maintain, and watch. If you are busy running a business, there simply isn't time in the day to do this.
Analyzing the cost of a control against the risk it mitigates is a common approach to determining whether it's worth taking the next step into a new technology. Going back to our house analogy, if we have a house in a relatively safe neighborhood and don't have anything worth several thousand dollars that can be easily stolen, we can likely get away with just that alarm system. However, if we run a business out of our house or have valuable possessions that can be easily stolen, having cameras to log and alert on activity can be invaluable for peace of mind, for investigation, and even for insurance coverage (yes, you can't escape insurance even in the cyber realm). Furthermore, some may even be able to justify the price of constant monitoring, so that eyes are ready to lock down the house at a moment's notice even when they aren't home. If the cost of losing the data, or of not knowing where it went, is higher than the cost of the tool, you have a strong case to vouch for its use.
Antivirus and EDR can seem confusing, but when you take a step back and put their basic ideas into real-world scenarios, it becomes evident that each serves a different purpose. Antivirus helps to prevent basic break-ins with its focus on prevention and alerting, but when thieves are motivated enough to bypass the alarm system, they will always find an opening. We can then employ a camera system, or EDR, to allow a team of on-call professionals to lock the doors during the invasion and to use the logs to dust for prints after the fact. Thieves would love for antivirus to be their only obstacle, but with a little risk-versus-cost analysis from the business, some thieves may find themselves in over their heads against businesses employing EDR.