
Securing the endpoint: why the traditional AV model is no longer effective

By Dolos
Johannesburg, 02 Jun 2016
Jeremy Matthews

If you are disappointed that your expensive antivirus (AV) software isn't working and you've fallen foul of ransomware, you are not alone.

This was obvious from audience responses during a talk by Jeremy Matthews, Regional Manager Panda Security Africa at the ITWeb Security Summit last week.

For more insight into why AV is no longer effective, listen to Panda's interactive Webinar recorded on 8 June.

Matthews explains that the current situation is brought about by three key factors: increasingly sophisticated malware, the limitations of traditional AV, and the changing corporate IT environment. These form the ingredients for the perfect storm: the detection gap.

* Back in the 90s we were dealing with around 100 variants of malware a day; statistics now indicate over 200 000 per day. Malware is relatively freely available, with "make your own malware" kits accessible to anyone who can pay for them, supporting the creation of thousands of unique samples.

* The traditional blacklisting philosophy of AV, based on what is already known to be bad, worked well in the 90s. However, given the sheer volume of variants and the challenge of staying ahead of new ones, conventional AV alone is no longer enough.

* In the past few years organisations have moved from relatively closed networks with clearly defined perimeters to cloud technologies, mobile and BYOD, resulting in increased complexity and risk.

This dynamic has created a detection gap: large amounts of malware sit undetected on the network, with 2% of it remaining for up to three months before being detected (the period known as dwell time). This is a clear indication that the traditional AV model is no longer effective.

According to Matthews, hope lies in a new security model: endpoint detection and response (EDR), which monitors running processes on the endpoint, looking not just at malware but also at policy violations and anomalous behaviour in goodware. By monitoring these actions, an organisation can contain incidents, control the processes involved and block them where necessary. EDR provides full visibility, the ability to investigate, and the means to take remedial action to restore endpoints to their original state, so that the organisation can get back to business.

According to Gartner, EDR technology has four key characteristics:

* Detect security incidents;
* Contain the incident at the endpoint;
* Investigate security incidents; and
* Remediate endpoints.

Gartner, Market Guide for Endpoint Detection and Response Solutions, Peter Firstbrook, Neil MacDonald, 16 December 2015

The benefits of this technology can be seen in Panda Security's EDR offering, Adaptive Defense, which provides protection by classifying all running programs and allowing only goodware to run. Malware is blocked from running on the network, and any unknown program is blocked until Panda's labs have completed an investigation. By leveraging the cloud and big data, Adaptive Defense has little impact on IT resources, and through its SIEM integration it provides IT staff with additional forensic information on all process and network activity on the endpoint.
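To make the difference between the two models concrete, the following is an added illustration written for this article; it is not Panda's code and does not reflect how Adaptive Defense is implemented. It treats a handful of constructed byte strings as "executables", fingerprints them with SHA-256, and compares a blacklist that allows anything not known-bad against a classify-everything model that allows only known-good and holds the unknown. A "malware kit" is simulated by appending a few bytes to a known sample, which changes the hash without changing the payload. The sample binaries, hash sets and function names are all assumptions made for the example.

```python
"""Blacklist AV versus classify-everything default-deny: an added toy example.

The 'binaries' below are constructed byte strings, not real programs, and the
known-good/known-bad sets are assumptions for the illustration. A real engine
would fingerprint executables on disk or at process start.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    GOODWARE = "goodware"
    MALWARE = "malware"
    UNKNOWN = "unknown"


def fingerprint(binary: bytes) -> str:
    """SHA-256 of the file image; stands in for the signature an AV engine matches."""
    return hashlib.sha256(binary).hexdigest()


# Constructed stand-ins for executables (assumption: these are the only programs seen).
GOOD_EDITOR = b"MZ\x90\x00 constructed-editor-v1"
GOOD_BROWSER = b"MZ\x90\x00 constructed-browser-v1"
BAD_RANSOM = b"MZ\x90\x00 constructed-ransomware-v1"

KNOWN_GOOD = {fingerprint(GOOD_EDITOR), fingerprint(GOOD_BROWSER)}
KNOWN_BAD = {fingerprint(BAD_RANSOM)}


def make_variant(binary: bytes, seed: int) -> bytes:
    """Simulate a 'make your own malware' kit: same payload, new trailing bytes, new hash."""
    padding = bytes([(seed * 37 + i) % 256 for i in range(8)])
    return binary + padding


def blacklist_allows(binary: bytes) -> bool:
    """Traditional AV model: anything not on the known-bad list is allowed to run."""
    return fingerprint(binary) not in KNOWN_BAD


def classify(binary: bytes) -> Verdict:
    """Classify-everything model: every program gets one of three verdicts."""
    fp = fingerprint(binary)
    if fp in KNOWN_GOOD:
        return Verdict.GOODWARE
    if fp in KNOWN_BAD:
        return Verdict.MALWARE
    return Verdict.UNKNOWN


def default_deny_allows(binary: bytes) -> bool:
    """Only goodware runs; malware is blocked and unknown programs are held pending classification."""
    return classify(binary) is Verdict.GOODWARE


def detection_gap(variants):
    """Programs a blacklist would let run but default-deny would hold: the detection gap."""
    return [v for v in variants if blacklist_allows(v) and not default_deny_allows(v)]


if __name__ == "__main__":
    variants = [make_variant(BAD_RANSOM, s) for s in range(1, 6)]
    gap = detection_gap(variants)
    print(f"blacklist lets {len(gap)} of {len(variants)} repacked variants run; "
          f"default-deny holds every one of them as {Verdict.UNKNOWN.value}")
```

The cost of the second model is visible in the same code: a legitimate program that is not yet in the known-good set is also held as unknown, so the speed at which unknown programs are classified (by a vendor lab or a local policy) determines how much friction the approach causes for users.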

A key insight in the Gartner report on EDR is that traditional AV still plays a role, particularly in remediation. Panda has an offering that combines EDR with its Endpoint Protection Platform (EPP) technologies: Adaptive Defense 360, which adds capabilities such as remediation, centralised device control and web filtering. Matthews says this is an ideal solution, giving users a complete integrated offering with the best of both worlds.

Panda Security is hosting a Webinar on Securing the Endpoint with EDR at 10h00 on 8 June - register here.
