Using only signatures as the basis for detecting malware became a less-than-optimal approach. In response to the growth of malware variants and evasion techniques, solution providers developed additional tools for the endpoint protection arsenal, including heuristic analysis, behavior detection, and sandboxing. These developments resulted in new product classes and market names for endpoint solutions, such as next-generation antivirus (NGAV) and endpoint protection platforms (EPP).
What ensued was a decades-long game of cat and mouse between attackers and defenders as developers observed and documented attacker techniques and imported them into endpoint protection products. Attackers then developed more novel methods, and the cycle repeated. Heuristic and behavioral analyses attempted to predict new malware patterns based on old ones, but attackers incorporated encryption, fileless (in-memory) execution, firmware injection, and living-off-the-land techniques to defeat the predictions.
Many solutions also incorporated sandboxing, which is a method of safely executing potential malware (sometimes in the cloud) to see how it behaves before allowing it to run on an endpoint. Attackers found ways to escape those sandboxes too, and some even used the sandboxes as part of their attack chain to help exfiltrate data out of target networks.
Endpoint security solution providers have gotten wiser, and in addition to incorporating past techniques and research to prevent malware from running, they have expanded more holistically into endpoint detection and response (EDR) and, most recently, extended detection and response (XDR). These solutions go beyond simply stopping malware, and they do a better job of alerting security teams when – not if – anomalous activity is detected.
Refocusing and reevaluating
Several aspects of business and life during the COVID-19 pandemic seem to have pushed many organizations into a type of survival mode, and understandably so. The shift to remote work environments, disruptive technology changes, and high-impact and high-profile security events have, for some organizations, led to a tyranny-of-the-urgent mess.
However, lessons learned from breach research data show that, just by paying a reasonable amount of attention to primary controls, organizations can significantly improve their defensive postures. Useful questions organizations can ask themselves include:
- Are we still using a traditional, signature-based antivirus?
- How long has it been since we evaluated our endpoint security approach?
- Did we define exceptions or configure settings years ago and not revisit them?
- Do we know where our gaps in antimalware coverage are?
It’s not enough to confirm, year after year, that antivirus software is installed, gets updated, and periodically scans the network. As the threat landscape and controls evolve, so too should the measures used to evaluate those controls. Organizations need to identify an individual who pays attention to the changing landscape and updates their control set accordingly. These changes should also cascade down to audits and security assessments to make sure the controls mature to a higher standard.
Strengthening endpoint protection now – not later
To stay abreast of threats, organizations should reevaluate their antivirus controls and ditch any mentality that leads to complacency – including check-the-box compliance. Regular, comprehensive risk assessment and threat evaluation along with updates to corresponding internal control structures should be business-as-usual activities.
When it comes to their endpoint security controls and strategies, organizations should take a proactive approach, challenging themselves to network with other companies and professionals, learn about solution provider products, and hire trusted consultants and auditors who can help them navigate the muddy waters of cybersecurity. Consultants can help organizations move toward a cloud-based solution, choose a particular EDR vendor, invest in the latest XDR platform, or take a moving-target-defense approach that uses traditional antivirus software alongside a product that prevents sophisticated attacks from launching.
Endpoint protection has evolved past antivirus solutions, and so should organizations. Instead of waiting for a new cybersecurity insurance requirement, a breach, a change to some security standard, or an external compliance requirement to improve internal controls, organizations should be continually learning and making adjustments. Commensurate with resources and risk posture, the time to build an effective endpoint protection program is now.