Even advanced Antivirus solutions are no longer sufficient for preventative endpoint detection and response, according to one expert.
In international military parlance, tactical pre-emptive defense is considered as good as an all-out attack. Cybersecurity is not too different from that. In order to fend off any incursions and safeguard the home territory, it is crucial to be on one’s toes 24×7 and follow preventive protocols.
But with mushrooming micro-, small and medium enterprises in the country, the Indian cybersecurity landscape is a different beast. A Data Security Council of India (DSCI) study states that enterprises in India spend close to 26% of their cybersecurity budgets on endpoint security and yet feel unprotected.
According to one industry player, mid-sized enterprises in India have historically been underserved by the cybersecurity market and have been left behind by cost-prohibitive tools and staff constraints.
Ajit Pillai, Regional Director (Asia-Pacific), Morphisec, added: “Organizations are reporting an increase in endpoint security risk while feeling insufficiently prepared to tackle new threats. This is in spite of spending a considerable amount of their cybersecurity infrastructure budgets on so-called next-generation anti-virus (AV) solutions that all block the same kinds of attacks—known, file-based, and fileless threats—where the indicators of compromise have been well-publicized in the market. The fact remains that these AV platforms have become commoditized.”
Why buy AV when it is free?
Pillai is a staunch believer in the ‘prevention-better-than-cure’ model, so his firm’s products for endpoints, servers, and cloud workloads employ patented zero-trust runtime security. The security solutions attempt to block threats even before they hit the intended targets. The approach strives to minimize the impact on users, performance, or IT teams, while conserving costs.
According to him, potential cyber threats do get scanned and identified by AV platforms, after which most endpoint security providers quickly add the Indicators of Compromise (IOCs) to their platforms in a reactive approach to cybersecurity.
In this approach, every single AV solution protects against the same known threats, regardless of the attack chain. Pillai pointed out that, when Microsoft already offers its free native tool, Microsoft Defender AV, which blocks the same types of attacks that major third-party solutions do, paying for third-party baseline protection against the same threats does not make much sense.
“AVs adopt a scan and remediate mechanism. Their engines (must) have prior knowledge of traditional attack vector prevention. They don’t employ telemetry or other latest techniques. Unfortunately, this works only against known attacks. Replacing NGAV with a proactive, offensive endpoint protection strategy shifts the balance of power to defenders. This is essential to achieve zero trust at runtime, especially for those organizations with lean security teams. Zero-trust defensive endpoint strategies are necessary because of threats such as SolarWinds,” Pillai explained.
Adding EDR security to free AV
As for the use of telemetry in cyber defense, Pillai recommends vertical-specific data transmission and feeds primarily for early detection of attacks. “Microsoft owns maximum amounts of telemetry because of the wide use of its Windows-based systems and networks. Once threats are detected, AI and ML could be used for remediation.”
He therefore recommends that organizations use the built-in Windows security tools instead of spending their budget on what is ultimately a checkbox solution for compliance. “As an alternative, we feel that enterprises of all sizes should focus on protecting their critical infrastructure from unknown attacks. The tool should enhance the visibility into and control over native Windows controls, which are protecting users from known attacks, and add enhanced protection from truly unknown threats to prevent breaches in real time.”
Many recent cyberattacks employ techniques built into anti-sandboxing malware, said Pillai. “The threat vectors are constantly growing. Next-gen AVs necessitate intelligence to be fed into them, when hackers are getting more efficient in hiding their tracks. AVs spend a lot of time on detection, when the actual need is preventive security.”
Protecting extended corporate perimeters
Pillai noted that, with the anatomy of attacks changing drastically, the former strategy of implicit trust has given way to zero trust as a core strategy. “Today, endpoints like laptops and home workstations have become extended perimeters of security networks. Hackers are getting more sophisticated, as witnessed through the memory-based attacks and supply chain attacks across the world.”
With this landscape getting more complex, Pillai believes that, in order to focus on prevention, we should analyze the tactics and not the techniques of attackers. Also, by treating attack elements as ‘moving targets’, he believes all attack vectors and threat types can be more effectively addressed—“no need for indicators, no waiting for patches or updates.”
In his philosophy, a prevent-first defense engine helps place defenders in good stead against the most advanced threats to the enterprise by providing a crucial, small-footprint memory-defense layer that deploys into the company’s existing security infrastructure with ease.
“This simple, highly effective, cost-efficient prevention stack is widely considered to be truly disruptive to today’s prevalent cybersecurity model,” Pillai asserted.