Friday, August 20, 2021

Endpoint Protection - Renew or Review?

Brian Dudek and I had a short conversation about the Endpoint Protection space. Brian has been in the IT industry for 25 years with a slant toward data security. He is an Adjunct Professor at Davenport University creating data security curriculum. He is currently a Strategic Business Advisor providing guidance to IT leadership throughout West Michigan.


Josh:

All right, so, Brian, let's talk about endpoint protection and maybe walk us through how that's changed over the years. I mean, I remember 20 years ago, it was basically the antivirus scanning your PC looking for known file names and whatnot. It's much more sophisticated today. Maybe help me understand that. 

Brian:

Yeah. So back about 20 years ago, antivirus was all signature-based, which means that when a threat was found in the wild in terms of a virus or worm, the antivirus products would create a signature that would be released. It would take anywhere between 30 to 90 days for that signature to populate around the Internet to all the various antivirus products. The change has been moving away from signature-based antivirus to more behavior-based or A.I.-based, which means that the software is taking in a lot more data and making comparisons. One key differentiator is that they are constantly scanning the files that you're opening and looking for anything anomalous that may happen; that is one data point. They also continue to use signatures, which is another data point.

Josh: 

Those 30 to 90 days before that signature made its way out to all the clients became a problem as some of the malware became more destructive. So they had to figure out some new ways of detection; that's where the live scanning and things like that come in. Is that right?

Brian: 

Yeah, that's correct. And also the fact that the people who are making these viruses and malware attacks take the original virus and make some slight changes to it. What that means is that the signature-based stuff would not find the new version of the virus for another 30 to 90 days. The antivirus just couldn't keep up, and that's why the behavior-based capability is so important.

Josh: 

Some of the new software is also leveraging network controls - is that another data point? 


Brian: 

Leveraging network control is important as a data point for detection of malware activity as well as for preventing further actions. Modern tools provide inbound firewall features to stop access to vulnerable services, application whitelisting and blacklisting to prevent certain executables from accessing the network, as well as complete isolation in response to a serious event. Those are things that have been adopted in the antivirus products these days.

Josh: 

Ok, what about integration? For instance, Sentinel has a managed SIEM and SOC. I imagine the Endpoint Protection plugs into the SIEM. Is there any automation there, automatically detecting malware and taking action?

Brian: 

Yep, that is true. And when you talk about tools like a SIEM, they have always been able to ingest these logs. There are safeguards put in place for the A.I. to shut the network connectivity down for a client system, but the best practice is always to have somebody (a person) looking at the events to determine if there is an issue or not. This is why a quality Security Operations Center (SOC) is so important - we aren't at a point where automation can completely run your data security systems.

Josh: 

How has increased remote work changed the situation? 

Brian: 

A bigger problem is that a lot of our clients, when people moved off site and started working remotely, click on something, click on a link, or browse Facebook at home, and they don't have the web filtering at home like they used to in the office. They don't have the firewall and intrusion protection infrastructure. So now, all of a sudden, that antivirus product is the first, last and only defense that the laptop has. That's the biggest challenge we have right now: when organizations sent users off to work remotely, they didn't have multiple layers of defense in depth for those client systems. And if they use their personal PC at home, that's another challenge in itself. A lot of our clients were trying to figure out, OK, do we make them install another antivirus product? Because if you're buying something for your company to use from a virus perspective, you can't quite put it on an employee workstation at home that you don't own. So, yeah, that has been a challenge.

Josh: 

Is there anything else worth discussing, anything new coming? 

Brian: 

Really, the one thing that I want to reiterate is that everybody should be taking a look at what they currently have and evaluating whether it's signature-based or behavior-based. If it's a signature-based product, and a lot of companies still have one, then you may want to look into modern products that include more A.I. and behavioral capability. A lot of legacy antivirus products make it really easy to renew licensing, so a lot of companies just go that direction and don't realize there is much more comprehensive security coverage available to them.


If you are facing a challenge similar to this in your IT organization, we are prepared to help get you moving in the right direction. Feel free to reach out to me and we can get the conversation started.
