Fortunately, we’ve seen rapid development in the endpoint security space over the past five years with the rise of next-generation antivirus (NGAV), endpoint detection and response (EDR) and endpoint segmentation tools. This is welcome, given that fileless attacks and self-propagating ransomware are common – and require more sophisticated tools to fight them.
These tools call on capabilities, often cloud-delivered, that are now table stakes in endpoint security. One key technique is sandbox malware analysis: executing a suspicious file in an isolated virtual environment to determine whether it is malicious.
More broadly, CrowdStrike defines NGAV as:
...a combination of artificial intelligence, behavioral detection, machine learning algorithms, and exploit mitigation, so known and unknown threats can be anticipated and immediately prevented.
Machine learning used to detect threats consists of algorithms that identify malware prior to execution with real-time evaluation of millions of file characteristics to determine if a file is malicious. Exploit mitigation helps prevent malware-less attacks targeting vulnerabilities.
Indicators of attack or compromise are another technique often used in endpoint security today. They examine the behaviors of both legitimate system activity and suspicious activity to detect sequences of events that indicate a malware infection attempt or other malicious activity.
Tools like EDR complement NGAV by offering deep endpoint visibility to detect malicious files or processes and immediately contain them. Not only does EDR monitor files to track where they go and what they do, it also looks at endpoint activity to alert on anything consistent with malware or ransomware, such as changes to processes, DLLs and registry settings, and network activity.
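The indicator-of-attack idea from the two paragraphs above, as an added example that is not part of the original article or any vendor's product: a small correlation routine over constructed endpoint telemetry that alerts only when an ordered chain of individually ordinary events (process spawn, registry change, network connection) occurs within a time window. The event fields, rule thresholds and sample hosts are assumptions made for the illustration.

```python
"""Toy indicator-of-attack (IOA) correlation over endpoint telemetry.
An IOA is a sequence of otherwise-ordinary events that together suggest
malicious behaviour; the rule here is an illustration, not vendor logic."""

# Constructed sample telemetry (not real data): one dict per endpoint event.
EVENTS = [
    {"t": 1, "host": "ws01", "pid": 501, "type": "process", "image": "winword.exe", "parent": "explorer.exe"},
    {"t": 2, "host": "ws01", "pid": 777, "type": "process", "image": "powershell.exe", "parent": "winword.exe"},
    {"t": 3, "host": "ws01", "pid": 777, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"t": 4, "host": "ws01", "pid": 777, "type": "network", "dst": "203.0.113.10:443"},
    {"t": 5, "host": "ws02", "pid": 610, "type": "process", "image": "powershell.exe", "parent": "explorer.exe"},
    {"t": 6, "host": "ws02", "pid": 610, "type": "network", "dst": "198.51.100.7:443"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}   # assumed parent set
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}        # assumed child set
RUN_KEY = r"\CurrentVersion\Run"                             # autostart persistence key


def correlate(events, window=60):
    """Return one alert per process that (1) is a shell spawned by an Office
    app, then (2) writes an autostart Run key, then (3) makes an outbound
    connection, all within `window` seconds of the spawn. Each step alone is
    benign and would be noisy to alert on; the ordered chain is the IOA."""
    stages = {}  # (host, pid) -> {"stage": n, "start": t, "image": name}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        key = (e["host"], e["pid"])
        if e["type"] == "process" and e["image"] in SHELLS and e["parent"] in OFFICE_APPS:
            stages[key] = {"stage": 1, "start": e["t"], "image": e["image"]}
            continue
        s = stages.get(key)
        if s is None or e["t"] - s["start"] > window:
            continue  # no suspicious spawn for this process, or chain timed out
        if s["stage"] == 1 and e["type"] == "registry" and e["key"].endswith(RUN_KEY):
            s["stage"] = 2
        elif s["stage"] == 2 and e["type"] == "network":
            alerts.append({"host": e["host"], "pid": e["pid"], "image": s["image"], "dst": e["dst"]})
            del stages[key]  # alert once per chain
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print("IOA office->shell->persistence->network:", a)
```

Only ws01 is flagged: ws02's PowerShell also reached the network, but it was launched from explorer.exe and never touched a Run key, so the chain is not complete.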
Response capabilities include retrospectively removing files or isolating endpoints to prevent threats from inflicting further harm. EDR’s deep endpoint visibility also enables threat hunting to proactively search for indicators of attack or compromise and the ability to carry out detailed forensics.
What tools are most relied on today? Recent research indicates EDR is the most common at 73%, but respondents also acknowledge they have antivirus capabilities to block all known malicious files. The fact that the majority of respondents have EDR capabilities is likely because the endpoint security vendors they rely on for antivirus have added some EDR capabilities.