Choosing endpoint protection
As cyber threats become more complex, so does the need for the right endpoint solution. However, the market for endpoint security solutions is saturated with competing products and so full of unsubstantiated marketing claims that it is becoming increasingly difficult for an organization to make an informed decision.
2022 proved to be an expensive year for victims of cyberattacks. While organizations may choose not to disclose the costs of remediating an attack, loss of customer confidence is always a risk after any major incident. That is why strong protection is the foundation of any effective security strategy.
However, protection alone is not enough. Four out of five organizations admit that they lack information security specialists. With that in mind, usability also matters if overstretched IT teams are to make the best use of the security features they have. You must also plan for the case where a threat gets past your defenses and infects your organization. That means being able to understand how the threat entered, where it went and what it touched, so that you can neutralize the attack and close any security gaps.
Endpoint security solutions, sometimes referred to simply as antivirus solutions, can include a variety of basic (traditional) and modern (next-generation) approaches to endpoint threat prevention. When evaluating such products, it is important to look for solutions that offer a complete set of methods for preventing a wide range of threats. It is equally important to understand the threats you are trying to prevent. We discussed the nuances of protecting endpoints with Rovshan Akbarov, Business Development Director at iTech Group.

— What endpoint threats are the most relevant today?

While the threat landscape is constantly evolving, I would like to share some key endpoint dangers to consider when evaluating different solutions:

Malware: When considering endpoint security, malware is often the main concern. Malware includes both known and previously unknown malware. Security solutions often struggle to detect unknown malware. For example, SophosLabs detects about four hundred thousand previously unseen malware samples every day. Solutions should be able to detect packed and polymorphic files that have been modified to make them harder to identify.

Potentially Unwanted Applications (PUA): PUAs are applications that are technically not malware, but are most likely not something you would want running on your computer, such as adware. PUA detection is becoming more important with the advent of cryptomining programs used in cryptojacking attacks.

Ransomware: Every year, a huge number of organizations are affected by ransomware. The two main types of ransomware are file encryptors and disk encryptors (wipers). The most common are file encryptors, which encrypt the victim's files and hold them for ransom. Disk encryptors lock the victim's entire hard drive, not just individual files, or erase it completely.

Exploit-based attacks: Not all attacks are based on malware. Exploit-based attacks use software bugs and vulnerabilities to gain access to and control over your computer. Weaponized documents (typically a Microsoft Office file that has been created or modified to cause damage) and malicious scripts (malicious code, often hidden in legitimate programs and websites) are common tools in such attacks. Other examples include browser-based attacks (the use of malware to infect the browser, allowing attackers to view and control traffic) and malicious traffic (the use of web traffic for criminal purposes, such as reaching a command and control server).

Active adversary techniques: Many endpoint attacks involve multiple steps and multiple methods. Examples of active attacker techniques include privilege escalation (methods used by attackers to gain additional access to a system), credential theft (theft of usernames and passwords), and code hiding (concealing malicious code inside legitimate applications).

— And what methods of dealing with these dangers exist?

— I would note that both traditional and modern methods exist. I will try to characterize both approaches and explain the difference between them. While the names may vary, antivirus solutions have been around for quite some time and have proven effective against known threats. There are many basic techniques that traditional endpoint security solutions have relied on. However, as the threat landscape changes, unknown threats, such as never-before-seen malware, are becoming more and more prevalent. As a result, new technologies have entered the market. Users and organizations should look for a combination of both state-of-the-art approaches, often referred to as "next generation" security, and proven fundamental approaches. Some of their key features include:
Basic features:

Malware/antivirus protection: Signature-based detection of known malware. Malware engines should be able to check not only executable files, but also other code, such as malicious JavaScript found on websites.

Application Blocking: Prevents malicious application behavior, such as a Microsoft Office document that installs another application and launches it.

Behavior Monitoring/Host Intrusion Prevention Systems (HIPS): This foundational technology protects computers from unknown viruses and suspicious behavior. It should include both pre-execution behavior analysis and run-time behavior analysis.

Web Protection: URL lookup and blocking of known malicious websites. Blocked sites should include sites that run JavaScript to perform cryptomining, as well as sites that harvest user authentication credentials and other sensitive data.
Web Control: Endpoint web filtering allows administrators to control what types of files a user can download from the Internet.

Data Loss Prevention (DLP): If an attacker manages to go undetected, DLP capabilities can detect and prevent the last stage of some attacks, when the attacker tries to exfiltrate data (move it out of the organization). This is achieved by monitoring various types of sensitive data.

Modern features:

Machine Learning: There are several machine learning methods, including deep learning neural networks, Bayesian methods, clustering, etc. Regardless of methodology, machine learning malware detection mechanisms should be built to detect both known and unknown malware without relying on signatures. The benefit of machine learning is that it can detect malware that has never been seen before, ideally increasing the overall rate of malware detection. Organizations must evaluate the detection rates, false positive rates, and performance impact of machine learning solutions.

Anti-exploit: Exploit protection technology is designed to protect against attackers by preventing the use of the tools and methods they rely on in the attack chain. For example, exploits such as EternalBlue and DoublePulsar have been used to launch NotPetya and WannaCry ransomware. Exploit protection technology stops a relatively small set of methods used to spread malware and carry out attacks, fending off many zero-day attacks that no one knew about before.

Dedicated anti-ransomware protection: Some solutions contain methods specifically designed to prevent ransomware from maliciously encrypting data. Often, these dedicated anti-ransomware methods also restore any affected files. Ransomware protection should stop not only file encryptors, but also disk encryptors used in destructive wiper attacks that replace the master boot record.
Credential Theft Protection: Technology designed to prevent theft of authentication passwords and hash information from memory, registry, and hard drive.

Process Protection (Elevation of Privilege): A protection designed to detect when a privileged authentication token is inserted into a process for privilege escalation as part of an active attack by an attacker. This should be effective regardless of which vulnerability, known or unknown, was used to steal the authentication token in the first place.

Endpoint Detection and Response (EDR): EDR solutions must be able to provide detailed information when hunting for elusive threats, maintaining IT security operations hygiene, and analyzing detected incidents. It is important that the size and skill set of your team match the complexity and ease of use of the tool in question. Choosing a solution that provides detailed threat intelligence and recommendations makes it quick and easy to respond to a threat.

Extended Detection and Response (XDR): XDR goes beyond the endpoint and server to include other data sources such as firewall, email, cloud, and mobile devices. It is designed to give organizations a holistic view of their entire environment, with the ability to drill down where needed. All of this information must be collated in a centralized repository, commonly known as a "data lake", where the user can run business-critical queries.

Incident Response/Synchronized Security: Endpoint security tools should at a minimum provide an understanding of what happened to help avoid future incidents. Ideally, they should automatically respond to incidents without the need for analyst intervention to prevent threats from spreading or causing more damage. It is important that incident response tools interact with other endpoint security tools as well as network security tools.

Managed Threat Response (MTR): MTR provides 24/7 threat discovery, detection, and response by a team of experts as a fully managed service. Analysts must be able to respond to potential threats, look for indicators of compromise, and provide detailed analysis of what happened, where, when, how, and why.
— Why is it important to combine several methods for comprehensive endpoint protection?

— When evaluating endpoint security solutions, organizations should not just look for one core function. Instead, you need to look for a set of workable and robust features that spans both state-of-the-art techniques, such as machine learning, and basic approaches that have proven to work. It also requires Endpoint Detection and Response (EDR) to investigate and respond to incidents. Relying on one dominant feature, even if it is best in class, means you are exposed to a single point of failure. Conversely, a layered security approach with multiple strong layers of protection will stop a broader range of threats. This is what we often refer to as "the power of the plus": a combination of basic techniques, machine learning, exploit protection, ransomware protection, EDR, and more.
As part of your endpoint security assessment, ask each vendor: What methods are included in your solution? How strong is each component? What threats is each designed to stop? Do they rely on only one basic technique? What happens if it fails?
An endpoint protection solution is only part of an overall security strategy. Organizations today must go beyond endpoint protection and must protect the entire environment. Ideally, one vendor provides solutions that work together to provide consistent security and policy enforcement throughout the organization. Working with a single vendor can provide better security, reduce administration, and lower costs.
Some specific technologies to consider along with endpoint security include full disk encryption, mobile device management, mobile security, secure mail gateway, virtual environment protection, and of course synchronized security across endpoints and network devices.
As cyber threats continue to grow in both complexity and quantity, it is more important than ever to have effective endpoint protection. Understanding the threats to block and the various security technologies available will allow you to make informed choices about endpoint protection and ensure your organization is best protected against today's attacks.
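As an added illustration of the layered approach described in this answer, and of the signature, behavior-monitoring and anti-ransomware techniques listed in the previous one, the following Python script implements three independent detection layers over constructed samples: an exact SHA-256 signature match for a "known" sample, a Shannon-entropy heuristic for packed or encrypted payloads, and a behavior check that flags a process which rewrites many previously read files with ciphertext-like data. This is example code written for this page, not Sophos or iTech Group code. Every sample, file path, process ID and threshold in it is constructed for illustration; in particular the 7.0 bits-per-byte entropy cutoff and the five-file behavior cutoff are assumptions, not values any product uses.

```python
"""Toy layered endpoint scanner: signature, static heuristic, behaviour.

Added example for this page, not Sophos or iTech Group code. All samples,
paths, pids and thresholds below are constructed for illustration.
"""
import hashlib
import math
import random
from collections import Counter, defaultdict

_rng = random.Random(7)  # fixed seed so the constructed samples are reproducible

# --- constructed samples --------------------------------------------------
KNOWN_SAMPLE = b"MZ" + b"this is a known malicious sample " * 64       # "seen before"
PACKED_VARIANT = bytes(b ^ k for b, k in                                # same payload, XOR-"packed"
                       zip(KNOWN_SAMPLE, _rng.randbytes(len(KNOWN_SAMPLE))))
PLAIN_DOC = b"Quarterly report, nothing unusual here. " * 64            # benign text document
ENCRYPTED_DOC = _rng.randbytes(len(PLAIN_DOC))                          # what a file encryptor leaves behind

# --- layer 1: signatures ---------------------------------------------------
# Hypothetical blocklist: hashes of samples the vendor has already analysed.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(data: bytes) -> bool:
    """Exact-hash detection: catches known samples, misses any byte-level variant."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


# --- layer 2: static heuristic ----------------------------------------------
PACKED_ENTROPY = 7.0   # bits per byte (assumed cutoff); compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes) -> bool:
    return shannon_entropy(data) >= PACKED_ENTROPY


def scan_file(data: bytes) -> str:
    """Static verdict from layers 1 and 2. Note that a legitimate .docx (a zip
    archive) is also high-entropy, so layer 2 alone produces false positives."""
    if signature_match(data):
        return "known-malware"
    if looks_packed(data):
        return "suspicious-packed"
    return "clean"


# --- layer 3: behaviour monitoring -------------------------------------------
MIN_ENCRYPTED_FILES = 5   # assumed cutoff: how many files one process may "encrypt" before we act


def flag_ransomware(events, min_files=MIN_ENCRYPTED_FILES):
    """Events are (pid, action, path, data). Return the pids that overwrote at least
    `min_files` files they had previously read with ciphertext-like data, tolerating
    the classic appended ".locked" extension."""
    read_by = defaultdict(set)        # pid -> paths it has read
    encrypted_by = defaultdict(set)   # pid -> original paths it rewrote with high-entropy bytes
    for pid, action, path, data in events:
        if action == "read":
            read_by[pid].add(path)
        elif action == "write" and looks_packed(data):
            original = path.rsplit(".locked", 1)[0]
            if original in read_by[pid]:
                encrypted_by[pid].add(original)
    return {pid for pid, paths in encrypted_by.items() if len(paths) >= min_files}


def build_events():
    """Constructed timeline: pid 4242 behaves like a file encryptor, pid 1001 like an editor."""
    events = []
    for i in range(8):
        doc = f"C:/Users/alice/Documents/report{i}.docx"
        events.append((4242, "read", doc, PLAIN_DOC))
        events.append((4242, "write", doc + ".locked", ENCRYPTED_DOC))
        events.append((4242, "delete", doc, None))
    notes = "C:/Users/alice/Documents/notes.docx"
    events.append((1001, "read", notes, PLAIN_DOC))
    events.append((1001, "write", notes, ENCRYPTED_DOC))   # one saved zip-like file: high entropy, but only one
    return events


if __name__ == "__main__":
    for name, blob in [("known sample", KNOWN_SAMPLE), ("packed variant", PACKED_VARIANT),
                       ("plain document", PLAIN_DOC)]:
        print(f"{name:15s} entropy={shannon_entropy(blob):.2f} verdict={scan_file(blob)}")
    print("ransomware-like pids:", flag_ransomware(build_events()))
```

Run stand-alone, the script shows each layer's blind spot: the signature layer catches the known sample but misses the XOR-packed copy of the very same payload; the entropy heuristic catches the packed copy but would equally flag any saved archive or encrypted document; the behavior layer ignores a single high-entropy write and only acts when one process rewrites many previously read files. No single layer is sufficient, which is the single-point-of-failure argument above in running code.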

— What can Sophos offer in response to such market demands?

Sophos is a company with many years of experience in cybersecurity. It offers a wide range of solutions to protect every component of its customers' infrastructure. I will briefly describe only one of them, the one responsible for comprehensive endpoint protection.
Sophos Intercept X is an industry-leading endpoint security solution that reduces the attack surface and prevents attacks from being launched. Combining exploit protection, ransomware protection, deep learning AI and control technologies, it stops attacks before they affect your systems. Intercept X takes a comprehensive, layered approach to endpoint security without relying on a single core security technique. In addition, Intercept X is the only XDR solution in the industry that synchronizes native endpoint, server, firewall, email, cloud, and Office 365 security. Customers get a holistic view of their organization's environment, with the richest data set and deep analysis for threat detection, investigation and response, for both dedicated SOC teams and IT administrators.

Without going into deep technical details, here are just some of the highlights of the product:

  • Stops previously unknown threats with deep learning artificial intelligence.
  • Blocks ransomware and returns affected files to a safe state.
  • Prevents the use of exploit methods implemented throughout the attack chain.
  • Reduces the attack surface with app, device and web controls.
  • Performs threat hunting and IT operations security hygiene with XDR.
  • Ease of deployment, configuration and maintenance, even in remote work environments.
  • Sophos provides 24/7/365 security as a fully managed service upon request.

— And what role does iTech Group play in the implementation of Sophos solutions by customers in Azerbaijan?

— iTech Group has been operating in the country's market for more than 20 years and has earned a high level of trust from a large number of customers. One of our company's guiding principles is to treat customers not as customers but as partners, with whom we solve problems together and actively participate in every stage of a project.
iTech Group has been a Sophos partner for more than a year, increasing its expertise and competencies every year. We are happy to organize consultations together with the vendor, provide a demo and offer a full cycle of support to our customers.
+994 12 3101414
+994 51 2060960
Baku, Azerbaijan
Azadlig ave., 192E

Photo and video materials belong to iTech Group.

iTech Group 2024