It's no secret the security community is witnessing a boom in sophisticated techniques and attack campaigns. Some of the most advanced threats circulating in the wild today leverage polymorphic malware that changes its form based upon the environment in which it activates. As a result, signature-based detection solutions have a difficult time detecting those types of files, which means anti-virus is no longer enough for organizations to protect their computer networks. How can companies align their information security programs to defend against those more advanced threats? The answer is practicing malware detection and response at the endpoint.

As Tripwire explains in its Endpoint Security Survival Guide: A Field Manual for Cyber Security Professionals, anti-malware efforts centered around each network device, otherwise known as endpoint detection and response (EDR), embody the realization that organizations can't prevent advanced malware from bypassing their security defenses. EDR recognizes the need for effective incident response plans, which include the deployment of anomaly detection and visibility in tandem with signature-based technologies across all endpoints.

Modern-day attackers leverage customized software and non-invasive techniques like social engineering to quickly and quietly make it past an organization's defenses. To defend against those types of threats, organizations need to first focus on beefing up their detection capabilities. Specifically, they should set standard operating procedures (SOPs) that promote continuous monitoring of applications, alerts that trigger as a result of suspicious endpoint behavior, and limits on which software executables are allowed to run. Security teams should also conduct security awareness training with all employees, restrict user privileges, run anti-virus and a host-based firewall/IPS, and block unnecessary ports and services.
Once they have those basics in place, organizations can enhance the strength of their EDR programs. For example, IT professionals should consider incorporating alternatives to anti-virus solutions, such as web filtering, whitelisting, sandbox containment and other practices. Additionally, they should make an effort to integrate all malware detection and response capabilities with other security solutions. That includes sending log entries to a log management system for correlation, as well as ticketing and reconciling each and every change, thereby building security configuration management into the organization's malware detection strategy.

Interested in learning more about malware detection and response at the endpoint? Download Tripwire's resource here.