If a thief steals a painting from a museum, the detectives on the case will dust for fingerprints to gather information on the identity of the intruder. Then they’ll take the prints down to the station and run them through their records to check for a match.
If the thief’s fingerprints are already in the system, the detectives are alerted to the identity of their suspect, which they can then use to obtain a warrant for the thief’s arrest.
This is pretty much how signature-based anti-virus software works. However, as technology has advanced, detectives have begun using another method for catching criminals: DNA sampling.
Just as forensic science has advanced, so too has anti-virus software.
HOW DOES AV SOFTWARE WORK?
Essentially, AV (anti-virus) software protects your computer or server against intrusion by matching files against a database of known virus signatures, the digital equivalent of fingerprints — and for known viruses, this works great. A malicious file with a known signature will be stopped before it can penetrate your environment’s defenses.
AV software, however, is a little old-fashioned when it comes to preventing new viruses. Just like a crime in the real world, a virus intrusion creates a crime scene in the virtual space that makes up your business’ environment. The AV vendor’s research team, after being alerted to the intrusion, analyzes this cybercrime scene, sifting through the code of the virus.
Once the virus is understood, a virus signature is created. This signature is then distributed to every computer that has the AV software installed. Once a virus signature is known, it is very difficult for that virus to infiltrate a system without the AV software stopping it in its tracks.
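To make the fingerprint analogy concrete, here is an added example (not code from the original article or from any AV product) of the signature matching described above. The captured sample bytes, the signature names and the endpoint files are all constructed for the demonstration; the two signature kinds, a SHA-256 hash of the whole file and a byte pattern taken from the sample, stand in for the records an AV team distributes after analyzing an incident. The example also shows the weak spot of this approach: a copy of the same file with a single byte changed no longer matches the hash, and one with its code rewritten matches nothing at all.

```python
import hashlib

# Constructed sample bytes standing in for a file the AV vendor's team analysed
# after an incident (hypothetical; not a real malware sample).
CAPTURED_SAMPLE = (
    b"MZ\x90\x00" + b"BENIGN_HEADER" + b"SAMPLE_DROPPER_ROUTINE_v1" + b"\x00" * 16
)

# Signature database derived from the analysed sample. Two kinds of signature
# are shown: a SHA-256 hash of the whole file (matches one exact file) and a
# byte pattern lifted from the sample's code (matches the whole family).
HASH_SIGNATURES = {
    hashlib.sha256(CAPTURED_SAMPLE).hexdigest(): "Sample.Dropper.A",
}
PATTERN_SIGNATURES = {
    b"SAMPLE_DROPPER_ROUTINE": "Sample.Dropper.Gen",
}


def scan_file(data: bytes) -> list[str]:
    """Return the name of every signature that matches the file contents."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a set of named files and report the signature hits per file."""
    return {name: scan_file(data) for name, data in files.items()}


# Constructed files on the endpoint being scanned.
ENDPOINT_FILES = {
    "invoice.pdf": b"%PDF-1.7 just an ordinary document",
    "dropper.exe": CAPTURED_SAMPLE,                               # the exact known file
    "dropper_v2.exe": CAPTURED_SAMPLE.replace(b"v1", b"v2"),      # one byte changed
    "dropper_rewritten.exe": CAPTURED_SAMPLE.replace(
        b"SAMPLE_DROPPER_ROUTINE", b"ROUTINE_REWRITTEN"),         # pattern no longer present
}

if __name__ == "__main__":
    for name, hits in scan_files(ENDPOINT_FILES).items():
        print(f"{name}: {hits or 'clean'}")
```

Running it reports the original file under both signatures, the one-byte variant under the family pattern only (its hash has changed), and the rewritten variant as clean even though it is the same malicious program; that last, silent miss is exactly the gap the behavioral approaches in the following sections are meant to close.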
There are different forms of AV software, just like there are different methods for analyzing a crime scene using forensic evidence.
WHAT IS EPP?
Utilizing machine learning, EPPs (Endpoint Protection Platforms) are capable of learning what constitutes “normal behavior” on your computer.
So, what does that mean exactly? Essentially, an EPP is an intelligent program capable of pattern recognition. By analyzing the millions and millions of file interactions that happen on your network every day, it learns what “normal” file interaction looks like in your business’ environment.
It’s almost like a police officer learning their beat — they pay attention to who does what at what times, who’s a regular, who’s a stranger — and then use that experience to actively intercept criminals before any damage can occur.
An EPP even monitors your computer’s memory usage, looking for spikes in memory allocation, a good indicator that a virus is present. While much more advanced than standard AV software, EPP is designed solely to identify and prevent cyberattacks. This makes it an excellent addition to classic AV software because it is much “smarter,” but it lacks the teeth needed to remove a virus once it has taken hold of your network.
WHAT IS EDR?
EDR (Endpoint Detection and Response) software takes the methods of EPP and builds upon them. If EPP is the silent alarm that goes off during a robbery, EDR is the response from law enforcement. Essentially, EDR is the big brother of EPP, using the same machine learning technology but with the muscle to back up its intelligence.
Because your EDR software, like EPP, knows what a normal file looks and acts like, it can stop suspicious files before they penetrate your network. Rather than relying on a database of past viruses, EDR notices a file that falls outside the parameters it is familiar with, quarantines that file, and at the same time alerts the system administrator to the possible threat.
Once the file is safely isolated from the network, the system administrator can examine it and either delete the malicious file or allow the benign one through. EDR can also take care of the file by itself.
After identifying a virus, EDR software retraces the steps the virus took to penetrate your network’s defenses and shores up those gaps, all while learning more about the virus, its origins, and how it functions. This forensic evidence can then be used to create a highly detailed virus signature, which is then used to hunt down any remaining traces of the virus.
Because EDR works across your entire network, every device connected to it benefits from EDR, with the additional security of a program that can actively hunt viruses rather than simply stopping them before they infiltrate your network — although, as mentioned above, EDR is perfectly capable of stopping even an unknown virus before it breaches your network’s walls.
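The “police officer learning their beat” idea from the EPP section and the quarantine-and-alert flow just described can be shown together in one small added example (not code from the original article or from any EPP/EDR product). It assumes a simplified model: per-process memory readings are the only telemetry, the learned baseline is a mean and standard deviation per process, anything more than three standard deviations above its mean or any process never seen during learning is treated as anomalous, and the response is to record the process as quarantined and raise an alert. The training and live samples are constructed; real products use far richer telemetry and models, but the shape of the logic is the same.

```python
import statistics
from dataclasses import dataclass, field


@dataclass
class Sample:
    """One telemetry reading: resident memory of a process at a point in time."""
    process: str
    memory_mb: float


@dataclass
class Baseline:
    mean: float
    stdev: float


def learn_baseline(samples: list[Sample]) -> dict[str, Baseline]:
    """Learn a per-process memory baseline from a window of normal activity."""
    by_process: dict[str, list[float]] = {}
    for s in samples:
        by_process.setdefault(s.process, []).append(s.memory_mb)
    return {
        p: Baseline(statistics.mean(v), statistics.pstdev(v))
        for p, v in by_process.items()
    }


def is_anomalous(baseline: dict[str, Baseline], sample: Sample,
                 z_threshold: float = 3.0) -> bool:
    """Flag a process never seen during learning, or a memory spike far above its mean."""
    b = baseline.get(sample.process)
    if b is None:
        return True  # a stranger on the beat
    # Floor the spread at 5% of the mean so a perfectly steady process still
    # gets a tolerance band instead of a division by zero.
    spread = max(b.stdev, 0.05 * b.mean)
    return (sample.memory_mb - b.mean) / spread > z_threshold


@dataclass
class EdrState:
    quarantined: list[str] = field(default_factory=list)
    alerts: list[str] = field(default_factory=list)


def edr_respond(baseline: dict[str, Baseline], samples: list[Sample]) -> EdrState:
    """Quarantine the offending process and raise an alert for each anomalous sample."""
    state = EdrState()
    for s in samples:
        if is_anomalous(baseline, s):
            if s.process not in state.quarantined:
                state.quarantined.append(s.process)
            state.alerts.append(
                f"{s.process}: {s.memory_mb:.0f} MB outside learned baseline")
    return state


# Constructed learning window: steady, normal activity for two known processes.
TRAINING = (
    [Sample("browser", m) for m in (380, 420, 440, 390, 420)]
    + [Sample("editor", m) for m in (100, 100, 100, 100, 100)]
)

# Constructed live readings: a normal browser reading, a normal editor reading,
# a large browser memory spike, and a process never seen before.
LIVE = [
    Sample("browser", 425),
    Sample("editor", 104),
    Sample("browser", 900),
    Sample("updater_helper", 50),
]


def run_demo() -> EdrState:
    """Learn the baseline from TRAINING and respond to the LIVE readings."""
    return edr_respond(learn_baseline(TRAINING), LIVE)


if __name__ == "__main__":
    result = run_demo()
    print("quarantined:", result.quarantined)
    for alert in result.alerts:
        print("ALERT", alert)
```

The two normal readings pass quietly, the browser spike and the unknown process are both quarantined and alerted on, and nothing in the decision depended on a signature, which is why this kind of detection still fires on a virus whose bytes have been changed.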
WHY IS EDR IMPORTANT?
As the tactics and viruses hackers use advance every day, the defenses of AV software are quickly becoming woefully inadequate for the scope of virtual threats present.
Not only are more and more viruses being created, the nature of viruses is changing as well. Hackers are now concocting viruses that can change their signature, enhancing their ability to infect networks even after being detected.
This new technique essentially cripples the ability of regular, signature-based AV software to protect against viruses, and soon EDR will become the industry standard.
If you want to make sure your business has the increased effectiveness of EDR software, speak with your MITS provider.