Navigating Cybersecurity: Choosing Your Defense Tools Wisely
Navigating the Landscape of Antivirus (Cybersecurity monitoring) Software: A Deeper Look
As end users, we often assume a level playing field when it comes to software sharing the same name, such as antivirus software. However, true parity is achieved only when organizations like the Mitre Foundation play their part. What we make of the framework post-subscription rests in the hands of the individual or organization subscribing. The efficiency and speed of searches and the accuracy of results all stem from a common source of data, amplified by the engine delivering the promises. It’s crucial to scrutinize these promises for accuracy and reliability in your unique environment, as the engines, built by differing vendors, are where you will find the differences.
Many (in our search all did) monitoring solutions harness the power of Artificial Intelligence (AI) to enhance their services. While we didn’t delve into specific AI technologies deployed by vendors in our review, we assumed a level playing field, focusing instead on the effectiveness of the implemented strategies used. Our aim is to empower you, the reader, with insights that lie within your control when selecting a monitoring solution for your organization.
In our evaluation, we considered:
Algorithmic Soundness: Assessing the algorithm’s robustness for delivering services.
Self-Protection: Ensuring the software guards against easy compromise, preventing unauthorized shutdown by potential hackers.
Response Time: Testing the effectiveness of the Security Operations Center (SOC) where the vendor permitted it, as we wanted to evaluate their commitment to vigilance and responsiveness.
Resource Impact: Paying attention to the software’s impact on device performance, considering the burden it adds to the device and the organization.
Navigating the Impact of Your Selection on Your Environment
In our investigation, we’ve uncovered that two primary strategies, distinct schools of thought, are embraced by cyber-monitoring vendors as they grapple with the challenges of safeguarding your digital realm.
Each solution we reviewed commenced with the following fundamental step:
Establish a Baseline: Install the monitoring agent onto the PC, allowing it time to learn the end user’s working habits. This involves creating a working profile, identifying patterns such as email habits, working hours, and preferred applications, establishing a baseline behavior for “the user” at “this terminal.”
What they did once this baseline was established depended on how the vendor looked at your environment.
Strategy 1: “Supervisor in the School Yard”
- In protect mode, this strategy focuses on detecting and reacting to any suspicious activity.
- The ATT&CK framework serves as a security database for profiling applications within the protected environment.
- Upon detecting suspicious activity, the agent can shut down the offending application, preventing the spread of the attack and notifying support.
- A live person is involved throughout the remediation step.
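The baseline-then-react loop described in the step above and in Strategy 1, as an added example that is not code from the article or from any vendor it reviewed. A toy agent learns a per-user baseline (which programs run, launched by what, at which hours) from a learning-period log, then in protect mode scores new events against it and either lets them run, raises an alert for a person, or stops the process and notifies support. The event format, field names and every log line are constructed for this example.

```python
"""Added example (not code from the article or any vendor): a toy "Supervisor in
the School Yard" agent. It builds a per-user baseline from a learning-period
process log and then, in protect mode, scores new events against that baseline
and decides whether to let them run, raise an alert for a human, or stop the
process. The event format and every log line below are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Baseline:
    apps: set = field(default_factory=set)     # processes the user normally runs
    hours: set = field(default_factory=set)    # hours of day the user is active
    parents: dict = field(default_factory=lambda: defaultdict(set))  # app -> launchers


# Constructed learning-period log: "<user>,<hour>,<parent process>,<process>"
LEARNING_LOG = [
    "alice,9,explorer.exe,outlook.exe",
    "alice,10,explorer.exe,winword.exe",
    "alice,11,explorer.exe,outlook.exe",
    "alice,14,explorer.exe,cmd.exe",
    "alice,16,explorer.exe,winword.exe",
]


def parse(line):
    user, hour, parent, proc = line.strip().split(",")
    return user, int(hour), parent, proc


def learn(lines):
    """Establish the baseline: who runs what, launched by what, at which hours."""
    baselines = defaultdict(Baseline)
    for line in lines:
        user, hour, parent, proc = parse(line)
        b = baselines[user]
        b.apps.add(proc)
        b.hours.add(hour)
        b.parents[proc].add(parent)
    return dict(baselines)


def evaluate(baselines, line):
    """Protect mode. Returns (verdict, reasons); verdict is one of
    'learning' (no baseline yet), 'allow', 'alert' (a person reviews) or
    'terminate' (process stopped and support notified)."""
    user, hour, parent, proc = parse(line)
    b = baselines.get(user)
    if b is None:
        return "learning", ["no baseline for this user yet"]
    reasons = []
    if proc not in b.apps:
        reasons.append(f"{proc} never seen for {user}")
    elif parent not in b.parents[proc]:
        reasons.append(f"{proc} launched by unusual parent {parent}")
    if hour not in b.hours:
        reasons.append(f"activity at {hour:02d}:00 is outside the baseline")
    if not reasons:
        return "allow", reasons
    # One deviation is escalated to a person; two independent deviations
    # (for example an unknown program at an unusual hour) stop the process.
    return ("terminate" if len(reasons) >= 2 else "alert"), reasons


def protect(baselines, events):
    """Score a batch of protect-mode events; returns {event: verdict}."""
    return {e: evaluate(baselines, e)[0] for e in events}


if __name__ == "__main__":
    baselines = learn(LEARNING_LOG)
    events = [
        "alice,10,explorer.exe,outlook.exe",    # normal
        "alice,10,winword.exe,cmd.exe",         # known app, odd launcher
        "alice,3,winword.exe,powershell.exe",   # unknown app at 03:00
        "bob,10,explorer.exe,outlook.exe",      # user still in learning phase
    ]
    for event, verdict in protect(baselines, events).items():
        print(f"{verdict:10} {event}")
```

The "learning" verdict for a user with no baseline is the edge case worth asking a vendor about: what the agent does for a new terminal or user before its profile exists, and how long that window lasts.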
Strategy 2: “Guard at the Gate”
- In protect mode, this strategy learns which software applications are authorized to execute on your computer and requests authorization for any new application.
- Pre-identified software is allowed to execute uninhibited. Any abnormal behaviors trigger quiet blocking, with support or the user potentially notified.
- New attempts to load software require the user to request permission for installation.
- A person is notified to respond and review the installation request. If the software is deemed non-threatening, the installation is permitted, and the user is notified to retry.
- “Supervisor in the School Yard” allows applications to work normally but monitors for suspicious activity, responding when unwanted behavior is detected.
- “Guard at the Gate” tags all authorized applications and blocks any unauthorized application from executing, requiring approval before a user can install the new application.
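The approval workflow of Strategy 2, as an added example that is not code from the article or from any vendor it reviewed. Authorized applications are pinned by the SHA-256 of their binary contents rather than by file name, so a renamed, patched or replaced binary does not inherit approval. Anything unknown is quietly blocked and queued for a person to review; after approval the user retries and it runs. The binaries, paths and user names are constructed.

```python
"""Added example (not code from the article or any vendor): a toy "Guard at the
Gate" agent. Authorised applications are pinned by the SHA-256 of their binary
content, so a renamed, patched or replaced binary does not inherit approval.
Anything not on the list is quietly blocked and queued for a human reviewer;
after approval the user retries and it runs. Binaries, paths and users are constructed."""
import hashlib


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for installed binaries (a real agent reads them from disk).
WINWORD_BIN = b"MZ\x90\x00 constructed winword build 16.0"
NEWTOOL_BIN = b"MZ\x90\x00 constructed diagram tool 1.2"


class Gate:
    def __init__(self, allowlist):
        self.allowed = dict(allowlist)   # sha256 -> friendly name
        self.pending = {}                # sha256 -> (path, requesting user)
        self.events = []                 # audit trail of every decision

    def execute(self, path, data, user):
        """Called on every launch attempt. Returns the outcome as a string."""
        h = fingerprint(data)
        if h in self.allowed:
            self.events.append(("allow", path, user))
            return "executed"
        # Unknown binary: block silently and file one request per distinct hash.
        self.pending.setdefault(h, (path, user))
        self.events.append(("block", path, user))
        return "blocked: approval requested"

    def review(self, h, approver, approve):
        """Human step: approve or deny a queued request by hash."""
        path, user = self.pending.pop(h)
        if approve:
            self.allowed[h] = path
            self.events.append(("approve", path, approver))
            return f"approved: notify {user} to retry"
        self.events.append(("deny", path, approver))
        return f"denied: notify {user}"


def scenario():
    """Walk through the workflow in the text; returns the list of outcomes."""
    gate = Gate({fingerprint(WINWORD_BIN): "winword.exe"})
    out = []
    out.append(gate.execute(r"C:\Office\WINWORD.EXE", WINWORD_BIN, "alice"))           # executed
    out.append(gate.execute(r"C:\Users\alice\Downloads\diagram.exe", NEWTOOL_BIN, "alice"))  # blocked
    out.append(gate.review(fingerprint(NEWTOOL_BIN), "it-admin", approve=True))
    out.append(gate.execute(r"C:\Users\alice\Downloads\diagram.exe", NEWTOOL_BIN, "alice"))  # executed
    # Same path as the approved Word binary, but one byte differs: still blocked.
    out.append(gate.execute(r"C:\Office\WINWORD.EXE", WINWORD_BIN + b"\x00", "alice"))
    return out


if __name__ == "__main__":
    for outcome in scenario():
        print(outcome)
```

The last step in the scenario is the point of hash pinning: an update to an approved program changes its hash and lands in the approval queue again, which is exactly the "constant approval process" cost the Pros and Cons section describes.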
Fine-Tuning Cybersecurity Strategies: Pros and Cons
Supervisor in the School Yard:
- Minimal Interruption: Ideal for busy environments with diverse application usage or frequent tool installations.
- Automation-Driven: Relies on automated detection of suspicious activity, reducing dependence on human intervention.
- Uninterrupted User Work: Users can continue working unless a malicious actor is detected.
- Automation Dependency: Vulnerable to disruptions if automations fail. Vendor strategies for handling automation breakdowns need investigation to avoid a false sense of security.
- SOC Response Time: Relies on the Security Operations Center (SOC) for timely response; prolonged deactivation can result in idle employee time.
- Potential Weakness: As automated detection depends on knowing how applications behave as they execute, “zero-day” exploits must be handled as a special case.
Guard at the Gate:
- Silent Operation: Thrives in environments with a consistent application stack and minimal introduction of new software.
- Automated Prevention: Default prevention of any unauthorized application, reducing the need for vigilant human monitoring.
- Uninterrupted User Routine: Users experience no interruptions in their normal workday as device deactivation is not required; only unapproved applications are halted.
- Shadow IT Deterrence: Effectively discourages unauthorized software installations.
- Potential Disruption: Can be disruptive in environments with regular use of different software tools, leading to potential confusion.
- Scheduled Installations: Predictable schedules for new software may cause delays due to the constant approval process. Further, installation delays, especially in busy periods, may lead to stressful experiences for employees as everything must be authorized.
- On the concepts of Algorithmic Soundness and Self-Protection, the applications reviewed all passed our benchmark for what a security agent should be.
- On response time, some vendors refused to have their team’s response quality tested.
- One vendor failed response testing, with significant delays in detecting an attack.
- Poor customer support led to the failure of one other vendor.
- From a resource impact perspective, some solutions were deemed cumbersome in terms of the technology stack a client will have to deploy.
- Weakness in protecting mixed environments, especially those involving Macs, was observed, reflecting the immaturity of the industry at the time of publishing this article.
Special Mention: A unique solution targeting ransomware was reviewed; this solution did not use Mitre’s framework. The application exists specifically to protect against ransomware. The strategy involves dropping files with random data on the disk, then monitoring for access, and isolating applications that access these files. While innovative, its vulnerability to code manipulation raises concerns about its robustness.
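The decoy-file idea described in the special mention, as an added example that is not code from the article or from the vendor reviewed. Random-content decoys are planted in a directory and fingerprinted; a later sweep reports any decoy that was modified, renamed or deleted, which is what bulk encryption does to every file it reaches. Two simplifications are assumed: the example detects modification rather than read access, and it returns the evidence instead of isolating a process. The decoy names and the temporary directory are constructed.

```python
"""Added example (not code from the article or the vendor reviewed): a toy version
of the decoy-file approach. Random-content decoys are planted in a directory and
fingerprinted; a later sweep reports any decoy that was modified, renamed or
deleted. It detects modification rather than read access, and returns the
evidence instead of isolating a process. Names and paths are constructed."""
import hashlib
import os
import secrets
import tempfile

# Constructed decoy names; chosen to sort first and last so a process walking
# the directory in name order touches a decoy before most real documents.
DECOY_NAMES = ["!!budget_2024.xlsx", "backup_notes.docx", "zz_archive_old.pdf"]


def plant_decoys(root, names=DECOY_NAMES, size=4096):
    """Write decoys full of random bytes; return {path: sha256} as reference state."""
    state = {}
    for name in names:
        path = os.path.join(root, name)
        data = secrets.token_bytes(size)
        with open(path, "wb") as fh:
            fh.write(data)
        state[path] = hashlib.sha256(data).hexdigest()
    return state


def sweep(state):
    """Re-check every decoy; return [(path, 'modified' | 'missing')]."""
    findings = []
    for path, digest in state.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))      # deleted or renamed
            continue
        with open(path, "rb") as fh:
            current = hashlib.sha256(fh.read()).hexdigest()
        if current != digest:
            findings.append((path, "modified"))
    return findings


def demo():
    """Plant decoys, confirm a clean sweep, then overwrite one and rename another
    with ordinary file operations to stand in for a process touching them.
    Returns the sorted finding kinds from the second sweep."""
    with tempfile.TemporaryDirectory() as root:
        state = plant_decoys(root)
        assert sweep(state) == []          # untouched decoys raise nothing
        first, second = sorted(state)[:2]
        with open(first, "wb") as fh:
            fh.write(b"not the original bytes")
        os.rename(second, second + ".renamed")
        return sorted(kind for _, kind in sweep(state))


if __name__ == "__main__":
    print(demo())
```

The reference state lives only in the agent's own memory, which is the weak point the article notes: if the agent's code can be manipulated, the decoys stop meaning anything, so the self-protection criterion from the evaluation list applies to this design as much as to the others.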
In conclusion, cybersecurity solutions in this evolving landscape are complex and may pose challenges in configuration. Relying on vendors for configuration support is crucial. Notable challenges include industry immaturity and a learning curve as new strategies emerge. With all solutions using AI and no current benchmarks to test the robustness, accuracy and correctness of the applications, one must trust in the AI developers to not make mistakes.
Again, our goal was not to help you select a solution but to arm you with insights to what you should be questioning and investigating when selecting a solution.
Not all AI applications are written perfectly, and not all security operation centre (SOC) teams are 100% on the ball as they watch alerts flowing in.
Last point: EDR – Endpoint Detection and Remediation. MDR – M****** Detection and Remediation, XDR – Xtra***** Detection and Remediation. Ask the vendor; they will have a great reason why their solution is more than endpoint detection and remediation. It’s all in the marketing.