Cyber incident? Get Help
Log In

Coalition | Cybersecurity and insurance to keep your business safe.

Cybersecurity education: How EDR supports zero trust cybersecurity
Aaron Kraus

First came the computer viruses, and we responded with anti-virus (AV) software. Eventually, attackers got craftier and made malicious software that did many unpleasant things, such as spying on your browsing habits, stealing information like usernames and passwords as you typed them, and installing cryptocurrency mining software to steal your computing resources. Malicious software was shortened to malware, and in response, AV evolved to anti-malware (AM).

Concurrent to the evolution of malware, cybersecurity shifted from a mindset of “secure the perimeter and trust everything inside it” to “trust nothing, also known as zero trust.” This mindset demanded even more powerful and capable tools to secure the network-connected devices like servers, laptops, printers, and even smartphones — collectively known as endpoints. The endpoint security evolution takes AV and adds the necessary capabilities to monitor endpoints not just for viruses or malware. This emerging field is called endpoint detection and response (EDR).

An updated solution for updated cyber risk

No two organizations will deploy and configure their IT environments the same; static or one-size-fits-all solutions may not provide significant security advantages against today’s quickly evolving malware. Traditional AV tools look for signatures of known attacks, so new or modified viruses, and malware can often slip through. These tools are blind to new threats until a malware signature is created. Additionally, cyber criminals have gotten crafty by writing malware that can modify itself on the fly, making signature-based detection a massive headache and prone to providing false negatives.

Variations in an organization’s environment, such as unique network layouts and the complex mix of hardware and software, can pose problems for even the smartest AV software. Think about your kitchen: the way you’ve arranged items in cabinets and drawers is probably slightly different than your friends and family. Thus, a visiting chef entering your kitchen is unlikely to work at peak efficiency as they will need time to find the necessary equipment. Those extra few minutes could be the difference between a perfectly cooked dinner and an overcooked mess.

EDR offers an advantage over legacy AV in these two areas by utilizing more advanced technology to identify threats. For example, an EDR software agent running on a network-connected device is able to observe and monitor actions related to that device, such as network traffic, file access, and usage patterns. This baseline of normal behavior is useful for detecting anomalies. When EDR is deployed across an entire network, it’s possible to detect, correlate, and disable malware as it attempts to spread.

Put a lid on it: shortening response time

EDR utilizes its advantage over traditional AV to achieve two primary goals. First, its ability to spot abnormal or unusual behavior allows it to spot new and previously unknown threats, which allows EDR software to respond more quickly since there is no need to wait for a new piece of malware to be analyzed to create a signature.

Second, EDR’s ability to adapt provides an advantage by tailoring detection of suspicious behavior to each environment. For example, ransomware gangs often send themselves copies of sensitive information before encrypting a victim’s network. This process is known as data exfiltration and serves to extort the victim into paying a ransom. Is a large volume of data leaving your network normal, or is it a sign of infection that’s a precursor to ransomware? Good EDR is advanced enough to answer that question and take appropriate action, such as blocking suspicious outbound traffic and quarantining the potentially infected system for further review.

The ultimate goal of EDR is to shorten the time it takes to respond to malware and unwanted activity on network endpoints. When it comes to managing cyber risk, we can take two actions: proactively reduce the likelihood, e.g., with email security tools that can filter out suspicious email attachments, and reactively mitigate the impact of a risk that does get through. That’s where traditional AV played, but it’s ineffective against evolving threats like zero-day vulnerabilities or newly-released malware. Smarter, more flexible detection and automated responses limit the impact and spread of malware.  Quarantining infected files/systems, recovering compromised systems from backup, and automatically performing scans to identify other endpoints that may be infected but are not yet being actively exploited are invaluable in preventing a cyber event from becoming a cyber incident.

Partner spotlight: Malwarebytes

A leading provider of advanced endpoint protection and remediation solutions, Malwarebytes proactively protects people and businesses against dangerous threats such as malware, ransomware, and exploits that escape detection by traditional antivirus solutions. Malwarebytes completely replaces antivirus with artificial intelligence-powered technology that stops cyberattacks before they can compromise endpoints on business networks. Malwarebytes’ comprehensive protection catches increasingly sophisticated threats by monitoring and analyzing behavior, where many traditional solutions fall short by focusing on file-based malware and signature tracking for established threats. Further differentiating from standard security solutions, Malwarebytes allows devices attacked by ransomware to roll back up to three days to restore conditions prior to the attack.

Coalition policyholders can contact Malwarebytes to understand how EDR can protect their business from malware attacks. Coalition evaluates all technical signals when underwriting risk, and we recommend security whether you are connecting to your organization’s network perimeter from the physical office or via remote access. We strongly recommend endpoint security for all of our policyholders to reduce the likelihood of a claim.

Additionally, Coalition’s cybersecurity guide outlines the basic tenets of a cybersecurity program — a critical factor in reducing your organization’s cyber risk. You can also download the full H1 2021 Cyber Insurance Claims Report to learn more about the cyber trends impacting all organizations and our predictions for the remainder of 2021.

Coalition’s insurance products are offered with the financial security of Swiss Re Corporate Solutions* (A+ ratings by A.M. Best) and Arch Insurance Canada Ltd (A.M. Best A+ rating).
WHAT WE DO
© 2021 Coalition, Inc.
*Insurance products are underwritten by Westport Insurance Corporation, a member of Swiss Re Corporate Solutions