From antivirus to MDR: The evolution of cybersecurity technology

AVtoEDRMDR_image.png

Antivirus (AV) has been around since the early age of networked computers, emerging in the 1980s to more commercially available products in the 1990s. Early antivirus worked by scanning for and blocking known virus signatures. As new viruses and malware emerged, you’d have to update your AV database, then run a scan looking for these new bad signatures. In 1994 there were about 30,000 malware samples in most AV databases.

AV was doing its job, researchers were discovering new malware and submitting samples, databases were being updated, and we were scanning and blocking threats. This really worked for quite a while, but as computer and the internet became more common, the cybersecurity community (attackers and defenders) started to realize something.

Attackers were persistent. They’d write new malware to get through protections, each new malware sample creating a new signature. Defenders would discover it, apply the hash to their signature database, and block it. This cat and mouse game went on for a while, but it was tough to keep up, neither side really getting ahead. New malware would be created, it would be discovered and blocked, and the cycle continued.

In 2005 there were roughly 333,000 malware hashes in any given database. As you can see, this number is quite a bit more than what we were seeing in the mid-90s, but AV was still working well. By 2007 though, there were almost 5.5 million unique malware samples reported and that was just two years later! AV was struggling to keep up and things needed to change.

Attackers were also starting to use our own tools against us—such as PowerShell scripts and Office document macros. These were things that traditional AV had a much more difficult time detecting, as the software and execution itself were supposed to be safe.

Cybersecurity experts started to realize we could no longer keep up using this antiquated technology and we had to make some improvements. Next-generation AV (NGAV) started to emerge in the early 2010s. Instead of relying on known hashes, we realized we could look for patterns in the malware and attempt to detect new strains by using the behavior of the malware itself. Instead of looking for just the known bad, we could utilize NGAV to look at everything that executes on the endpoint and determine whether it was malicious or not by the way it behaved.

But not everything is 100%, especially in security. We started seeing new threats all the time, including ransomware, fileless malware, and zero-day attacks. NGAV was good, but we also needed to be able to respond to and remediate the things that weren’t initially stopped by NGAV.

Shortly after NGAV, we evolved into using endpoint detection and response (EDR) platforms. These platforms took the best pieces from AV and NGAV and combined them. Even though malware variants change all the time, there is a much smaller number of ways the malware behaves. This led to the development of the MITRE ATT&CK framework that many EDR solutions are now using today. If we can map these behaviors to the primary 14 techniques, it’s much easier to detect.

Even if malware isn’t detected at that initial infection, chances are it’s going to do something that we know about, and that’s where the response comes in. Like NGAV, EDR solutions track everything on the endpoint. Eventually, that malware will get caught and we’ll be able to step back through the processes, learn what was done, and remediate those changes, cleaning up your endpoints.

You may have heard of an even newer technology, extended detection and response (XDR) and that’s the next evolution. EDR is great at protecting your endpoints, but as the internet of things (IoT) grows, there are a lot more devices than just endpoints on your network. There are printers, phones, cameras, fridges, coffee makers, and so many other things that cannot be protected by EDR—and most of these IoT devices are great ways to get into a network. So how do we protect all these other things? We look at the network traffic going to and from all these devices, then start to learn what’s normal and what isn’t. XDR could be a whole article itself, so we’ll leave it here for now.

As you can imagine, with these new tools comes new skillsets and people required to manage them—that’s where ConnectWise can help. We not only offer some of the best EDR tools available, but we also have the manpower to manage and respond to all these new threats we’re seeing. The ConnectWise security operations center (SOC) operates 24/7/365 and along with the ConnectWise Cyber Research Unit (CRU), is filled with the cybersecurity experts you need.