OpenSecurity.global
Sherman Chu

How Effective are Endpoint Security Solutions at Detecting and Preventing Malware?

Recommended Posts

First off, I am in no way shape or form an expert in this.

While a majority of EDRs nowadays tout that they have the ability to detect and block malware based on behavior, I am still skeptical that such tools can efficiently help with preventing malware such as Trickbot from successful installation.

Can anybody who has more experience help shed some light on this matter? I know that this may be a loaded question and may contain a lot of caveats and qualifiers. But stripping away defense-in-depth and other best practices, how much faith do y'all put into EDRs?

  • Like 1


I guess the first question is what you mean by EDR.

My view overall is that EDR is usually anti-virus with an extra price tag. Often vendors have gone overboard with marketing to help sell the extra premium to boards. Sometimes the marketing is so overboard it's, well, bad.

For me: AV is great, it detects a lot of stuff. If you can afford premium features easily then great, it's another layer of security protection. However, if budgets are a concern then you risk being mis-sold a false sense of security.

  • Like 2

Posted (edited)

Most battle-hardened pentesters I know laugh at AV and EDR - they curse app whitelisting, but that also fails occasionally.

If your users are local admin, or you have unpatched priv escs, it's game over whatever you're running.
BTW - did you see this - https://speakerdeck.com/tophertimzen/edr-is-coming-hide-yo-sh-t

Edited by james mckinlay
  • Like 1


Yeah, I tend not to model around what pentesters say because they usually aren't the threat scenario.

E.g. if I've got them on the internal network and given them a laptop with admin rights and they disable security controls, I'm not that surprised - the hope would be that the security controls stop the attacker gaining access to the laptop and network in the first place.

  • Like 1


EDR should also allow you to do things such as remote process/memory fingerprinting and capture. I've seen ones that allow you to isolate a host from the network and only allow it to communicate with the EDR controller; you can also do more advanced forensic captures. If it's just doing AV, it's not EDR, because the response part is missing.


Yeah, it comes back to what people mean by EDR. EDR has become the new thing that vendors need to sell their product, as industry people are asking for it - but it feels like everybody means something different.

Sophos are a pretty good example of where it gets confusing.  As a customer, you have:

  • Sophos Endpoint - their main product until a few years ago
  • Sophos Intercept X
  • Sophos Intercept X Advanced
  • Sophos Intercept X Advanced with EDR

But when you've got to "Sophos Intercept X Advanced with EDR" (how is that a product name?!) it still doesn't include the EDR you're describing above, Kieran.

  • Like 2


Out-of-the-box antivirus does not play well with non-persistent VDI, so we opted for application whitelisting and removal of admin rights for everyone instead of (not as well as) antivirus.

Our monitoring tells us these were sensible choices for our environment.

On 8/16/2019 at 2:17 PM, james mckinlay said:

Out-of-the-box antivirus does not play well with non-persistent VDI, so we opted for application whitelisting and removal of admin rights for everyone instead of (not as well as) antivirus.

Our monitoring tells us these were sensible choices for our environment.

It's a bit of a tricky risk one - it's pretty easy to get around things like AppLocker if you know what you're doing. You can run AV with VDI; the last two jobbings have done it. That said, application whitelisting is quite often more successful than AV, make of that what you will.

Just now, Kevin Beaumont said:

It's a bit of a tricky risk one - it's pretty easy to get around things like AppLocker if you know what you're doing. You can run AV with VDI; the last two jobbings have done it.

ExtraHop, Senseon, Vectra, Bro and Graylog all say that the environment is clean - it may not be - but that's a lot of different ways of saying it is.

We know you can run AV in VDI; we choose not to.


My personal opinion - it's better than nothing, but don't depend on it. Too many products depend on signatures and hashes, which means you don't even need to be patient zero to be totally impacted.

Good for box ticking, but make sure you have defence in depth - invest in more people if there is a choice.

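The point above about products that depend on signatures and hashes, shown as an added example (this is not code from the thread, from any poster, or from any EDR vendor). Two constructed "samples" differ by a single byte, so a hash blocklist built from the first one, the patient-zero submission, misses the second; a behaviour rule written over constructed endpoint telemetry flags both, because the behaviour did not change. All sample bytes, process names, parent/child pairs and the allowlist are constructed for the illustration.

```python
"""Hash-based vs behaviour-based detection on constructed samples (added example)."""
from __future__ import annotations

import hashlib

# Constructed stand-ins for two builds of the same program. Only the final
# padding byte differs, which is all a repack needs to defeat an exact-hash match.
SAMPLE_A = b"constructed-sample-body-PAD\x00"
SAMPLE_B = b"constructed-sample-body-PAD\x01"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The blocklist only knows the hash of the first sample anyone submitted.
HASH_BLOCKLIST = {sha256_hex(SAMPLE_A)}


def hash_detect(sample: bytes) -> bool:
    """Signature-style check: exact SHA-256 match against the blocklist."""
    return sha256_hex(sample) in HASH_BLOCKLIST


def telemetry_for(sample: bytes) -> list[dict]:
    """Constructed sensor telemetry for one execution of `sample`.

    Both variants run identical code, so they emit identical process events;
    only the bytes on disk differ. `run` ties events back to the file hash.
    """
    run_id = sha256_hex(sample)[:8]
    return [
        {"run": run_id, "parent": "WINWORD.EXE", "image": "cmd.exe",
         "cmdline": "cmd.exe /c <constructed>", "run_key_written": False},
        {"run": run_id, "parent": "cmd.exe", "image": "powershell.exe",
         "cmdline": "powershell.exe <constructed>", "run_key_written": False},
        {"run": run_id, "parent": "powershell.exe", "image": "svchost-lookalike.exe",
         "cmdline": "svchost-lookalike.exe", "run_key_written": True},
    ]


# Constructed rule inputs; a real deployment tunes these to its own estate.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
RUN_KEY_ALLOWLIST = {"msiexec.exe", "explorer.exe"}


def behaviour_detect(events: list[dict]) -> list[str]:
    """Behaviour rules: return one alert name per suspicious event.

    Rule 1: an Office process spawning a script host.
    Rule 2: a Run-key persistence write by an image not on the allowlist.
    """
    alerts: list[str] = []
    for ev in events:
        if ev["parent"] in OFFICE_PARENTS and ev["image"] in SCRIPT_HOSTS:
            alerts.append(f"office-spawns-script-host:{ev['image']}")
        if ev["run_key_written"] and ev["image"] not in RUN_KEY_ALLOWLIST:
            alerts.append(f"unexpected-run-key-persistence:{ev['image']}")
    return alerts


def compare(sample: bytes) -> dict:
    """Run both detection styles against one sample and report the outcome."""
    return {
        "sha256": sha256_hex(sample),
        "hash_hit": hash_detect(sample),
        "behaviour_alerts": behaviour_detect(telemetry_for(sample)),
    }


if __name__ == "__main__":
    for name, sample in (("patient zero", SAMPLE_A), ("one-byte variant", SAMPLE_B)):
        result = compare(sample)
        print(f"{name}: hash hit={result['hash_hit']}, "
              f"behaviour alerts={result['behaviour_alerts']}")
```

Running it shows the hash check catching only the patient-zero sample while the two behaviour rules fire identically for both variants; the rules are deliberately coarse, and in practice the allowlist and parent/child sets are where the false-positive tuning work lives.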

I'm going to differ here from a lot of the opinions posted: as someone who's been heavily involved in the offensive realm for a long time now, modern EDRs like CrowdStrike and Carbon Black are annoying as hell to me when I want to be evil. As a defender, they are damn good, as they force me and others to make noise, and we hate noise, as noise lets you know we are around.

Sure, the early ones were signature-based, did really stupid things to their agents that made them trivial to disable, let you perform sneaky process hollowing tricks to stop you seeing me, and so many others, but that isn't the case much today. I don't see them as a box-ticking exercise, not at all; whilst they still have a lot to do, I'm glad I'm not a pentester anymore 😉

  • Like 2

28 minutes ago, Daniel Cuthbert said:

"they are damn good as they force me and others to make noise and we hate noise as noise makes you know we are around."

Must try harder! They will eventually fall too...
