You may be looking for an EDR (Endpoint Detection and Response). While researching the right data and endpoint protection software, you will come across many scientific and abstract terms. In this article we explain machine learning and multi-layer zero trust and what they bring to an EDR. To do so, we first look at malware and ransomware and how they work, which shows where classical antivirus software has become obsolete and why an EDR is needed. You will then be able to understand how machine learning and multi-layer zero trust work and why they are so useful in an EDR.
Malware, and ransomware in particular, is the main malicious software in circulation today. To fight these attacks effectively, you have to know and understand them. These attacks are not automatic: behind every one of them is an attacker who launches it, so you have to be fully protected. The first step of protection is knowledge, so here is an overview of these attacks.
Malware is malicious software, developed to compromise your endpoint or, more specifically, some of your data. It is vicious and discreet and can hide anywhere on your computer. In most cases it does not launch itself: it needs your help, which is why you have to be able to recognise it. To run on your computer, malware usually needs an action from you: a click on a link on an unsafe website, opening a program downloaded online, or opening an email attachment. (Some malware does spread without any user action, by exploiting unpatched network services, which is one more reason to keep systems updated.) It is therefore important not to open files or click links unless you are sure they are safe. Despite these precautions, some malware is very well hidden, so effective protection is necessary to be ready for every eventuality.
Indeed, malicious software is becoming more capable and more discreet. Its objective is to have you launch it without knowing it. Some malware even stays dormant in your system for a long time before starting to corrupt your data, which makes detection even more difficult.
One very specific type of malware has stood out in recent years: ransomware.
Ransomware is also malicious software. Unlike generic malware it has one specific purpose: extorting money from the owner of the infected computer. The concept is simple. Imagine you are using your computer when suddenly a pop-up or an email appears telling you that your computer is infected, that your data is encrypted, that you will no longer be able to access your system, or that your browsing history will be disclosed publicly. The only way to stop it is to pay a ransom. You are redirected to a payment page and, once the ransom has been paid, your data is supposedly decrypted, your system usable again and your browsing history deleted. In practice there is no guarantee: paying funds the attacker and does not always produce a working decryptor.
Ransomware can follow different execution schemes, depending on the attacker's goals. The most common variants encrypt your data, and you only get the decryption key after paying a certain amount. Others prevent your operating system from starting until the ransom is paid. In every case you are locked out and forced to pay a malicious user to get back your sensitive or important data, or simply to use your computer. This software is becoming more common and more powerful. Fortunately, protection software exists that can stop these attacks.
Antivirus software came on the market at a time when attacks were very different. Over time malicious software has evolved, but antivirus software has stayed basically the same: it relies on signature scanning, which is largely ineffective against current attacks.
Learn more about antivirus structure in this article.
Traditional antivirus software detects malicious software by computing a signature of each file and comparing it against a list of known malware signatures. That technology is obsolete today: malware is used in very different kinds of attacks, and an attacker can change parts of its code (or pack or obfuscate it) so that the signature no longer matches, which makes detection by signature impossible.
Likewise, an attack based on malware written by the attacker himself will not be recognised by an antivirus, because its signature is not known.
In the same way, ransomware will not be recognised by an antivirus, and if it is, it is too late. In fact, malicious users have very simple ways to bypass antivirus detection mechanisms: fileless and living-off-the-land attacks, which run malicious code in memory or through legitimate system tools rather than dropping a new executable to disk.
Find more information about these attacks in this article.
Antivirus software cannot protect you. Your computer and your data are at risk, and you need relevant protection against these new kinds of threats.
Recent attacks have shown that the techniques used by malicious users are becoming more sophisticated and harder to detect. One example is the recent attack against Sopra Steria, in which the attackers combined the Ryuk ransomware with Cobalt Strike, a commercial post-exploitation framework used to move through the network before the ransomware is deployed.
To block these kinds of attacks, it is really important to use technologies as powerful as the malicious software you may encounter. The best strategy is to combine machine learning on one hand and multi-layer zero trust on the other.
To understand why this strategy is the most relevant, here is a presentation of these two technologies.
Machine learning is an artificial intelligence technology. Its purpose is to let the computer learn by itself, from a large amount of data, how to recognise alarming or malicious processes.
The machine learning engine records and analyses the actions on the computer, both those launched by the user and those launched by the system. It also analyses external data, such as malware and ransomware samples, forums and articles, to learn about new attack schemes. That is big data: the engine processes an enormous amount of data and learns from it without human help.
The purpose of machine learning is to produce statistics and predictions that tell whether a process must be blocked, monitored for a defined time, or allowed to execute.
Its best asset is that the engine keeps a constant watch on the threat landscape, which leads to near real-time knowledge of recent attack schemes.
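To make the block / monitor / allow decision concrete, here is a small added example (not Nucleon's engine, whose models and feature set are not described on this page). It trains a naive Bayes classifier on a constructed, hand-labelled set of process telemetry, turns an observed process into a probability of being malicious, and maps that probability to one of the three verdicts. The five features, the training rows and the two thresholds are assumptions chosen for illustration; a real engine learns from far larger data.

```python
import math

# Binary behavioural features an EDR sensor could derive for one process
# (hypothetical feature set, chosen for this example).
FEATURES = (
    "unsigned_binary",      # image is not code-signed
    "parent_is_office",     # spawned by Word, Excel or Outlook
    "spawns_script_host",   # launched powershell, wscript, mshta, ...
    "mass_file_write",      # rewrote many user documents in a short window
    "new_network_dest",     # contacted a host never seen on this endpoint
)

# Constructed, hand-labelled telemetry for illustration only. Label 1 = malicious.
TRAINING = [
    ((0, 0, 0, 0, 0), 0),  # Word editing a document
    ((0, 0, 0, 0, 1), 0),  # browser visiting a new site
    ((0, 1, 0, 0, 0), 0),  # Office spawning a signed helper
    ((1, 0, 0, 0, 0), 0),  # unsigned in-house tool
    ((0, 0, 1, 0, 0), 0),  # admin running a PowerShell script
    ((0, 0, 0, 1, 0), 0),  # backup agent rewriting many files
    ((0, 0, 0, 0, 1), 0),  # updater contacting a new mirror
    ((1, 0, 0, 0, 1), 0),  # unsigned tool with network access
    ((1, 1, 1, 0, 1), 1),  # macro dropper pulling a stage-2
    ((1, 1, 1, 1, 1), 1),  # macro -> script host -> encryption
    ((1, 0, 1, 1, 1), 1),
    ((1, 1, 0, 1, 0), 1),
    ((1, 0, 0, 1, 1), 1),  # plain encryptor phoning home
    ((0, 1, 1, 0, 1), 1),  # signed LOLbin abused from Office
    ((1, 1, 1, 1, 0), 1),
    ((1, 0, 1, 0, 1), 1),
]


class BernoulliNB:
    """Naive Bayes over binary features with Laplace (add-alpha) smoothing."""

    def __init__(self, samples, alpha=1.0):
        by_class = {0: [], 1: []}
        for x, y in samples:
            by_class[y].append(x)
        total = len(samples)
        self.log_prior, self.log_p1, self.log_p0 = {}, {}, {}
        for c, rows in by_class.items():
            n = len(rows)
            self.log_prior[c] = math.log(n / total)
            ones = [sum(r[i] for r in rows) for i in range(len(FEATURES))]
            p1 = [(k + alpha) / (n + 2 * alpha) for k in ones]  # P(f=1 | class)
            self.log_p1[c] = [math.log(p) for p in p1]
            self.log_p0[c] = [math.log(1.0 - p) for p in p1]

    def p_malicious(self, x):
        """Posterior P(malicious | x), computed in log space to avoid underflow."""
        logs = {}
        for c in (0, 1):
            s = self.log_prior[c]
            for i, v in enumerate(x):
                s += self.log_p1[c][i] if v else self.log_p0[c][i]
            logs[c] = s
        m = max(logs.values())
        num = math.exp(logs[1] - m)
        return num / (num + math.exp(logs[0] - m))


def decide(p, block_at=0.90, monitor_at=0.50):
    """Three-way verdict. Thresholds are assumptions, to be tuned per environment."""
    if p >= block_at:
        return "block"
    if p >= monitor_at:
        return "monitor"
    return "allow"


MODEL = BernoulliNB(TRAINING)


def score(observed):
    """observed: dict feature name -> 0/1 (features not reported count as 0)."""
    x = tuple(int(observed.get(f, 0)) for f in FEATURES)
    p = MODEL.p_malicious(x)
    return round(p, 3), decide(p)


if __name__ == "__main__":
    print(score({}))                                             # quiet signed process
    print(score({"unsigned_binary": 1, "mass_file_write": 1,
                 "new_network_dest": 1}))                       # ambiguous: monitor
    print(score({f: 1 for f in FEATURES}))                       # full macro chain: block
```

The middle case is the one worth noticing: an unsigned program rewriting many files and talking to a new host looks like ransomware but also like a badly packaged backup tool, so the engine neither blocks nor ignores it, it keeps watching, which is exactly the "monitored for a defined time" outcome described above.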
Multi-layer zero trust is a very technical endpoint protection technology, and its motto is exactly that: zero trust.
The concept of multi-layer zero trust is that no action, not even the simplest, is legitimate by default, and that every entry point of the computer is an open door for attackers. To understand this technology, we need to visualise it: it analyses every process on your computer, layer by layer, to check whether each one is legitimate. Let's imagine a malware received by email.
Multi-layer zero trust inspects each action in that chain and asks, at each step, whether the process is entitled to perform it.
To limit complex attacks, it is important to restrict system resources to legitimate processes only. Indeed, what legitimacy does an unsigned program (even a non-malicious one) have to access Office files? None.
That is the power of multi-layer zero trust: it analyses each system or user process separately and detects exactly when an action becomes compromising for the system.
Multi-layer zero trust is particularly relevant against ransomware: it identifies abnormal processes even before the malicious user can launch the attack scheme.
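The following added example (not Nucleon's implementation, which the page does not detail) shows the layer-by-layer idea on the email scenario above. Each layer is an independent check applied to every process action; an action is allowed only if no layer objects, and the evaluator reports the exact step at which a chain becomes compromising. The process names, the allow-list of document publishers, the ransomware-style extensions and the four event chains are all constructed for illustration.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")
# Hypothetical allow-list: the only signers whose processes may open user documents.
DOCUMENT_PUBLISHERS = {"Microsoft Corporation", "Example Backup Ltd"}


@dataclass(frozen=True)
class Proc:
    name: str
    publisher: Optional[str]   # None means the binary is unsigned


@dataclass(frozen=True)
class Event:
    proc: Proc
    kind: str                  # "spawn" | "file_read" | "file_write" | "network"
    target: str                # child image, file path, or host:port


# Layer 1: who may start a script host. Office apps never legitimately do.
def layer_execution(ev: Event) -> Optional[str]:
    if ev.kind == "spawn" and ev.target.lower() in SCRIPT_HOSTS:
        if ev.proc.name.lower() in OFFICE_APPS:
            return "Office application spawned a script host"
        if ev.proc.publisher is None:
            return "unsigned process spawned a script host"
    return None


# Layer 2: who may touch Office documents (the page's own example of "no legitimacy").
def layer_document_access(ev: Event) -> Optional[str]:
    if ev.kind in ("file_read", "file_write"):
        ext = os.path.splitext(ev.target.lower())[1]
        if ext in OFFICE_EXT and ev.proc.publisher not in DOCUMENT_PUBLISHERS:
            who = "unsigned" if ev.proc.publisher is None else f"'{ev.proc.publisher}'-signed"
            return f"{who} process accessed an Office document"
    return None


# Layer 3: even an allow-listed process must not rewrite documents under a foreign extension.
def layer_document_tampering(ev: Event) -> Optional[str]:
    if ev.kind == "file_write":
        low = ev.target.lower()
        for suf in RANSOM_SUFFIXES:
            if low.endswith(suf) and os.path.splitext(low[: -len(suf)])[1] in OFFICE_EXT:
                return "Office document rewritten with a ransomware-style extension"
    return None


LAYERS = [
    ("execution", layer_execution),
    ("document-access", layer_document_access),
    ("document-tampering", layer_document_tampering),
]


def first_violation(events: List[Event]) -> Optional[Tuple[int, str, str]]:
    """Return (event index, layer, reason) of the first action no layer accepts, else None."""
    for i, ev in enumerate(events):
        for name, check in LAYERS:
            reason = check(ev)
            if reason:
                return (i, name, reason)
    return None


# Constructed event chains (not captured telemetry).
OUTLOOK = Proc("outlook.exe", "Microsoft Corporation")
WINWORD = Proc("winword.exe", "Microsoft Corporation")
EXPLORER = Proc("explorer.exe", "Microsoft Corporation")
UPDATE = Proc("update.exe", None)                       # unsigned downloaded tool
BACKUP = Proc("backup.exe", "Example Backup Ltd")       # allow-listed publisher

MACRO_CHAIN = [  # the email scenario: attachment -> Word -> macro -> PowerShell
    Event(OUTLOOK, "file_write", r"C:\Users\alice\Downloads\invoice.docm"),
    Event(OUTLOOK, "spawn", "winword.exe"),
    Event(WINWORD, "file_read", r"C:\Users\alice\Downloads\invoice.docm"),
    Event(WINWORD, "spawn", "powershell.exe"),          # caught here, before any payload runs
    Event(Proc("powershell.exe", "Microsoft Corporation"), "network", "203.0.113.10:443"),
]
UNSIGNED_CHAIN = [
    Event(EXPLORER, "spawn", "update.exe"),
    Event(UPDATE, "network", "203.0.113.10:443"),
    Event(UPDATE, "file_read", r"C:\Users\alice\Documents\budget.xlsx"),   # caught here
]
BACKUP_CHAIN = [
    Event(BACKUP, "file_read", r"C:\Users\alice\Documents\a.docx"),
    Event(BACKUP, "file_read", r"C:\Users\alice\Documents\b.xlsx"),
]
RANSOM_CHAIN = [
    Event(BACKUP, "file_read", r"C:\Users\alice\Documents\report.docx"),
    Event(BACKUP, "file_write", r"C:\Users\alice\Documents\report.docx.locked"),  # caught here
]

if __name__ == "__main__":
    for label, chain in [("macro", MACRO_CHAIN), ("unsigned", UNSIGNED_CHAIN),
                         ("backup", BACKUP_CHAIN), ("ransom", RANSOM_CHAIN)]:
        print(label, first_violation(chain))
```

Note where the macro chain is stopped: at the spawn of the script host, which is before the downloaded payload executes or any file is encrypted. The benign backup agent passes every layer because it is allow-listed for document access, while the same agent rewriting a document as `.locked` is still caught by the tampering layer: being trusted at one layer buys nothing at the next, which is the point of evaluating each action separately.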
These technologies are therefore very relevant against current threats. However, they need to be built into protection software before you can use them.
Nucleon's software is equipped with these state-of-the-art technologies and puts them at your disposal in one of the most powerful EDRs on the market.
As mentioned above, malicious users and attacks are becoming more advanced and more vicious. You need to be well protected against these threats.
We have seen that classical antivirus software cannot protect you against the new types of malware, and ransomware in particular.
Here is the solution for effective protection: install an EDR. Nucleon's EDR is designed to protect you against the most sophisticated attacks. The computer and server protection software developed by Nucleon Security offers state-of-the-art technologies such as machine learning and multi-layer zero trust.
Protect the data that matters. Ask for a Nucleon EDR presentation.
Written by: Sébastien Guisnet