Disclaimer: I am in IT, so I feel the more solutions used, the better – but the article below is my honest take on the bare minimum solutions necessary to help protect your organization from malicious threats and then how to ‘ramp-up’ to reach a level of cybersecurity maturity.
The solutions that make the Short List are:
- Antivirus, especially a next-generation Antivirus product
- Endpoint Detection and Response
- Hardware Unified Threat Management Firewall
- Air-gapped backup
The solutions that make the Better List – Short List items PLUS:
- An Email filtering solution
- Cloud-server backup (such as backup for Microsoft 365)
- Secure Access Service Edge (SASE)
The solutions that make the Best List – Better List items PLUS:
- Privileged Access Management
- SIEM with retention
- Security Operations Center-type services
First, let’s talk about the Short List solutions.
Next-Generation Antivirus is the next iteration of the Antivirus solution. Originally, Antivirus solutions were based on definitions: if a piece of software matched a known pattern, the Antivirus would classify it as a virus and try to quarantine it. The Antivirus software would typically update its definitions multiple times a day to ensure it had the latest patterns for catching bad software. As time went on, malicious software packages became more sophisticated, and determining whether software was malicious based on definitions alone was no longer enough. Next-generation Antivirus solutions use not only definitions but also heuristic models to ‘see’ what the software is doing and quarantine it based on the actions it takes. This allows next-generation Antivirus solutions to catch unknown malicious software, referred to as zero-day exploits, before Antivirus vendors can update their definitions. Next-generation Antivirus solutions offer significantly greater protection than traditional Antivirus solutions, which is why they are a must-have.
Endpoint Detection and Response (EDR) solutions extend the protection given by Antivirus solutions (next-generation or not). EDR is an endpoint security solution that continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware. This differs from Antivirus in two ways. First, an EDR solution tries to correlate more data points than an Antivirus solution. Typically, Antivirus solutions will only find a virus at the time of execution, whereas an EDR solution is continually scanning and will alert if it sees malicious software that is dormant on a system. Second, EDRs typically provide remediation steps to remove the malicious software, whereas Antivirus solutions will only quarantine the main executable (if they even can). Why, then, do you need both, if an EDR solution sounds like it does everything an Antivirus does and more? Antivirus is still necessary because of how it works: it detects items at execution, which EDRs have a harder time doing.
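To make the distinction between definition-based detection, heuristic (behavioural) detection, and an EDR's at-rest scanning and event correlation concrete, here is an added Python sketch. It is not code from the original article or from any vendor's product; the definition database, the behaviour names, their weights, the threshold and the sample events are all constructed for illustration, and real products use far larger signature sets and far richer telemetry.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed "definition database": SHA-256 digests of known-bad file contents.
KNOWN_BAD_SAMPLE = b"constructed sample standing in for a known-bad binary"
DEFINITIONS = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}

# Assumed heuristic weights for behaviours observed while a program runs.
# Individually low-weight actions only become an alert once they add up.
HEURISTIC_WEIGHTS = {
    "mass_file_rename": 40,
    "delete_backup_snapshots": 50,
    "disable_security_service": 30,
    "network_beacon_unknown_host": 20,
    "write_user_documents": 5,
}
BEHAVIOUR_THRESHOLD = 60


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def heuristic_score(actions: Iterable[str]) -> int:
    """Sum the weights of the observed behaviours; unknown actions score 0."""
    return sum(HEURISTIC_WEIGHTS.get(a, 0) for a in actions)


def next_gen_av_verdict(file_bytes: bytes,
                        observed_actions: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Execution-time decision in the next-generation AV style:
    definitions first, then behaviour. Returns (action, reason)."""
    if sha256(file_bytes) in DEFINITIONS:
        return ("quarantine", "definition")
    if heuristic_score(observed_actions) >= BEHAVIOUR_THRESHOLD:
        return ("quarantine", "heuristic")
    return ("allow", None)


def edr_sweep_at_rest(disk: Dict[str, bytes]) -> List[str]:
    """EDR-style sweep: flag known-bad files on disk whether or not they ever ran.
    `disk` maps a path to its contents (a constructed stand-in for a filesystem)."""
    return sorted(path for path, data in disk.items() if sha256(data) in DEFINITIONS)


def edr_correlate(events: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Correlate (host, process, action) events per process over time and raise
    one alert, carrying the full action history, once the accumulated score
    crosses the threshold. A single-execution AV check would see each action alone."""
    timeline: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    alerts: Dict[str, List[str]] = {}
    for host, process, action in events:
        key = (host, process)
        timeline[key].append(action)
        if key not in alerts and heuristic_score(timeline[key]) >= BEHAVIOUR_THRESHOLD:
            alerts[f"{host}:{process}"] = list(timeline[key])
    return alerts


if __name__ == "__main__":
    print(next_gen_av_verdict(KNOWN_BAD_SAMPLE, []))
    print(next_gen_av_verdict(b"unknown binary", ["mass_file_rename", "delete_backup_snapshots"]))
    print(edr_sweep_at_rest({"/tmp/staged.bin": KNOWN_BAD_SAMPLE, "/home/u/report.txt": b"hello"}))
    print(edr_correlate([("ws01", "svc.exe", "network_beacon_unknown_host"),
                         ("ws01", "svc.exe", "disable_security_service"),
                         ("ws01", "svc.exe", "mass_file_rename")]))
```

The first two calls show why the article keeps both products: a known-bad file is stopped by its definition alone, while an unknown file is stopped only because of what it does when it runs. The at-rest sweep finds the dormant copy that never executed, and the correlation function alerts on a process whose individual actions were each below the threshold.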
Next, a hardware Unified Threat Management (UTM) firewall is necessary to protect the organization from outside threats on the Internet. A hardware firewall sits between your public Internet connection and your local network, blocking malicious actors. A UTM firewall blocks inbound connections, but also adds layers of web content filtering, Domain Name System (DNS) security, Antivirus, intrusion prevention, intrusion detection, and application control. These additional layers allow malicious websites, command-and-control servers, and malicious software to be blocked before they are even accessed. Even with Antivirus and EDR deployed, they cannot catch 100% of threats. If threats are blocked before they even enter the network, there is no chance for them to execute.
The last security solution necessary for a bare-minimum or baseline security stack is an air-gapped backup. Wait – backup does not protect my system from malicious software. Yes – that is correct, but if all of the security solutions fail and malicious software is able to execute and, for example, encrypt your files, a good backup will allow you to restore your data and get back to business. Without a backup, an organization is rolling the dice. As noted, no security product is 100% effective. Ensuring that you have a proper backup in place allows for recovery in the event of failure. The backup must be both air-gapped and copied to off-site storage. Air-gapped means that when the backup is not in use, there is no way to reach the backed-up data from the network. For example, if you take a backup and store it on the same server you are backing up, and then the server gets compromised, the backups are compromised with it. If the backups are stored somewhere that is not accessible from the network, and off-site, then the data is recoverable even if the server is compromised.
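The point about where a backup lives can be demonstrated directly. The following added Python example (not from the original article) creates a sample data directory, takes one backup beside it on the same "server" and one in a separate `offline_vault` directory, overwrites everything under the server to stand in for a compromise, and then checks each copy against a SHA-256 manifest before restoring. All paths, file contents and the manifest format are constructed for the example; in practice the manifest would be stored with the offline copy, not on the protected server.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def take_backup(source: Path, destination: Path) -> Dict[str, str]:
    """Copy `source` to `destination` and return a manifest {relative path: sha256}."""
    shutil.copytree(source, destination)
    manifest: Dict[str, str] = {}
    for file in sorted(p for p in destination.rglob("*") if p.is_file()):
        manifest[str(file.relative_to(destination))] = sha256_file(file)
    return manifest


def verify_backup(backup_dir: Path, manifest: Dict[str, str]) -> bool:
    """True only if every file in the manifest exists and still hashes as recorded."""
    for rel, digest in manifest.items():
        file = backup_dir / rel
        if not file.is_file() or sha256_file(file) != digest:
            return False
    return True


def simulate_compromise(root: Path) -> int:
    """Stand-in for a destructive incident: overwrite every file under `root`.
    Returns the number of files damaged."""
    count = 0
    for file in root.rglob("*"):
        if file.is_file():
            file.write_bytes(b"UNREADABLE:" + os.urandom(16))
            count += 1
    return count


def restore(backup_dir: Path, target: Path, manifest: Dict[str, str]) -> bool:
    """Refuse to restore from a copy that fails verification; otherwise copy the
    manifest's files into `target` and confirm each restored hash."""
    if not verify_backup(backup_dir, manifest):
        return False
    for rel in manifest:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dest)
    return all(sha256_file(target / rel) == digest for rel, digest in manifest.items())


def demo() -> Dict[str, bool]:
    """Run the on-box vs. air-gapped comparison in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        server = Path(tmp) / "server"
        data = server / "data"
        data.mkdir(parents=True)
        (data / "ledger.csv").write_text("invoice,amount\n1001,250.00\n")   # constructed
        (data / "notes.txt").write_text("constructed sample content\n")     # constructed

        # Poor practice: the backup lives on the server it is meant to protect.
        onbox_manifest = take_backup(data, server / "backup")
        # Air-gapped copy: outside the server's tree, touched only by the backup job.
        vault = Path(tmp) / "offline_vault"
        vault_manifest = take_backup(data, vault)

        simulate_compromise(server)  # damages data/ and the on-box backup alike

        return {
            "onbox_backup_intact": verify_backup(server / "backup", onbox_manifest),
            "vault_backup_intact": verify_backup(vault, vault_manifest),
            "restored_from_vault": restore(vault, data, vault_manifest),
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports the on-box backup as damaged, the vault copy as intact, and the restore from the vault as verified, which is the "compromised with it" versus "recoverable" contrast the article describes. The hash manifest is what turns a backup into a trustworthy backup: without it you cannot tell a clean copy from one the incident reached.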
And that makes the Short List. While I am not endorsing stopping with just these four solutions, by utilizing a next-generation Antivirus, EDR, hardware UTM firewall, and an air-gapped backup, you are starting out on the right foot. Additional security solutions should be evaluated and implemented where it makes sense. Lastly, the solutions noted in any of the lists are not exhaustive. There are many more cybersecurity solutions available that may make sense for your organization. The solutions we listed are our opinion on what makes a good, better, and best cybersecurity solution stack. In the next part of this series, we will discuss the “Better” options, and finally, in part three, the “Best” cybersecurity solutions to implement for the most mature cybersecurity posture.