Rapid cybercrime evolution necessitates endpoint detection and response as opposed to just antivirus or anti-malware

Latest instalment in Armata webinar series builds on theme that cybersecurity threats could be material to organisations staying in business


Cybersecurity peers share a joint purpose to protect organisations from threats and attacks that could be material to them staying in business, says Armata executive head and cybersecurity specialist Caesar Tonkin, who led the second Armata cybersecurity industry webinar, called Detecting and protecting against endpoint threats.


The key theme at the latest event was that endpoint detection and response (EDR) represents the best chance for organisations to win the battle against a surging cybercrime wave that evolves too fast and is too advanced for traditional tools such as antivirus or anti-malware tools.


During his keynote address, Tonkin stunned those in attendance with shocking figures from recent Microsoft research. Some of the insights he shared included that there were 921 parcelled attacks per second in 2022 – staggering 74% increase from 2021, that 93% of Microsoft investigations during Ransomware recovery engagements revealed insufficient privilege access and lateral movement controls, and that the mean time it takes an attacker to move laterally within a corporate network once a device has been compromised is 1 hour and 45 minutes. Perhaps most startling is that 98% of cyberattacks can be prevented with basic security hygiene.


“From an Armata point of view we offer our customers help with basics such as security hygiene but also bring specialised interventions with in-depth aspects of cybersecurity,” he said. He referenced LockBit, which is akin to a ransomware-as-a-service machine. “The pace at which they are targeting organisations, globally and in South Africa, is cause for concern and certainly something that we need to be mindful of in this country,” said Tonkin.


“When we do threat hunting we analyse the steps that criminals follow – their tools, techniques and tactics. What looks like normal software behaviour – criminal actors can hide behind those normal processes. These cannot be detected using basic anti-malware,” explained Tonkin, who said that organisations need to develop threat intelligence, the indicators of compromise, which helps them to join the dots as to what threat adversaries are doing to try to infect and cause harm. “As CISO’s we must link ransomware attacks to business risk at exco and board level,” he said.


Tonkin introduced cybersecurity expert Emile Coetzee and Microsoft’s Wessel Pieterse, who spoke about the current endpoint threat landscape, what they thought the endpoint threat landscape would look like heading into 2024, reasons for selecting an EDR platform and not only standard antivirus or anti-malware tools, the business benefits that arise from adopting an EDR platform, automated detection, cyber defence and response handling against advanced threats that could be harmful, and lessons learnt during threat hunting and defending against advanced threats and malware.


A key theme to emerge from these fascinating, if not terrifying from a business perspective, discussions was the pace at which the world of cybercrime is evolving. Even if the usual suspects such as email compromise or phishing still show up, it is the innovative and new ways that criminals are positioning their attacks that are cause for concern. To this backdrop, both panellists and Tonkin agreed, an EDR platform emerges as a non-negotiable for a business wishing to secure its systems.


Whereas anti-virus, for example, adopts a pre-breach mindset, meaning that it has a series of known signatures or files to scan for, explained Pieterse. The industry needed to move to “an assumed breach mindset”.


“That’s what EDR does – we still look for known signatures, but what we are most looking for is a sequence of events and behaviours, using machine learning and artificial intelligence, to analyse known behaviours and the normal state of individual endpoints to discover malicious actions and behaviours, rather than relying on a certain set of files or signatures like an anti-virus.”


Coetzee agreed that an EDR was non-negotiable. “My advice to any business, even an SME, would be to invest in a good EDR solution, and then partner with a company of experts who can manage the tool for you so that you can go to sleep at night.”


Delegates who joined the webinar most certainly got their share of deep industry insight and expertise, a signature theme in the Armata series of cybersecurity industry webinars.