Last week, we talked about preparing your customer environments and preventing threats from even reaching devices or accounts in the first place. You need this solid foundation to keep customers safe.
But security isn’t static. A decade ago, you may have been able to just put up a firewall and use AV alone, then call it a day. Viruses were typically just nuisances, rather than major (potentially company-annihilating) risks. But those days are long gone, and prevention can’t stop it all.
To protect your customers, particularly with so many SMBs falling in the crosshairs of today’s cybercriminals, IT providers need to have good methods of detecting attacks. While the first step on preparation and prevention was about putting locks on the doors, today’s focus is on the alarm system in the house. Today, we’ll talk about threat detection.
(Missed phase one? Check out last week’s post on preparing and preventing here).
Detecting today’s threats
As mentioned, some threats will slip past preventive technologies. You need to catch them fast to protect your customers. Cybercriminals evolve often, using evasion tactics like malware obfuscation and fileless attacks to slip past traditional technologies. Today’s security stack needs to account for this while also remaining guarded against the old standards.
Here’s what can help at this stage:
As workers increasingly work remotely, having strong endpoint protection on devices becomes more important than ever. Traditionally, this role was filled by antivirus (AV) solutions that scanned for viruses on a set schedule based on virus signatures. While this may work for lower-risk employees without access to a lot of sensitive data, higher risk users (and organizations) may need to opt for an endpoint detection and response (EDR) solution like SolarWinds® EDR. These protect more than just viruses by using machine learning to discover abnormal behavior on a machine, then determining an appropriate response. For example, if the EDR solution detects mass file deletion, it can flag that to the administrator as a sign of a potential attack even if the attack didn’t start with a piece of malware.
As cybercriminals increasingly work to evade antivirus scanners with techniques like remote fileless attacks or weaponized documents that launch scripts, an EDR solution provides a wider protection net against these threats to the endpoint. Plus, as we’ll talk about in our next blog, they can be helpful for responding quickly as well. It’s worth noting there’s still a place for antivirus—some lower-risk users can use AV, relying on time-based signature scans, and still get by just fine. But when more complete protection is in order, you’ll want an EDR solution that can operate around the clock to protect the endpoint from threats.
Network monitoring and protection
While EDR solutions protect the endpoint, you’ll still want to monitor the corporate network and resources for additional threats. Ideally, a security information and event management (SIEM) tool would be best, but not everyone has the in-house expertise and capabilities to man the stations all the time. At a minimum, consider including a next-generation firewall on important networks. These often include enhanced protection against network threats, including intrusion prevention systems and the ability to catch malware.
When the pandemic first started, we saw an uptick in phishing schemes. Email schemes can be one of the easier ways for malicious actors to attack a victim. They can use email to deliver malicious files that compromise the end user’s machine or they might try to use a phishing scheme to steal peoples’ usernames and passwords. During times of uncertainty, people can become even more prone to falling victim to a well-crafted, believable email threat. That’s why it’s so important to use strong email filtering to detect these threats and quarantine them before they ever reach the eyes of an end user.
Most email solutions offer some anti-spam protection, but adding additional email security is paramount to prevent the deluge of email threats facing businesses today. SolarWinds Mail Assure, for example, uses collective intelligence from the entire userbase as well as threat intelligence feeds to detect even new, emerging threats as they arise. This offers a huge benefit—rather than protecting against threats that your customers’ primary email solutions find, it protects against threats found across users of multiple email providers. With a wider breadth of data to pull from, you can protect your customers against even emerging email threats.
We mentioned patch management as part of the prepare and prevent section and won’t go into detail here. However, it’s worth noting that there’s an element of detective security here as well—you need to consistently scan to detect any unpatched systems and update them accordingly, particularly with security updates.
Finally, you’ll need a remote monitoring and management solution. For starters, a good RMM tool like SolarWinds® RMM will allow you to manage security for multiple distributed customers from a single dashboard. Time is of the essence in security, so having all your tools in one area allows you to detect threats and respond to them more quickly.
Catching today’s threats
Today, we talked quite a bit about detection technologies for security. Once you’ve built a solid foundation with the preventive layers, you still need to have your alarm system to alert you to threats that slip past the first few layers. If you follow the steps laid out here, you’ll be able to find those threats before they can wreak havoc across your userbase.
Next week, we’ll talk about what to do once you discover a threat. But between now and then, take a deep dive into the types of threats EDR solutions can solve by reading our eBook, Five Cyberthreats that Slip Past Traditional Antivirus.