Anti-Virus

Video Activity

Time: 4 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
Hi, and welcome to Module 2 Lesson 4. In the previous two lessons, we talked about the perimeter layer and the network layer. In this lesson, it's all about the endpoint. We're going to talk about a handful of the components at the endpoint layer that'll help our endpoints be more secure.

Now when we say the word endpoint, originally, endpoint meant an end-user device. It's a device that an end-user was using. But over time, that's evolved to mean anything that's connected to our network. If you think of the network, wherever the network ends, where something is connected to it is an endpoint. That could be a PC or a laptop, a server, an IP phone. It could be a badge reader. Basically, everything that's connected to the network where that network ends is called an endpoint.

One of the main components, probably the biggest two technologies that are installed on the endpoint that help us protect that endpoint, are anti-virus and EDR. Now anti-virus is the thing that's been around forever. It's what protects us against known forms of malware. Everybody knows what anti-virus is. Anti-virus is signature-based. What we mean by signature-based is anti-virus can only detect things that are known things in the environment. We talked about this a little bit in the IDS/IPS section in previous lessons. If you think of a signature as a digital fingerprint, in the anti-virus world, we're talking about identifying a specific file or an application. That application, when it's compiled, has a certain fingerprint or a hash that gives it its unique flavor. No other application looks like it, and you can identify it based on that. That's what a signature is.

When we're talking about EDR, EDR stands for Endpoint Detection and Response. It's not just signature-based; it doesn't have to know about a threat in order to detect it. It's anomaly-based. EDR is going to actually look at the behavior of something while it's running, or even while it's being installed, and it's going to find anomalies in that behavior and flag them. Based on the number of flags that it hits, it will determine if it's malicious or not. The big difference between anti-virus and EDR: one is signature-based, one is anomaly-based, and that means one is known threats and one is unknown threats.

Anti-viruses use DAT files to identify malware. A DAT file is just a generic data file that stores some kind of information for a program. In the case of anti-virus, it's storing those signatures of that malware. Those files have to be updated all the time because malware can morph and change, and something that looks like a certain program today, with a slight change in that program, tomorrow looks like something completely different. DAT files need to be continually updated. If you're running an anti-virus, it's good to have your DAT files updated once a week or once every two weeks. I'd say once a week at a minimum to make sure you're always getting the latest and greatest protection.

Let's take a look at how that morphing can occur. We're talking about signature-based files. Let's say we have a piece of known malware and this is its digital signature. This is what it looks like; it's its fingerprint. An attacker can take that malware, that application, and change a single bit within that application. It doesn't even have to be a functional bit. If it changes a bit from 0 to 1, and maybe that changes just some line of code that's not even an executable line of code, maybe it's just a reference, maybe it's just a note in the code that has no functionality change at all, it fundamentally changes that piece of malware. Even though the functionality is exactly the same, there's just some new note in the code, the malware itself, the signature of the malware, has changed, and now that known malware becomes unknown and our DAT files can't pick it up anymore because it has a new signature. Until that thing has been seen out in the wild and anti-virus manufacturers get it in their labs and examine it and create a footprint for it and update the DAT files, until all of that occurs, we can't detect it with our anti-virus systems that are using signature-based detection.

Now for that reason, anti-virus is becoming less and less effective in the environment. We still want to have anti-virus in the environment because we still want to protect ourselves against known threats, but because it's so easy to manipulate a piece of malware and turn it into something completely new, organizations are starting to move more and more towards the EDR tool, or the endpoint detection and response tool.

It's important to know with EDR, it's much more than just a technology on the endpoint itself. There's an agent or some application that's running on the endpoint, but that application can interface with a lot of different things. First of all, it can look at regular normal signatures like we've talked about for signature-based, but it can also look at anomalies. It's going to look at a lot of different things on the endpoint, the way the endpoint is actually behaving, and look for those anomalies. It can ingest threat feeds to see if there's anything that's been reported out in the wild that we can match to something going on on the internal system. It can interface with a lot of our other security tools to do some proactive blocking and monitoring and things of that nature.

Let's look at an example of how EDR might work. Let's say we've got our endpoint here and we've got EDR installed on it. That EDR tool can look at your standard signatures that may or may not be in the form of a DAT file, but it's going to look at standard known malware signatures. It can also look at what's going on on your CPU and your RAM, the actual processes that are running in active memory and what requests those processes are sending to your CPU for compute. It can get very low level, look and see what's going on in your actual system. It can also look at your network interface card and see what kinds of things this system is interacting with out there on the wire, on the network. It takes all of this information that it's gathering from the system, and it compares it against threat feeds. These threat feeds are, just as we talked about in IPS and IDS, lists of bad things out there, these suspicious things. With this anomaly-based detection, if we have a threat feed that says these network locations are known bad and this process is suspicious and all of these different things, we can start to put those things together, and if we get enough of them, we can fire an alert, generate an alert, or invoke protection, or whatever the EDR is configured to do.

Now, it can take an action on the local system itself. EDR, just like anti-virus, can block that action on the local device, but it can also interface with other security tools. It can send alerts to our SIEM tool, which we're going to get into in the monitoring section later, but that's essentially just a tool that network analysts can look at to see what's going on in the environment and figure out how to prioritize their work. It can send information, can send alerts to IPS or to a firewall, and then those devices can take action on that alert and block. Let's say, for example, we get one system in our environment that's running EDR that has some unknown malware, but we're pretty sure it's malware; EDR determines it's malware based on the anomalies that are going on. We can send that information to IPS devices and firewalls and we can block so that no other systems are going to get infected with that same malware.

This wraps up our section on host-based EDR and anti-virus. Next step, we're going to talk about patch management and the patch management process.
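As an added illustration of the two approaches the lesson contrasts (this is not part of the lecture and not any vendor's code): an exact-hash "DAT" signature that one flipped bit in a non-functional note defeats, beside a toy flag-counting check in the EDR style that also folds in threat-feed matches. The sample bytes, feed entries, telemetry and threshold are all constructed for the demonstration.

```python
import hashlib

# Constructed stand-in for a compiled program: a few "code" bytes followed by a
# non-functional note (like a build comment) that never affects what it does.
CODE_BYTES = b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3"
KNOWN_SAMPLE = CODE_BYTES + b" note: build 1"

def signature(data):
    """DAT-style signature: the SHA-256 fingerprint of the whole file."""
    return hashlib.sha256(data).hexdigest()

DAT_SIGNATURES = {signature(KNOWN_SAMPLE)}  # the "DAT file" with one known-bad entry

def av_detects(data):
    """Signature-based check: only an exact, previously catalogued file matches."""
    return signature(data) in DAT_SIGNATURES

def flip_one_bit(data, byte_index, bit):
    """Return a copy with a single bit flipped at the given byte/bit position."""
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)

# Constructed threat feed entries (documentation-range address, made-up process name).
FEED_BAD_HOSTS = {"198.51.100.23"}
FEED_SUSPICIOUS_PROCESSES = {"svch0st.exe"}

def edr_flags(events):
    """Behaviour-based check: one flag per anomaly seen in the endpoint telemetry."""
    flags = []
    for e in events:
        if e["dst_ip"] in FEED_BAD_HOSTS:
            flags.append("network: contacted a feed-listed host " + e["dst_ip"])
        if e["process"] in FEED_SUSPICIOUS_PROCESSES:
            flags.append("process: name listed as suspicious in the threat feed")
        if "\\temp\\" in e["path"].lower():
            flags.append("process: running from a temporary directory")
    return flags

def edr_verdict(events, threshold=2):
    """Malicious once enough independent flags stack up, whatever the file hash is."""
    return len(edr_flags(events)) >= threshold

# Constructed telemetry: one suspicious process and one ordinary mail client.
SAMPLE_EVENTS = [
    {"process": "svch0st.exe", "path": "C:\\Users\\Public\\Temp\\svch0st.exe", "dst_ip": "198.51.100.23"},
    {"process": "outlook.exe", "path": "C:\\Program Files\\Office\\outlook.exe", "dst_ip": "203.0.113.9"},
]
```

Flipping the last bit of the note leaves the code bytes untouched yet gives the file a new hash, so `av_detects` no longer matches, while `edr_verdict` still fires on the behaviour recorded in `SAMPLE_EVENTS`.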