Hi. Welcome to module to lessen. For In the previous two lessons, we talked about the perimeter layer and the network layer.
In this lesson, it's all about the endpoint. We're gonna talk about a handful of the components at the end point layer that will help our in points be more secure
now when we say the word in point originally in point meant an in user device. It's a device that a nen user was was using. But over time, that's evolved to mean anything that's connected to our network. So if you think of the network wherever the network ends, where something is connected to, it is an in point that could be a
PC, a laptop, a server
on I p phone. It could be, ah, badge reader, basically everything that's connected to our endpoint. Where the network ends eyes, everything is connected to the network.
Where that never ends is called an end point.
One of the main components, probably the biggest two technologies that are installed on the end point that help us protect that endpoint are anti virus and e. D. Are now anti virus is the thing that's been around forever. It's what protects us against malware against known forms of malware. Everybody knows what any viruses,
anti viruses, signature based
and what we mean by signature based is
any virus can only detect things that are known things in the environment. We talked about this a little bit in the I. D S. I. P s section in previous lessons. If you think of a signature as a digital fingerprint in the anti virus world, we're talking about identifying a specific file an application,
that application, when it's when it's compiled,
it has a certain footprint or a hash are certain fingerprint, I mean, are a hash that gives it it's unique flavour. No other application looks like it, and you can identify it based on that. That's what a signature is
when we're talking about DDR, GDR stands for in point detection and response. And it's not just signature based. It doesn't have to know about ah threat in order to detect it. It's anomaly based. So DDR is gonna actually look at the behaviorist something while it's running
and ended, or even while it's being installed. And it's going to find anomalies in that
in that behavior and gonna flag and based on the number of flags that it hits, it will determine if it's malicious or not.
So the big difference between anti virus and er one, a signature based one, is anomaly based, and that means one is known threats and one is unknown threats.
Any viruses use DAT files to identify malware, and a DAT file is just a generic data file that stores some kind of information for a program. In the case of anti virus, it's storing those signatures of that malware.
DAT files have to be updated all the time because malware can change, it can morph and change and something that looks like a certain program today. Ah, slight change in that program, and tomorrow it looks like something completely different so that files need to be continually updated. If you're running an anti virus, it's good to have your
you know that files updated once a week or, you know, once every two weeks, I'd say once a week at a minimum
to make sure you're always getting the latest and greatest protection.
Let's take a look at how that morphing can occur, so we're talking about signature based files. Let's say we have peace of known malware, and this is its digital signature. This is It's hash, not hash. But this is what it looks like. It's it's fingerprint.
Um, an attacker can take that malware, that application, and it can change a single bit within that application. It doesn't even have to be a functional bit if it changes a bit from 0 to 1, and maybe that that changes just some line of code. That's, um,
it's not even execution. Elena Cho. Maybe it's just a reference, you know, maybe it's just a note in the code that has
no functionality. Change it all. It fundamentally changes that piece of malware, even though the functionality is exactly the same. There's just some new note in the code. The malware itself. The signature of the Mauer has changed, and now that known malware becomes unknown and our data files can't pick it up anymore because it has a new signature.
Until that thing is seen out in the wild and any virus manufacturers get it in their labs and examine it and create a footprint Ford and update the debt files. Until all of that occurs, we can't detect it with our anti virus systems that are using signature based detection.
For that reason, anti virus is becoming less and less effective in the environment. It's still we still want toe have any virus and environment because we still want to protect ourselves against known threats. But because it's so easy to manipulate a piece of malware and turn it into something completely new,
organizations are starting to move more and more towards the ER tool or the endpoint detection and response tool.
It's important to know with ER, it's much more than just a technology on the endpoint itself. There's an agent or some sort of application that's running on the end point, but that application can interface with a lot of different things. It can First Balkan look a regular, normal signatures like we talked about for signature based, but can also look at anomalies,
and it's gonna look at a lot of different things on the end point, the way the endpoint is actually behaving, look for those anomalies.
It can ingest threat feeds to see if there's anything that's been reported out in the wild out there that we can match to something going on on the internal system, and it can interface with a lot of our other security tools to do some pro action blocking and monitoring and things of that nature.
It's looking an example of how er might work. Let's say we've got our in point here and we've got ER installed on it. That er, tool can look at your standard signatures that may or may not be in the form of a dat file that's gonna look at standard known malware signatures. It can also look at what's going on
on your CPU in your RAM, the actual processes that air
running an active memory and and what what requests or those processes sending to your CPU for compute so it can get a very, very low level look and see what's going on in your actual system. It can also look at your network interface card and see what kinds of things this system is interacting with out there on the on the wire on the network.
And it takes all of this information that it's that it's gathering from the system,
and it compares it against threat feeds. These threat feeds are just as we talked about in I PS and ideas there these lists of bad things out there, these suspicious things and with this anomaly based detection, if we have a threat feed that says, You know, these network locations are are known bad, and this process is suspicious and
all of these different things we can start to put those things together. And if we get enough of them,
weaken, weaken, firing, alert to generate, alert or or invoke protection or whatever the ER is configured to do
now it can taken action on the local system itself. Et Arkin. Just like any of ours, it can block that action on the local device, but it can also interface with other security tools. It can send alerts to us. Our seemed tool, which we're going to get into in the monitoring section later. But that's essentially just a tool that
network analysts can look at to see what's going on in the environment and figure out
how to prioritize their work. They can send information to contain alerts to I. P s or to a firewall, and then those devices could take action on that alert and block. So let's say, for example, if we get one,
Ah, system in our environment that's running e g R. That has some sort of an unknown malware, but we're pretty sure it's malware. If he'd er determines its malware based on its anomalies that are going on,
we can send that information to I PS devices and firewalls and weaken block so that no other systems are going to get infected with that same that same malware
get this wraps up our section on host Space CDR an anti virus. Next time we're gonna talk about patch management and the patch management process.