Easy endpoint security story

Hello,
I'm Kawa from the System Solutions Department.

There are only a few days left in this year.
A while ago, the IPA published the Information Security White Paper 2024.
https://www.ipa.go.jp/publish/wp-security/2024.html

Perhaps due to the rise of generative AI, this year in particular has seen attacks grow more sophisticated, with ransomware and fluently written Japanese-language phishing scams on the rise. It feels like we are entering an era in which both companies and individuals are expected to raise their security literacy further.

In this article, I will explain endpoint security products, which can be called the foundation of security.

What is Endpoint Security?

Endpoint security, as the name suggests, is software installed on endpoints, i.e. devices such as PCs and smartphones, to protect them from malware and other threats. It is also referred to as endpoint protection, and it goes by a wide range of other names such as antivirus software, but these generally refer to the same kind of product.

Basic functions

Although functionality has been upgraded constantly over time, the basic concept and behavior remain the same.
Generally, the product scans the device, detects files judged to be dangerous, and then isolates (quarantines) or removes those files to protect the device.
There are countless vendors, including overseas ones, but their products generally behave as described above.
Recently, vendors have increasingly tried to differentiate themselves by incorporating AI and sandboxing functions, or by adding completely different value.

Scan function

It scans the files on your PC and checks them for risks. Depending on the settings, the user can usually choose whether detected files are quarantined or removed.
There are several ways to run a scan, and they differ in how much load they put on the PC.

[Scheduled scan]
This method scans at a specific time, on a specific day of the week, or at a specific interval.
Because it can run while the user is not operating the device, it is less likely to interfere with daily work.

[Real-time scanning]
As the name suggests, real-time scanning examines files as they are accessed, hooking file operations such as creation, writing, and execution.
A common implementation records a hash value for each file and re-checks only the files whose contents have changed since the last scan. This is more immediate than scheduled scanning, but because the process runs constantly, it can place a noticeable load on the device.

[Full Scan/Quick Scan]
A full scan covers the entire device; a quick scan covers only the locations where files are frequently written or where malware usually lands, such as download folders, temporary directories, and startup locations.
A full scan takes time but is thorough. A common practice is to run a quick scan regularly and a full scan about once a month.
Most products also let the user scan only specific directories.

How detection works

The detection mechanism used during scanning varies by product, but the most common is static inspection.
Most malware that is widely known has had specimens collected by the various vendors.
A hash value is a fixed-length string computed from a file's contents, and any change to the contents produces a different value. In its simplest form, detection compares a file's hash value against a list of hash values of known malicious files.
Reference: https://www.trendmicro.com/vinfo/jp/security/definition/hash-values

This list is commonly called a "signature file," "pattern file," or "definition file." It is updated daily, and some vendors update it every few hours, so newly identified malware can be dealt with quickly.
However, more and more files in circulation do not match this list: changing even a single byte of a known sample gives it a new hash value, so there are more and more cases where pattern files alone are not enough and users become victims.
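To make the mechanism concrete, here is an added example (not code from the page or from any vendor's product) of a minimal hash-signature scanner. It implements the full scan and the real-time style "re-check only what changed" scan described above, quarantines rather than deletes, and then shows the weakness just mentioned: the same sample with one extra byte no longer matches the pattern file. The sample bytes, file names and the `SAMPLE`, `full_scan`, `incremental_scan`, `quarantine` and `demo` names are all constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a malicious sample: a marker string, not real malware.
# The "pattern file" used below is simply the set of SHA-256 digests of such samples.
SAMPLE = b"CONSTRUCTED-MALWARE-SAMPLE-FOR-DEMO"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def full_scan(root: Path, signatures: set):
    """Full (scheduled) scan: hash every regular file under root.

    Returns (table, hits). The table keeps (size, mtime_ns, digest) per path so
    that a later incremental scan can skip files that have not changed.
    """
    table, hits = {}, []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        digest = sha256_file(p)
        table[str(p)] = (st.st_size, st.st_mtime_ns, digest)
        if digest in signatures:
            hits.append(p)
    return table, hits


def incremental_scan(root: Path, signatures: set, table: dict):
    """Real-time-style scan: re-hash only new files and files whose size or
    mtime differs from the stored table, and check just those against the list."""
    new_table, hits = {}, []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        prev = table.get(str(p))
        if prev and prev[0] == st.st_size and prev[1] == st.st_mtime_ns:
            new_table[str(p)] = prev            # unchanged: reuse the stored digest
            continue
        digest = sha256_file(p)                 # new or modified: hash it again
        new_table[str(p)] = (st.st_size, st.st_mtime_ns, digest)
        if digest in signatures:
            hits.append(p)
    return new_table, hits


def quarantine(path: Path, qdir: Path) -> Path:
    """Isolate instead of deleting: move the file into the quarantine folder,
    encoding its original path in the new name so an admin can restore it."""
    qdir.mkdir(parents=True, exist_ok=True)
    safe = str(path).replace(":", "").replace(os.sep, "__").lstrip("_")
    dest = qdir / (safe + ".quarantined")
    path.rename(dest)
    return dest


def demo() -> dict:
    """Scan a constructed directory, quarantine the hit, then show the weakness
    of pure hash matching: a one-byte variant of the same sample is not detected."""
    signatures = {hashlib.sha256(SAMPLE).hexdigest()}      # constructed pattern file
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "files"
        root.mkdir()
        (root / "report.txt").write_bytes(b"quarterly numbers, nothing to see")
        bad = root / "invoice.exe"
        bad.write_bytes(SAMPLE)

        table, hits = full_scan(root, signatures)
        first_hits = len(hits)
        moved = quarantine(hits[0], Path(tmp) / "quarantine")

        # The attacker re-sends the "same" sample with one extra byte: new hash, no match.
        bad.write_bytes(SAMPLE + b"\x00")
        table, hits = incremental_scan(root, signatures, table)
        return {
            "first_scan_hits": first_hits,
            "variant_hits": len(hits),
            "quarantined": moved.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Note that the incremental scan trusts size and modification time to decide what to re-hash; a real product hooks the file system so it sees every write, which is why it costs more CPU than the table lookup shown here.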

About the sandbox feature

That is why the sandbox function was invented.
A sandbox runs a file that may be malware in an isolated virtual environment, observes what it does, and removes the file if it exhibits suspicious behavior, such as an Office document launching a script interpreter, a process encrypting or renaming large numbers of files, or a command deleting backups.
Because it observes behavior, this is also called behavior detection. (The name apparently comes from the image of children playing in a sandbox at the park: whatever happens inside stays inside.)
Recently, products have added big data and AI functions and technologies that improve the accuracy of the sandbox, which vendors use to differentiate themselves.

About false positives

False positives are common with this type of product.
For example, a macro in an Office document may be judged as suspicious activity and the file quarantined or removed.
To handle this, you can register the file as an exception, or register the directory where the file is saved as an exception. Keep exceptions as narrow as possible: a directory that is excluded is also a directory where real malware will never be checked.
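The following is an added example (not code from the page or from any product) of the behavior-detection idea from the sandbox section combined with the exception handling from this section. It scores constructed process telemetry with three rules: an Office application launching a script host, deletion of volume shadow copies, and a burst of extension-changing renames. The exception list suppresses the Office rule for documents under an approved directory, which is exactly the "macro document wrongly flagged" case above. The event records, paths, rule weights and the `Event`, `score_events`, `flagged_pids` and `constructed_events` names are all assumptions made for the example.

```python
import os
from collections import defaultdict
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
THRESHOLD = 70          # score at which a process is flagged and would be stopped
RENAME_WINDOW = 10.0    # seconds
RENAME_LIMIT = 20       # extension-changing renames within the window


@dataclass(frozen=True)
class Event:
    t: float        # seconds since monitoring started
    pid: int
    image: str      # process image name
    kind: str       # "spawn", "exec" or "rename"
    target: str     # child image, command line, or "src>dst" for a rename
    doc: str = ""   # document an Office process had open, if known


def is_excluded(doc: str, excluded_dirs) -> bool:
    """Exception list: documents under an excluded directory are never flagged."""
    d = doc.lower()
    return bool(doc) and any(d.startswith(x.lower()) for x in excluded_dirs)


def score_events(events, excluded_dirs=()):
    """Assign a suspicion score per process from its observed behavior."""
    scores, reasons = defaultdict(int), defaultdict(list)
    renames = defaultdict(list)                     # pid -> recent rename timestamps
    for e in sorted(events, key=lambda e: e.t):
        if e.kind == "spawn" and e.image in OFFICE and e.target in SCRIPT_HOSTS:
            if is_excluded(e.doc, excluded_dirs):
                reasons[e.pid].append(f"office->script allowed by exception: {e.doc}")
            else:
                scores[e.pid] += 70
                reasons[e.pid].append(f"{e.image} launched {e.target} (doc {e.doc})")
        elif (e.kind == "exec" and "vssadmin" in e.target.lower()
              and "delete shadows" in e.target.lower()):
            scores[e.pid] += 80
            reasons[e.pid].append("deleted volume shadow copies (backup destruction)")
        elif e.kind == "rename":
            src, dst = e.target.split(">", 1)
            if os.path.splitext(src)[1] != os.path.splitext(dst)[1]:
                recent = [t for t in renames[e.pid] if e.t - t <= RENAME_WINDOW] + [e.t]
                renames[e.pid] = recent
                if len(recent) == RENAME_LIMIT:     # fire once when the burst is reached
                    scores[e.pid] += 70
                    reasons[e.pid].append(f"{RENAME_LIMIT} extension changes in {RENAME_WINDOW}s")
    return dict(scores), dict(reasons)


def flagged_pids(events, excluded_dirs=()):
    """Processes whose score reaches the threshold (these would be killed/quarantined)."""
    scores, _ = score_events(events, excluded_dirs)
    return {pid for pid, s in scores.items() if s >= THRESHOLD}


def constructed_events():
    """Constructed telemetry for the demo; not a real capture."""
    ev = [
        # pid 100: Word opens a downloaded macro document and launches PowerShell
        Event(1.0, 100, "winword.exe", "spawn", "powershell.exe",
              doc=r"C:\Users\kawa\Downloads\invoice.docm"),
        # pid 101: that PowerShell deletes shadow copies, then renames files fast
        Event(2.0, 101, "powershell.exe", "exec", "vssadmin delete shadows /all /quiet"),
    ]
    ev += [Event(3.0 + i * 0.1, 101, "powershell.exe", "rename",
                 rf"C:\Users\kawa\Documents\f{i}.docx>C:\Users\kawa\Documents\f{i}.docx.locked")
           for i in range(25)]
    # pid 200: a finance workbook whose approved macro calls a batch export (false positive)
    ev.append(Event(10.0, 200, "excel.exe", "spawn", "cmd.exe",
                    doc=r"C:\Shares\Finance\approved-macros\budget.xlsm"))
    # pid 300: a user renaming a handful of files by hand
    ev += [Event(20.0 + i, 300, "explorer.exe", "rename",
                 rf"C:\Users\kawa\Desktop\draft{i}.txt>C:\Users\kawa\Desktop\draft{i}.md")
           for i in range(3)]
    return ev


# Exception registered by the administrator for the approved macro directory.
EXCLUDED_DIRS = ["C:\\Shares\\Finance\\approved-macros\\"]

if __name__ == "__main__":
    ev = constructed_events()
    print("without exceptions:", flagged_pids(ev))
    print("with exceptions:   ", flagged_pids(ev, EXCLUDED_DIRS))
    print(score_events(ev, EXCLUDED_DIRS)[1])
```

Without the exception, the finance workbook (pid 200) is flagged alongside the real attack (pids 100 and 101); with the directory registered as an exception, only the attack remains, and the explorer.exe renames never reach the burst threshold. Note that the exception is scoped to the document path, so malware launched from a download folder is still caught.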

About EDR Products

Another related product, though slightly different in nature, is EDR (Endpoint Detection and Response).
Whereas EPP (Endpoint Protection Platform, i.e. endpoint security as described above) aims to detect and remove malware when a file is downloaded or executed, EDR products focus on countermeasures after the event.
They continuously record activity on the device (process launches, file and registry changes, network connections), detect suspicious behavior that slipped past the EPP, and help the administrator investigate and respond, for example by isolating the PC from the network or terminating a process. Some products can also roll back the PC's files to their pre-infection state.

The Importance of Endpoint Products

As noted in the IPA White Paper, the rise of ransomware has been notable in recent years. Furthermore, although it has slowed compared to a while ago, Emotet remains active.
Reference: https://www.ipa.go.jp/security/emotet/index.html
The basic approach is multi-layered defense, which provides protection at several layers, but I think the first step is to deploy an endpoint security product.

That's all for this article.


About the author

Kawa Ken


A curious Poke○n who belongs to the System Solutions Department.