A simple introduction to endpoint security

Hello, I'm Kawa from the System Solutions Department.

There's only a little time left this year.
A while ago, IPA published Information Security White Paper 2024.
https://www.ipa.go.jp/publish/wp-security/2024.html

Perhaps due to the rise of generative AI, it seems that ransomware and sophisticated Japanese phishing have increased in complexity, especially this year.
I feel that we are now in an era where both companies and individuals are required to further improve their security literacy.

In this article, we will explain endpoint security products, which can be considered the basics of security.

What is endpoint security?

Endpoint security, as the name suggests, is installed on endpoints, that is, devices such as PCs and smartphones,
to protect them from dangers such as malware.
*Also referred to as endpoint protection. It goes by a wide variety of other names as well, such as antivirus software, but these usually refer to the same kind of product.

About basic functions

Although the functionality has been upgraded over time, the basic idea and behavior remain the same.
Generally, the product scans the device, detects files that are deemed dangerous, and quarantines or disinfects those files to protect the device.
There are countless software vendors, including overseas products, but they basically all behave as described above.
Nowadays, vendors try to differentiate themselves by adding AI or sandbox functions, or by providing completely different added value.

Scan function

It scans the files on your PC to find out whether they are dangerous.
In most cases, detected files are quarantined or disinfected according to the user's settings.
Scanning can behave in several ways, chosen according to the load it places on the PC and other factors.

[Schedule scan]
This is a method of scanning at a fixed date and time such as a specific period, day of the week, or time.
This can be done when the user is not operating the device, so it is less likely to interfere with daily work.

[Real-time scan]
Inspects files on the device in real time, literally tracking file operations.
A common implementation keeps a list of the unique hash value of each file so that differences can be spotted when a file changes.
Although it is more immediate than a scheduled scan, it tends to load the device because the process is running all the time.

[Full Scan/Quick Scan]
This is a method of inspecting either the entire device or only some directories where files frequently come and go or where suspicious files tend to arrive.
A full scan takes time but is reliable. It depends on how you use the device, but I think common practice is to run a quick scan normally and a full scan once a month.
There is also a way to scan only specific directories via user settings.

About the detection mechanism

The detection mechanism used during scanning varies depending on the software, but the most common is static inspection.
For most of the malware that is widely known in the world, samples are collected by each vendor.
Each file has a unique string called a hash value, and a file is basically identified by comparing that value against the collected samples.
Reference: https://www.trendmicro.com/vinfo/jp/security/definition/hash-values

This list is often referred to as a "signature file," "pattern file," or "definition file," and is often compared to a wanted poster.
The list is updated daily, and some vendors update it every few hours, so they can quickly respond to new malware.
However, an increasing number of files that do not match this list have been circulating recently, so the number of cases in which pattern files alone cannot prevent the damage is also increasing.
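As an added example (not code from the original article), here is a small Python scanner that shows the mechanics behind the real-time hash tracking and static signature matching described above: it records a SHA-256 baseline of a directory, reports which files changed between scans, and checks each hash against a constructed signature list. The sample bodies and signature names are made up for the demonstration; the rescan shows how a file that differs by a single byte is noticed as changed yet no longer matches any signature.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed test bodies standing in for vendor-collected samples (not real malware),
# and the "pattern file" built from them: a map of SHA-256 hash -> sample name.
KNOWN_SAMPLES = {
    b"constructed test sample A": "sample-A",
    b"constructed test sample B": "sample-B",
}
SIGNATURES = {hashlib.sha256(body).hexdigest(): name for body, name in KNOWN_SAMPLES.items()}

def file_hash(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Hash every file under root: what a scheduled or full scan records."""
    return {str(p.relative_to(root)): file_hash(p) for p in root.rglob("*") if p.is_file()}

def changed_files(old: dict, new: dict) -> set:
    """Files that are new or whose hash differs: the delta a real-time scan re-inspects."""
    return {name for name, digest in new.items() if old.get(name) != digest}

def signature_hits(baseline: dict) -> dict:
    """Static inspection: files whose hash appears on the signature list."""
    return {name: SIGNATURES[digest] for name, digest in baseline.items() if digest in SIGNATURES}

def demo() -> dict:
    """Scan a temporary directory, change one file by a single byte, and rescan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "report.txt").write_bytes(b"quarterly numbers")
        (root / "invoice.exe").write_bytes(b"constructed test sample A")
        first = build_baseline(root)
        hits_before = signature_hits(first)
        # A variant that differs by one byte: the change is noticed, but the hash
        # no longer matches any signature, which is the gap the article describes.
        (root / "invoice.exe").write_bytes(b"constructed test sample A!")
        second = build_baseline(root)
        return {"hits_before": hits_before,
                "changed": changed_files(first, second),
                "hits_after": signature_hits(second)}
```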

About the sandbox feature

That's why the sandbox feature was invented.
The word literally means "sandbox" (sunaba in Japanese), and it is a function that executes files that may be malware in an isolated virtual environment and removes them if they exhibit suspicious behavior.
It is also called behavioral detection because it looks at behavior. (The name apparently comes from the image of children playing in a sandbox in a park.)
Recently, we have seen products equipped with big data and AI functions that differentiate themselves with technology to improve the accuracy of the sandbox.

About false positives

False positives are common with these types of products.
For example, if an Office document contains a macro, it may be mistakenly recognized as suspicious and quarantined or disinfected.
To deal with this behavior, you can register the file as an exception or register the directory where the file is saved as an exception.

About EDR products

Compared with EPP (Endpoint Protection Platform), which detects and disinfects files when they are downloaded, there is a somewhat different but related product category called EDR (Endpoint Detection and Response), which focuses on reactive measures.
For example, its main function is to restore the device after a malware infection, such as rolling back the state of the PC (returning it to the state before infection).

The importance of endpoint products

As stated in the IPA white paper, ransomware has been on the rise in recent years. In addition, although it has slowed down compared with a while ago, Emotet is still active.
Reference: https://www.ipa.go.jp/security/emotet/index.html
The basic idea is multi-layered defense, protecting at various layers, but I think the first step is to introduce an endpoint security product.

In closing


About the author

Kawa Ken

A curious Poke○n who belongs to the System Solution Department.