A simple introduction to endpoint security

Hello, this is Kawa from the System Solutions Department.

There's only a little time left in the year.
A little while ago, the Information-technology Promotion Agency (IPA) published the Information Security White Paper 2024.
https://www.ipa.go.jp/publish/wp-security/2024.html

Perhaps due to the rise of generative AI, ransomware and sophisticated Japanese-language phishing attacks seem to have become more complex this year in particular. It feels like we are entering an era where both companies and individuals need to improve their security literacy more than ever before.

In this article, we will explain endpoint security products, which can be said to be the foundation of security.

What is Endpoint Security?

Endpoint security, as the name suggests, is software installed on endpoints, that is, devices such as PCs and smartphones, to protect them from malware and other threats.
(It is also sometimes referred to as endpoint protection.) It also goes by broader names such as antivirus software, but these generally refer to the same kind of product.

Basic functions

While the functionality has been constantly upgraded over time, the basic concept and behavior remain the same.
Generally, it scans the device, detects files deemed dangerous, and then quarantines or removes those files to protect the device.
There are countless software vendors, both domestic and overseas, but their products all basically behave as described above.
Nowadays, however, we can see vendors trying to differentiate themselves by incorporating AI or sandboxing features, or adding entirely different value-added features.

Scan function

This scans all files on your PC to check for any potential threats.
Typically, users can choose to quarantine or remove files based on their settings.
Scan methods vary depending on factors such as the load they place on your PC.

[Scheduled Scan]
This method involves performing scans at specific times, days of the week, or other fixed dates.
Since it can be done when the user is not operating the device, it is less likely to disrupt daily work.

[Real-time scanning]
Literally, this scans files on the device in real time, tracking file operations.
A common behavior is to record the unique hash value of each file so that differences can be spotted when changes are made. While it is more immediate than scheduled scans, the process runs constantly, which can easily lead to increased device load.

[Full Scan/Quick Scan]
This method scans either the entire device or only specific directories with high file traffic or those prone to suspicious file intrusion.
A full scan takes time but is thorough. Depending on your usage, it's common to use quick scans regularly and full scans once a month.
There are also user settings that allow you to scan only specific directories.

How detection works

The detection mechanisms used during scanning vary depending on the software, but the most common is static scanning.
Most widely recognized malware samples are collected by the various vendors.
Each file has a unique string called a hash value, and basically this value is compared against the collected samples to determine whether a file is the one in question.
(Reference: https://www.trendmicro.com/vinfo/jp/security/definition/hash-values)

This list is often called a "signature file," "pattern file," or "definition file."
The list is updated daily, and in some cases, vendors update it every few hours, allowing for rapid response to new malware.
However, recently, there has been an increase in files that do not match this list, and the number of cases where people are affected because pattern files alone are insufficient to deal with them is also increasing.

About the sandbox feature

This is where the sandbox function comes in.
The word literally means a sand pit; this function executes files that may be malware in virtual memory and removes them if they exhibit suspicious behavior.
Because it observes behavior, it is also called behavioral detection.
(It seems to have been named after the image of playing in a sandbox in a park.)
Recently, we have seen products that differentiate themselves from others by incorporating big data and AI functions to improve the accuracy of the sandbox.

About false positives

A common issue with these types of products is false positives.
For example, if you have macros in an office document file, it may be mistakenly identified as suspicious activity and quarantined/deleted.
To avoid this, you can add the file to the exception list or allow the file's save directory itself as an exception.
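As an added illustration (not code from the original article), the following Python sketch ties together the three mechanisms described above: the hash-difference tracking of real-time scanning, the pattern-file matching of static detection, and the exception list used to avoid false positives. The signature set, sample files and directory names are all constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks; this is the 'unique string' a pattern file lists."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Hash every file under root: the baseline a real-time scanner diffs against."""
    paths = (os.path.join(d, n) for d, _, files in os.walk(root) for n in files)
    return {p: sha256_file(p) for p in paths}


def changed_files(old, new):
    """Paths that are new or modified since the previous snapshot."""
    return [p for p, digest in new.items() if old.get(p) != digest]


def scan(paths, signatures, exclusions, quarantine_dir):
    """Static scan: quarantine files whose hash is in the signature list.
    Files under an excluded directory (the exception list) are skipped."""
    quarantined = []
    for p in paths:
        if any(p.startswith(ex + os.sep) for ex in exclusions):
            continue  # allow-listed directory, e.g. trusted macro documents
        if sha256_file(p) in signatures:
            shutil.move(p, os.path.join(quarantine_dir, os.path.basename(p)))
            quarantined.append(p)
    return quarantined


def demo():
    root, quarantine = tempfile.mkdtemp(), tempfile.mkdtemp()
    baseline = snapshot(root)  # empty at first
    os.makedirs(os.path.join(root, "Downloads"))
    os.makedirs(os.path.join(root, "Trusted"))
    sample = b"CONSTRUCTED-SAMPLE"  # stands in for known-bad content
    bad = os.path.join(root, "Downloads", "invoice.exe")
    macro = os.path.join(root, "Trusted", "report.xlsm")  # same bytes, but excluded
    for p in (bad, macro):
        with open(p, "wb") as f:
            f.write(sample)
    signatures = {hashlib.sha256(sample).hexdigest()}  # constructed pattern file
    changed = changed_files(baseline, snapshot(root))
    hits = scan(changed, signatures, [os.path.join(root, "Trusted")], quarantine)
    return len(changed), [os.path.basename(q) for q in hits], os.path.exists(macro), os.path.exists(bad)
```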

About EDR Products

Another, slightly different but related product is EDR (Endpoint Detection and Response).
Compared to EPP (Endpoint Protection Platform, roughly what we have been calling endpoint security), which detects and removes malware at the point of file download, EDR products are designed for reactive measures after the fact.
For example, after a malware infection, their main function is to restore the device, such as rolling back the PC's state (returning it to its state before infection).

The Importance of Endpoint Products

As noted in the IPA White Paper, ransomware has been on the rise in recent years. Emotet is also still active, although its activity has decreased somewhat.
(Reference: https://www.ipa.go.jp/security/emotet/index.html)
While a multi-layered defense approach that protects at various levels is fundamental, I believe the first step is to implement endpoint security products.

That's all for this article.

If you found this article helpful, please give it a "Like"!

About the author

Kawa Ken

from the Systems Solutions Department
A curious Pokémon