The early days of the Internet, when antivirus software was the only defense against online threats, are long gone. New tools such as Endpoint Detection and Response (EDR) have been developed to fill the gap as antivirus became increasingly unable to stop newer forms of malware.
But even traditional EDR has its weaknesses: most notably, it only registers threats once they have entered your system. Your organization needs a zero trust endpoint security solution that stops threats before they run in your environment.
From antivirus to endpoint detection and response
The development of EDR tools was the next step in cyber resilience after antivirus fell behind in its ability to stop malware.
The battle began when the rate at which new malware was created and distributed far exceeded the rate at which it could be catalogued and blocked before causing damage. The logical next step was to develop a cybersecurity tool that could identify malware by its behavior, not just by its code.
Cybersecurity experts are continuously working to improve EDR tools to detect and respond to threats faster and more accurately, introducing strategies including, but not limited to:
- Artificial Intelligence (AI): The recent rise of AI has allowed cybersecurity tools to identify malware more frequently and with fewer false positives or negatives.
- Automated incident response: Most traditional EDRs have automations that take action as soon as the EDR detects a potential threat.
- Managed detection and response: Organizations can outsource the management of EDR tools to a product vendor. The vendor assigns an internal team to monitor alerts and take additional action following any automated responses, while also notifying the customer.
The problem with traditional EDRs
Using obfuscation, threat actors can evade the techniques EDR relies on to identify malware: behavioral analysis can be defeated by malware scripted to behave like an end user, and signature matching can be defeated by altering the characteristics that would match it to known malware.
Additionally, cybercriminals are now using AI to streamline their malware generation process, creating malware faster and improving its ability to execute without detection.
Another critical problem with traditional EDRs and other detection-based tools is that they only act once the malware is already active in the environment, leaving customers in the lurch and missing cyber attacks until it is too late.
This means that malware can cause massive damage before traditional EDR tools notice and take action, if at all, and the best they can do is limit the amount of damage incurred.
Detection tools are not the future of endpoint security
The next step in cyber resilience is zero trust controls that enforce least privilege across applications, user access, data access, and network traffic.
Take, for example, blocklisting applications versus allowlisting them. Blocklisting is similar to antivirus strategies in that it makes a list of what is known to be bad, blocks everything on that list, and allows everything else.
Application allowlisting instead lists the applications and software you trust and need, and blocks everything else from running. Allowlisting is a zero-trust application control method that prevents known and unknown threats from running on your devices, stopping cyber attacks such as ransomware from detonating.
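To make the contrast concrete, here is an added example (not ThreatLocker's code) that runs the same execution events through a blocklist decision and a default-deny allowlist decision, with a hypothetical ringfence rule layered on the allowlist; the file contents, hashes and rule sets are all constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in file contents; the hashes derive from them and are not real samples.
TRUSTED: Dict[str, str] = {
    sha256(b"excel.exe 16.0"): "excel.exe",
    sha256(b"powershell.exe 5.1"): "powershell.exe",
}
KNOWN_BAD: Set[str] = {sha256(b"ransomware build 1")}

# Hypothetical ringfence policy: an allowed parent may not launch these children.
RINGFENCE: Dict[str, Set[str]] = {"excel.exe": {"powershell.exe", "cmd.exe"}}


@dataclass
class ExecEvent:
    name: str                     # file name as seen on disk
    content: bytes                # stand-in for the file bytes being hashed
    parent: Optional[str] = None  # process that launched it, if known


def blocklist_decision(event: ExecEvent) -> str:
    """Antivirus-style: deny only what is already known to be bad, allow the rest."""
    return "deny" if sha256(event.content) in KNOWN_BAD else "allow"


def allowlist_decision(event: ExecEvent) -> str:
    """Default-deny: allow only explicitly trusted software, then apply ringfencing."""
    if sha256(event.content) not in TRUSTED:
        return "deny"  # unknown software and known malware are treated identically
    if event.parent and event.name in RINGFENCE.get(event.parent, set()):
        return "deny"  # a trusted app is not allowed to be weaponized by its parent
    return "allow"


def compare(events) -> Dict[str, tuple]:
    """Map each event name to its (blocklist, allowlist) decision pair."""
    return {e.name: (blocklist_decision(e), allowlist_decision(e)) for e in events}


SAMPLE_EVENTS = [
    ExecEvent("excel.exe", b"excel.exe 16.0", parent="explorer.exe"),
    ExecEvent("ransomware.exe", b"ransomware build 1"),
    ExecEvent("remote_tool.exe", b"remote desktop tool 8.0"),  # never seen before
    ExecEvent("ransomware_v2.exe", b"ransomware build 2"),     # trivially altered variant
    ExecEvent("powershell.exe", b"powershell.exe 5.1", parent="excel.exe"),
]
```

The unseen tool and the altered variant pass the blocklist but are denied by default under the allowlist, and the trusted shell is denied only when Excel is the parent.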
How ThreatLocker fills security gaps left by EDR
ThreatLocker is a zero trust endpoint protection platform that uses proactive controls to mitigate known and unknown cyber threats. The solutions that make up the ThreatLocker platform play a critical role in preventing cyber attacks before an EDR can detect them:
- Allow list: Allows only the software you need and blocks everything else.
- Ringfencing: Places restrictions on what your allowed software can do, preventing the weaponization of trusted applications.
- Elevation Control: Removes all local administrative rights from the end user. Administrative rights can be automatically delegated to applications via ThreatLocker policies.
- Storage Control: Protects your data from unauthorized access or theft by setting detailed policies for your storage devices.
- Network Control: Gives you complete visibility and control over all network traffic, including dynamic ACLs that can automatically open and close ports on your server to ensure only trusted devices can access your network resources.
- ThreatLocker Detect: Alerts you to indicators of compromise blocked by modules, such as when Allowlisting repeatedly blocks unknown software from running on your corporate device(s).
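The "repeatedly blocks unknown software" signal in the last item can be expressed as a simple sliding-window rule over denial events. The following added example (not ThreatLocker's code) runs such a rule over constructed audit lines in a hypothetical key=value layout, alerting when one host accumulates three allowlist denies within ten minutes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed audit lines in a hypothetical layout; not ThreatLocker's real log format.
SAMPLE_AUDIT = """\
2024-01-15T03:10:02Z host=WS-17 module=allowlist action=deny file=tool.exe hash=aaa111
2024-01-15T03:10:45Z host=WS-17 module=allowlist action=deny file=tool.exe hash=aaa111
2024-01-15T03:11:30Z host=WS-17 module=allowlist action=deny file=tool_v2.exe hash=bbb222
2024-01-15T03:12:05Z host=WS-04 module=allowlist action=deny file=setup.exe hash=ccc333
2024-01-15T03:40:00Z host=WS-17 module=storage action=deny file=patients.db hash=-
2024-01-15T05:00:00Z host=WS-04 module=allowlist action=deny file=setup.exe hash=ccc333
"""


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def repeated_deny_alerts(lines: List[str], threshold: int = 3,
                         window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, str, int]]:
    """Return (host, time, count) once a host hits `threshold` allowlist denies in `window`."""
    recent = defaultdict(deque)  # host -> timestamps of allowlist denies still inside the window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["module"] != "allowlist" or rec["action"] != "deny":
            continue  # only execution denies feed this rule; storage denies are out of scope
        q = recent[rec["host"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop denies that have aged out of the window
        if len(q) >= threshold:
            alerts.append((rec["host"], rec["ts"].isoformat(), len(q)))
            q.clear()  # one alert per burst rather than one per additional deny
    return alerts
```

WS-17 trips the rule on its third deny; WS-04's two denies are almost two hours apart and never overlap inside the window.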
Case study: ThreatLocker protects hospital against ransomware gangs
On January 15, 2024, ThreatLocker protected an unnamed hospital from a ransomware attack that went on to destroy a second hospital, which was still connected to the first hospital’s network because of technological limitations.
The attack began when the threat actor compromised the hospital using stolen domain administrator credentials purchased on the dark web, entering the network through the corporate VPN. At the time, the hospital had not enabled two-factor authentication for VPN connections due to a lack of budget.
Once on the network, the ransomware gang attempted to install and run AnyDesk, a remote desktop application, which was immediately denied by default by ThreatLocker’s application allowlist. Realizing they would not be able to execute malware in the environment, the threat actors moved laterally to the second hospital on the same network, which was not protected by ThreatLocker.
ARK Technology Consultants, the hospital’s Managed Service Provider (MSP) and a ThreatLocker partner, discovered an attempted cyberattack when they noticed someone had attempted to delete the event logs. ARK was able to observe the threat actor’s attempts through the ThreatLocker allowlist and the Storage Control module event logs captured in the unified audit.
The ransomware gang left a note claiming they had stolen terabytes of data from the first hospital, but the unified audit, which included event logs from the Storage Control module, said otherwise. In reality, ThreatLocker Storage Control had prevented them from reading, writing, or moving the critical data, preventing the gang from stealing anything of importance from the first hospital.
Despite holding the domain administrator’s credentials and VPN access to the hospital’s network, the ransomware gang was ultimately unable to carry out their cyberattack, because ThreatLocker’s allowlist blocked the AnyDesk application and Storage Control prevented the attackers from exfiltrating, modifying, or destroying the files in its database.
Zero trust endpoint protection for the future
A complete security strategy requires a detection tool like EDR and antivirus so that all bases are covered. These tools act as your last line of defense against cyber threats. But traditional EDR and other detection tools can no longer be used as a complete security strategy.
ThreatLocker provides proactive security controls that prevent cyber attacks in the first place rather than responding to them after they happen. ThreatLocker places controls over applications, data, and user permissions, then alerts you to indicators of compromise through ThreatLocker Detect.
ThreatLocker Detect differs from traditional EDR, which for some organizations is the first line of defense. ThreatLocker Detect, by contrast, is the last line of defense, since the other ThreatLocker modules will already have prevented most endpoint-based cyber attacks.
Additionally, ThreatLocker Cyber Hero MDR combines the capabilities of ThreatLocker Detect with a 24/7/365 managed response service, giving you expert support to investigate and respond to threats as they arise.
To learn more about how you can implement a proactive approach to securing your environment, book a demo with ThreatLocker today.