Traditionally, organizations were able to rely on a limited number of security tools to protect their IT infrastructure and applications. Firewalls provided the outer perimeter or “moat” around the network, protecting all of the assets on the inside. Antivirus software did the work of protecting endpoints, mainly focusing on signature-based detection of viruses and malware that might somehow have made it onto a workstation. With the growth of unsolicited email and phishing attacks, spam filters or email hygiene solutions needed to be added to the toolset. These helped to prevent attacks which attempt to bypass firewalls by using applications such as email. As some users started to become mobile, requirements for secure remote access drove the introduction of VPN solutions.
While this portfolio of security tools served both large and small organizations well for a period of time, the move towards digital transformation, increased remote work and the delivery of applications from the cloud have fundamentally changed the IT architecture of most organizations. As a result, the attack surface has changed and has become significantly more complex. While previously an organization’s IT estate existed within the “bounds of the network”, most organizations now have collections of IT assets connected to each other via the public Internet. Even for SMBs, hybrid and remote work have become a reality that cannot be ignored. The advent of SaaS has made it much cheaper and easier to test and deploy new applications, and the lower cost gives smaller organizations a greater ability to deploy more of them.
Cloud Applications Are Not Protected by Firewalls
As applications move to the cloud, they are no longer protected by the corporate firewall. The same is true for laptops and other endpoints which have become mobile and which connect to business IT resources from anywhere using the public Internet. Their traffic is no longer visible on the enterprise network and they cannot be protected by a firewall. This change has affected organizations of all sizes. The move to cloud and to remote or hybrid work, which were once trends and are now common business practice, is having far-reaching implications which cannot be ignored.
Malware is Developed to Evade Antivirus Software
At the same time, attackers have become more sophisticated as they develop techniques to evade traditional tools like antivirus software. For instance, to evade tools which rely on signatures to detect threats, attackers have developed “polymorphic” malware, which is able to “mutate”, staying one step ahead of signature-based detections. In a similar way, the operators of botnets have developed increasingly clever ways to hide the locations of their command and control (or “C2”) servers, making simple reputation checks on IP addresses and domain names less effective.
Because of this malware “arms race”, traditional antivirus software will no longer suffice to protect increasingly mobile endpoints, and more advanced tools such as Endpoint Detection and Response (EDR) are required. Similarly, while VPNs are able to protect connections back into the enterprise network, the move of applications into the cloud requires new tools such as Cloud Access Security Brokers (CASB), which are able to protect access to cloud applications.
Not only have applications moved into the cloud, but the management of user identities (the user names we use to “log in” or authenticate) has also moved into the cloud, as organizations of all sizes move to cloud-based identity providers such as Okta or Microsoft Entra ID (formerly known as Azure Active Directory).
This increased complexity of technology resources and locations has led to a situation where we can no longer trust that a user is allowed access to resources simply because they are “inside the network”. This has given birth to a further technology, known as “Zero Trust”, which is essentially the confluence of identity, VPNs and other technologies such as CASB to create a framework where users are authenticated every time they access a resource and are only given access to the resources they need (known as the principle of least privilege).
This proliferation of new applications and the security technologies required to protect them has given rise to a bewildering volume of security logs, or telemetry, generated by all of them. Organizations that want to protect themselves from threats have no choice but to pay attention to this telemetry. The number of sources and the sheer quantity of data being generated make it impossible to manage each source of telemetry on its own. Instead, organizations need a way to bring all of the security telemetry from their IT estate into a single location, so that they can track security alerts in one place. It is also necessary to correlate events happening in different parts of an organization’s technology stack in order to track the stealthy activities of threat actors, who sometimes go to great lengths to disguise their nefarious activities. These threat actors often try to “tread lightly”, leaving only thin traces of their activities which, viewed in isolation, might not lead to a detection. If, on the other hand, we are able to correlate events coming from multiple sources, using tools such as AI, we increase our chances of detecting threats.
How XDR Enhances Cybersecurity Measures
This is where XDR excels. Firstly, XDR brings all of your security telemetry into a single location. Then, using advanced analytics and AI, XDR correlates the signals obtained from multiple telemetry sources to track the activities of a threat actor as they probe or access multiple elements of an organization’s IT estate. Not only does XDR bring all of your telemetry together into a single location, it also stores all of that telemetry in a data lake. This is important when you need to perform activities such as threat hunts. For instance, if malware is detected on one laptop, it is usually desirable to perform a hunt to check whether the same threat actor might have tried to breach any other systems or applications.
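The cross-source correlation argued for in the two paragraphs above, as an added illustration that is not part of the original article or of Samurai XDR's product: three constructed, low-severity events from hypothetical identity-provider, EDR and CASB feeds are each invisible to a single-tool rule, but a simple rule that looks for several distinct sources reporting on the same user within a window flags them together. The source names, signal names and thresholds are assumptions chosen for the demo.

```python
"""Toy cross-source correlation: weak signals from separate tools combined per user."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Each event is low severity on its own.
EVENTS = [
    {"ts": "2024-09-01T08:00:00", "source": "idp",  "user": "alice", "host": "LT-01", "signal": "login_new_country"},
    {"ts": "2024-09-01T08:07:00", "source": "edr",  "user": "alice", "host": "LT-01", "signal": "lolbin_exec"},
    {"ts": "2024-09-01T08:15:00", "source": "casb", "user": "alice", "host": "LT-01", "signal": "bulk_download"},
    {"ts": "2024-09-01T09:00:00", "source": "edr",  "user": "bob",   "host": "LT-02", "signal": "lolbin_exec"},
    {"ts": "2024-09-02T10:00:00", "source": "casb", "user": "alice", "host": "LT-01", "signal": "bulk_download"},
]

def parse(ev):
    """Timestamp of an event as a datetime (ISO 8601 in the samples)."""
    return datetime.fromisoformat(ev["ts"])

def per_source_alerts(events, window=timedelta(hours=1), repeats=3):
    """The isolated view a single tool has: alert only when the same signal repeats
    from the same host within the window. Returns [] for the sample above."""
    hits = []
    for src in {e["source"] for e in events}:
        evs = sorted((e for e in events if e["source"] == src), key=parse)
        for i, start in enumerate(evs):
            same = [e for e in evs[i:] if e["host"] == start["host"]
                    and e["signal"] == start["signal"]
                    and parse(e) - parse(start) <= window]
            if len(same) >= repeats:
                hits.append((src, start["host"], start["signal"]))
    return hits

def correlate(events, window=timedelta(hours=1), min_sources=3):
    """The consolidated view: group events by user and flag a user when at least
    min_sources distinct telemetry sources report within a sliding window."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=parse):
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            chain = [e for e in evs[i:] if parse(e) - parse(start) <= window]
            sources = {e["source"] for e in chain}
            if len(sources) >= min_sources:
                findings.append({"user": user, "host": start["host"], "start": start["ts"],
                                 "sources": sorted(sources),
                                 "signals": [e["signal"] for e in chain]})
                break  # one finding per user is enough for this demo
    return findings

if __name__ == "__main__":
    print("single-tool alerts:", per_source_alerts(EVENTS))
    print("correlated findings:", correlate(EVENTS))
```

Lowering `min_sources` to 1 turns the rule back into a per-event alert and flags every user, which is the noise the consolidation is meant to avoid.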
Samurai XDR gives you the ability to bring all of your telemetry from endpoints, infrastructure, applications and security tooling into a single location and consolidate your threat detection and response. Our data lake gives you the ability to collect up to a year’s telemetry, allowing you to perform sophisticated threat hunts using our Advanced Query functionality. To simplify the management of your security operations, start your free trial of Samurai XDR today.