Why Antivirus Tools and Firewalls are Not Enough Threat Protection

The cyberthreat landscape has evolved over recent years to become much more dangerous for organizations of all sizes. Threat actors are using increasingly stealthy and more sophisticated methods of compromising a computing environment, resulting in breaches that cannot be effectively addressed by traditional security measures.

Firewalls and antivirus software have typically formed the cornerstone of traditional cybersecurity defensive techniques. These defensive methods still have a place in a comprehensive cybersecurity strategy. They are no longer able to serve as the only means of defending an organization’s computing environment from the advanced threats of today’s cybercriminals.

We’re going to look at how firewalls and antivirus tools work, where they are still effective, and how advanced security solutions like extended detection and response (XDR) are necessary to address the multi-faceted threats plaguing IT environments.

How do Firewalls and Antivirus Tools work?

Firewalls and antivirus tools have long served as the primary method of protection against cyberattacks.

Firewalls

A firewall is a network security device that can be implemented as hardware, software, or firmware. Its purpose is to prevent unauthorized access to a network. A firewall inspects incoming and outgoing traffic and permits or blocks access based on a set of rules configured by network administrators. A key characteristic of a firewall is the need to continuously update its rules to address newly discovered threats.

Firewalls can be categorized according to the methods they use for filtering and the amount of context they consider when determining if specific traffic should be permitted access to the network.

• A packet-filtering firewall examines each packet in isolation with no regard to its context. This type of firewall does not consider if the packet belongs to an established stream of traffic when making its decision. While packet filtering is still used, stateful firewalls and NGFWs have become the primary firewall technology
• A stateful inspection firewall takes into account network traffic patterns to determine if a packet is related to other packets. If the packet is related to previously identified safe connections, it is allowed to go through.
• A proxy firewall or application-level gateway inspects packets at the application level. It examines a packet’s payload to determine if it is a valid request or a disguise for malicious code.
• A next generation firewall (NGFW) integrates enterprise firewall capabilities with the advanced capabilities of an intrusion prevention system and application awareness. A NGFW will also perform deep packet inspections to guard against malware infection. A NGFW combines the capabilities of the previous generations of firewalls with advanced functionality for more effective protection.

Antivirus tools

Antivirus (AV) tools are primarily used as the first line of defense for endpoints. An antivirus program is a piece of software designed to detect, prevent, and remove malware infections from specific devices, systems, or networks. An AV tool can scan files as they are introduced to a system as well as files that are already resident on it. When malicious software is detected, the tool may remove it automatically or inform the user of the infection and ask if it should be removed.

Antivirus tools employ a variety of detection techniques that include:

• Traditional signature-based detection which is only effective against known threats;
• Heuristic-based detection that can detect new or disguised viruses;
• Behavior-based detection that looks for suspicious behavior, potentially indicating the presence of malware.

Antivirus tools and firewalls can be strengthened through the use of endpoint detection and response (EDR) solutions. An EDR system picks up when an antivirus solution fails. After a threat has infected an endpoint, the EDR tool will:

• Generate an alert that the endpoint has been compromised;
• Perform an immediate action such as isolating the endpoint;
• Provide forensic information to facilitate further investigation.

What Types of Threats are AV Tools or Firewalls Effective Against?

AV tools and firewalls are most effective against known threats with signatures that can be incorporated into the tool’s malware database. They are not as effective against new threats or those delivered through methods such as fraudulent websites or malicious phishing emails.

The limitations of firewalls and AV tools require organizations to take additional protective measures to ensure the security of their IT environment. Threat actors have developed techniques that allow them to launch successful attacks despite the existence of firewalls and AV software.

How Cybercriminals Get Around Firewalls and AV Tools

Cybercriminals have developed methods to defeat the defensive capabilities of firewalls and AV tools. The two types of tools operate independently and traditional detection tools cannot correlate the signals they detect. This is where XDR steps in to consolidate signals for more effective threat detection.

The following tactics illustrate some of the ways motivated cybercriminals get around firewalls and AV software.

• Continuously changing malware signatures can trick AV tools and bypass firewalls, enabling entry into the infrastructure. Hackers are also making increasing use of malware free threats that use a vulnerable piece of system software such as a remote desktop agent. These threats do not leave a signature and must be detected through behavioral observation.
• Once inside a network or system, a threat actor often performs stealthy movements that leave weak and hard-to-detect signals while further exploiting the environment. This is known as lateral movement and is used to identify valuable targets to attack in the environment.
• Cybercriminals attack endpoints that are outside the company network and may not be protected by a firewall. AV software will still provide endpoint protection.
• Attacks initiated by phishing emails and malicious websites are extremely popular with cybercriminals and are not detected by firewalls. Phishing emails are becoming increasingly sophisticated to avoid detection from mail hygiene solutions.
• Supply chain attacks can subvert firewalls, AV tools, and endpoint detection.
• Preying on human vulnerabilities to compromise credentials is still one of the most common methods of exploiting system vulnerabilities and cannot be stopped with a firewall or AV tool.

What are Advanced Persistent Threats?

Advanced persistent threats (APTs) are a particularly dangerous type of cyberattack. An APT attempts to embed itself in a computer network or system without being detected or noticed. Once inside a system, the APT often monitors, intercepts, and relays sensitive data to hackers outside the network. In many cases, APTs are used by state-sponsored groups or rogue government agencies to attack high-value targets. They typically use lateral movement to embed themselves more deeply into their targets' environments. APTs are often used to steal valuable data over time while remaining undetected. The victim is unaware of the threat and cannot take the necessary countermeasures to mitigate the theft.

An APT can be used to steal information, damage infrastructure components, and disrupt the operation of mission-critical systems. They can be extremely hard to detect as they use diverse tactics to gain entry such as employing social engineering and exploiting multiple software vulnerabilities.

APTs use various methods to remain hidden so they can perform their malicious activities for an extended time. An APT can do an incredible amount of damage while remaining undetected. A successful APT attack was perpetrated on News Corp in 2020 that was not discovered for two years, until 2022.

How XDR Enhances Existing Cybersecurity Measures

In the current threat landscape, organizations need to accept the fact that they are likely to be breached at some point. The best firewalls and AV tools alone cannot guarantee the ability to prevent every cyberattack. Threat actors are evolving too fast for technology such as firewalls to keep up. Even large organizations with extensive dedicated security teams cannot keep pace with threat evolution. Small companies do not have the resources to constantly update and maintain firewalls and endpoint protection solutions.

Extended detection and response (XDR) augments and enhances an organization’s existing cybersecurity measures. XDR works on top of your other security tools to uncover threats that they cannot identify. It provides a single platform that consolidates all security notifications across the organization. An XDR solution collects data from across all network components and endpoints to coordinate weak signals that may indicate the presence of APTs or other threats that are difficult to detect. XDR uses threat intelligence (TI) to distinguish emerging threats that need to be addressed by security personnel.

XDR benefits companies of all sizes but may be especially useful when deployed by small and medium-sized businesses lacking in-house cybersecurity resources. It provides a defensive mechanism that continually evolves and can detect and respond to threats that other tools miss.

An Advanced XDR Solution

Samurai XDR is a powerful and advanced open XDR solution suitable for organizations of all sizes and infrastructure complexity. The cloud-based solution enables reactive and proactive threat hunting to both mitigate breaches and prevent them from impacting the environment.

You can see Samurai XDR in action by signing up for a 30 day free trial. The threat detection and response experts at Samurai can show you how you can improve your company’s cybersecurity posture with the addition of Samurai XDR.