What are layers of protection? Layered security, also known as layered defence, is the practice of combining multiple mitigating security controls to protect resources and data. In other words, layered security is the practice of using many different security controls at different levels to protect assets. This provides strength and depth to reduce the effects of a threat. Using the house break-in example, the layers of protection can be the door lock, sensors, cameras and an automatic alarm system. Each of these is an extra layer, providing more protection.
Layers of protection can be implemented at the endpoint and at the network level.
Endpoints can include desktop or laptop computers as well as portable devices like tablets and smartphones. Other types of hardware installations, like self-service kiosks, can also be categorised as endpoint devices.
A network is a collection of computers, servers, mainframes, network devices, or other devices connected to one another to allow the sharing of data. An example of a network is the Internet, which connects millions of people all over the world. On a smaller scale, a small business may use a LAN (local area network), where all devices are connected to the same local network.
In this article, we will focus on Bitdefender endpoint security, which comprises three stages (layers of protection): prevent, detect and respond.
Using the analogy of a house:
Prevention is making sure that you have locks and fences in place so that no one is able to break in.
Detection is achieved by the cameras and sensors that show whether there is an unauthorised person inside the house.
Response is where the automated system calls the police and determines how to deal with the unauthorised person after detection.
Endpoint Security Layer 1: Prevention (Hardening)
Prevention is the first stage of endpoint protection. It requires hardening as the first layer of protection, to prevent or avoid being breached.
A vulnerability is a weakness that can be exploited by a threat actor, such as an attacker performing unauthorised actions within a computer system.
In order to exploit or take advantage of a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.
Vulnerabilities are part of what is known as the attack surface. The attack surface is the set of different ways in which a device can be infiltrated: for example, through vulnerabilities, external devices, process hijacking, infected files (malware), etc.
Malware, or malicious software, is any program that is intentionally created to harm, steal from or damage a network or computer. Types of malware include computer worms, Trojan horses and spyware. Such malicious software can steal data, lock you out of your own data, hijack computing resources or monitor your computer activities without authorisation.
Once an infected file gains access to your machine, you are breached even if it is never executed. That is what we are trying to avoid with hardening.
Bitdefender implements endpoint hardening by:
Patch management
Full disk encryption
Application control
Device control
Firewall
Web threat protection
Patch Management
Patch management is the process of managing OS and software patches in order to mitigate and remove vulnerabilities in your environment.
Why is this important? All software has bugs and is subject to continuous updates and patches. In fact, most of the breaches that happen today are not due to unknown vulnerabilities but to unpatched systems. An unpatched machine leaves vulnerabilities that attackers can use to breach your systems.
For example, when the NSA's EternalBlue vulnerability in the Windows operating system was leaked, Microsoft started to work on a patch, which was ready in a matter of days. While bad actors were working on ways to exploit the EternalBlue vulnerability, not everyone patched their systems. This was the main reason behind one of the biggest cyber attacks in history, WannaCry, which took place months after the patch that removes this vulnerability was available.
That is why having Bitdefender Patch Management, a centralised patching solution managed from the same console as your security agent, is important.
Patch Management is an add-on feature which you can purchase separately. Contact us for special pricing.
Full Disk Encryption
Full disk encryption is encryption at the hard drive level. It works by automatically converting the data on a hard drive into a form that cannot be understood by anyone who does not have the key to undo the conversion.
Without the proper authentication key, the data cannot be accessed. Full disk encryption can be installed on a computing device at the time of manufacture, or it can be added later by installing special software like BitLocker on Windows or FileVault on Mac. The Bitdefender solution can work with both of these encryption tools for all endpoints.
Another advantage of full disk encryption is that even if someone steals the machine, removes the hard drive and connects it to another machine, they will not be able to access the data, as the encryption takes place on the hard drive itself. That is why full disk encryption is considered an important tool for PDPA (Singapore) and GDPR (Europe) compliance.
Full Disk Encryption is an add-on feature which you can purchase separately. Contact us for special pricing.
Application Control
Through the Bitdefender console, you can allow only a specific set of applications to run on your systems (application whitelisting).
Application control is an important feature for any business with a large number of employees, because it is difficult to control the activities or applications that they are running.
Application control gives the admin the ability to allow only certain applications to run. It reduces the risk of installing and running unneeded applications that come with their own vulnerabilities, such as gaming, screen and file sharing or VPN applications.
Device Control
Device Control is designed to monitor the use of devices on endpoint machines. You can specify how users can access devices like CD, DVD, USB, Bluetooth, NFC, etc., by defining groups for media devices and users on the client workstations. Device Control blocks unauthorised media and prevents malware from spreading via removable media.
One study shows that over 60% of attacks come from within the company. That does not mean that there is an attacker on your staff or that someone means to do you harm. Rather, the attacker counts mainly on employee naivety, like a lost USB stick, flash memory, or even a CD.
The normal response from some employees is to connect the USB stick and check whether it is theirs and they have simply forgotten about it. This gives an attacker direct access to your network.
With Device Control, you can avoid all of that risk with just one policy.
Firewall
Another part of the Bitdefender hardening layer is the firewall. It is a set of connection rules at the endpoint or the network level. It works on IP addresses and ports, together with Bitdefender Web Threat Protection.
In the medieval era, a wall was built around a city to fortify it. A firewall is like the wall around the city: it protects the perimeter of the network. The more rules you add to the firewall, the stronger it gets at filtering unwanted connections.
Nowadays, some employees use their laptops and work phones outside the work network, so you cannot protect each and every network they connect to. That is why we use a local firewall on the machines. It is given the same set of rules on the endpoint as at the network level, which provides more protection for the endpoint when it connects to an unknown network.
Web Threat Protection
Every time you go online, you expose the information stored on your computer to viruses and other malware. They can infiltrate the computer while the user is downloading free software or browsing a website compromised by criminals. Network worms can find their way onto your computer as soon as you establish an Internet connection, even before you open a webpage or download a file. The Web Threat Protection component protects incoming and outgoing data sent to and from the computer over the HTTP and HTTPS protocols and checks it against a list of malicious or phishing web addresses.
The Web Threat Protection component intercepts every webpage or file accessed by the user or an application via HTTP or HTTPS and analyses it for viruses and other threats; this is called Traffic Scan in the Bitdefender console. If the page or file is found not to contain any malicious code, the user gains immediate access to it. If the user accesses a webpage or file that contains malicious code, it gets blocked.
In the Bitdefender console, you can also use Content Control to block certain websites.
Web Threat Protection works hand in hand with Cloud Threat Intelligence, and you can find it in the Bitdefender console as Anti-phishing.
Endpoint Security Layer 2: Detection
Prevention by hardening will not give you 100% safety against cyber threats. In this section, we dive into the second stage of endpoint security: Detection.
Detection has two layers. The first is pre-execution and the other is post-execution.
Pre-execution detection contains:
Signatures
Local and Cloud Machine Learning
HyperDetect
Sandbox Analyzer
Signatures
Generally, signatures compare the hashes of files on a system to a list of known malicious files. Once a malicious file gets exposed and patched, a signature gets recorded based on its hash, and that is how the solution is able to stop it. For example, we can relate the signature of a file to the name of a person. If a criminal's name is released to the public and put on a wanted list, this criminal will not be able to go through checkpoints, as his name is matched against the wanted list. That is how we identify files known to be malicious.
Local and Cloud Machine Learning
In cybersecurity, machine learning algorithms can learn by themselves to make predictions based on previous experience and on the daily analysis of millions of malicious and clean programs. You need both kinds to train an algorithm so that you can keep a low false-positive rate. In practice, a machine learning algorithm is trained to identify a new or unknown threat based on its similarities with known threats.
For example, feeding a machine learning algorithm all known variants of the CryptoLocker ransomware family gives it the ability to estimate whether an unknown sample is statistically likely to be part of the same ransomware family, based on the features that distinguish it from non-CryptoLocker samples.
The trick is to fine-tune the algorithms to make sure that their assumptions are as accurate as possible without causing false alarms by tagging clean files as malicious. So why is it important to have machine learning as part of your security?
Because without machine learning, you only have a security layer that relies on signature-based detection. This is seriously insufficient for two main reasons:
First, for us to have the signature of a known malicious file, we first need to be infected by that file. It takes time for an attack to get a signature, and we do not want that to happen every time in our systems. We want to block threats before they damage our infrastructure.
Second, with machine learning we do not need to do much investigation into new types of threats, as the automated learning is designed to secure you against future attacks based on previous experience.
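The wanted-list comparison described above, as an added Python example (not Bitdefender's code): a hash-signature scanner that catches a recorded sample and misses a one-byte variant until that variant has also been captured and recorded, which is the first reason given above. The byte strings and family name are constructed.

```python
# Added example (not Bitdefender's code): a minimal hash-signature scanner,
# showing that a signature can only stop a file that has already been
# captured, analysed and recorded on the "wanted list".
import hashlib
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """The file's signature as used by hash-based detection: SHA-256 of its content."""
    return hashlib.sha256(data).hexdigest()


class SignatureDatabase:
    """The wanted list: hashes of files already known to be malicious."""

    def __init__(self) -> None:
        self._known_bad: Dict[str, str] = {}

    def record(self, sample: bytes, family: str) -> str:
        """Add a signature; this can only happen after a sample has been seen."""
        digest = sha256_hex(sample)
        self._known_bad[digest] = family
        return digest

    def lookup(self, data: bytes) -> Optional[str]:
        """Return the family name if the hash is on the wanted list, else None."""
        return self._known_bad.get(sha256_hex(data))


def scan(db: SignatureDatabase, files: Dict[str, bytes]) -> Dict[str, str]:
    """Scan a set of files and return a verdict per file name."""
    verdicts: Dict[str, str] = {}
    for name, content in files.items():
        family = db.lookup(content)
        verdicts[name] = f"malicious ({family})" if family else "clean"
    return verdicts


# Constructed samples (not real malware): two byte strings standing in for a
# known dropper and a variant of it that differs by one byte, plus a clean file.
KNOWN_SAMPLE = b"MZ\x90\x00 constructed-dropper v1"
VARIANT_SAMPLE = b"MZ\x90\x00 constructed-dropper v2"
CLEAN_FILE = b"%PDF-1.4 quarterly report"


def demo() -> Dict[str, str]:
    db = SignatureDatabase()
    db.record(KNOWN_SAMPLE, "constructed-family")  # only v1 has been seen so far
    return scan(db, {
        "dropper_v1.exe": KNOWN_SAMPLE,    # recorded, so it is caught
        "dropper_v2.exe": VARIANT_SAMPLE,  # unrecorded variant slips through
        "report.pdf": CLEAN_FILE,
    })


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```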
HyperDetect
Bitdefender HyperDetect adds advanced machine learning models and stealth-attack detection technologies. It is an additional layer of security specifically designed to detect zero-day attacks, advanced persistent threats, fileless attacks and suspicious activities in the pre-execution stage. A totally new threat, specifically designed to infiltrate or target an organisation, starts with a suspicion.
It raises suspicion, but not enough to reach a malicious verdict. Most endpoint protection solutions out there will let it through out of a fear of having too many false positives. The suspicion soon turns into a malicious verdict after it infects a few victims and the new threat emerges in the market. But by this time it can be too late if you are the one targeted.
With HyperDetect, Bitdefender tunes the machine learning algorithms to act on this suspicion. Depending on a confidence score, which can be set by the admin, it can block even the most elusive and advanced threats by catching them from moment zero and avoiding a breach. It also detects fileless attacks by analysing and scanning command lines.
HyperDetect is available only in GravityZone Elite and Ultra. Please contact us to find out which solution is suitable for your organisation.
Sandbox Analyzer
Bitdefender's Sandbox Analyzer is part of the GravityZone endpoint security platform. It is a virtual machine in which all the Bitdefender technologies, like advanced machine learning algorithms, decoys, anti-evasion techniques, anti-exploits and aggressive behavioural analysis, run in listening mode only. In Sandbox Analyzer, you can detonate a piece of malware, let it run and record everything it does on the system.
It provides pre-execution detection of advanced attacks by automatically sending suspicious files that require further analysis to the Cloud Sandbox and taking remediation action based on the verdict.
Each time an unknown portable executable or file is accessed by the end user, Bitdefender first applies machine learning and hybrid attack technology to determine whether the file is malicious. Bitdefender then automatically sends files that require further analysis to the cloud sandbox.
Since the file is analysed in a sandbox environment instead of on the endpoint itself, Bitdefender can perform in-depth analysis without worrying about the performance implications, and it eliminates the risk associated with allowing a potentially malicious file to run on the endpoint. Bitdefender then either allows or blocks execution of the file on the endpoint based on the administrative policy.
Sandbox Analyzer is available only in GravityZone Elite and Ultra. Please contact us to find out which solution is suitable for your organisation.
Post Execution Detection
Bitdefender post-execution detection consists of Anti-exploit, Process Inspector, Event Recorder and Threat Analytics.
Anti-exploit
Not all companies can implement patch management, due to their business practices. Some companies have multiple tools that are developed internally, legacy tools or off-the-shelf software. If such a company applied patches automatically as they were released, it would have compatibility issues with its tools.
Anti-exploit programs provide an additional layer of security by blocking the techniques attackers use. These solutions can protect you against Flash exploits and browser vulnerabilities, even new ones that have not been seen before or patched yet.
Process Inspector
Process Inspector is behaviour-based, real-time protection that monitors all processes running in the operating system. If a process is deemed malicious, it is terminated. Process Inspector is an on-execution protection layer. It drastically reduces the risk of a new or emerging threat compromising a system.
It operates on a zero-trust model and monitors processes running in the operating system, using filters in user mode and kernel mode. It looks for behaviours specific to malware and assigns a score to each process based on its actions and context. This is important because each action on its own may not indicate malicious intent, but collective analysis provides more insight.
When the overall score for a process reaches a given threshold, the process is reported as harmful and appropriate remediation action is taken. Actions include the rollback of changes made by the malicious process on the endpoint.
Here is an example. Imagine a gun being an end-game, sophisticated attack. The gun is obviously not going to pass through the security controls at the airport. But a bad actor can disassemble the gun into a hundred pieces, where each piece individually would probably look harmless. Put all these pieces together, though, and it is a deadly weapon on the airplane.
Process Inspector uses machine learning models to put the pieces together and determine the object that is being formed at the end, before the pieces receive the green light to pass.
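Process Inspector's scoring, as an added Python example (not Bitdefender's implementation): each action observed for a process carries a weight, the weights accumulate per PID, and a process that crosses the threshold is reported together with the file changes that would be rolled back. The action names, weights, threshold and event stream are constructed.

```python
# Added example (not Bitdefender's implementation): per-process behaviour
# scoring. Each observed action contributes a weight; a process whose
# cumulative score reaches the threshold is reported and the files it
# changed are listed for rollback.
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    pid: int
    action: str   # behaviour category observed by the monitor
    target: str   # file, object or peer the action involved


# Constructed weights: each action alone stays under the threshold, the
# combination seen in a typical ransomware run does not.
ACTION_WEIGHTS: Dict[str, int] = {
    "write_file": 1,              # normal for almost every program
    "delete_shadow_copies": 40,   # destroys local backups
    "inject_into_process": 35,
    "encrypt_many_files": 45,
    "outbound_connection": 5,
}
THRESHOLD = 70


class Verdict(NamedTuple):
    pid: int
    score: int
    malicious: bool
    rollback: List[str]   # files to restore when the process is malicious


def score_processes(events: List[Event]) -> Dict[int, Verdict]:
    """Accumulate a score per PID across all of its observed actions."""
    scores: Dict[int, int] = defaultdict(int)
    touched: Dict[int, List[str]] = defaultdict(list)
    for ev in events:
        scores[ev.pid] += ACTION_WEIGHTS.get(ev.action, 0)
        if ev.action in ("write_file", "encrypt_many_files"):
            touched[ev.pid].append(ev.target)  # remember changes for rollback
    verdicts: Dict[int, Verdict] = {}
    for pid, total in scores.items():
        malicious = total >= THRESHOLD
        verdicts[pid] = Verdict(pid, total, malicious, touched[pid] if malicious else [])
    return verdicts


# Constructed event stream: PID 1001 is a backup tool that legitimately
# removes old shadow copies, PID 2002 is a browser, PID 4242 behaves like
# ransomware. Seen one action at a time, none of them looks decisive.
SAMPLE_EVENTS = [
    Event(1001, "write_file", "D:\\backup\\2024-05-01.bak"),
    Event(1001, "delete_shadow_copies", "HarddiskVolumeShadowCopy1"),
    Event(2002, "outbound_connection", "203.0.113.10:443"),
    Event(2002, "write_file", "C:\\Users\\a\\Downloads\\invoice.pdf"),
    Event(4242, "inject_into_process", "explorer.exe"),
    Event(4242, "delete_shadow_copies", "HarddiskVolumeShadowCopy1"),
    Event(4242, "encrypt_many_files", "C:\\Users\\a\\Documents"),
    Event(4242, "outbound_connection", "198.51.100.7:8443"),
]


if __name__ == "__main__":
    for v in score_processes(SAMPLE_EVENTS).values():
        state = "MALICIOUS" if v.malicious else "ok"
        print(f"pid {v.pid}: score {v.score} -> {state}, rollback {v.rollback}")
```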
Event Recorder and Threat Analytics
This is part of the GravityZone Ultra EDR (Endpoint Detection and Response) module. It is an engine that records the events that took place on the infrastructure, which are then analysed by Threat Analytics.
The Threat Analytics module operates in the cloud and continuously sifts through behavioural events and system activities, creating a prioritised list of incidents for additional investigation and response.
Each security module generates events whenever it does something, but each security module only looks at its own events. Sophisticated attacks can have such a small footprint, spread over several different places, that any single security layer would be blind to the attack hiding behind those actions.
The EDR sensor puts together all the events from all the security layers and looks at the bigger picture. Imagine a detective gathering information from telephone companies, banks, street cameras and government agencies to put together small clues and correlate the events leading to the identification of a highly complex heist. That is exactly what Event Recorder and Threat Analytics do, which is why they are so important when you are a targeted organisation.
Event Recorder and Threat Analytics is available only in GravityZone Ultra. Please contact us to find out which solution is suitable for your organisation.
Endpoint Security Layer 3: Response
Response is considered one of the essentials of protection, as it takes care of remediation and automatic actions. There are two response categories:
Investigation & Response
Reporting & Alerts
Investigation & Response
Investigation & Response consists of:
IOC Lookup & Block List
Network Isolation
Detonation
Visualization
IOC Lookup & Block List
IOC stands for Indicator of Compromise. In the IOC lookup, an administrator can search for specific external IPs, URLs or certain command lines running on your systems that target a specific process. The IOC lookup helps you determine whether a potential bad actor is targeting your company through a set of multiple attacks that show the same indicator of compromise associated with a high number of EDR incidents.
If, through the IOC lookup, you find malware related to external IPs, you can easily add them to the block list and apply it at a company level, thus closing a gap in your defences against these indicators.
For example, an IOC is part of the attack surface of your company. Instead of repelling an attack manually over and over again, the EDR block list together with the IOC lookup helps you automate these tasks by easily determining which of these indicators you should create an automatic block rule for. This reduces the effort you need to put in for future attempts from the same source.
IOC Lookup & Block List is available only in the Bitdefender Next Gen solution. Please contact us to find out which solution is suitable for your organisation.
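IOC lookup and automatic block rules as described above, as an added Python example (not Bitdefender's console): search recorded EDR incidents for an IP, URL or command-line fragment, count how many incidents share each indicator, and promote recurring ones to a company-wide block list. The incident records, IPs (RFC 5737 documentation ranges) and domain are constructed.

```python
# Added example (not Bitdefender's console): IOC lookup over recorded EDR
# incidents, and promotion of indicators that recur across incidents to a
# company-wide block list that new connections are checked against.
from collections import Counter
from typing import Iterable, List, NamedTuple, Set


class Incident(NamedTuple):
    incident_id: str
    host: str
    external_ips: List[str]
    urls: List[str]
    command_line: str


def ioc_lookup(incidents: List[Incident], indicator: str) -> List[Incident]:
    """Every incident in which the indicator appears as an IP, a URL,
    or a fragment of the recorded command line."""
    return [
        inc for inc in incidents
        if indicator in inc.external_ips
        or indicator in inc.urls
        or indicator in inc.command_line
    ]


def indicators_to_block(incidents: List[Incident], min_incidents: int) -> Set[str]:
    """IPs and URLs seen in at least min_incidents distinct incidents:
    the candidates for an automatic block rule."""
    counts = Counter()
    for inc in incidents:
        for ioc in set(inc.external_ips + inc.urls):  # count once per incident
            counts[ioc] += 1
    return {ioc for ioc, n in counts.items() if n >= min_incidents}


class BlockList:
    """Company-level block list applied to every endpoint's connections."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def add(self, iocs: Iterable[str]) -> None:
        self.blocked.update(iocs)

    def allows(self, destination: str) -> bool:
        return destination not in self.blocked


# Constructed incident records: one external IP and one URL recur across
# several hosts, the others are seen only once.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "ws-01", ["198.51.100.7"], ["http://files.example.invalid/stage"],
             "C:\\Temp\\updater.exe --pull 198.51.100.7"),
    Incident("INC-2", "ws-07", ["198.51.100.7"], [],
             "C:\\Temp\\updater.exe --pull 198.51.100.7"),
    Incident("INC-3", "fin-03", ["198.51.100.7", "192.0.2.55"],
             ["http://files.example.invalid/stage"], "svc.exe"),
    Incident("INC-4", "hr-02", ["203.0.113.9"], [], "notepad.exe"),
]


if __name__ == "__main__":
    hits = ioc_lookup(SAMPLE_INCIDENTS, "198.51.100.7")
    print("incidents sharing 198.51.100.7:", [i.incident_id for i in hits])
    block_list = BlockList()
    block_list.add(indicators_to_block(SAMPLE_INCIDENTS, min_incidents=2))
    print("blocked:", sorted(block_list.blocked))
    print("192.0.2.55 allowed:", block_list.allows("192.0.2.55"))
```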
Network Isolation
Based on the threat analytics, you will be able to identify the machine that got infected. The investigation and response part can take as little or as long as the complexity of the attack requires. To avoid lateral movement of this specific malware to other machines while you do the investigation, you can easily isolate the machine from the network without worrying that the malware will spread.
Network Isolation is available only in the Bitdefender Next Gen solution. Please contact us to find out which solution is suitable for your organisation.
Detonation
Detonation is part of the Sandbox Analyzer. It allows you to run a specific file, application or URL in a test environment, where the file or application gets all the access it needs to run any hidden commands that would be malware related. In a production environment, such hidden commands could take months to reveal themselves and would stay hidden until then. In the sandbox environment they get triggered immediately. It records everything that happens on the machine so you can see for yourself what could have happened on yours.
Detonation is available only in the Bitdefender Next Gen solution. Please contact us to find out which solution is suitable for your organisation.
Visualization
EDR (Endpoint Detection and Response), being a complex investigation and response tool, would be difficult to manage without an easy-to-read map of an entire incident. The visualisation part of EDR portrays the blast radius of a malware attack on one or multiple machines reporting that attack.
For example, a machine in your environment gets infiltrated. The malware branches out in all directions: different applications and different processes that the attacker leveraged in order to reach their goal. Each of the points involved in the blast radius can be interacted with visually in the Bitdefender console. You can then respond with easy-to-access management commands specific to each type of event and to the entire timeline.
Visualization is available only in the Bitdefender Next Gen solution. Please contact us to find out which solution is suitable for your organisation.
Reporting and Alerts
Reporting and Alerts includes the following:
Disinfection
Quarantine
Removal
Process Termination
Rollback
Disinfection removes the infection from the file but does not delete the file itself. This is the best option if you need to keep the file. If disinfection fails, we move to the next option.
Quarantine moves the malware to a safe location managed by the antivirus software. This option does not delete or clean the file. It is similar to quarantining a sick person so that they cannot infect anyone else: they are neither removed permanently nor healed. We can use Quarantine to store suspicious files, just to make sure that we do not get infected in case they are malware related. If we determine that they are safe, we can restore the files for use. If quarantine fails, we move to the next option, which is our last resort.
Removal completely removes the file from the computer, which is useful if you do not want it anymore. As with any deleted file, a file that your antivirus program deletes is no longer visible and cannot be used.
Deletion is tricky. If you instruct your antivirus software to delete all infected files, some that are crucial to your computer's operating system might get deleted. This could affect the functionality of your operating system and programs. This is why we should use removal as the default action only as a last resort.
Cleaning can be useful, but antivirus software cannot clean a worm or a Trojan, because there is nothing to be cleaned: the entire file is the worm or Trojan.
Quarantine occupies the middle ground here. It moves the file to safe storage under the control of the antivirus application so that it cannot harm your system. This gives you the option to restore the file if you decide that it was mistakenly tagged as harmful.
Process Termination automatically kills a process based on the behavioural analysis made by Advanced Threat Control or Process Inspector.
Rollback
Once a process is deemed malicious, we roll it back to the previous state in which the process was clean. This way, we make sure that when we terminate a malicious process, it does not restart itself and resume its malicious activity. Instead, when the process is restarted, it operates normally.
Bitdefender rolls back some system files and DLL files that were modified during an infection. It has nothing to do with user files, since the rollback is done only on very specific files.
We hope you now have better clarity on how Bitdefender can provide you with the best endpoint security for your organisation. Bitdefender product bundles are designed to address your requirements based on your resources and the risk level of your business. We recommend that you get in touch with us so that we can advise you on the bundle that will suit your environment.