IBM Security QRadar


Destras, Detections and Deployments

By PATEL MILAN posted Wed February 22, 2023 11:41 AM

  

"Modern cyberspace is a deadly festering swamp, teeming with dangerous programs such as 'viruses,' 'worms,' 'Trojan horses' and 'licensed Microsoft software' that can take over your computer and render it useless," said Dave Barry, the Pulitzer Prize-winning American author.

Every 14 seconds an organization gets hit by ransomware. Businesses often use the terms ransomware, malware and virus interchangeably and conclude that an anti-virus solution would protect them from all such threats. Malware is an all-encompassing term that covers viruses, worms, bots, keyloggers, ransomware and more. Traditional anti-virus software does not protect against all of these threats.

Anti-virus protection works by referencing a massive library of established signatures. The AV solution compares the files downloaded onto the device against this reference library, and if there is a match the file is quarantined. It is a quick, easy solution, but the problem is that an AV product alone cannot combat today's evasive malware and emerging threats: a sample that does not match a known signature passes the check.

There are on average 450,000 new virus signatures on any given day, requiring AV vendors to update their programs throughout the day. Despite this, it is estimated that 39% of malicious software goes undetected. In addition, these AV solutions require an internet connection for frequent updates, so their use is limited if customers have air-gapped devices or cannot allow internet access in their environment due to security policies or regulations.

This is where an Endpoint Detection and Response (EDR) solution comes into play. EDR detects small changes in files, registries, certificates, network activity, memory and so on to discover malicious activity. EDR helps security analysts identify threats and attacks never seen before (e.g. zero-day attacks) and block them.

EDR solutions monitor devices continuously and analyze all activity on them, so they can give complete visibility into what is happening on a single endpoint and across all endpoints. Behavioral analytics on the data collected from endpoints helps block anomalous activity before it turns into a breach. In addition, an EDR solution can integrate with a company's wider security infrastructure and enhance its visibility, defense and remediation capabilities.

The IBM Security ReaQta EDR solution delivers these behavioral analytics with its advanced threat detection engine, Destra (Detection Strategies). Destra is an extended Lua engine that allows security analysts to write custom detection scripts.

Once created, Destras can be pushed to the agents on the endpoints. These detection scripts are executed directly on the endpoint: they reside there and monitor the device to detect and act on anomalies and threats. The benefit is that Destras work even when the endpoint is air-gapped. For example, if a disconnected device is breached via its Bluetooth port, the on-board Destra scripts are still monitoring and protecting it.

[Image: Destra Detection Strategies]

Figure 1: Destra detection script for Hafnium

All Destras run in real time on the endpoint and can therefore identify and respond to new behavior as it happens. Unlike traditional post-processing rules, Destra playbooks react immediately to a threat, leaving an attacker little room for movement. Once a Destra is created, it can immediately be activated across the entire organization without any intervention or downtime. Customers do need connectivity to download Destra scripts onto the devices, but once deployed a Destra works independently and acts autonomously on the device, whether it is connected or air-gapped.
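To make the AV-versus-EDR contrast above concrete, and to show the kind of logic an endpoint-resident detection script expresses, here is an added example written in plain Lua. It is not a Destra script and does not use the Destra API (which is not shown on this page): the event table fields (`ts`, `pid`, `type`, `path`, `key`, `sha256`), the rule name and every hash in it are assumptions constructed for the demonstration. It runs a signature check (a hash lookup, as a traditional AV does) beside a behavioral rule that watches a per-process sequence of events, entirely from local state with no network dependency, which is why this style of detection keeps working on an air-gapped device.

```lua
-- Added example in plain Lua (not Destra's API): a signature lookup next to a
-- behavioral detection, evaluated over a constructed stream of endpoint events.

-- 1. Signature-style check: a fixed table of known-bad file hashes.
-- The hash below is a constructed placeholder, not a real malware hash.
local known_bad_hashes = {
  [string.rep("a", 64)] = "example-family-A",
}

local function signature_match(file_hash)
  return known_bad_hashes[file_hash]  -- nil when the sample is unknown
end

-- 2. Behavioral detection: a per-process state machine. The rule fires when a
-- single process, within a short window, (a) writes a new executable under a
-- user profile, (b) registers it under a Run key and (c) opens an outbound
-- connection. No step depends on a signature, so an unseen sample is caught
-- on what it does rather than on what it is.
local WINDOW_SECONDS = 120

local function new_detector()
  local state = {}   -- pid -> { first_seen, dropped, persisted, connected }
  local alerts = {}  -- list of fired rules, kept locally on the endpoint

  local function track(ev)
    local s = state[ev.pid]
    if not s then
      s = { first_seen = ev.ts, dropped = false, persisted = false, connected = false }
      state[ev.pid] = s
    end
    if ev.ts - s.first_seen > WINDOW_SECONDS then
      -- window expired: restart the sequence from this event
      s.first_seen, s.dropped, s.persisted, s.connected = ev.ts, false, false, false
    end
    -- Lua patterns: '%.' is a literal dot; a backslash is not special here.
    if ev.type == "file_write" and ev.path:match("^C:\\Users\\.+%.exe$") then
      s.dropped = true
    elseif ev.type == "registry_set" and ev.key:match("\\CurrentVersion\\Run$") then
      s.persisted = true
    elseif ev.type == "net_connect" then
      s.connected = true
    end
    if s.dropped and s.persisted and s.connected then
      alerts[#alerts + 1] = { pid = ev.pid, ts = ev.ts, rule = "drop-persist-beacon" }
      state[ev.pid] = nil  -- reset so the same chain is not reported twice
    end
  end

  return { track = track, alerts = alerts }
end

-- Constructed event stream (not a real capture). The dropped file's hash is
-- unknown to the signature table, so only the behavioral rule catches it.
local events = {
  { ts = 10, pid = 4242, type = "file_write",
    path = "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", sha256 = string.rep("b", 64) },
  { ts = 12, pid = 4242, type = "registry_set",
    key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", value = "upd" },
  { ts = 15, pid = 4242, type = "net_connect", dest = "203.0.113.10:443" },
  { ts = 20, pid = 1000, type = "file_write",
    path = "C:\\Users\\alice\\Documents\\notes.txt" },
}

local det = new_detector()
for _, ev in ipairs(events) do
  if ev.sha256 then
    local family = signature_match(ev.sha256)
    print(("signature check pid=%d result=%s"):format(ev.pid, family or "no match"))
  end
  det.track(ev)
end
for _, a in ipairs(det.alerts) do
  print(("behavioral alert pid=%d rule=%s at t=%d"):format(a.pid, a.rule, a.ts))
end
```

Running it prints one "no match" line for the signature check and one behavioral alert for pid 4242; the benign write by pid 1000 never completes the chain. The two design points worth carrying over to a real Destra are that all state lives on the endpoint, and that the time window and the reset after an alert keep a long-lived process from accumulating stale partial matches.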

This gives an advantage to IBM Security ReaQta customers, who need to protect devices that are either connected to or air-gapped from the corporate networks.

More information on Destra can be found here. A short video on creating and configuring Destra policies can be found here.


Comments

Wed February 22, 2023 10:49 PM

Thanks for writing this blog, Milan - very helpful to understand some of the questions I had around AV vs EDR, especially the nuances in an air-gapped environment.