Malicious activity has moved away from malicious files that can be caught by signatures toward malicious behaviour carried out with legitimate tools such as CMD and PowerShell, or exploits embedded in Word documents, PDF files, and so on.
The cyber-attack game has therefore raised its stakes and moved to an advanced level. Current antivirus products treat PowerShell as a trusted, signed executable and let it run; for that reason we need an EDR system as our weapon to survive these attacks, one that checks what is actually running inside that PowerShell process or inside the memory space of WinWord, looking for an exploit, a process injection, and so on.
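As an added illustration (not code from the original post) of the kind of behavioural check an EDR agent performs where signature-based antivirus sees only a trusted PowerShell binary: the script below runs a few constructed, Sysmon-style process-creation events through two simple behavioural rules, an Office application spawning a shell, and PowerShell launched with an encoded, hidden or download-cradle command line. The event fields, rule names and sample command lines are assumptions made for this example; a real EDR adds in-memory inspection (script-block logging, injected-thread scanning) that plain process telemetry cannot provide.

```python
"""Toy behavioural detector over Sysmon-style process-creation events.
Added illustration, not code from the original post. The event layout,
rule names and sample command lines are assumptions modelled loosely on
Sysmon Event ID 1 (ProcessCreate)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Office applications that have no business spawning shells or script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Signed, legitimate script hosts that antivirus treats as benign.
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line patterns typical of PowerShell download cradles and obfuscation.
SUSPICIOUS_CMDLINE = [
    (re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I), "encoded_command"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient",
                re.I), "download_cradle"),
    (re.compile(r"-(nop|noprofile)\b.*-(w|windowstyle)\s+hidden", re.I),
     "hidden_noprofile"),
    (re.compile(r"\bIEX\b|invoke-expression", re.I), "invoke_expression"),
]


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").split("\\")[-1].lower()


def analyse(event: ProcessEvent) -> List[str]:
    """Return the names of every rule that fires for one event."""
    hits: List[str] = []
    child = basename(event.image)
    parent = basename(event.parent_image)
    # Rule 1: Office document spawning a shell (macro / exploit stage one).
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        hits.append("office_spawns_shell")
    # Rule 2: PowerShell invoked the way droppers invoke it.
    if child in {"powershell.exe", "pwsh.exe"}:
        padded = " " + event.command_line + " "
        for pattern, name in SUSPICIOUS_CMDLINE:
            if pattern.search(padded):
                hits.append(name)
    return hits


def scan(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map pid -> rule hits for every event that triggered at least one rule."""
    result = {}
    for e in events:
        hits = analyse(e)
        if hits:
            result[e.pid] = hits
    return result


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcessEvent(5221, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1"),   # benign admin use
    ProcessEvent(6002, r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The benign event (explorer.exe launching a PowerShell script by file) produces no alert, which is the point of looking at parent/child relationships and command-line shape rather than at the PowerShell binary itself.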
So, what are the main characteristics of an EDR system?
– Strong incident response team and threat intelligence
– Detection capabilities in the EDR agent based on machine learning and AI
Machine Learning Role:
Since the amount of data you need to examine is massive, writing rules at the EDR level is neither scalable nor sustainable. This is where machine learning and artificial intelligence, both branches of data science, come in; that expertise is not currently available in the region.
Unfortunately, we do not have machine-learning experts and data scientists in the region. We are still rule-based even on SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response); we may have to wait up to ten years for such expertise, for several reasons:
1- such technologies are not part of the colleges' curriculum
2- we cannot understand user behaviour well enough to write rules inside the system, since the number of existing and expected attacks is uncountable
3- the gap between human errors and machine errors is tremendous
Despite all this technological progress, there is no magic solution for cybersecurity; in the meantime we still have to take care of the basics, such as patching, hygiene, and monitoring for malicious activity, while hardening the existing firewalls and operating systems.
Stay Up To Date!
Originally published at https://www.linkedin.com.