
The Scary Truth About Antivirus & Why It Leaves You Vulnerable

If you are relying on antivirus to protect your organization, you are left vulnerable to an abundance of cyber threats. Antivirus is useless in the case of ransomware and other types of malicious attacks. Antivirus only prevents the threats it is told to look out for, when in reality there are hundreds of unknown threats that have not yet been identified.

Transcription

TOM: Right. Just in case you’ve never been on here before, these are real casual. So if you want to speak, Kindsey would be happy to turn the microphone on for you. Oh, and we’ll do it at the end. There’s only two or three slides to the meat of this, so at the end we should have time to take any questions or comments.

We’d love to hear what you guys want to know more about, because we’re in the forest. We can’t see the trees as well as you guys can. We are continually surprised at some of the concerns that are expressed to us that just blow us away, like “Oh, we just assumed you knew this,” and that’s not the case. So you guys tell us what you want to hear about, what you want to know more about, and maybe we’ll make it a Deeper Dive.

We do these every Tuesday, 2 p.m. Central Time. Sometimes we do topics that are in the headlines, like SolarWinds. It’s probably a little late for that. The SolarWinds breach and stuff, we’ve studied that a lot. We know quite a bit more about it. The good news is, any of our clients that are using our EDR would be immune to it. They would not have suffered a breach on their network, even if we were using or your IT service provider was using SolarWinds’ Orion product. If you had the additional layer of security, our primary EDR that we force our clients to install, you still wouldn’t have been hit. Good news. Why these other companies aren’t using the EDR that we use, I don’t have a clue, but things move slowly in government circles. I’m surprised they even had Orion installed, actually.

Okay, let’s jump right in. This is an anti-antivirus slideshow. I go through this a lot on the main webinar, but I want to dig in a little deeper. I meant to put some logos up on here before we started. You look at that shelf of antivirus at Office Depot or Best Buy or whatever and you see Norton and Symantec and McAfee and Bitdefender and Avast and AVG and Kaspersky and all of those off-the-shelf antivirus. They really are about one notch above useless.

The simple fact of the matter is if you’re running Windows, the Windows Defender is pretty good these days, and it comes with it for free, so there’s no point in buying an antivirus. And if you’re on a Mac, you can get by without an antivirus. Now, we don’t recommend not using something better, which we’ll get to in the next slide.

But here’s the deal about antivirus. A pure play antivirus can only detect a threat by its signature. There’s a lot of different ways you can calculate or determine a signature of an executable. One of them is an algorithm based around the executable size that creates a unique code. You may have seen this when you’ve downloaded things on websites. It’s like a SHA-1 hash. What that means is, that SHA-1 hash, you can verify it against the download and verify that that download hasn’t been tinkered with.

Antivirus can use a SHA-1 hash or they can detect another fingerprint of the viruses that it knows about and then sometimes stop the threat or at least warn you that there’s a threat.

Here’s the problem. There’s a lot of problems with that. If the antivirus is not up to date, and a virus comes in that the signature hasn’t been updated or even added, it’s not going to detect it. It’s got to be in the local database for it to protect it. Another problem is that antivirus vendors don’t all say, “We’re releasing an update for Tom’s Trojan tomorrow.” Norton may do it tomorrow, Bitdefender maybe 6 months later, or 3 months, or never. So they all have varying – there’s no continuity amongst the vendors on when a particular virus signature is updated on your computer. That’s a serious problem.

And even more serious is it cannot detect zero day threats. Now, a zero day threat is a threat that’s been discovered – typically a brand new virus that’s active in the wild. There’s a time between when the signatures get updated – no matter if it’s 24 hours or 24 days or 24 weeks, that time, you’re vulnerable to that particular virus.

Let’s see, what else is wrong with antivirus? Those are just some of the things. There’s probably 2 or 3 other things that I’m missing, but the simple fact of the matter is, long story short, antivirus is pretty much useless these days. They’ve tried to do some stuff with polymorphic viruses. There’s virus technologies that can change its signature as it replicates itself. AVs can keep up with some of that stuff. You can splice DNA, but the vast majority of the DNA is still the same. The same thing applies to a virus.

But there’s no artificial intelligence or machine learning analysis, or even human analysis, that’s going on. It either detects it or it doesn’t, and it either stops it or it doesn’t, and it either quarantines it or it doesn’t. That’s not good enough these days. As I’ve said many, many times, once the NSA hacking tools were stolen and put on the Dark Web for sale, these NSA hacking tools, cyber warfare tools the United States used against other nation-states, are now available for sale on the web. Including the source code. These are very sophisticated hacking tools, and they’re just incredible threats. When that happened about 3 years ago, it drastically upped the ante on the defensive front for companies like us.

So, what’s the answer? It goes by a number of acronyms, and if you know anything about technology, you know that we love acronyms. The funny thing about EDR is that it’s continually evolving, just like all technologies are. Just in the course of the last couple of years, it’s been known as ETDR, MeDR, MDR, and other names. I think SentinelOne is calling theirs PPE now to differentiate themselves from antivirus vendors that are claiming there’s EDR in their stuff. But there’s still limitations to it, and none of it – if it’s an off-the-shelf antivirus, even if they claim they’ve got an EDR, it is nowhere near being best of breed. But there’s an important distinction besides that that has to be considered.

An endpoint detect and respond or automated endpoint detect and respond or managed detect and respond, all these different acronyms – there’s two primary characteristics of EDR that are super, super important. The first one being they use artificial intelligence and/or machine learning to look at the behavior of the user and the computer to determine if it’s an anomaly. Not necessarily a threat; it just wants to see weird stuff and keep an eye on it.

In the case of ransomware, ransomware has no signature. Zero virus in a ransomware, in the purest definition of the word virus. It is simply a macro that executes programs that are part of the operating system. So there’s no virus to detect a signature on. That’s why antivirus doesn’t work with ransomware very well. Those that try to do lateral movements, try to infect the computers on the network, they might pick up some of that stuff, but it’s not worth the risk to even think about it. So that’s the first thing.

The second one is any EDR worth its money, the vendor has a SOC, security operation center, that is staffed with security experts. These guys day in and day out, they get alerts. Our clients will send them alerts, and their SOC analysts look into it and then escalate it to us, coordinate and orchestrate with us for response, mediation, and defensive responses. We’ve got to stop it, we’ve got to kill it, get it off the computer, see what damage it’s done, do a post mortem on it, figure out where the breach came in, why it occurred, and all that. That’s any good security company.

Antivirus just does its automated thing and that’s it. There’s no human monitoring or intelligence behind it to make sure that it properly quarantined or to make sure there wasn’t yet another threat. That’s another way to do it; these hackers, when they create these attack viruses, it’s not uncommon to use the tactic of the shiny bauble. You go, “Hey, look over here! We’re getting attacked!” and while the antivirus is taking care of that, they’re doing something else in the back. Misdirection, like a magician does. They misdirect, put all the resources on the obvious threat while they are doing something else totally different in the back. Maybe putting a backdoor on the server or whatever it may be.

An EDR is going to catch that because they’re monitoring every single thing on the computer. An EDR is also going to function as an IDS and an IPS. It’s an intrusion detection system – used to have to pay big bucks for these – and an intrusion prevention system. Good EDRs will do both of those roles, and it will create a storyline for the post mortem. When we go back and play it back, you can see every event that got triggered and what led eventually to a successful ransomware attack – or even an unsuccessful ransomware attack, because we want to investigate those too to build up our defenses going forward, with everybody, and just learn more and more and more. It may be something we’ve never seen before. That’s not uncommon at all.

One of the cool things is our primary EDR actually has the capability of doing a rollback – for many reasons, but especially in the case of ransomware, even if your files get encrypted, you can click a mouse button and it’ll roll everything back like it never happened. Is it Vendor Service Pro? I think that’s their tagline, “Like it never happened.” You’ve got a fire and they come and clean everything up. It’s like it never even happened. So they’ve got rollbacks built into our primary EDR.

We fortunately have never had to use that, I don’t think. If we have, it’s been very small-scale stuff. There’s only one EDR on the market that has that. It’s patented. That’s why they’re the best.

You want to have humans and automated responses because that fulfills the NIST Cybersecurity Framework. If you’ve been to our main webinars, you know that’s what we do. We are a best of breed NIST organization, beginning to end, top to bottom, left to right, full 360. That’s everything we do.

Just a reminder: EDR is an important layer of that onion. This is just 5 examples. Password manager is a great layer. Spam filtering is a good layer. Continuous cybersecurity awareness training is the best layer because everybody skips over that. Can’t stress it enough that you need security training. Just because there’s a technical solution to the problem, doesn’t mean you don’t train as well.

We often have clients that want to monitor employees, what they’re doing on their computer, are they on Facebook all day long. The very first thing out of my mouth is, “That’s a leadership problem first.” Why use technology to do something that should be addressed as a function of a management team or the owner or the head honcho? You confront them, you encourage them not to do this, and if that doesn’t happen, you move on. Let’s find somebody that wants to work. Yeah, we can do that and we have done that, but the very first thing is I say, you sure you don’t have a management or a leadership problem?

In our company, everybody’s pretty much on their own. I’ve come in, seen guys asleep on the sofa. I’ve come in and guys are on some forum that has nothing to do with work. And I’m good with that. It just depends on what their job is. You’ve got to think – about half of our office are firemen. They’re playing pool, they’re cooking really nice dinners until that fire alarm goes out, and then it’s all hands on deck, let’s go put the fire out, let’s save human lives. So when they want downtime at the office – they’re still there, they’re ready to get in that fire engine and rumble, but yeah, let’s play a little pool or pinball or whatever it may be, air hockey. Like I said, it’s a leadership and management problem.

And of course, backup and disaster recovery. The training is also a leadership issue, too. That’s just smart. That training makes everybody in your organization not just a better employee, but it makes them a more aware person, and it affects their personal life. I think it drops it in half, the likelihood they’re going to fall for a scam – which is the way ransomware is distributed these days. It’s an email that manipulates. In the tech world it’s called social engineering, but in the real world it’s just a scam or a con job that manipulates people to open a file attachment that delivers the payload.

Training will cut in half the likelihood you will suffer an attack or a breach. So you’re already cutting it in half just by doing security training. You drop in an EDR and a password manager, you’re going to be under 1% chance of being attacked successfully. Everybody’s being attacked all the time; you just don’t know it. Hundreds of times a day. And it’s all automated. We’ve talked about that before on the main webinars. Probably need to dip into that on a Deeper Dive sometime, Kindsey.

We are going to launch a new bundle in January. I’m letting you guys know. You can just send an email to Kindsey or me or sales. Fill out the contact form, do a chat on the website, whatever you want to do. Just let us know that you’re interested in getting this new bundle that we’ve created. We distilled it down to the essentials of what you really need. This is before we start talking about SIM tools and maybe changing firewalls. It’s outside the scope of a backup because those are invariably custom for each client’s needs and budgets.

But it looks like for $25 a month per user, you’re going to be able to put a password manager on, you’re going to be able to have the best in the world EDR, and you’re going to get your security awareness training. Now, you can buy just one, but I would only do that if you’re just doing it to try it out. But if you don’t put everybody – a security defense is only as good as the weakest link. You’re not doing yourself a favor if only 3 out of 5 people are getting security awareness training or have the EDR. You’ve got to do it everywhere. It’s an all or nothing deal if you want to do it smart. Any device that’s connected to that network has to be monitored, and any human connected to that network has to have training.

And password management is to keep you from reusing passwords, to increase the complexity of the password, to make sure that all of your credentials are unique, and it also goes out and checks the Dark Web periodically to see if your credentials have been leaked or stolen off of Facebook, which happens all the time, or Yahoo.com. If you use Yahoo, AOL Mail, they get breaches all the time. Facebook really doesn’t care. They’re selling you anyway. You’re the product on Facebook. So your security is really not all that important to Facebook, and the privacy sure as hell is not. That’s what they sell, your privacy.

I’m getting on my soapbox. We got any questions, Kindsey?

KINDSEY: I’m not seeing anything in the chat box just yet.

TOM: Just a reminder, you can get a security assessment from us. It’s only $495. Also, we’ll be putting this all online so you can do online shopping as well. It’s well worth the $500. You will have something in your hand. You’ll know, “What’s it going to cost to protect my business?” What’s the recommended stuff, what’s the absolute minimum – we go through all that with you. It’s part of our orchestration even before you’re a client. You can take that assessment and do whatever you will with it. There’s no obligation whatsoever. So let us know about that.

We’ve still got a 30-day trial of security training, but I think that’s going to go away pretty soon. So if you do want to take advantage of that, I encourage you to reach out right away. Probably come first of the year, that won’t be available anymore because we’ve got a bundle that takes care of that. And onboarding is expensive, by the way, for us.

Like I said, it was going to be a quick show. Look there, 22, almost 23 minutes.

KINDSEY: Yeah, that never happens. [laughs]

TOM: [laughs] Yeah. Did I miss anything, Kindsey? You want to add your two cents?

KINDSEY: We’re not doing a Deeper Dive next week, so we’ll see you guys again on January 5th for “Why You Need to Stop Reusing Your Passwords Now.”

TOM: Perfect topic.

KINDSEY: Yeah.

TOM: Change all the ones that you have reused.

KINDSEY: Yes.

TOM: A good password manager will go in there and find duplicate credentials, and some of them – and I don’t know if 1Password does, but some of them will even go to the site and update your passwords for you, which is kind of neat. Doesn’t always work, but…

KINDSEY: Richard did have a question. Can you explain multi-factor authentication?

TOM: Love to. Multi-factor, or sometimes it’s called 2-factor authentication – and there are technical differences, but I don’t want to get in the weeds on that. Basically, it’s a third, maybe a fourth credential piece. At its basic, when I say the word “credentials,” it’s the authentication method that you are who you say you are when you log into your bank account. At a bare minimum, username, password. Those are the authentication methods.

Multi-factor or 2-factor authentication is going to add a third component, and most of us commonly know it as maybe you’ve got a cash manager with your bank, and they require a hardware device where you hit the button on it and then you punch in a 6-digit number. So if someone were to hack that account, they would also have to have that hardware key because those numbers are algorithmically – they use an algorithm to generate the 6 digits, and then they’re time-sensitive. Usually 5 minutes or so that they’re only good for.

The website knows the algorithm, but no one else does, so once you punch in those 6 digits, the website says, “That’s an authentic number right now,” and it lets you in. Some go a step further. One of my banks uses 4 pieces of ID. I’ve got to have username, password, a PIN, and that 6-digit key. And theirs is hardware or software, so it’s actually on my phone.

When you really get down to it, if you’re just using the bare minimum, which is username and password – the username is easy to figure out. It’s probably an email. That’s not a secret piece of information. So all of these websites are only protected by what that password is. That’s why it’s so critical that it’s a unique password for every login and that it’s complex, because if it’s only 6 or 8 – how long does it take to break an 8-character password, Kindsey? Is it just a few hours?

KINDSEY: A few seconds. It’s not even hours, it’s seconds.

TOM: Yeah, especially if it’s in the dictionary, it’s going to take seconds or minutes to crack it using a brute force attack. Not to mention if it’s your pet’s name, all it takes is somebody that knows you, or anybody that sees your pets’ names on Facebook. They’re in. They can test that stuff and see, and they do it. I’m not just making stuff up. This all happens.

With that third piece of identity, that 2FA or MFA, even if my Facebook credentials were to be stolen and I happened to use it for my bank account – same exact credentials – which I don’t because I know better, but if I did, my bank also requires MFA. So even if somebody used it and tried to log into the bank, without the MFA they would not be able to get into it.

What you should do if you’re practicing good security hygiene is to enable multi-factor authentication on everything you possibly can. On our computers, even in the office, physically on the keyboard, we require MFA. For us it’s really cool because it does a push. We don’t even have to punch in the numbers. We just hit an OK button on the cellphone, and then it logs you in on the computer. So it’s good physical security. We don’t even worry if one of our computers gets stolen. I mean, we worry about it, but the likelihood of somebody physically stealing the computer and causing a data breach is dramatically reduced.

We also do things like encrypt all data at rest. It’s easy to get past an operating system password just by pulling the drive out and plugging it into a USB port on another computer, and then you’ve got direct access to the drive. Well, since the data is encrypted, they can’t see it. So we’ve got both multi-factor authentication in the office, even – of course with remote. If you’re remoting in to your office network from home and you’re not using multi-factor authentication, you’re going to get breached. We require it. We will not set up remote access without multi-factor authentication, just like we don’t take a client on that doesn’t use EDR. If you’re one of our clients, you’ve got EDR, period. No ifs, ands, or buts. We feel the same way about multi-factor authentication.

We don’t have too many things that we force, but those two are so important. I hope that answered your question, Richard. Got any more? Is that it?

KINDSEY: Yeah, I think that’s all.

TOM: Well, I hope everybody has a nice holiday. I guess we’ll see you in 2021.

KINDSEY: Thanks, guys.