
Why Antivirus Isn’t Enough

Did you know relying on antivirus to protect your business is leaving you vulnerable to malicious cyber attacks?

Prefer to read? (Transcription)

DAVIN: Thank you all for attending. I am very, very excited to start this series. Like Kindsey said, there is going to be one every week, every Tuesday at 2 p.m. Central Time. So make sure you sign up for the ones down the road. I’m very excited to talk about this subject today, especially with all the craziness going on in the world right now. Cybersecurity is extremely, extremely important. We’re going to learn about antivirus, about other tools you can use to secure your organization. We’re going to get rid of some myths saying that antivirus is enough, because it clearly is not.

But first, before we start anything, I do want to start it off with the first poll. Have you, or anyone you know, ever been a victim of a ransomware attack? And you might not know about it, actually. I know a lot of people try to keep it secret or something. But it’s very interesting to us, especially now that you may have recently experienced an attack or an attempt at ransomware, especially with everything going on.

TOM: Well, that hits our 20%. There’s three. Oh, we’ve got a real live poll.

KINDSEY: We do. We’re trying it out this go around.

DAVIN: It’s 2022. We have the good stuff.

TOM: Yeah. “Someone I know.”

DAVIN: While y’all are still working on that poll, we’re going to go ahead and get started. These are going to be short 30-minute webinars. They’ll be sweet, down to the point. Of course, if you have questions, we’re going to try to address them as we go along. Oh man, “someone I know,” 56%. That’s wild.

First question is, what is an antivirus? We’re going to throw some words around here. I’m going to get some quick definitions out of the way. But the base definition of an antivirus is it’s a computer program used to prevent and detect and remove malware.

You hear “malware” thrown around; what is that word? Malware is a software that’s designed to disrupt, damage, or gain access to your computer system. Of course, that’s not supposed to happen, so malware is bad; that’s what people know.

Now, what is ransomware? People associate, “Okay, I’ve been cyberattacked; here comes the ransomware.” What’s ransomware? Ransomware is malicious software that basically locks up a computer system until a sum of money is paid (the ransom). But a lot of confusion comes between ransomware and viruses. A lot of people put the two together, ransomware, virus. But they are two different types of malware, ransomware and a virus. We’ll get into that a little bit deeper, but I wanted to knock those definitions out of the way so we can have a smooth show going forward.

Do you have anything to add to that, Tom?

TOM: No. Go right ahead.

DAVIN: Why do you have an antivirus? The way an antivirus works, it is looking for malicious code, malicious signatures. I want you to pay attention to that, malicious code and signatures, as we go along – containing malware, ransomware, viruses, things like that.

The reason we’re having this whole webinar is because when you’ve had antiviruses – Norton, McAfee – that’s what you’ve been told that you need for years and years and years, and that’s what everybody’s been using. But technology is changing. Cyber threats are changing. As we go along, cybersecurity is changing as well.

It brings us to the question: why is antivirus useless? Why do you not need it anymore? That’s because it’s detecting threats too late. Everyone needs something to monitor in real time. I’ll put this in perspective. I watched a recent show called Inventing Anna. You may have seen it; it’s on Netflix. It’s about a con artist. She is young, she goes into New York, and she goes to all these different hotels and she makes them believe that she has a trust fund coming in with millions and millions of dollars. So she stays at these nice hotels, lives this lavish lifestyle, and tells them that her father will pay, it’ll get taken care of. Then she leaves, goes to the next one.

She leaves this trail of about 10 or 15 hotels left with all this damage because she didn’t pay, she was lying, she’s a con artist, and now they can’t do anything, they can’t get anything back until someone puts her face up on a poster and says, “Hey, don’t let this lady in your hotel. She’s not going to pay.” That’s a brief example. I don’t want to ruin the show, but that’s similar to how an antivirus works.

It’s looking for malicious code and virus signatures that are already known to be malicious. For them to be known, they have to have successful attacks over the past maybe 3 to 6 months, basically making them old and useless, and now there’s a new threat in place. That’s why everyone needs something to monitor in real time. Of course, that leads on to what that tool is. But antivirus is all we’ve known.

One – I don’t want to say bad thing, but it just comes with antivirus and what we’ve seen is also false positives. You understand how the antivirus works, but one bad thing on the end of the antivirus is if it detects something that it believes is a virus or believes is malicious, it has actions to delete it, and if it’s wrong, then on the back end, possible client information, very confidential files that you need and are filed to your business may get deleted in the process. That’s what we’re seeing a lot of companies and organizations complain about or have to deal with because of the antivirus.

Now, I brought up that ransomware is not a virus and it doesn’t contain a virus, because antivirus is looking for virus signatures. That’s where the name “antivirus” comes from. You say, “Okay, if antivirus can’t stop or find ransomware, why do you need it?” And that’s why we’re here today.

Tom, before we move on, do you have anything to add on antivirus?

TOM: Just quit using it. Actually, the one that’s built into Windows, Windows Defender, is pretty good these days as far as using an antivirus. But I always go back to reasonable efforts. Some of you, especially if you’ve got ethics requirements, rules of professional conduct, you’ve got to make reasonable efforts to protect your client data. And if I’m asked to testify in a case that involves a data breach – say it’s with a law firm, and they’re not doing the 5 things, they’re not doing what you’re about to present – I would have to say that no, they weren’t making reasonable efforts. That “reasonable efforts” phrase when it comes to cybersecurity is different than it was just 5 years ago.

DAVIN: I’m glad you mentioned that. We’re actually going to touch on that and compliance and things like that as we go on.

The next thing is, so you don’t need an antivirus; what do you need? What everyone in cybersecurity is talking about and what all organizations are moving towards, and even – we’ll talk about this in a little bit – insurance companies are requiring this as well, and that is an EDR. What does EDR stand for? EDR is endpoint detection and response. You may have heard it called endpoint threat detection and response or MEDR, managed endpoint detection and response.

Why should you have it? Like I said, antivirus is looking for threats 3 to 6 months old. You need something to monitor in real time. That’s where the EDR comes in. The EDR doesn’t look for malicious code or signatures. What makes it different is that it is behavior-based. It’s looking for malicious behavior/activity, anomalous activity, activity that shouldn’t be happening.

For example, when you open a Word document, there’s specific activity that’s supposed to happen every single time. If you get an email with a Word document attached, you click on that, a specific activity is supposed to happen. But if you click on it, it may try to create a folder in the background or maybe access a folder in the background. Of course, that’s not supposed to happen. What the EDR does is, one, analyze that activity. It detects it in real time using AI or machine learning, and it’ll analyze that threat. If it is a threat, it has the ability to kill it and get rid of it, make sure it doesn’t spread to any other devices within your network, your server, anything like that, but also make sure it doesn’t happen again and make sure no further damage has occurred.

One big thing about EDR is it does not rely on virus signatures. Like I said, it’s looking for that behavior. Ransomware does not contain a virus. The way the EDR works and why if everyone simply had an EDR now, you may not be hearing about cybersecurity as much – of course, with everything going on in the world, cyber war going on, you’re definitely going to hear about cyber threats and cyberattacks and ransomware and all these different things going on. But if you have the proper tools in place to keep up with the ever-changing cyber threats, then I can guarantee you can sleep a little bit better at night.

I don’t know how well Tom is sleeping at night. I know he’s keeping up with all the different cyber threats and what’s going on with the war.

TOM: Pins and needles.

DAVIN: Yeah, pins and needles. But EDR is basically the cybersecurity of the future. Antivirus is old. It worked, and of course it still has its perks here and there, but everyone is needing an EDR. Like Tom was saying, compliance. We’re going to get into this a little bit deeper in a second.

We did a recent webinar last month where I spoke on cybersecurity and cyber insurance and different requirements and compliance requirements, things like that. We are seeing a lot of cyber insurance policies require different cybersecurity tools such as an EDR. We’ll get on to the 5 things in a little bit, but you’re going to start hearing EDR a lot more. Endpoint threat detection and response. You’re going to be possibly required to have these tools in place down the road, if not in the next 6 months, in the next year. EDR is very important, but that’s not it. There’s a lot more.

This has been a lot of information real fast, so we’ll take a quick break, and I do have another question regarding what you are relying on. Are you relying on antivirus to protect your business? Do you have other tools in place? Is that number one? Is that all you’re using? We definitely want to know.

It’s 50/50. Ah, interesting. Very interesting.

TOM: Now I want to know what the no’s are using.

DAVIN: I know, right? I’m interested.

TOM: Throw it up in chat if you’re using an alternative to antivirus. I’m curious to know that. And I know that everybody’s got spam filters and firewalls and other things, but I’m just curious to know what is the endpoint detection technology. Because you’ve got to have endpoint detection. Even if you’re all in the cloud, you’ve got virtual desktops – probably you don’t, but if you do, those things don’t go away just because you’re in the cloud.

There’s a good one. “Subscribe to IronTech Security.” Thank you very much. [laughs]

DAVIN: [laughs] That’s funny.

TOM: Yep, that’s great. Thanks for the plug, Bruce. Check’s in the mail. Michael’s saying he keeps a separate copy offsite, always. Don’t underestimate the downtime, because that computer pretty much becomes useless once it’s got an active ransomware or anything else on it, for that matter. Another IronTech. Thank you, Frank. I’m just kidding about the checks, guys. [laughs]

We lose a lot of sleep when the Russians are invading Ukraine, by the way.

DAVIN: It’s been a busy week.

TOM: That’s the first thing I do when I wake up in the morning, if I sleep much at night now. Go to CNN and check our alerts.

DAVIN: Keep up to date.

TOM: Yeah.

DAVIN: I’m glad you mentioned that, though, because you not sleeping, our team not sleeping, isn’t just out of coincidence. It goes back to what you need to secure your organization, which is the 5 things. We call it the 5 things. You’re going to hear that a lot over the next 6 weeks. If you’re listening to us and we don’t mention the 5 things, something’s wrong. You should check on us, definitely. This is what is essential.

It’s not just us saying this. You should be able to see the document right there. That is a document from the White House recommending the 5 key important things that you need to secure your organization.

I know this is me and Tom’s favorite thing to speak on. You have a list of 5 things here. I want to really focus on that first thing you see: a skilled security team. That is number one, because if you have a skilled security team in place, then two, three, four, five, the rest right below all come with that skilled security team. That’s what you should expect from them, and that’s what they should give you.

When we talk about a skilled security team, Tom was talking about how he’s not sleeping much at night. He wakes up in the morning and we’re checking updates to see what’s going on with the war. That’s because our skilled security team here at IronTech has to. It’s our day to day, 24/7. We have to keep up with different threats that are going on in the world, where the threats are coming from. Shoot, in the past week, we’ve seen a crazy influx in the amount of activity just from Russia and Ukraine. We’ve taken a very serious amount of security precautions because that’s what we do. We are a security team. We’re here to protect our clients, their customers, and anyone who needs help, and we are doing that by these 5 things.

You see deploy EDR in there. It’s recommended not only by us, but the White House. Insurance companies, like I said, they’re requiring it. Right above that you see use MFA. What is MFA? You’ve probably heard of it: multi-factor authentication, 2-factor authentication. It is extremely, extremely important in today’s time. Tom, do you have anything to add on MFA and that security team?

TOM: Well, at the risk of ruining the next slides, I just want to simply say that the thing that Anne is pointing out here that’s very clever, I think – and remember, this is an open letter to businesspeople. The government can only do so many things. But none of this stuff works without a skilled security team already in place. We get calls from people that it’s too late. “We need some protection, but you’ve got to get this stuff off our network.” That is actually not our specialty. We can do it, but we’re in the business of not allowing it to happen in the first place.

But without that skilled security team, that EDR technology that Davin’s talking about, you’ve still got to have that security team already in place to detect and respond. The best technical controls still need human oversight and human involvement because the threats – especially when you’re talking nation-state, cyber warfare tools, which is the world we live in now – it didn’t start with this latest deal with Ukraine. It started 5 or 6 years ago.

Everyone’s really got to have a skilled security team, and the skilled security team is what’s going to continuously incorporate new threat intelligence. It’s going to know if we need to tighten up EDR settings, and maybe we need to use MFA or require it for certain other things that we didn’t before because the threat landscape is totally different. None of this other stuff works without a skilled security team.

DAVIN: That’s true. Let me stop there real quick. The importance of a skilled security team is not just happening now. In 2021, the number one position in a corporate organization – the position that got the highest raise in a company over 2021 was the chief technology officer and the CISO, the chief information security officer. In our other slides, you’ll see how we talk about CISOs and security teams. But this is nothing new. It’s happening and it’s important. A security team is essential now to take care of and protect your organization.

I want to touch on that last point: continuously incorporate new threat information into defenses. That means continuously upgrade your security. I want to point out – I could bet money that everyone on the webinar today has an IT person or IT team that of course takes care of the technology in their office.

Well, the difference between IT and infosec – they both work in the technology world, but they both have their specialties. IT keeps everything up and running, makes sure everything runs smooth, you don’t have any problems. But their number one focus isn’t security. The information security team’s number one focus is making sure you have these 5 things and protecting you and your organization and your clients. That’s their number one focus. You have to have that because they’re the ones that are continuously keeping up with the cyber threats, updating the cybersecurity, making sure you have the best of the best security in place.

Security is not something to settle for less on. You shouldn’t save a buck on security. Security is important. You have to have it.

TOM: Yeah, it’s the cost of doing business. These 5 things that the White House is saying – it’s not us. It’s not IronTech Security, “You need to do all this.” And by the way, you can do MFA yourself. Now, if you need remote desktop access, then we’ve got a good MFA solution. That does need to be paid for. But you can turn on MFA on your Amazon account, your Facebook account. Storage encryption is built into all modern operating systems. That’s something you can turn on.

But what you can’t do is respond and detect and investigate the things that just don’t smell right, things that are suspicious. Those have to be looked into, and relying on your IT team is putting them in a position where that’s not their job. Their job is a day-to-day profitability, bottom line-focused task. “Just make it run. Fade into the background. Let me just be an accountant or let me be an attorney. I want to practice law.”

To a skilled security team, security is job one. We understand when a hit has to be taken on productivity. We’re looking at the long-term health of the organization, because a serious cyber breach, for probably everyone on this webinar, could potentially and statistically put you out of business. And that’s not IT’s job. It would be like say you need a quadruple bypass heart surgery and your buddy’s a neurosurgeon, and you really like him and he’s really smart. Are you going to go to him for heart surgery? I mean, I know they won’t take it, but it really is two completely different things.

DAVIN: Yes. That brings us to the next question, next poll – the last poll, I promise. Are you using a skilled security team? We saw a few people –

TOM: Well, we already know the IronTech people have a skilled security team. And it’s okay if you do it yourself. These are not embarrassing. We’re not going to take these and target you with emails and stuff like that.

DAVIN: One thing I am curious about – of course, this is Episode 1, so I would be curious to ask these same questions in Episode 6 and maybe see how the answers change. Maybe down the road you see some no’s turn to yeses, things like that. This information is important to us and it does help us, but it’s very interesting to see.

TOM: 27% are doing it themselves. I actually added that to the main webinars. I don’t know how many people in here have seen one of the CLEs or continuing education webinars, but what Anne is saying in the White House letter is it’s no longer do-it-yourself. Arguably, if it ever was. But it is definitely not now. Just a word to the wise. The true business leaders, the visionary leaders, recognize that. They recognize it’s the cost of doing business, and they’re taking it seriously, and they’re treating it as an investment to potentially save their firm.

DAVIN: Yeah, the longevity of their firm, make sure it lasts.

TOM: Yep. And it’s not that expensive to do it right.

DAVIN: I love the little picture down there. What do you need to do? It’s simple. You need to speak with an infosec specialist. It’s very simple. Right below, you see meeting.irontechsecurity.com, where you can schedule a direct short chat with me. You can also send an email.

But I also want to share my personal phone number. You can call that. I would say at any time, but I go to bed pretty early. [laughs] Call in business hours. But I want to talk to you. I want to answer your questions. If you have any concerns regarding maybe possible weak spots in your organization, “I’m not too sure about the safety of our passwords,” “We are relying on Norton right now and we have some very valuable information we need to protect; what do we need to do?” – we have a team. I can answer those questions. I love talking to anyone and everyone regarding cybersecurity. But we also have a big team that is willing to help you, help understand your organization, where your risks and vulnerabilities are, so then you can put a plan and some security controls in place to take care of that.

We’re coming up on the 30-minute mark. I want to make sure you’ve got the good meat out of this webinar. You understand that antivirus is not enough anymore. We’ve been relying on it for years, and it’s old news. Cyber threats are changing. You’re seeing that now; you may be experiencing that now. But there are things you can do, things you can put in place to protect yourself, your organization, your information as a company, and also your clients’ organizations as well.

There are new compliance requirements that are coming out regarding security, and you need help. You need a specialist. That’s what we’re here for. This is just the first episode. We talked about antivirus, you learned about EDR. In the next 5 weeks, we’ll have different topics – password managers, we’ll dive a little bit deeper into the 5 things, we’ll talk about different security controls, maybe get rid of some myths you’re hearing out there regarding cybersecurity.

But we want to hear from you. If there’s a certain topic that you want a webinar on, a deeper dive on, or you’re curious about, feel free to put that in the chat box. I’d love to know. Of course, this isn’t just a 6-week series; we may do one later in the year. We’ll definitely have one next year. But I want to make sure all your questions and topics are talked about and answered and you have as much information to make the best decision for your organization and your clients that you can.

TOM: I think those 5 things – you know what that is? I’m going to get in the weeds here a little bit.

DAVIN: Yeah, come on.

TOM: Those 5 things are what’s known as a defense-in-depth strategy, or a layered defense strategy. What it means is for all of our clients, we’ve either put in place or they have in place multiple layers of defense. A spam filter catches a lot of the phishing emails with the ransomware, but it’s not 100%. Security awareness training cuts your risk in half right there.

The more layers that we can add, practically and realistically – because no one has all the layers; you would think as a security company, we would have all the layers, but even we don’t.

DAVIN: There’s always more.

TOM: It becomes a risk and reward. What’s the likelihood that this other layer is actually going to stop an attack in our environment? If it’s past the five nines, it’s 0.0001%, it’s up for discussion. We may not need it. It’s all about the risk, analyzing and understanding and accepting the risk. I’m here to say if you don’t have the 5 things, or the 4 things if you don’t need multi-factor – if you don’t have it, your risk is way too high. It’s unacceptable. It’s not reasonable efforts.

But what Davin’s specialty is – and that meeting.irontechsecurity.com, Kindsey put a link in the chat box – all that is about is to get you on the calendar, and Davin can quickly tell you what you need. It’s not going to take a lot of time. For the larger organizations out there, and you’ve got other decision-makers involved, we may want to take you down an assessment and do it formal and document your vulnerabilities and all of those things.

But really and truly, it’s an easy, painless thing. If you don’t have the 5 things, we know you need them. That’s it. And it’s not just the White House. It’s not just IronTech. We’ve been doing this for years. The White House just came out with that less than a year ago, about 8 months ago, I think. But that’s what we’ve been doing for years. It’s best practices inside the industry, using best of breed both technical controls and administrative controls. So I encourage you to at least reach out and say hi to Davin. He’s a good guy.

DAVIN: I appreciate that. Man, I’ve had a good introduction, a good closing. I keep some good friends around me, that’s for sure.

TOM: You have a lot of fans.

DAVIN: [laughs] I appreciate everyone hopping on today. Like I said, hope you got some good information. Next week, tune in Tuesday, 2:00. You’ll see the links everywhere. We’ll make sure we reach out to you. I appreciate you attending, and I’ll speak to you next week.