Think of it this way (and I am oversimplifying).
An Anti-Virus to me means "I look for **files** that match known patterns, strings, names etc". I.e. it has a database (definitions) of what it is looking for.
EDR/XDR includes Anti-Virus but adds capabilities like "If you see a process doing something funky like phoning home to a known C&C IP, block it". The process may not be "known" but the behaviour it exhibits matches a pattern of behaviour that is inherently malicious.
Depending on what vendor you ask, capabilities also included in EDR/XDR are: WAF, IDS, IPS, Host Firewall, DLP etc.
I just want to add that even though this definition of anti-virus is entirely correct it's a little outdated, most modern AVs will also have capabilities beyond simple signature matching.
So if you already have an EDR solution in place like Sentinel one I guess, is the incremental value of an IDS like claroty or Nozomi only related to asset details?
With IDS there is HIDS (host-based IDS) and NIDS (network-based IDS). If you have S1 you presumably are covering HIDS.
Claroty and Nozomi are (I think) NIDS. These protect your whole network, regardless of whether you have HIDS on the devices within it.
NIDS would prevent int**e**rnet (cross-network) attacks, HIDS would protect against intr**a**net (within the same subnet) but only cover devices that have it installed.
Use a HIDS if you "manage" all the devices on your LAN. Like a corporate network. (And I mean all, no exceptions, no way to connect random devices etc.)
Use a NIDS if you can't put HIDS on all the devices on your LAN. Like an IoT LAN.
NIDS is also useful to identify devices on your LAN that you should, but are not currently, managing.
Use both if you have an unlimited budget and time.
Oh, that’s right, makes sense. Claroty and Nozomi are definitely both network-based IDS, since they use SPAN ports to do passive monitoring and then active querying from their host server. Versus on the AV side, I guess you’re just looking at the details of the device where the agent is installed, nothing outside of that machine.
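As an added illustration of the three detection layers this thread distinguishes (the signature-based AV in the comment that starts "Think of it this way", the behaviour-based EDR/HIDS agent on a managed host, and the passive NIDS on a SPAN port just described, including its side effect of surfacing unmanaged devices), here is a toy Python model. It is not code from the thread or from any of the vendors named; the definitions, the C2 IP, the host inventory, the process events and the flows are all constructed, and the rules are deliberately simple stand-ins for what real products do.

```python
# Added example (not from the thread): three detection layers side by side.
# All "threat intel" (hash, string, C2 IP), hosts, events and flows are constructed.
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# --- Layer 1: traditional AV. Match *files* against a definitions database.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ-constructed-malware-sample").hexdigest()}
KNOWN_BAD_STRINGS = [b"evil-dropper-marker"]


def av_scan(file_bytes: bytes) -> list[str]:
    """Signature scan: return the definitions the file matches (empty = clean)."""
    hits = []
    if hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256:
        hits.append("hash:known-bad-sample")
    for s in KNOWN_BAD_STRINGS:
        if s in file_bytes:
            hits.append(f"string:{s.decode()}")
    return hits


# --- Layer 2: EDR / HIDS. Judge the *behaviour* of a process on a managed host.
@dataclass
class ProcessEvent:
    host: str
    pid: int
    image: str
    action: str   # "connect" or "write_file"
    target: str   # remote IP for connect, file path for write_file


KNOWN_C2_IPS = {"203.0.113.7"}  # constructed; a real agent uses vendor feeds
# Constructed assumption: office apps writing executables is treated as suspicious.
OFFICE_IMAGES = {"winword.exe", "excel.exe"}


def edr_rule(ev: ProcessEvent) -> str | None:
    """Return a verdict for one host event, or None if nothing looks wrong."""
    if ev.action == "connect" and ev.target in KNOWN_C2_IPS:
        return f"block:{ev.host}:pid{ev.pid}:{ev.image} phoned home to known C2 {ev.target}"
    if (ev.action == "write_file" and ev.image.lower() in OFFICE_IMAGES
            and ev.target.lower().endswith((".exe", ".dll"))):
        return f"alert:{ev.host}:pid{ev.pid}:{ev.image} dropped executable {ev.target}"
    return None


# --- Layer 3: NIDS. Passive view of flows from a SPAN port; no agent needed,
# so it also sees hosts that have no HIDS installed.
@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class NidsResult:
    alerts: list[str] = field(default_factory=list)
    unmanaged_hosts: set[str] = field(default_factory=set)


def nids_scan(flows: list[Flow], managed_hosts: set[str]) -> NidsResult:
    """Flag C2 traffic from *any* LAN host and list hosts missing from the managed inventory."""
    res = NidsResult()
    for f in flows:
        if f.dst_ip in KNOWN_C2_IPS:
            res.alerts.append(f"c2-traffic:{f.src_ip}->{f.dst_ip}:{f.dst_port}")
        if f.src_ip not in managed_hosts:
            res.unmanaged_hosts.add(f.src_ip)
    return res


if __name__ == "__main__":
    print(av_scan(b"MZ-constructed-malware-sample"))
    print(edr_rule(ProcessEvent("ws01", 4242, "updater.exe", "connect", "203.0.113.7")))
    flows = [Flow("10.0.0.5", "203.0.113.7", 443), Flow("10.0.0.9", "198.51.100.20", 80)]
    print(nids_scan(flows, managed_hosts={"10.0.0.5"}))
```

The point of the split is what each layer can and cannot see: `av_scan` only knows bytes it has definitions for, `edr_rule` can block an unknown binary purely on what it does but only on hosts that run the agent, and `nids_scan` catches the same C2 connection from the IoT device at 10.0.0.9 that no agent covers, while also reporting that host as unmanaged.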
Which XDR solution are you using on your personal device?
Bitdefender is just nice and I play the game where I buy a family account for very little money over as many years as possible then protect 15 + computers across my family and extended family so that hopefully I don't have to deal with them installing malware.
[deleted]
No notable performance impact and a non-invasive GUI. All the usual signature and behaviour based monitoring. Bitdefender performs well in testing (see av-test.org) and makes a good product. I also tend to manipulate a good price when renewal rocks up.
Yes we do. We use anything and everything. Defense in Depth.
[deleted]
Regular Defender is Antivirus. Defender for Endpoint is a full EDR platform. Of all the products that Microsoft hasn’t renamed, this is the one that needs it the most.
It's actually getting renamed to Microsoft XDR.
No that's wrong, Microsoft XDR is the full security suite which covers:
- Defender for Endpoint (+ vulnerability)
- Defender for Identity
- Defender for Office 365
- Defender for Cloud Apps
It also integrates with:
- Microsoft Purview
- Microsoft Entra ID Protection
- Microsoft Defender for Cloud
Defender XDR is just the new name for Defender 365.
Defender for Endpoint is the "NGAV/EDR" solution.
Preach brother/sister as someone who is trapped in a role tethered in Microsoft hell.
I had not heard this but this is great.
I think Defender XDR incorporates/supersedes a lot/all of the functionality of Defender for Endpoint, Defender for Cloud, Defender for O365 etc
Correct. Defender XDR is the main portal for incidents/alerts and for configuring the various parts of Defender (Endpoint/Cloud Apps/Identity/O365) and also Entra ID Protection and Defender for Cloud (which is still Azure based).
Not quite. See below. Defender XDR is the portal for the Defender suite. Edit: ahh the vagaries of Reddit… this comment is in response to boxofcookies and should read "see above" for lesgrosgainz.
Working in a corporate setting as the primary owner for the org's Defender suite, all too often people in IT roles oversimplify Defender as a bare-bones AV. It's multiple products (7-9) carrying the same name to a degree, and in an E5 license setting you can't just lump all of its products into one simple role. I wish Microsoft would stop hyper-focusing on what to name its administrative portals (Azure AD / Azure / Entra ID, Intune, Endpoint etc. and related products) and instead rename Defender's product lines.
Yes, but isn't the only difference with the EDR sku centralized mgmt and reporting (and some mdr/xdr for plan 2)? The local agent doesn't change.
For personal use that’s probably fair but for enterprise it’s EDR/XDR depending on the deployment
Agreed, the opinion I have heard is that Microsoft has improved defender enough as a product to be plenty fine for personal use for most people. Defender also has some other functionality built in such as DEP to where unless you are a Corp that has "crown jewels" to protect it will probably cover what you need at no additional cost. Which matters a lot more for personal users.
Defender for Endpoint is a beast when deployed properly for unifying most of the common security policies in a hybrid environment. If configured properly by an infosec team, it can overrule IT doing stupid things at the MECM --> devices level.
OP asked about personal machines and everyone is replying with enterprise use cases?
Just for clarity, there are no pattern-only AVs anymore as far as I can tell; pretty much everything is NextGen AV (most good, some bad). It's essential, if you care about your security team's sanity, regardless of your EDR/XDR. In most cases EDR requires execution for detection; imagine if you could prevent 80% of threats from being written to disk or executed in the first place. Fewer P1s, less investigation, fewer responses needed.
In virtually every incident response engagement I've worked AV detected or stopped something. It's just the fact that people suck at monitoring defender or legacy AV. It shouldn't be the only thing there (pair with EDR) but it's still super useful.
Same for me in my IR experience. Or our non-fully-managed clients saying "expected behavior" to our partner, and it's not.
I can't think of any security software at this point that only does old-style AV. Pretty much all the products I can think of off the top of my head also implement some level of EDR functionality. Seems like AV just became EDR, and it was renamed because shiny.
If you use Windows, you have antivirus unless you specifically disable it
A lot of desktops are locked down so that new installations and unauthorised code simply don’t run. In a high security corporate environment both whitelisting and blacklisting are often used. There are always backdoors and vulnerabilities that can be exploited so AV is always used but you might not see it. Sometimes it is hidden from the user. AV with pattern recognition is no longer enough because most malware is encoded to avoid the pattern recognition. So there are many triggers that can be activated whilst running: the sentinels, process monitors, file monitors and more can figure out what is misbehaving and examine the process tree. Everything in the tree is usually shut down, copied and sent back to the AV vendor. Just check the conditions and you will see that you have agreed to this. Defender from Microsoft is usually enough and there is a monthly cleanup and scan that is included as part of Microsoft updates that does scans and removal for the most active malware. Anything which opens invalid ports or uses invalid MAC or IP numbers etc. is usually picked up by the network edge and the machines can be knocked off the internet and locked, forcing the user to bring them in. Sometimes though a laptop can be cleaned up remotely and this has been common in some organisations for about 30 years.
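The "examine the process tree, shut everything in it down and copy it" step in the comment above, shown as an added Python example rather than anything from the thread or from a real agent: starting from one flagged process, walk up to the nearest long-lived trusted parent (a constructed list of system/shell images), then collect the whole subtree below that point for termination and for artefact collection. The process records are constructed sample data, and an unrelated sibling process is included to show it is left alone.

```python
# Added example (not from the thread): process-tree containment from one flagged pid.
# Process records and the TRUSTED_ROOTS list are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


# Constructed assumption: the walk up the tree stops *below* these long-lived
# processes, so a flagged child of explorer.exe never takes explorer.exe down.
TRUSTED_ROOTS = {"explorer.exe", "services.exe", "wininit.exe", "svchost.exe"}


def build_index(procs: list[Proc]) -> tuple[dict[int, Proc], dict[int, list[int]]]:
    """Index processes by pid and build a parent -> children map."""
    by_pid = {p.pid: p for p in procs}
    children: dict[int, list[int]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)
    return by_pid, children


def containment_root(pid: int, by_pid: dict[int, Proc]) -> int:
    """Walk up from the flagged process until the parent is trusted or missing."""
    cur = pid
    while True:
        parent = by_pid.get(by_pid[cur].ppid)
        if parent is None or parent.image.lower() in TRUSTED_ROOTS:
            return cur
        cur = parent.pid


def subtree(pid: int, children: dict[int, list[int]]) -> list[int]:
    """All pids in the tree rooted at pid, in pre-order (parents before children)."""
    out, stack = [], [pid]
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(reversed(children.get(cur, [])))  # keep left-to-right order
    return out


def plan_containment(procs: list[Proc], flagged_pid: int) -> dict:
    """Decide what to terminate and which images to copy for the vendor."""
    by_pid, children = build_index(procs)
    root = containment_root(flagged_pid, by_pid)
    pids = subtree(root, children)
    return {
        "root": root,
        "terminate": pids,                                 # pre-order: kill parents first
        "collect": sorted({by_pid[p].image for p in pids}),  # artefacts to copy
    }


# Constructed sample tree: explorer -> Word -> cmd -> powershell -> two children,
# plus an unrelated browser under explorer that must not be touched.
SAMPLE_PROCS = [
    Proc(1000, 0, "explorer.exe"),
    Proc(2000, 1000, "WINWORD.EXE"),
    Proc(2100, 2000, "cmd.exe"),
    Proc(2200, 2100, "powershell.exe"),
    Proc(2300, 2200, "updater.exe"),   # the process the behaviour rule flagged
    Proc(2400, 2200, "helper.exe"),
    Proc(3000, 1000, "chrome.exe"),
]

if __name__ == "__main__":
    print(plan_containment(SAMPLE_PROCS, flagged_pid=2300))
```

Walking up before walking down is what turns "one suspicious process" into "the whole chain that led to it": the flagged `updater.exe` alone would leave its `powershell.exe` and `cmd.exe` parents alive to respawn it, while stopping at `explorer.exe` keeps the user's desktop and the unrelated `chrome.exe` running.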
Define traditional. I’d imagine most people use basic AV (windows defender for example). What they don’t use is full on EDR (defender for endpoint as an example) because of cost
It's a nice safety net. Your behavior online is a far better method to avoid malicious software, but AV tools can help when you make a mistake (everyone makes mistakes). Relying on AV tools to keep you safe is a poor security practice. :)
Most AVs these days have evolved with the threats, and can detect most kinds of malware if it's been seen already as well as some novel kinds by using behavior analysis. It's still a valid tool by all means, but not the only protection you should rely on by any means.
But why would I go all out on my personal laptop. I find anti virus just fine.
Part of the problem with answering this is EDR. EDR and traditional antivirus overlap significantly. They do similar jobs but do them in different ways; with EDR generally being more advanced than AV. The overlap can be significant enough that some orgs rely on EDR alone. For example, completely possible to forego AV in a PCI environment with a competently maintained EDR solution. The other issue is that OS protections have increased significantly reducing the likelihood an AV would ever trigger. Is traditional AV dead? No. Defence in depth, diversification, yadda yadda. But if it’s not present, depending on the use case or context, it wouldn’t alarm me either.
The other things are secure configurations, standard user with JIT/PAM for escalation, MDR (like Huntress), DNS filtering if there isn't a firewall to do it, browser hardening, for Windows I use application whitelisting as well.
Just stick with Norton 2003 Suite.
Well, I think antivirus is very useful, especially if you complement it with another CIS control. Specifically in the network. Yeah, it might be extra, but nothing is great when it's left on its own.
Traditional antivirus are outdated, best to have an edr/xdr solution
Just don’t go to weird sites. And if you do need to then use a VM and then blow it away when you’re done.
Edr instead
You don’t need one. I’m a sailor in the ocean of the internet so you’d think I’m confronted with sensitive stuff or whatever else, but I still don’t need it. At the very least, please, don’t pay.
Windows is the ultimate virus. Ditching that is the most antivirus thing you can do.
How much do clothes cost in the matrix?
So edgy...
Whatever that means…
Yes dear, do you need a lie down?
Linux people are cute… what colour is the sky in your world?
Outdated tech, replaced by application whitelisting.
You do application whitelisting on your personal device?
I do for some, primarily those I use for network analysis stuff. Easy to do: take a fresh known-clean image and do a scan after that, not an issue.
EDR has taken over the traditional antivirus space. Smaller disciplined organizations could make use of something like MSFT Defender or Wazuh, but if there's a budget for an EDR solution I'd go with that.