
The connection between Ping-Pongs and Letters

  • Writer:  Avi Orenstein
  • May 16
  • 5 min read

Updated: May 20

Illustration of a 'Cyber Dinosaur' navigating the modern tech landscape, set in the serene environment of my garden

Well, it all started with some big guys dropping 5 humongous cardboard boxes in my room one day. I was only eleven years old, with a shiny new Packard Bell PC with floppy drives (1.2M and 1.44M in size). After fiddling around with PC-DOS, MS-DOS and lots of other stuff that I knew nothing about, I had a thirst for something fun. Let's go get some games, I thought; it's easy, harmless. How little did I know then. In my day I had to go to the friendly neighborhood computer shop to Diskcopy some freeware games onto my diskettes. I came home that day happy as a lark, waving my new treasure: an all-in-one, 50-games-on-one-diskette collection.


I happily opened the drive's latch, inserted the diskette, closed the latch and booted to the menu. After choosing my ASCII-based snake and starting to play, something weird started happening. Nothing could stop that cursed, miserable little "o" dot that started bouncing around my screen....

I hurried back to the store sobbing my brains out, and they patiently sat me down and explained to me that this was my first encounter with another species: the common Ping-Pong virus.


Then they introduced my first two antivirus programs, Eliashim and Carmel, and explained that I needed to run them and everything would be fine.

From there I have encountered numerous vendors with great promises to protect my home from unkn0wn malicious viruses, worms and other spawns of evil that try to drive me insane.

Beware of hidden costs

An Illustration of hidden costs in managing holding the fortress secured

Antivirus has gone through a spiral of technological change in the last 20 years.

AV -> NGAV -> EPS (Endpoint Security) -> EDR -> XDR -> ?

Q: So AV was not enough? What was missing?

A: Centralized management, and detection that does not depend on signatures alone: NGAV (Next-Gen Antivirus).

Q: So NGAV is not enough either?

A: Yes, of course it is, but what should we do when a USB drive is connected? Let's look at the computer as an endpoint and map the peripherals that transfer data to and from it. Let's control the applications and devices, and scan them for the DNA of viruses.

Q: So why are EDR and XDR needed?

A: In short: the technology and the cyber threats it has to handle both grew up. The long answer: we need to define what EDR and XDR are. EDR is an endpoint security solution that continuously monitors end-user devices and their activity to detect (eDr) and respond (edR) to cyber threats, malware and ransomware; beyond blocking, it records process, file and network telemetry so an analyst can reconstruct what happened on the machine. XDR is the eXtended detection and response solution: it takes that telemetry beyond the endpoint and correlates it with network, email, identity and cloud signals, for broader visibility and enhanced threat detection and response.

In my opinion, this is mostly spin. Each vendor has its own unique way of managing, displaying and giving its value.


Q: So what is missing you might think?


A1: Well, the answer is not that simple. It depends on the size of your SecOps (Security Operations) team.

If you are managing a small company with fewer than a hundred endpoints, I would look for a system that operates with no visible maintenance and no visible human interaction. A cloud-managed endpoint security product would suffice; there is no need for a grand solution that gives threat hunters the ability to investigate and hunt for IOCs (Indicators of Compromise) or IOAs (Indicators of Attack).


A2: If you have an enterprise organization on your hands, this is a whole different story.

As a veteran of enterprise information and cyber security, I think it depends on your technological appetite for "peace and quiet". If you have a thriving security team with the lust to research, threat hunt, run bug bounties, do intelligence and so forth, definitely go for XSOAR + XDR + cloud threat hunting and more.


Q: And if I'm not interested in that, and just want to keep my enterprise safe and sleep with both eyes closed?


A: To achieve that serenity at home, once we install our all-in-one endpoint security solution, I would consider outsourcing your security service to a qualified MDR (Managed Detection and Response) provider and letting them be responsible for designing, implementing and maintaining the whole endpoint security cycle.


My first Ransom Letter


From "LOVELETTER" to ransomware letter

It started as early as 1989 with the first documented ransomware, known as the AIDS trojan, which was mailed out on about 20,000 floppy disks. Since then ransomware has grown exponentially, both in the number of attacks and in the money it extracts, reaching hundreds of millions of attacks a year today.

Q: But what can we do about those ransom letters?

A: Avoid getting those letters as much as possible. Yes, you are bound to get one sometime; DON'T, JUST DON'T answer them. CUT THE COMPUTER'S POWER CORD, come out blazing with the AV guns. OK, seriously:


  1. Back up all your important data, AND PLEASE TEST THAT YOU CAN RESTORE IT. Keep at least one copy offline or otherwise unreachable from the production network, so the ransomware cannot encrypt the backups too.

  2. Map all your data transfer streams.

  3. Make sure that you secure all your incoming and outgoing data streams.

  4. Make sure your endpoint security solution deals with all data stream types (email, encrypted and non-encrypted web traffic, file transfers, binary file traffic, disk access).

  5. Make sure you update your signature-based and heuristic prevention mechanisms daily.

  6. Run visibility tools so you can detect organization computers without an endpoint security agent.

  7. Mitigate what you find and tighten the security belt around your "organizational" waist.

  8. Enforce a security posture check on network access (wireless and wired connectivity), so that a machine without a healthy agent does not get onto the production network.
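Items 5 and 6 above are the ones that quietly fail in practice: an agent that was never installed, or one that stopped reporting, looks exactly like a protected machine from the console's point of view. The following is an added example, not code from the original post, of reconciling an asset inventory against an EDR console export to find those gaps. The column names, the thresholds and both CSV exports are assumptions constructed for the example.

```python
"""Endpoint-coverage reconciliation: which machines have no agent, a silent
agent, or stale signatures?

Added example, not code from the original post. It assumes two CSV exports
with hypothetical column names:
  inventory (AD / DHCP / NAC):  hostname, last_seen
  EDR console:                  hostname, last_checkin, signature_date, agent_version
Both sample exports below are constructed for the example.
"""
import csv
import io
from datetime import datetime, timedelta

# Fixed "today" so the run is deterministic; in production use datetime.now().
NOW = datetime(2024, 5, 20)
MAX_CHECKIN_AGE = timedelta(days=3)      # an agent silent longer than this is a finding
MAX_SIGNATURE_AGE = timedelta(days=1)    # item 5 above: signatures updated daily

# Constructed sample data. Note the case mismatch on ws-rad-01: inventories and
# consoles rarely agree on hostname casing, so the join must normalise it.
INVENTORY_CSV = """hostname,last_seen
WS-RAD-01,2024-05-19
WS-RAD-02,2024-05-20
WS-ER-07,2024-05-20
SRV-PACS-01,2024-05-20
LAB-IMG-03,2024-05-18
"""

EDR_CSV = """hostname,last_checkin,signature_date,agent_version
ws-rad-01,2024-05-20,2024-05-20,7.2.1
WS-RAD-02,2024-05-11,2024-05-10,7.2.1
SRV-PACS-01,2024-05-20,2024-05-14,7.1.0
WS-OLD-99,2024-05-20,2024-05-20,7.2.1
"""


def parse_date(text: str) -> datetime:
    return datetime.strptime(text.strip(), "%Y-%m-%d")


def load_by_hostname(csv_text: str) -> dict:
    """Index CSV rows by upper-cased hostname so the two sources can be joined."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"].strip().upper(): row for row in rows}


def reconcile(inventory_csv: str, edr_csv: str, now: datetime = NOW) -> dict:
    inventory = load_by_hostname(inventory_csv)
    edr = load_by_hostname(edr_csv)
    findings = {
        "no_agent": [],          # in inventory, unknown to the EDR console
        "stale_checkin": [],     # agent installed but not reporting
        "stale_signatures": [],  # agent reporting but protection content is old
        "not_in_inventory": [],  # EDR knows a host the inventory does not: fix the inventory
    }
    for host in sorted(inventory):
        row = edr.get(host)
        if row is None:
            findings["no_agent"].append(host)
            continue
        if now - parse_date(row["last_checkin"]) > MAX_CHECKIN_AGE:
            findings["stale_checkin"].append(host)
        if now - parse_date(row["signature_date"]) > MAX_SIGNATURE_AGE:
            findings["stale_signatures"].append(host)
    findings["not_in_inventory"] = sorted(set(edr) - set(inventory))
    return findings


def coverage_ratio(findings: dict, inventory_csv: str) -> float:
    """Share of inventoried hosts with a reporting agent and fresh signatures."""
    total = len(load_by_hostname(inventory_csv))
    unhealthy = (set(findings["no_agent"])
                 | set(findings["stale_checkin"])
                 | set(findings["stale_signatures"]))
    return (total - len(unhealthy)) / total if total else 0.0


if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, EDR_CSV)
    for category, hosts in result.items():
        print(f"{category:18s} {', '.join(hosts) or '-'}")
    print(f"healthy coverage   {coverage_ratio(result, INVENTORY_CSV):.0%}")
```

Run weekly, the interesting number is not the coverage ratio but the hosts that show up in `no_agent` and `not_in_inventory`: the first list is exactly the machines an imaging technician built outside the standard process, and the second tells you the inventory itself cannot be trusted as the source of truth for item 8.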


The DO's and DON'Ts of MDR and SecOps


  1. The sea of flows and currents

  2. “Dispatch, this is Unit22 please respond to a domestic incident” — Alerts and Reactions

  3. Don’t stop at infrastructure — use Orchestration and Automation

  4. Backup Backup Backup.

  5. Don't let your forgiveness get the better of you: make sure that helpdesk and PC technicians can't override your security measures and "do things quicker, their way".


Fiction….. or maybe not


A fictional story that I would like to tell you, about a health system in Israel.

A tale about a medical facility with the most advanced endpoint security solution and a "malicious" tech team. By malicious I mean with the intent in their hearts to bypass the organizational security policy and use Russian tools to make OS images, to quickly recover and install workstations.

The organization knew that the helpdesk people had high permissions and extensive access to the network.


The SecOps team didn't take into account that one weekend, the malicious actor would install a workstation from that RUSSIAN-ALL-IN-ONE-SUPER-DUPER bootable USB (ISO file).

For your information, that act was like bombarding the network with ransomware letters. All the medical workstations stopped working, no system worked properly, and the medical institute was sent back to the "stone age": they started documenting on paper. They tried to recover, but it was too late. IT TOOK THAT ORGANIZATION 3 MONTHS to recover fully. Patients stopped receiving medical care for days!!!

Do you remember that episode of Grey's Anatomy where the hospital stopped working? LIKE THAT.


On a happy note

Know these things:

If you are at home, you can protect yourself quite well.

If you are a junior SecOps engineer, do your best to learn the technology, so you will be able to provide the best protective solution for your organization or customer.

If you are a CISO, take some happy pills, because you are next (just kidding....).

But most of all, be happy that you are in a great field of practice with so many opportunities to grow and develop your own security gardening methods.

Sleep tight and don’t let the bed bugs 👹 bite.


