Beyond Antivirus – The Modern Solution is Active Endpoint Detection and Response (ActiveEDR)



The goal of cybersecurity for your law firm is boiled down to 1) keep bad actors out; 2) identify when cybercriminals have breached your systems; and 3) remediate and mitigate damage and restore systems.  Traditional Antivirus (AV) software was once the preferred solution to tackle the first item on that list, but as threats evolved, some software became more of the problem than the solution.

Traditional AV software alone doesn’t do enough to protect a law firm’s systems from today’s cybersecurity threats.  The tactics used by cybercriminals have outpaced the capabilities of traditional AV software to identify and quarantine sophisticated threats such as the consequences of a phishing attack and fileless malware attacks.

Data Protection and Cyber Security on Internet Server Network with Secure Access to Protect Privacy against Attacks. Illustration with Electronic Circuit Board Connections and Cybersecurity Icons.

The modern solution goes beyond scanning files for known viruses and malware.  Active Endpoint Detection and Response (ActiveEDR), otherwise known as Extended EDR (XDR), blends advanced behavior analytics and machine learning to detect threats with automatic responses to remediate potential damage.  This proactive tool protects your law firm from known and unknown threats, including ransomware and data theft.

Traditional AV Shortcomings

You might be familiar with traditional antivirus software that came preinstalled on your personal computer.  In addition to updating at the most inopportune moments, traditional / legacy AV software identify viruses and malware by scanning files for threats known to the community.

This approach has two major shortcomings.  It can only identify and quarantine files with threats that are known and the software is updated to detect.  In today’s landscape, by the time a piece of malware is known and documented, it becomes less profitable for cybercriminals to promote and they pivot to a different version.  The second major shortcoming is they can typically only identify malicious files and are less effective at detecting malicious behavior.

Today’s Threat Landscape

Cybercrime has evolved past creating files that contain malware to infect their targets’ systems.  It used to be a simpler game of cat and mouse – cybercriminals write malware into files that victims download, and AV software learns of the malware and updates its database to block that file’s signature.

Malware and other modern threats do not always rely on loading executable files to infect a device.

Fileless Malware

Instead of deploying a separate piece of malicious software, the fileless malware approach leverages trusted programs already on the device.  This avoids detection from an AV by injecting code into a running process which then commands the operating system to download and execute the malware.  Fileless malware has a low footprint and leaves little trace of its activity, making it hard for traditional AVs to detect it.


Phishing has become a preferred method of cybercriminals to gain access to user credentials.  It is a type of social engineering that tricks a user into giving them sensitive information, such as log in credentials, through a variety of techniques.

Social engineering is the most common root cause of cybersecurity breaches.  That’s not surprising considering it’s much easier to get a human to err than a computer.

A traditional AV scans files for known threats.  It cannot compete with a cybercriminal who has access to a user’s account.  Once in that account, the cybercriminal is free to steal any accessible document or run malware of their choosing.

Today’s Solution

As cybercriminals improve their approach as does cybersecurity solutions.  We recommend being the cat, not the mouse.

ActiveEDR takes a proactive approach to threats as opposed to the reactive approach of traditional AVs.  It focuses on analyzing and responding to behavior rather than files.

Suspicious Behavior Monitoring

Regardless of the point of entry in a breach, damage is caused by the cybercriminal instructing the network or device to take an action that is not typical of normal user behavior.  Normal user behavior isn’t encrypting all files and locking down the system (ransomware) or exporting terabytes of data (data theft).  These are ultimately the actions you are looking to prevent.

This extends beyond cybercriminals and hackers as we typically think.  If a disgruntled employee who has legitimate access to data attempts a mass export on their way out, ActiveEDR will flag the behavior and automatically block the action.

By focusing on behavior analytics in real-time and automatically responding to them by blocking malicious actions, ActiveEDR provides a level of protection that traditional AVs don’t.

Endpoint Protection

An endpoint is a device at the end of a network connection that uses the network to communicate and transmit data with other endpoints, such as laptops, desktop computers, and smartphones. Servers, routers, and firewalls that connect one network to another are also endpoints.

Cybersecurity breaches are often multistep processes that begin by gaining access to one endpoint, and require the bad actor to move laterally to other endpoints throughout the network to achieve their objective.

ActiveEDR solutions have a wholistic view of a network’s endpoints and can track and respond to suspicious behaviors throughout the network.  Modern antivirus solutions have some behavior analytics capabilities, but they cannot track lateral movement throughout a network.

Not Reliant on Cloud Connectivity or Lengthy Updates

Traditional AV software is downloaded on your device and contains a database of known threats to the publisher of that software.  With the rapid pace of evolving malware, that database is updated frequently, and the software can become bloated.  These updates can decrease the performance of the device and affect the user’s productivity.

ActiveEDR solutions use artificial intelligence models to identify malware and have minimal impact on system performance of the device they are protecting.  They send behavior statistics to a security operations team while connected to the Internet, but they do not require connectivity to automatically respond to suspicious behavior.  This ensures all of your firm’s entire network is protected even when an endpoint is not connected to the cloud.

A Complete Story

The goal of cybercriminals is to get in and get out without leaving a trace.  Modern techniques like fileless malware leaves a minimal footprint.  This leaves unequipped security teams without the necessary context to analyze the attack or realize the full extent of the damage.

ActiveEDR solutions always track everything.  By tracking everything, the tool can conceptualize the entire story of the attack and mitigate each element, not just the last one that occurred. 

Cybersecurity attacks are multistep processes that involve different elements.  There is the entry point where the malware came from or the application the attacker logged into.  Then there is the action the malware or hacker takes such as exporting files or encrypting data.  Not only does ActiveEDR automatically respond to and prevent the malicious payload, it provides security teams the context to identify the vulnerability that enabled the attack to happen.

The Human Component

Some ActiveEDR solutions include constant monitoring of network activities and response management by a team of cybersecurity experts.  Armed with the complete story of a potential threat, this security team can accelerate threat resolution, analyze the root cause of the incident, and take any further action to contain the event.

Your law firm has further protection with this 24/7 managed detect and response service by having a team of experts reviewing and acting upon potential incidents as they happen.  Expert decision making backing up automatic responses to suspicious behavior is a powerful line of defense to keep your firm safe and operational.

Automatic Responses and Fast Recovery

Cyberattacks happen within the blink of an eye.  The world’s best cybersecurity professional cannot respond to and mitigate a typical cybersecurity attack in real-time without advanced tools simply because humans can’t process information at the speed computers can.

ActiveEDR solutions protect by automatically responding to malicious activities.  In the event an activity is not flagged as suspicious behavior and responded to automatically, the solution gives security teams the ability to reverse the damage quickly and get users back running within minutes.

Implement ActiveEDR

ActiveEDR is a powerful tool to integrate in your firm’s cybersecurity approach.  By focusing on behavior analytics and responding to threats automatically, the solution gives your entire firm a level of protection necessary to combat the modern cybersecurity threats.  Speak with your cloud hosting provider or IT team to learn more.