Defensive Cybersecurity Technologies for Small Businesses
Defensive technologies refers to software designed to actively detect, prevent and thwart cyberattacks.
Consider a layered defensive structure consisting of defensive technologies used for each ‘layer’ of your network. For a small network, there should be a network firewall protecting the entire network as a whole as well as defensive software on every computer, workstation, mobile device, and server.
As the network grows, it is also important to incorporate technologies that allow for better detection and response across the network. This is where SIEM and XDR come into play.
- A firewall is software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. There are two types of firewalls: host-based firewalls and network-based firewalls.
- A host-based firewall lives on an individual computer and protects it. We most commonly use firewalls on our individual computers; nearly everyone has used the Windows Defender Firewall at some point. These are often called host-based firewalls (the term ‘host’ refers to a computer, tablet, smartphone, etc.) Host-based firewalls are often the first line of defense in a small business network and they should be turned on and configured properly.
- A network-based firewall, also called a ‘network firewall’, helps to protect an entire network or network segment. It is very important for small businesses to use a network firewall, because a network firewall can see things on the network that individual hosts can’t and do things that they can’t do. For example, a network firewall can detect an attacker on the network and completely prevent them from accessing the network by blocking all traffic from their IP address. Without the network firewall, we not be able to detect the attack at all. Even if we do detect an attack, we could only take action at the host level; there would be no way to block the attacker from the network itself. Network firewalls also frequently come with other helpful security related software like VPN capabilities. They are often installed on a small, dedicated computer and are extremely cost effective ways to improve security.
- Antivirus (AV) software is designed to detect, prevent, and remove malicious software (malware) from computers and other devices. It works by scanning files, applications, and incoming data for known viruses, worms, trojans, and other types of malware, and either quarantining or deleting these threats to protect the system from harm. Antivirus is an absolute requirement but can easily be defeated, even by relatively unskilled hackers. This is why we also promote the use of EDR.
- “Which antivirus should I buy?” is an extremely common question, and it’s a great one. In general, we usually don’t recommend buying ‘premium’ AV software (such as Norton, McAfee, etc…) at all. There are two reasons for this: (1) Most AV software perform similarly because they use similar detection mechanisms, and (2) It’s our opinion that if you’re willing to buy AV software you may as well purchase EDR which is about the same price and dramatically more effective.
- Endpoint Detection and Response (EDR) is software that provides continuous monitoring and response to advanced threats. We’ll dig into EDR in an upcoming section to see how it works and why it’s so effective. For now, we can think of it as a really powerful antivirus (AV) engine. EDR goes far beyond AV in the methods it uses to detect malicious activity, and is much more difficult to defeat. While AV can be defeated by a relatively unskilled attacker, EDR can be tough to get around for even the best hackers in the industry. Getting around EDR requires a hacker to know how to write custom malware, which few can do. The only difficulty with EDR is that it typically needs to be installed and managed through a provider (such as Guardian Angel IT).
- Security Information and Event Management (SIEM) software provides real-time analysis of security alerts generated by applications and network hardware. SIEM aggregates and correlates data from various sources to identify patterns indicative of potential security threats. This helps organizations detect, respond to, and mitigate cybersecurity incidents efficiently. We can think of SIEM as software that allows us to collect and work with logs from across a company’s computers, networks, devices, and services. Not only can these logs then be investigated for signs of an attack, we can also set up detection rules used to identify attackers based on their activities across the network. Note that SIEM solutions today often come with additional capabilities like XDR.
- Extended Detection and Response (XDR) software that integrates and correlates data across multiple security layers, including endpoints, networks, servers, and cloud environments. XDR provides enables comprehensive threat detection, investigation, and response by leveraging analytics and automation to enhance the efficiency and effectiveness of security operations.
| Technology | Scope | Effectiveness | Description |
| Host Firewall | Host / Endpoint | Low / Medium | Controls network traffic on a single endpoint |
| Network Firewall | Network | Medium / High | Controls traffic going into/out of network |
| Antivirus | Host / Endpoint | Low | Blocks known or poorly encoded malware on disk |
| EDR | Host / Endpoint | High | Much better at detecting malware on disk than AV. Can also detect malware in memory, suspicious network traffic, and other Indicators of Compromise (IoCs) |
| XDR | Network | Medium / High | Looks for malicious activites across the network using an agent on each host. Doesn’t replace EDR but is an excellent accompaniment. |
| SIEM | Network | Medium / High | Collects logs from across endpoints on the network. Can be used to spot IoCs based on network-wide activity. Makes it much easier to investigate potential incidents. |