Hi all. This is a request for clarification about how it is that malware can bypass SEP (or any AV). I'm not asking how to do it, rather I need to understand better how it happens in order to carry on intelligent discussions with colleagues and customers alike about how important patching is.
You see in IT security discussions/blogs all the time how they say some zero-day flaw exposes a host to infection, and you see statistics about percent of unpatched systems to known flaws, etc. That recent one from Talos about 3 million unpatched Internet-facing servers running Destiny (the middleware, not the game :) ) is a good example.
But what I never did look into was, is that a moot point if the computer in question is using a commercial endpoint security solution? Let's assume there is no network-level IPS or anything and we're talking just endpoint security. And I fully understand that AV, host-based IPS, etc. are not 100% effective and that's fine, but does exploiting zero-day or unpatched known flaws somehow bypass endpoint security? I'm sure the answer is not black and white, so perhaps the question is more about proportion: how much more likely are systems with unpatched holes to get infected if they happen to also be running current, commercial-grade endpoint security?
And again this stems from how I continuously see articles that talk about how some unpatched flaw was used to allow infection to occur, yet these same articles never talk about how effective or not the endpoint security was. You almost have to wonder if endpoint security does anything at all in these situations.
Thanks, sorry if this request is long-winded, haven't had my coffee yet.