Cb Connect 2018 | Power of You | Register Now


Replacing Traditional Antivirus with Next-Generation Antivirus: Visualizing NGAV and Evaluation Architecture

December 20, 2016 / Ryan Murphy

(Editor’s Note: The content below derives from the recently published SANS Guide “Out with the Old, In with the New: Replacing Traditional Antivirus.”)

Since its start in the late 1980s, antivirus (AV) has been the first line of defense against known malware. Traditional AV relies on malware signatures and behavioral analysis to uncover threats to critical information endpoints: servers, applications, workstations and mobile computing devices.

Research over the past 10 years, however, continues to indicate that traditional antivirus products are rarely successful in detecting smart malware, unknown malware and non-malware attacks. Today, organizations look to spend their antivirus budget on replacing current solutions with next-generation antivirus (NGAV) platforms that can stop modern attacks, not just known malware.

What is NGAV?

NGAV takes a system-centric view of endpoint security, examining every process on every endpoint to algorithmically detect and block the malicious tools, tactics, techniques and procedures on which attackers rely. This fundamentally different and more complex nature of NGAV demands a different approach to evaluation than traditional AV calls for.

Methods used to test traditional AV solutions are limited to the AV tool’s ability to find malware. Among other things, NGAV evaluation methods need to address this greater range of modern attacks and threat scenarios, non-malware attacks and the malicious use of good software, such as when an attacker uses PowerShell to execute a ransomware attack.

Visualizing NGAV

The starting point for developing an approach to NGAV evaluation is being able to visualize what next-generation AV actually encompasses. This is aided both by understanding the differences between traditional and next-generation AV, and the enhancements offered by NGAV. Equally important is defining your organization’s key requirements, by which you can evaluate (and select) the best NGAV product for your organization.

Here is a side-by-side comparison of NGAV with traditional AV, summarizing how NGAV can help avoid many of the inherent limitations in traditional AV protection in the detection of malware, both known and unknown:


NGAV provides more than malware-centric protection and detection. It is a new class of AV architected around an analytics engine that is built on data science, machine learning and threat intelligence, and that can be tuned to provide deep attack context and insight into both known and previously unknown patterns of attack.

NGAV can detect and act on the malicious compromise of system processes by analyzing the process directly in memory, which is critically important, given that modern attacks increasingly may involve no malware to avoid traditional AV detection.

Beyond Signatures

For example, using binaries increases the chance of detection. Attackers are turning to memory-based exploits, for example launching attacks against a running system process, such as iexplore.exe or javaw.exe, and avoiding any footprint on the storage system for the AV or file integrity monitoring tools to catch. Attackers are using powerful scripting tools, such as PowerShell, and legitimate administration applications, such as PsExec and TeamViewer, to access and control victim hosts, easily evading traditional protection and monitoring solutions while taking advantage of the elevated privileges that come with utilities.

NGAV capabilities also reach beyond use of indicators of compromise (IOCs), metadata such as virus signatures, IP addresses, file hashes and URLs—all of which demonstrate that potentially malicious activity has occurred.

Tactics, Techniques and Procedures

Using advanced data science, machine learning, artificial intelligence and highly scalable, cloud-based analytics, NGAV solutions can actually determine relationships between patterns of behavior to detect the tactics, techniques and procedures (TTPs) used by attackers.

From TTPs, the specific, identifiable patterns of malicious activity, discovered through analysis and correlation of files and behavior, such as listening on a given service port, memory scraping or code injection, an NGAV solution can actually (re)construct a chain of events, visualizing what the actual attacker might be up to, as opposed to looking at individual, discreet events. TTPs can be saved and re-used to block future, similar attacks. Matched to endpoint activity, these patterns help set the activity into context and support policies at the endpoint for protection, detection or response.

Evaluation Architecture for NGAV

Here is an overview of how NGAV components are related in a high-level reference architecture that illustrates the three basic sets of requirements needed to fully evaluate an NGAV:


NGAV requirements can be thought of as three interrelated families:

Product Features—How well do the product features and capabilities meet the functional and technical requirements defined by the organization? For example, what and how will the product detect attacks, including unknown and non-malware attacks, etc.?

Operational Requirements—How well will the product align with the operational needs and requirements of the organization, including coverage of endpoints deployed within the organization, interoperability with existing network and security infrastructure, and management?

Business Requirements—What are the business requirements (and assumptions), such as cost versus terms of coverage, ease of use, compliance and so forth?


In the coming weeks, we will be publishing more critical information from the SANS Guide “Out with the Old, In with the New: Replacing Traditional Antivirus.” If you’d like to get a head start in reading more, click the image below to read the full report from SANS.