(Editor’s Note: The content below derives from the recently published SANS Guide “Out with the Old, In with the New: Replacing Traditional Antivirus.”)
With requirements in hand, start planning your evaluation. While every organization’s structure and business drivers are different, there are key common planning considerations to develop your evaluation framework:
• What is the time frame for the evaluation?
• What is the urgency for product selection based on the evaluation?
• What endpoint systems will the NGAV run on (e.g., production user desktops, company-owned laptops, production servers)?
• How much can your organization invest in evaluating performance in a simulated environment that mirrors production? Smaller organizations may not have the luxury of a sophisticated test environment that larger organizations enjoy. You may need to evaluate the product strictly on tests conducted by a third party and/or a limited test on your own equipment.
• What criteria are required for different categories of users (e.g., developers, security analysts, system administrators, endpoint users)?
• How should I evaluate the replacement of traditional AV with NGAV? Should I run my evaluation alongside the existing AV for comparison? When should I feel comfortable shutting off traditional AV?
Once requirements are defined, it’s time to plan how you will evaluate/verify those requirements, given some of the constraints identified in your planning process.
Procedurally, many ways exist to conduct an evaluation, including:
• Inspection. Examine product documentation.
• Demonstration. Discuss implementations, view product demonstrations by the vendor or participate in limited hands-on experimentation with a demo version of the product.
• Analysis. Analyze test results reported by a reputable third party.
• Testing. Actually test the product in a preconfigured environment that simulates your production environment.
Organizations with limited resources usually conclude their evaluation and selection of products with just “kicking the tires,” using the criteria laid out in the next section together with the inspection, demonstration and analysis methods described. However, this guide also provides a framework for organizations that want to take the next obvious step: a “test drive” to formally test the NGAV in an environment that simulates enterprise conditions, assess the product against one or more probable scenarios, and rate the outcomes based on the viewpoints of both the administrator (detection and remediation) and the endpoint user (operational impact, education) experiences.
Attacks today are far more complex, and so is NGAV. Testing therefore has to cover known and unknown malware, signature-based and signature-less attacks, integration with threat intelligence, response, and many other automated capabilities and features. It takes a combination of skills, tools, techniques and safe, isolated testing zones to truly evaluate at this level—something many IT organizations simply don’t have in-house.
For testing the product against malware, third-party assessments are generally trustworthy and are certainly safer than running malware in your own environment. Unfortunately, these tests are designed around known malware. NGAV must also be tested against unknown malware, malware variants and non-malware attacks.
In the coming weeks, we will be publishing more critical information from the SANS Guide “Out with the Old, In with the New: Replacing Traditional Antivirus.” If you’d like a head start, the full report is available from SANS.