What is Next-Generation Antivirus (NGAV)?
Moving Endpoint Security to the Cloud: Replacing Traditional Antivirus
Modern attacks such as ransomware and advanced phishing are becoming more prevalent each year. “Next-generation” attacks require next-generation antivirus (NGAV), which can stop more attacks, see more threats and close more security gaps than traditional AV. NGAV solutions that are purpose-built to utilize cloud-based analytics enable an even more dynamic, proactive approach to endpoint security. In this webcast, SANS will discuss how cloud-based analytics can assist organizations in managing the security of their endpoints and function with NGAV to improve protection and simplify operations.
Next-Generation Antivirus solutions prevent all types of attacks, known and unknown, by monitoring and responding to attacker tactics, techniques and procedures (TTPs), and by providing security administrators with real-time response capabilities, data science, predictive analytics, and threat intelligence.
Next-Generation Antivirus takes traditional antivirus software to a new, advanced level of endpoint security protection. It goes beyond known file-based malware signatures and heuristics because it’s a system-centric, cloud-based approach. It uses predictive analytics driven by machine learning and artificial intelligence and combines with threat intelligence to:
Detect and prevent malware and fileless non-malware attacks
Identify malicious behavior and TTPs from unknown sources
Collect and analyze comprehensive endpoint data to determine root causes
Respond to new and emerging threats that previously went undetected.
What is next-generation antivirus, or NGAV?
Though malware continues to be a constant threat, more than half of breaches today leverage fileless malware because it can bypass traditional antivirus defenses. This episode of "The 101" provides a clear definition of next-generation antivirus and explains why it is uniquely capable of stopping both malware and fileless malware (or non-malware) attacks.
Today’s attackers know exactly where to find gaps and weaknesses in an organization’s network perimeter security – and they penetrate these in ways that easily bypass traditional antivirus software. These attackers use highly developed tools to target vulnerabilities that leverage:
PowerShell scripting language
And because traditional AV focuses only on signature-, file- or definition-based threats, it cannot protect these environments from modern threats that introduce no new files to the system.
However, NGAV focuses on events – files, processes, applications, and network connections – to see how actions, or event streams, in each of these areas are related. Analysis of event streams can help identify malicious intent, behaviors, and activities – and once identified, the attackers can be blocked.
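The paragraph above describes NGAV as relating events from several sources (files, processes, network connections) rather than inspecting one file in isolation. The following is an added example, not code from the original page or from any NGAV product, of what such event-stream correlation looks like at its simplest: a constructed stream of endpoint events is joined through the process id they share, the process ancestry is rebuilt, and a script host that was spawned by a document-handling application and then opened a network connection is flagged, with the file its parent touched kept as root-cause context. The event schema, the role tables DOCUMENT_APPS and SCRIPT_HOSTS, and all sample values are assumptions made for the example.

```python
# Constructed sample telemetry for one endpoint (not real data). Each record is
# one event from the stream: process starts, file writes and network connections,
# in time order. The field names are an assumed schema for this example.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_start", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"ts": 2, "type": "process_start", "pid": 200, "ppid": 100, "image": "WINWORD.EXE"},
    {"ts": 3, "type": "file_write",    "pid": 200, "path": r"C:\Users\u\Downloads\invoice.docm"},
    {"ts": 4, "type": "process_start", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"ts": 5, "type": "net_connect",   "pid": 300, "dst": "203.0.113.10:443"},
    {"ts": 6, "type": "process_start", "pid": 400, "ppid": 100, "image": "powershell.exe"},
    {"ts": 7, "type": "net_connect",   "pid": 400, "dst": "198.51.100.5:443"},
]

# Hypothetical role tables, kept tiny for the example.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}


def build_process_table(events):
    """Relate the three event types through the process id they share."""
    procs = {}
    for e in events:
        if e["type"] == "process_start":
            procs[e["pid"]] = {"image": e["image"].lower(), "ppid": e["ppid"],
                               "files": [], "net": []}
    for e in events:
        p = procs.get(e["pid"])
        if p is None:
            continue
        if e["type"] == "file_write":
            p["files"].append(e["path"])
        elif e["type"] == "net_connect":
            p["net"].append(e["dst"])
    return procs


def ancestry(procs, pid):
    """Walk parent links upward; returns image names, child first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain


def correlate(events):
    """Flag a script host spawned by a document-handling application that then
    opened a network connection. No single event in the chain is suspicious on
    its own; the relationship between them is what gets flagged."""
    procs = build_process_table(events)
    findings = []
    for pid, p in procs.items():
        if p["image"] not in SCRIPT_HOSTS or not p["net"]:
            continue
        parent = procs.get(p["ppid"])
        if parent and parent["image"] in DOCUMENT_APPS:
            findings.append({
                "pid": pid,
                "chain": " <- ".join(ancestry(procs, pid)),
                "destinations": list(p["net"]),
                "root_cause_files": list(parent["files"]),   # context for responders
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample stream, only pid 300 is reported: the second PowerShell instance (pid 400) also connects out, but its parent is the desktop shell, which is what an administrator typing commands looks like, so a rule keyed on the process relationship rather than on the script host alone does not fire on it.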
This kind of approach is increasingly important today, because enterprises like Major League Baseball, the National Hockey League, and other major sports organizations are increasingly finding that attackers are specifically targeting their individual networks. The attacks are multi-stage, personalized, and significantly higher risk – and traditional antivirus solutions don’t have a chance of stopping them.
According to its 2017 Market Guide for Endpoint Detection and Response Solutions, Gartner now considers endpoint detection and response (EDR) as a foundational security capability. When it is combined with NGAV, companies can more accurately identify suspicious and unauthorized activities, preventing many of these behaviors outright and enabling the capabilities to respond and remediate advanced malicious threats faster and better than ever before.
To help NGAV solutions identify threats that slip past traditional AV, EDR provides a holistic approach to data collection, which in turn powers machine learning, predictive analytics, and behavior monitoring with a complete picture of the environment. Together, these technologies help companies monitor events and identify patterns that may be suspicious, turning them into attack visualizations that can be easily consumed by administrators and responders.
EDR can help discover even the most minute changes in files, registries, and networks that help security teams uncover malicious activity hidden in plain sight. From there, EDR helps responders contain the identified threats and block emerging, never-been-seen-before attacks that otherwise can slip through most NGAV solutions.
Antivirus software companies not only compete with vendors that deliver similar products, but they are also directly competing against the nefarious attackers. Head-to-head in this race, the attackers have the winning hand.
According to the State of Endpoint Security report from Ponemon Institute:
of organizations believe endpoint security risks are increasing
have seen new and unknown threats increase significantly.
believe they have the resources to minimize endpoint security risk.
The report also notes that of those organizations that experienced an endpoint attack that compromised their company, 77% said the attack was a fileless attack or exploit.
Clearly, antivirus software is losing this race.
To fully unleash NGAV and EDR solutions, companies must take advantage of the cloud and its immense computational power, unlimited scalability, and ease of management. Taking endpoint security to the cloud ensures a proactive, rather than reactive, approach that combines big data with powerful analytics to help outsmart the latest, most threatening emerging attacks.
For example, the cloud enables streaming analytics, where normal and abnormal endpoint activity can be monitored and compared against unfiltered historical endpoint data. By analyzing these event streams and comparing them to what normal ones look like, the cloud creates a global threat monitoring system that not only detects attacks, but predicts ones that have never been seen before. This powerful approach is simply not possible with traditional AV solutions.
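The streaming comparison described above, as an added example that is not part of the original page and is not any vendor's implementation: a fleet-wide baseline records which hosts have ever produced a given parent-to-child process pair, and each event in a live stream is scored by its prevalence across the fleet before being folded into the baseline. A pair no host has produced scores 0.0; a pair seen on a single host stays rare even when that host repeats it. The history, the live stream, the 0.5 rarity threshold and the parent/child feature are all constructed assumptions for the example; a real system would use a far richer feature set and many more hosts.

```python
from collections import defaultdict

# Constructed historical telemetry (not real data): parent -> child process pairs
# that each host in a small fleet has produced before.
HISTORY = [
    ("host-a", "explorer.exe", "winword.exe"),
    ("host-b", "explorer.exe", "winword.exe"),
    ("host-c", "explorer.exe", "winword.exe"),
    ("host-a", "explorer.exe", "outlook.exe"),
    ("host-b", "explorer.exe", "outlook.exe"),
    ("host-c", "explorer.exe", "outlook.exe"),
    ("host-a", "services.exe", "svchost.exe"),
    ("host-b", "services.exe", "svchost.exe"),
    ("host-c", "services.exe", "svchost.exe"),
    ("host-d", "services.exe", "svchost.exe"),
    ("host-e", "services.exe", "svchost.exe"),
    ("host-a", "outlook.exe", "winword.exe"),
]

# Constructed live stream to score against that history.
LIVE_STREAM = [
    ("host-d", "explorer.exe", "winword.exe"),    # common across the fleet
    ("host-b", "winword.exe", "powershell.exe"),  # never seen on any host
    ("host-c", "outlook.exe", "winword.exe"),     # seen on one host so far
    ("host-c", "outlook.exe", "winword.exe"),     # repeated by that host: still rare fleet-wide
]


class FleetBaseline:
    """Tracks, per parent -> child pair, the set of hosts that have produced it."""

    def __init__(self):
        self.hosts_by_pair = defaultdict(set)
        self.hosts = set()

    def observe(self, host, parent, child):
        self.hosts.add(host)
        self.hosts_by_pair[(parent.lower(), child.lower())].add(host)

    def prevalence(self, parent, child):
        """Fraction of known hosts on which this pair has been seen (0.0 = never)."""
        if not self.hosts:
            return 0.0
        seen_on = self.hosts_by_pair.get((parent.lower(), child.lower()), set())
        return len(seen_on) / len(self.hosts)


def score_stream(baseline, stream, rare_threshold=0.5):
    """Score each live event against the baseline before folding it in, so one
    host repeating a fleet-rare pair does not normalise it for itself."""
    results = []
    for host, parent, child in stream:
        prev = baseline.prevalence(parent, child)
        results.append({"host": host, "pair": f"{parent} -> {child}",
                        "prevalence": round(prev, 2), "flag": prev < rare_threshold})
        baseline.observe(host, parent, child)
    return results


def run_example():
    """Build the baseline from HISTORY and score LIVE_STREAM against it."""
    baseline = FleetBaseline()
    for record in HISTORY:
        baseline.observe(*record)
    return score_stream(baseline, LIVE_STREAM)


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

The point the example makes is the one the paragraph makes: the "normal" a single endpoint can compute for itself is far weaker than a comparison against the whole fleet's history, and scoring before updating is what keeps a never-before-seen pattern visible on its first occurrence.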
NGAV in the cloud also offers bi-directional communication with endpoints, so that all unfiltered endpoint data can be monitored and turned into predictive analytics that proactively protects companies from sophisticated attacks.
Plus, the cloud provides the infrastructure benefits that most companies are already experiencing with other enterprise software – simplified, less costly operations, faster deployment, and the latest and most innovative technology.