SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
When antivirus fails, here’s how to choose next-gen antivirus
Mon, 12th Dec 2016

The ineffectiveness of traditional antivirus (AV), which catches less than half of noteworthy malicious events, is causing untold damage to organisations worldwide. The harm is unnecessary, as next-generation antivirus (NGAV), the natural evolution of AV, will protect computers from the full spectrum of modern cyber attacks.

So let us re-think endpoint defences and provide a checklist of items to consider while making the decision to transition to NGAV. 

Traditional antivirus was designed and built before the cybercrime explosion, and the speed at which tools and techniques are now changing. Modern attacks often utilise techniques that leverage built-in tools and scripts, much different from the days where attacks were almost always malicious binaries. 

Beyond considering the kinds of attacks, organisations need the ability to protect themselves quickly rather than waiting for their vendor to push out signatures, hoping that the endpoints receive an update before that malicious email lands in employees' inboxes.

To reduce cyber risk, IT needs an endpoint-security approach that goes beyond malware and incorporates next-generation features that target the tactics, techniques and procedures frequently used by both mass scale opportunistic attackers and advanced threats specifically targeting an organisation.

The following checklist will help IT to assess the capabilities of a current antivirus solution and provide guidance for migrating to a more mature posture. While an organisation might have unique requirements or constraints, the list will ease its shift to next-generation antivirus.

#1 Full range of protection

Modern attackers generate malware faster than traditional AV stops it. They are mastering techniques that don't even require malware. An endpoint security solution should protect against all attacks, not just threats that involve running a malicious executable. Beyond the initial execution blocks, there should be strong protection against particularly useful adversarial techniques like thread injection and RAM scraping.

In evaluating an NGAV solution, make sure it protects against:

  • Known malware and variants including malware-based ransomware
  • Obfuscated, evasive or previously unknown malware
  • Compromised (exploited) legitimate software (Flash, Silverlight, etc)
  • Malicious scripts and interpreted code like PowerShell, Visual Basic, Perl, Python, Java
  • Memory-resident and file-less attacks
  • Document-based attacks (PDFs and macros)
  • Remote login attacks and the malicious use of valid software (living off the land).

#2 Extensible cloud security intelligence and analytics

As attackers evolve and adapt their tactics and techniques, organisations need to employ new analytic capabilities and attack intelligence to properly defend themselves – without having to redeploy security infrastructure. An NGAV should feature:

  • A cloud backend for high-powered analysis and the application of vendor intelligence
  • Multiple inspection engines that focus on reputation, behaviour, and event relationships
  • Configurable detection sensitivities to prioritize important events and reduce unnecessary alerting
  • Open and extensible threat feeds for third-party attack intelligence and for leveraging security investments already made
  • Community-based intelligence sharing and the network effect of benefiting from attacks other users witness.

#3 Visibility and context into attack and detection events

After an attack attempt, IT needs to understand what happened so they can contain and control the situation, prevent further damage and improve the overall security posture. The right context helps to do all that quickly and easily. If each attack doesn't make for stronger defence, we recommend a reconsideration of IT's approach. An NGAV solution should provide:

  • Insight into how the threat started, even before it was detected (root cause)
  • Visibility into where else in the organisation this threat might exist (scope)
  • Guidance on what's needed to recover and how to close gaps (education and maturity)
  • Data sharing within the ecosystem (SIEM, etc) (integration and automation).
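The "root cause" and "scope" items above, together with the script-based and living-off-the-land attacks listed under #1, come down to one question: from a sensor's process-start telemetry, can you walk back from the detected interpreter to the process that introduced it, and then find every other host showing the same chain? The following is an added example, not code from the article or from any NGAV vendor. The event records, host names, process IDs and command lines are constructed sample data, and the document-handler and interpreter name sets are assumptions chosen for the illustration.

```python
"""Reconstruct process ancestry from endpoint telemetry, flag script
interpreters launched from document handlers, and scope the finding
across hosts. Added example with constructed data; not the article's."""
from collections import defaultdict

# Constructed sample telemetry: one record per process start, three hosts.
# ws01 and ws02 show a macro document spawning an encoded PowerShell;
# ws03 shows an administrator running PowerShell interactively.
EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"host": "ws01", "pid": 210, "ppid": 100, "image": "outlook.exe",    "cmd": "outlook.exe"},
    {"host": "ws01", "pid": 320, "ppid": 210, "image": "winword.exe",    "cmd": "winword.exe /n invoice.docm"},
    {"host": "ws01", "pid": 430, "ppid": 320, "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "ws02", "pid": 105, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"host": "ws02", "pid": 215, "ppid": 105, "image": "winword.exe",    "cmd": "winword.exe /n invoice.docm"},
    {"host": "ws02", "pid": 325, "ppid": 215, "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc AAAA"},
    {"host": "ws03", "pid": 110, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"host": "ws03", "pid": 220, "ppid": 110, "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},
]

# Assumed categories (hypothetical lists, not a vendor's catalogue).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


def index_by_host(events):
    """Map host -> {pid: event} so parent links can be followed per host."""
    by_host = defaultdict(dict)
    for e in events:
        by_host[e["host"]][e["pid"]] = e
    return by_host


def ancestry(table, pid):
    """Walk ppid links from pid to the top of the tree.

    Returns the chain root-first. The 'seen' set guards against pid reuse
    producing a cycle in incomplete telemetry."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid])
        pid = table[pid]["ppid"]
    return list(reversed(chain))


def detect(events):
    """Alert on an interpreter whose ancestry contains a document handler.

    root_cause is the earliest document handler in the chain: the process
    that brought the content in, which is what an analyst needs to contain."""
    alerts = []
    for host, table in index_by_host(events).items():
        for e in table.values():
            if e["image"].lower() not in INTERPRETERS:
                continue
            chain = ancestry(table, e["pid"])
            handlers = [p for p in chain[:-1] if p["image"].lower() in DOCUMENT_HANDLERS]
            if not handlers:
                continue  # interpreter launched from a shell or service: no alert here
            alerts.append({
                "host": host,
                "root_cause": handlers[0]["image"],
                "chain": [p["image"] for p in chain],
                "cmd": e["cmd"],
            })
    return alerts


def scope(events, cmd):
    """Hosts on which the same interpreter command line was observed."""
    return sorted({e["host"] for e in events if e["cmd"] == cmd})


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["host"], " -> ".join(a["chain"]), "| root cause:", a["root_cause"])
        print("   also seen on:", scope(EVENTS, a["cmd"]))
```

The same command line appearing on ws01 and ws02 is the "scope" answer; the differing root causes (Outlook on one host, Word opened directly on the other) are the "root cause" answer; ws03's interactive PowerShell produces no alert, which is the kind of sensitivity tuning #2 asks for. A real sensor would key on image hashes and signer identity rather than file names, which are trivially renamed.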

#4 Integrated rapid-response

Not every attack can be prevented. Skilled attackers can use stolen credentials and native system tools such as PowerShell to infiltrate a machine without using malware. These attacks can still be detected, and when they are, IT needs to be able to respond quickly.

An NGAV solution should make it easy to: delete malware or temporary files across the organisation; stop network activity for a specific process; quarantine a system and isolate it from the network; and blacklist files from executing anywhere in the environment.

#5 Lightweight operations

We have all experienced antivirus grinding our computer to a halt while it scans the drive. Thankfully, those days are gone. Next-generation antivirus should be lightweight on the system and easy to administer so it doesn't slow users down.

#6 A platform that grows with assets, users, systems and teams

Different assets require different strategies for protection. Servers, for example, don't change often and have highly restrictive protection policies. Meanwhile, developers need more flexibility. A solution should adapt to the organisation's needs and be part of a platform that provides a growth path to a better security posture over time.

An NGAV should be part of a platform that provides: group-based policy that applies different security strategies to different systems; an upgrade path to advanced incident response and threat hunting for SOCs and IR teams; an upgrade path to default-deny and lockdown policies for sensitive or high-risk systems; and an upgrade path to app control, device control, and file integrity monitoring for servers and critical systems.