November 20, 2017
The Case for Replacing Traditional AV with NextGen AV (NGAV)
Next generation anti-virus software is growing in use as a preventative measure. In fact, a recent study of 60 cybersecurity companies that endured ransomware attacks revealed that 100% of the attacks bypassed traditional anti-virus detection. After big headlines and numerous major data breaches, we know that the traditional AV method cannot deal with all malware attacks, and businesses are unsatisfied with the results.
What is NGAV?
Next generation anti-virus (NGAV) software approaches endpoint security differently: it examines every process on an endpoint in order to proactively detect and block the tools and tactics attackers use to break in. While traditional AV focuses on detecting malware files at the endpoint alone, NGAV addresses a wider range of modern threat scenarios, including non-malware and ransomware attacks. NGAV takes a different, system-centered technical approach to detecting and blocking malicious activity.
NGAV prevents commodity malware better than traditional AV, and it also prevents unknown malware and sophisticated attacks, because it looks at the whole context of an attack rather than at isolated attempts. NGAV uses this context to understand the cause of a cyber-attack and thus to prevent future ones. It is deployed quickly and can be accessed via the cloud. It offers more preventative measures along with better endpoint detection and response (EDR) capabilities, and in many cases it can replace traditional endpoint protection products.
Are Companies Adopting NGAV?
Some organizations today, such as Major League Baseball and the National Hockey League, are considering replacing their current solutions with NGAV to stop these modern malware attacks, yet adoption of NGAV as a whole has been relatively slow. Why is this? One theory is that companies are currently meeting their compliance objectives with traditional AV software. Company leaders worry they won’t meet their Payment Card Industry (PCI) objectives if they adopt NGAV.
The main problem is that PCI requirements call for a “full-system scan,” which NGAV systems don’t currently do: NGAV systems only analyze files when they are opened or executed. Additionally, PCI requirements necessitate support for regular signature updates, a feature NGAV does not use simply because of its system-centered approach.
There’s good news, though. This is all changing. We are seeing more and more NGAV software support passive, full-system scanning and add signature support. This positions NGAV to become a direct security control for PCI and to help meet the need for increased protection of critical data. The PCI Security Standards Council is constantly evolving the Payment Card Industry Data Security Standard (PCI DSS) to strengthen security for critical data, which includes stronger AV requirements and support for more defense methods. Anti-malware requirements within PCI regulations will remain in effect for the immediate term. NGAV software that meets the PCI DSS Requirement 5 anti-malware security-control obligation would let businesses replace traditional antivirus and remain compliant.
Suitable NGAV software can offer a deep-analytics approach to inspecting files, identify malicious behavior and malware that abuses memory and scripting languages (PowerShell, for example), and automate log auditing. Choosing an NGAV product that combines next-generation endpoint security with security policy controls, records endpoint activity, and provides detailed search to facilitate security forensics and response can be helpful.
What to Look for in an NGAV Solution
When choosing an NGAV solution, you want to make sure it meets the following criteria:
- Automatically prevents attacks before they become a breach
- Stops known malware
- Stops variants of known malware
- Stops unknown malware based on heuristics and machine learning
- Stops script-based attacks from files (weaponized documents for example)
- Has a high detection rate along with a low false positive rate
- Has a low impact on users
- Has the ability to operate offline or off the network
- Provides deep endpoint context, visibility, analysis and forensics
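The difference between “stops known malware” and “stops variants of known malware based on heuristics” comes down to what the product looks at: a traditional AV signature identifies a file by its content, while an NGAV-style check judges a process by its context (who launched it, with what command line). The following added example, which is not code from the original post or from any product it mentions, runs both models over a few constructed process-start events. The hash set, the indicator lists (document applications spawning script hosts, hiding or encoding switches on the command line) and the sample events are all assumptions made for the demonstration.

```python
# Added example: signature (hash) check versus behavioural/context check,
# run over constructed endpoint process-start events.
import hashlib
from dataclasses import dataclass

# Constructed "known bad" sample and its SHA-256, standing in for an AV signature feed.
KNOWN_SAMPLE = b"constructed-malicious-script-v1"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Assumed behavioural indicators (illustrative, not an exhaustive detection rule set):
# a document reader spawning a script host is a classic weaponized-document pattern.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
# Command-line switches that hide the window or pass an encoded command.
SUSPICIOUS_SWITCHES = {"-enc", "-encodedcommand", "-w", "-windowstyle"}


@dataclass
class ProcessEvent:
    parent_image: str   # process that launched this one
    image: str          # executable that was started
    cmdline: str        # full command line as recorded by the endpoint sensor
    file_bytes: bytes   # content of the loaded script/file (constructed)


def signature_check(ev):
    """Traditional AV model: block only if the file's hash is in the signature set."""
    return hashlib.sha256(ev.file_bytes).hexdigest() in KNOWN_BAD_SHA256


def behaviour_check(ev):
    """NGAV-style model: list the contextual reasons this process looks malicious.

    An empty list means nothing suspicious was observed."""
    reasons = []
    parent = ev.parent_image.lower()
    image = ev.image.lower()
    if parent in DOCUMENT_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned script host {image}")
    tokens = ev.cmdline.lower().split()
    hits = sorted(SUSPICIOUS_SWITCHES.intersection(tokens))
    if hits:
        reasons.append("suspicious switches: " + ", ".join(hits))
    return reasons


def triage(events):
    """Return one (signature_hit, behaviour_reasons) pair per event."""
    return [(signature_check(ev), behaviour_check(ev)) for ev in events]


# Constructed sample events.
SAMPLE_EVENTS = [
    # 1. The known sample launched from a document: both models catch it.
    ProcessEvent("WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc <constructed-base64>",
                 KNOWN_SAMPLE),
    # 2. A one-byte variant of the same sample: the hash no longer matches,
    #    but the launch context is identical, so only the behaviour check fires.
    ProcessEvent("WINWORD.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc <constructed-base64>",
                 KNOWN_SAMPLE + b"\x00"),
    # 3. An administrator's interactive shell started from Explorer: neither fires.
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Service",
                 b"constructed-benign-profile"),
]


if __name__ == "__main__":
    for ev, (sig, reasons) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{ev.parent_image} -> {ev.image}: signature={'HIT' if sig else 'miss'}, "
              f"behaviour={reasons or 'clean'}")
```

Event 2 is the point of the exercise: one changed byte defeats the signature, while the behavioural verdict is unchanged because nothing about how the process was launched has changed. The reverse caveat also applies: a behavioural rule set this small would miss a sample launched in a benign-looking context, which is why the criteria above ask for both a high detection rate and a low false-positive rate rather than for either model alone.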
Does NGAV Save Money or Reduce Operational Risks?
NGAV saves time, as you do not have to push out signatures or put much effort into administering your security stack. You can install it and let it work for you. The time saved translates into cost savings, something any organization can appreciate.
NGAV software simply offers sounder system security. This, in addition to the measures being implemented to support PCI requirements, can assure organizations that moving away from traditional AV software is in their best interest.
About the Author:
Clayton Riness is the Managing Director of the Threat team at Tevora.