Connect with us

Hi, what are you looking for?


Endpoint Security

Good News! You Already Have Next-Gen AV

It has become customary for tech vendors to self-categorize their solutions as “next-gen” in the hope that customers used to buying the “last-gen” can be persuaded to upgrade. They try to muscle analyst firms like Gartner into recommending “next-gen” so they can cast market leaders into the bin of history.

It has become customary for tech vendors to self-categorize their solutions as “next-gen” in the hope that customers used to buying the “last-gen” can be persuaded to upgrade. They try to muscle analyst firms like Gartner into recommending “next-gen” so they can cast market leaders into the bin of history. Who’d dare to stick with a firewall when Gartner says you need a “next-gen” firewall?

Applied to Anti-Virus, though, the “next-gen” moniker is meaningless.  AV is, and always will be, AV. Today’s endpoint protection platforms are regularly updated with new signatures and detection engines that together represent the state of the art in pre-breach detection. In other words, if you have an endpoint protection solution you already have NG-AV – it quietly showed up this morning in the latest “.dat” file.     

Unfortunately it’s not enough. In the 2015 DBIR, Verizon noted that over 70% of breaches used malware crafted to be un-detectable by the victim organization. Attackers evolve faster than EPP vendors can adapt.  

Detection is a flawed protection strategy. It will fail – with certainty. Turing’s 1936 proof of the Halting Problem was definitive.  Though the NG-AV vendors claim to have new math, there really isn’t any. If there were, their products would work better than the incumbents. But they don’t so instead they advance a narrative that against such sophisticated foes even new math has its limits.  

NG-AV is “faux AV”, and we already know all of its limitations:

 – A false negative lets the attacker in. The endpoint is breached and you’re none the wiser.

 – A false positive may be worse – sending the security team scurrying to remediate non-attacked systems, wasting time and money and distracting them from signs of an actual attack. The Target breach is a good example.

In today’s cyberscape more than 300,000 new malware variants are discovered daily, much of it polymorphic and crypted to bypass the latest detection methods. Over 97% of malware is polymorphic and unique to a specific attacked endpoint, according to Webroot.

Advertisement. Scroll to continue reading.

It is simply impossible to train or adapt a detector and distribute new signatures or detection engines fast enough. Detection poses an impossible mathematical challenge:

“[For malware of size n bytes] …The challenge … is to model a space on the order of 28n to catch attacks hidden by polymorphism. To cover 30 byte [malware] decoders requires 2240 potential matches. For comparison there exist an estimated 280 atoms in the universe.”

Pretenders to the NG-AV throne lay claim to machine learning, AI or deep learning to give them an edge.  But the major players use these techniques already — it’s unlikely that a newcomer has an algorithmic lead. Established players also have the advantage of a global footprint and huge R&D budgets.  There is simply no room for a “next-gen” in detection – the root of the problem is the false assertion that it is possible to do a decent job of detecting malware before it executes.

Post-breach detection is critical.  Your organization may already have a breach in progress because your endpoints are likely only protected with today’s “NG-AV”.  It is critically important to adopt tools to help you quickly identify signs of compromise.  Unlike the “detect to protect” approach, post-breach detection relies on continuous low-level monitoring on each endpoint to correlate events related to application execut
ion, network activity and file system/storage activity to identify tell-tale signs of a breach or of an attacker moving laterally through your network.   

There are many approaches including centralizing monitoring data within the enterprise, sending it to the cloud (if regulations permit), or autonomous correlation of events on and between endpoints to automatically build a precise view of anomalous activity and permit you to search for indications of compromise.

Breaches are not inevitable. Adopting isolation will reduce your attack surface. Virtualization based security is a powerful architectural construct that enables you to reduce the attack surface by micro-segmenting your network and virtualizing workloads in the data center.  Even simple network segmentation would have defeated the Target attack. On user endpoints, micro-virtualization rigorously enforces the principle of least privilege using CPU-enforced isolation between tasks.  Virtualization hardware enforces isolation and transforms security. Virtualized servers and micro-virtualized endpoints can protect themselves, the applications they run and the enterprise network by reducing the attack surface and discarding the ephemeral by-products of execution every time an application is run – automatically remediating the system whether or not it has been attacked.   

Isolation revolutionizes detection before a breach:  Hardware isolation through virtualization revolutionizes attack detection because the execution environment is so robust that it is safe to permit malware to execute. Virtualization permits detailed recording of memory, file system and registry changes, together with network traffic. Such a system reports only proven attacks, without worries about false alerts, and it provides full forensic detail for the attack, permitting an automatic, real-time search on other endpoints for the same attack.

Next-gen Anti-Virus can’t help any more than traditional AV, but the principle of least privilege, enforced through virtualization based security, can stop the breach before it starts.  It can also tell you about unknown zero-day attacks and enable you to quickly search your network for other signs of an attack. 

Related Reading: Are We at the Dawn of an Endpoint Protection Revolution?

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.

Endpoint Security

Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Endpoint Security

The Zero Day Dilemma

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...