SecurityWeek

Endpoint Security

Good News! You Already Have Next-Gen AV

It has become customary for tech vendors to self-categorize their solutions as “next-gen” in the hope that customers used to buying the “last-gen” can be persuaded to upgrade. They try to muscle analyst firms like Gartner into recommending “next-gen” so they can cast market leaders into the bin of history. Who’d dare to stick with a firewall when Gartner says you need a “next-gen” firewall?

Applied to Anti-Virus, though, the “next-gen” moniker is meaningless.  AV is, and always will be, AV. Today’s endpoint protection platforms are regularly updated with new signatures and detection engines that together represent the state of the art in pre-breach detection. In other words, if you have an endpoint protection solution you already have NG-AV – it quietly showed up this morning in the latest “.dat” file.     

Unfortunately it’s not enough. In the 2015 DBIR, Verizon noted that over 70% of breaches used malware crafted to be undetectable by the victim organization’s existing defences. Attackers evolve faster than EPP vendors can adapt.

Detection is a flawed protection strategy. It will fail, with certainty. Turing’s 1936 proof that the Halting Problem is undecidable was definitive, and Fred Cohen applied the same argument to malware in 1987: no program can decide, for every possible input, whether that input is a virus. Though the NG-AV vendors claim to have new math, there really isn’t any. If there were, their products would work better than the incumbents. They don’t, so instead they advance a narrative that against such sophisticated foes even new math has its limits.

NG-AV is “faux AV”, and we already know all of its limitations:

 – A false negative lets the attacker in. The endpoint is breached and you’re none the wiser.

 – A false positive may be worse: it sends the security team scurrying to remediate systems that were never attacked, wasting time and money and distracting them from signs of the actual attack. The Target breach is the usual example: the alerts that mattered were raised, but were lost among the rest and not acted on.


In today’s cyberscape more than 300,000 new malware variants are discovered daily, much of it polymorphic and packed or encrypted to bypass the latest detection methods. Over 97% of malware is polymorphic and unique to a specific attacked endpoint, according to Webroot.

It is simply impossible to train or adapt a detector and distribute new signatures or detection engines fast enough. Detection poses an impossible mathematical challenge:

“[For malware of size n bytes] …The challenge … is to model a space on the order of 2^(8n) to catch attacks hidden by polymorphism. To cover 30 byte [malware] decoders requires 2^240 potential matches. For comparison there exist an estimated 2^80 atoms in the universe.”

Pretenders to the NG-AV throne lay claim to machine learning, AI or deep learning to give them an edge.  But the major players use these techniques already — it’s unlikely that a newcomer has an algorithmic lead. Established players also have the advantage of a global footprint and huge R&D budgets.  There is simply no room for a “next-gen” in detection – the root of the problem is the false assertion that it is possible to do a decent job of detecting malware before it executes.
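As an added illustration of the argument above (not code from the original column), here is a toy polymorphic packer in Python with a byte-signature scanner run against its output. The payload bytes, the signature and the stub format are constructed for the example. Static matching misses every variant, the same match applied to what the decoder stub reconstructs at run time catches all of them, and the size of the variant space shows why shipping new signatures cannot keep up.

```python
import random

# Constructed stand-in for a malicious payload body; it is not real malware,
# just bytes whose "behaviour" we can recognise once unpacked.
PAYLOAD = b"CONSTRUCTED-PAYLOAD: connect back to 10.0.0.5:4444 and run cmd"

# Constructed byte signature, the kind a vendor extracts from the first
# sample of a family.
SIGNATURE = b"connect back to"

STUB = b"DEC"  # marker that starts the toy decoder stub


def polymorphic_encode(payload: bytes, key: bytes) -> bytes:
    """Toy polymorphic packer: XOR the body with a multi-byte key and
    prepend a decoder stub (marker, key length, key). Each key produces a
    different byte stream for identical behaviour."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB + bytes([len(key)]) + key + body


def unpack(sample: bytes) -> bytes:
    """What the decoder stub does at run time: recover the body in memory."""
    i = sample.index(STUB)
    klen = sample[i + len(STUB)]
    key_start = i + len(STUB) + 1
    key = sample[key_start:key_start + klen]
    body = sample[key_start + klen:]
    return bytes(b ^ key[j % klen] for j, b in enumerate(body))


def static_hit(sample: bytes) -> bool:
    """Pre-execution scan: look for the signature in the bytes on disk."""
    return SIGNATURE in sample


def runtime_hit(sample: bytes) -> bool:
    """Post-execution observation: the same signature, but applied to the
    body the stub reconstructs when the sample actually runs."""
    return SIGNATURE in unpack(sample)


def make_variants(count: int, key_len: int, seed: int = 1):
    """Generate `count` variants with random keys. Key bytes are drawn from
    1..255 so no position of the body is left unencoded. The seed makes
    the run reproducible."""
    rng = random.Random(seed)
    variants = []
    for _ in range(count):
        key = bytes(rng.randint(1, 255) for _ in range(key_len))
        variants.append(polymorphic_encode(PAYLOAD, key))
    return variants


def detection_rates(variants):
    """Fraction of variants caught statically and fraction caught at run time."""
    n = len(variants)
    static = sum(static_hit(v) for v in variants) / n
    runtime = sum(runtime_hit(v) for v in variants) / n
    return static, runtime


def variant_space(key_len: int) -> int:
    """Number of distinct encodings this packer can produce for one payload."""
    return 255 ** key_len


if __name__ == "__main__":
    vs = make_variants(1000, key_len=4)
    print("distinct samples:", len(set(vs)))
    print("static / runtime detection:", detection_rates(vs))
    print("possible 4-byte-key variants:", variant_space(4))
```

A signature database cannot enumerate 255^4 encodings of one 60-byte payload, let alone the 2^240 space the quoted paper describes, whereas observing the unpacked body needs exactly one rule. That is the asymmetry the column is pointing at.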

Post-breach detection is critical. Your organization may already have a breach in progress, because your endpoints are likely protected only with today’s “NG-AV”. It is critically important to adopt tools that help you quickly identify signs of compromise. Unlike the “detect to protect” approach, post-breach detection relies on continuous low-level monitoring on each endpoint, correlating events related to application execution, network activity and file system/storage activity to identify tell-tale signs of a breach or of an attacker moving laterally through your network.

There are many approaches including centralizing monitoring data within the enterprise, sending it to the cloud (if regulations permit), or autonomous correlation of events on and between endpoints to automatically build a precise view of anomalous activity and permit you to search for indications of compromise.
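An added example of the correlation just described, not the column’s own tooling: Python over a constructed set of endpoint events (process, network and file telemetry from three workstations, with an assumed host-to-address mapping). It links an Office-spawned script host to an outbound SMB connection, a file written over an admin share on the target host within a time window, and the execution of that file there, then searches every host’s file events for the dropped artifact’s hash. All hostnames, addresses, paths and the hash value are made up for the example.

```python
import ipaddress
from datetime import datetime

# Assumed endpoint-to-address mapping (constructed for the example).
HOST_IP = {"WS01": "10.0.0.11", "WS02": "10.0.0.22", "WS03": "10.0.0.33", "FS01": "10.0.0.50"}
IP_HOST = {ip: host for host, ip in HOST_IP.items()}

DOC_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}
ADMIN_PORTS = {135, 445, 3389, 5985, 5986}   # RPC, SMB, RDP, WinRM
ADMIN_SHARES = {"ADMIN$", "C$"}
WINDOW_S = 120                                 # max seconds between linked steps

DROPPED_SHA256 = "3c1f" * 16                   # constructed hash of the dropped binary

# Constructed telemetry; not real logs.
EVENTS = [
    {"ts": "2016-03-01T09:00:00", "host": "WS01", "type": "process", "pid": 4100, "image": "winword.exe", "parent": "explorer.exe"},
    {"ts": "2016-03-01T09:00:05", "host": "WS01", "type": "process", "pid": 4180, "image": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2016-03-01T09:00:20", "host": "WS01", "type": "network", "pid": 4180, "dst": "10.0.0.22", "dport": 445},
    {"ts": "2016-03-01T09:00:21", "host": "WS02", "type": "file", "path": "C:\\Windows\\Temp\\svc.exe", "sha256": DROPPED_SHA256, "share": "ADMIN$", "src_ip": "10.0.0.11"},
    {"ts": "2016-03-01T09:00:23", "host": "WS02", "type": "process", "pid": 512, "image": "svc.exe", "parent": "services.exe"},
    # Benign noise: explorer.exe browsing the file server over SMB.
    {"ts": "2016-03-01T09:01:00", "host": "WS01", "type": "process", "pid": 3300, "image": "explorer.exe", "parent": "userinit.exe"},
    {"ts": "2016-03-01T09:01:02", "host": "WS01", "type": "network", "pid": 3300, "dst": "10.0.0.50", "dport": 445},
    # Benign noise: an administrator's own PowerShell session using WinRM.
    {"ts": "2016-03-01T09:02:00", "host": "WS03", "type": "process", "pid": 2200, "image": "powershell.exe", "parent": "explorer.exe"},
    {"ts": "2016-03-01T09:02:10", "host": "WS03", "type": "network", "pid": 2200, "dst": "10.0.0.22", "dport": 5985},
    # The same binary reached WS03 by another route: no chain, but the hash matches.
    {"ts": "2016-03-01T09:05:00", "host": "WS03", "type": "file", "path": "C:\\Users\\bob\\Downloads\\invoice.exe", "sha256": DROPPED_SHA256},
]


def ts(e):
    return datetime.fromisoformat(e["ts"])


def within(earlier, later):
    """True if `later` happened 0..WINDOW_S seconds after `earlier`."""
    return 0 <= (ts(later) - ts(earlier)).total_seconds() <= WINDOW_S


def office_spawned_shells(events):
    """Step 1: a document handler launching a script host."""
    return [e for e in events if e["type"] == "process"
            and e["parent"] in DOC_HANDLERS and e["image"] in SCRIPT_HOSTS]


def admin_connections(events, proc):
    """Step 2: that process connecting to an internal host on an admin port."""
    return [e for e in events if e["type"] == "network"
            and e["host"] == proc["host"] and e["pid"] == proc["pid"]
            and e["dport"] in ADMIN_PORTS and ipaddress.ip_address(e["dst"]).is_private]


def remote_drops(events, conn, src_host):
    """Step 3: a file written on the target over an admin share from the source host."""
    target = IP_HOST.get(conn["dst"])
    return [e for e in events if e["type"] == "file" and e["host"] == target
            and e.get("share") in ADMIN_SHARES
            and e.get("src_ip") == HOST_IP[src_host] and within(conn, e)]


def executions_of(events, drop):
    """Step 4: the dropped file being executed on the target."""
    name = drop["path"].rsplit("\\", 1)[-1].lower()
    return [e for e in events if e["type"] == "process" and e["host"] == drop["host"]
            and e["image"].lower() == name and within(drop, e)]


def find_lateral_movement(events):
    """Chain the four steps; each alert carries the full evidence chain."""
    alerts = []
    for shell in office_spawned_shells(events):
        for conn in admin_connections(events, shell):
            for drop in remote_drops(events, conn, shell["host"]):
                for run in executions_of(events, drop):
                    alerts.append({"source": shell["host"], "target": drop["host"],
                                   "sha256": drop["sha256"], "chain": [shell, conn, drop, run]})
    return alerts


def search_artifact(events, sha256):
    """Which endpoints have seen a file with this hash, chain or no chain."""
    return sorted({e["host"] for e in events if e["type"] == "file" and e.get("sha256") == sha256})


if __name__ == "__main__":
    for a in find_lateral_movement(EVENTS):
        print(f"{a['source']} -> {a['target']} via {a['chain'][2]['path']} ({a['sha256'][:12]}...)")
        print("  also seen on:", search_artifact(EVENTS, a["sha256"]))
```

The benign SMB and WinRM traffic is not flagged because it never starts from a document handler, which is the point of correlating across event types rather than alerting on any single one of them. The nested scans are fine for a few thousand events; a production pipeline would index by host and process.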

Breaches are not inevitable. Adopting isolation will reduce your attack surface. Virtualization based security is a powerful architectural construct that enables you to reduce the attack surface by micro-segmenting your network and virtualizing workloads in the data center. Even simple network segmentation, keeping the vendor-facing network apart from the point-of-sale systems, would have blocked the path the Target attackers took. On user endpoints, micro-virtualization rigorously enforces the principle of least privilege using CPU-enforced isolation between tasks. Virtualization hardware enforces isolation and transforms security. Virtualized servers and micro-virtualized endpoints can protect themselves, the applications they run and the enterprise network by reducing the attack surface and by discarding the ephemeral by-products of execution every time an application is run, automatically remediating the system whether or not it has been attacked.

Isolation revolutionizes detection before a breach: hardware isolation through virtualization changes attack detection because the execution environment is robust enough that it is safe to let suspected malware execute. Virtualization permits detailed recording of memory, file system and registry changes, together with network traffic. Such a system reports only attacks it has actually observed, so false alerts largely disappear, and it provides full forensic detail for the attack, permitting an automatic, real-time search on other endpoints for the same attack. The practitioner’s caveat is that malware which fingerprints its environment and stays dormant inside the container is contained but not observed; the record covers only what the sample chose to do.
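The record, diff and search workflow, as an added example rather than the product the column describes. It stands in for hardware isolation with a throwaway copy of a baseline directory tree, so it demonstrates the forensic record and the cross-endpoint search, not CPU-enforced containment: the constructed “dropper” is an ordinary Python function running in-process, the baseline tree is built by the example itself, and the file inventories of the other endpoints are assumed data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed bytes standing in for a dropped binary; not real malware.
DROPPER_BYTES = b"CONSTRUCTED dropper body: would persist and beacon"
DROPPER_SHA256 = hashlib.sha256(DROPPER_BYTES).hexdigest()

# Assumed file inventories (path -> sha256) already collected from other
# endpoints; constructed for the example.
INVENTORIES = {
    "WS05": {"C:\\Windows\\System32\\notepad.exe": "0" * 64},
    "WS07": {"C:\\Users\\alice\\Downloads\\invoice.exe": DROPPER_SHA256,
             "C:\\Windows\\System32\\calc.exe": "1" * 64},
}


def snapshot(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def run_isolated(baseline: Path, task) -> dict:
    """Copy the baseline into a throwaway workspace, run task(workspace),
    diff before and after, then destroy the workspace. The baseline is
    never modified, whatever the task did. This is a file-system stand-in
    for the discard-after-execution behaviour the column describes."""
    work = Path(tempfile.mkdtemp(prefix="iso-"))
    try:
        shutil.copytree(baseline, work, dirs_exist_ok=True)
        before = snapshot(work)
        task(work)
        after = snapshot(work)
        return {
            "created": {k: after[k] for k in sorted(set(after) - set(before))},
            "modified": {k: after[k] for k in sorted(before) if k in after and after[k] != before[k]},
            "deleted": sorted(set(before) - set(after)),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


def search_endpoints(inventories: dict, record: dict) -> dict:
    """Look for every created or modified artifact's hash on other endpoints."""
    wanted = set(record["created"].values()) | set(record["modified"].values())
    hits = {}
    for host, files in inventories.items():
        matches = sorted(path for path, digest in files.items() if digest in wanted)
        if matches:
            hits[host] = matches
    return hits


def build_baseline(root: Path) -> None:
    """A small constructed endpoint tree."""
    (root / "Windows" / "Temp").mkdir(parents=True)
    (root / "Users" / "bob" / "Documents").mkdir(parents=True)
    (root / "Users" / "bob" / "AppData" / "Roaming").mkdir(parents=True)
    (root / "Users" / "bob" / "Documents" / "notes.txt").write_text("quarterly numbers\n")
    (root / "Users" / "bob" / "AppData" / "Roaming" / "startup.cfg").write_text("run=\n")


def fake_dropper(work: Path) -> None:
    """Constructed stand-in for a malicious document's side effects:
    drop a binary, add a persistence entry, destroy a user file."""
    (work / "Windows" / "Temp" / "svc.exe").write_bytes(DROPPER_BYTES)
    cfg = work / "Users" / "bob" / "AppData" / "Roaming" / "startup.cfg"
    cfg.write_text(cfg.read_text() + "run=C:\\Windows\\Temp\\svc.exe\n")
    (work / "Users" / "bob" / "Documents" / "notes.txt").unlink()


def demo():
    """Build a baseline, run the dropper in isolation, confirm the baseline
    is intact, and search the other endpoints for what was dropped."""
    base = Path(tempfile.mkdtemp(prefix="baseline-"))
    try:
        build_baseline(base)
        original = snapshot(base)
        record = run_isolated(base, fake_dropper)
        assert snapshot(base) == original, "isolation failed: baseline changed"
        return record, search_endpoints(INVENTORIES, record)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    rec, hits = demo()
    print("created:", rec["created"])
    print("modified:", list(rec["modified"]))
    print("deleted:", rec["deleted"])
    print("other endpoints with the artifact:", hits)
```

The record is the forensic detail the column talks about: what was written, what was changed and what was destroyed, each with a hash that can be matched against other endpoints immediately. A real implementation would also capture registry, memory and network activity, and would rely on the hypervisor rather than a directory copy for the containment.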

Next-gen Anti-Virus can’t help any more than traditional AV, but the principle of least privilege, enforced through virtualization based security, can stop the breach before it starts.  It can also tell you about unknown zero-day attacks and enable you to quickly search your network for other signs of an attack. 

Related Reading: Are We at the Dawn of an Endpoint Protection Revolution?
