Cybereason Blog | Cybersecurity News and Analysis

How Endpoint Detection and Response Platforms Differ from NGAV

Written by Fred O'Connor | Sep 8, 2016 7:45:25 PM

Right now, many security teams are taking a long, hard look at their antivirus solutions. It’s no secret that they’re just not as effective as they used to be, so security folks are looking for an alternative. Enter next-generation antivirus (NGAV), which is supposed to be smarter than conventional antivirus. Most NGAVs use a combination of one or more of:

Main Differences Between EDR and NGAV

  • Signature-based detection - aka last-generation antivirus (LGAV). At their core, most NGAVs are largely based on the same methodologies as their predecessors with a few improvements.
  • Endpoint-based exploit detection. Some NGAVs include the ability - on the endpoint - to look for processes trying to execute common exploit techniques, like overrunning buffers or hijacking DLLs. You’ll hear terms like machine learning and artificial intelligence (AI) bandied around here too. However, your laptop hasn’t exactly been awesome at AI in the past - so that should make you a little suspicious.
  • Server-based analysis. In addition to the analysis performed on the endpoint, some NGAVs will forward data to a centralized server for further analysis. If the server detects malware, then it will tell the endpoint to block the offending process.

In general, NGAVs are significantly more effective than conventional AV solutions, so by deploying them you will see some improvement and cut down on chasing infections. But the effect on your overall security posture is less than you think. Here’s why.

  • NGAVs are not 100% effective. Not even close. Even if we very generously assume that an NGAV is 95% effective, that means it’s going to fail one time out of 20. Those are not great odds. And the times an NGAV fails are likely to be the most serious attacks.
  • NGAVs focus solely on malware. That one time in 20 that the NGAV fails to detect the infiltration it’s game over, thanks for playing. They do nothing to detect later stages of the attack, like lateral movement, privilege escalation and command and control.
  • NGAVs focus only on preventing attacks. If they can’t prevent it, they offer little or no visibility into what actually happened. They don’t help with investigation, forensics or any remediation activities.

We’re not saying NGAV’s aren’t useful, but they’re a hygiene tool just like LGAVs. You don’t rely solely on a hand-washing regime to protect yourself when you are sick or during an epidemic. You need specialized medicine, knowledge and expertise on hand to make sure that if you do get infected you can contain and eradicate the illness as quickly as possible, keeping the symptoms and impact to a minimum.

That’s where an endpoint detection and response (EDR) platform like Cybereason comes in. EDR platforms provide you with the visibility to understand when an NGAV has missed a threat, and evolved beyond a simple malware infection. Cybereason will automatically pull together all the related attack activities, and show you their scope and impact. Additionally, Cybereason automatically contains an attack, and gives you the context you need to completely eradicate the threat.

Some EDR tools will incorporate NGAV as an add-on module. But as with any security strategy, you need to prioritize your main problem areas and focus on having the best technology to detect and respond to all threats and attack stages.
View full post