Cybereason Blog | Cybersecurity News and Analysis

Why NGAV Displaced Traditional Antivirus Tools

Written by Anthony M. Freed | Oct 11, 2022 1:51:43 PM

Next-generation antivirus (NGAV) solutions are quickly replacing outmoded signature-based antivirus tools, and ransomware has a lot to do with it. Traditional AV tools fall short considering what we’re up against when we look at the true cost of ransomware attacks for business, and why this change was inevitable.

Before we can understand the need for a more efficient and effective solution, we have to understand the evolution of the problem: ransomware operations–or RansomOps–have evolved in complexity and are more difficult to defend against than ever.

Webinar: NGAV Redefined
October 26th | 12:00 PM ET / 9:00 AM PT

Register Here

Ransomware by the Numbers

Ransomware attacks rose by 57% in 2021, and sadly, only 8% of companies that pay the ransom get all of their data back. As of this past February, CISA reported ransomware attacks against 14 out of 16 critical national infrastructure sectors, and a recent IDC study noted that 37% of all businesses fell victim to a ransomware attack last year. 

It’s no surprise that ransomware is the top key risk area that audit departments anticipate focusing on in 2022, according to Gartner. The longtail advance of these attacks has made ransomware a force like never before. Traditional security approaches are simply not able to address the increase in RansomOps attacks. 

The problem is multifaceted, with attacks getting more sophisticated, and coming at higher volumes, creating a perfect storm for security professionals and organizations alike. We now see more sophisticated ransomware business models, with multiple players from the ransomware economy specializing in different aspects of the attacks and sharing in the profits. 

The Problem(s) with Traditional Antivirus

Traditional antivirus solutions run off a signature-based model. First there is the “sacrificial lamb(s)–the first victim(s) of a new piece of malware. Once identified, malware reverse engineers analyze the malicious code and generate a signature detection for that particular strain. 

Then, new signatures to address the newly discovered malware strains are pushed out to endpoints. A subsequent scan can alert a user if that particular malware strain is present on their device and (hopefully) remediate the threat. It can prevent infection from that and other “known” malware variants.

There are obviously several issues with this model: first of all, it is dependent on manual processes that require a human (or several) to do all the heavy lifting, and this takes time–something that works in the attacker’s favor. Given the dependency on manual processes, this means it cannot possibly scale (unless everyone becomes a malware reverse engineer). Simply altering some of the code or repacking the malware makes it undetectable and a new signature needs to be developed–the ultimate game of whack-a-mole.

Furthermore, this model does not effectively address emerging, never before seen threats, so there will always be victims before there is any protection available. While signature-based protection may be adequate for consumers, it’s easy to see how the increase in the number of attacks makes traditional antivirus a non-starter for organizations who are subject to targeted attacks. The issue is only made worse if the malicious code happens to deliver a ransomware payload.

Why do you think 2021 was such a landmark year for ransomware? It’s all of these problems combined – more attacks than ever, so many unknown ones, and antivirus solutions that aren’t equipped to catch them. No wonder Gartner reported that the threat of new ransomware models was the top emerging risk facing organizations late last year. 

Add to that the increase in Initial Access Brokers selling backdoors to compromised organizations, the RaaS (Ransomware-as-a-Service) operations that allow even the technically challenged to set up and execute a ransomware attack campaign, and all the other players in the ransomware economy who are pushing the ransom demands into the tens-of-millions of dollars, and we have a problem for which more advanced solutions are required. 

Machine Learning NGAV

NGAV represents the next natural evolutionary step forward for anti-malware protection–especially where ransomware is concerned–and aims to deliver endpoint protection against today's most sophisticated attacks. What sets it apart from traditional antivirus is a technical strategy that approaches the problem with a more holistic, system-oriented view using intelligent machine learning algorithms to identify, isolate and block the tools and methods attackers rely on to compromise modern systems. 

Instead of focusing on detecting malware based on file characteristics and behaviors like traditional AV, NGAV observes all processes in a system. That includes network activity, interfaces, configurations, and access patterns. In doing so, NGAV systems establish a baseline of the expected system and user behavior, which helps it identify anomalies that may signify attacks over the long term.

Relative to traditional malware, NGAV provides users and organizations with several critical benefits:

  • NGAV can prevent highly sophisticated attacks that use unknown threat signatures and behaviors. Rather than detecting malware, it can detect attacks based on system behavior resulting in far more reliable prevention.
  • Machine learning NGAV provides the root cause of attacks and give a system-centric view of exploited vulnerabilities
  • NGAV can work to prevent the early stages of a ransomware attack that precede the delivery of the ransomware payload, and offers further protection by also assuring that payload is not detonated on the target machine in the case where the first stages of the attack were not detected
  • NGAV is complementary to EDR and XDR solutions and offers far superior protection to traditional AV or EDR alone

While traditional antivirus approaches tend to become more vulnerable as attackers learn to work around them, NGAV protected systems naturally become more secure over time, as the machine learning algorithms learn more about user and system behavior.

NGAV aims to prevent advanced threats like ransomware and complex RansomOps attacks from infecting the network at its core. NGAV systems can anticipate and avoid both well-known and zero-day attacks over time as the first line of defense, and an NGAV solution that offers multiple prevention layers clearly is optimal.


Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason multilayer NGAV prevention here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.