The Last Line of Defense Is a Next Generation Anti-Virus

Next Generation Anti-Virus (NGAV) has become the latest evolution of the legacy anti-virus products that for years have protected computers, servers and networks from the range of modern-day cyber attacks. The legacy products that most people are familiar with deliver endpoint protection with very little effort on the user's part. NGAV takes an updated approach to the way malicious activity is detected and blocked.

Next Generation Anti-Virus

Ben Johnson from CarbonBlack describes NGAV as a “system-centric view of endpoint security, examining every process on every endpoint to algorithmically detect and block the malicious tools, tactics, techniques and procedures (TTPs) on which attackers rely”.

Johnson, in the article linked above, describes four important measures NGAV takes to protect a company:

  1. Prevent traditional malware, as traditional AV does.
  2. Prevent unknown malware and advanced attacks, and evaluate the general background of the attack for better prevention. (Traditional AV does not do this.)
  3. Provide visibility and context to identify the root cause of cyber-attacks, along with a better understanding of the environment. (Not something traditional AV offers.)
  4. Recover from attacks. (Traditional AV only blocks malware.)

Johnson says, “NGAV is traditional AV on ‘steroids’, offering superior prevention to traditional AV coupled with cutting-edge endpoint detection and response (EDR) capabilities”.

NGAV demonstrates a radically different approach to detecting and blocking malicious activity. NGAV takes a system-centric view of the endpoint, examining every process in order to algorithmically detect and block the malicious tools, tactics, techniques, and procedures on which attackers rely.

Why does traditional security not work?

Maria Korolov from CSO writes, “Traditional signature-based anti-virus is notoriously bad at stopping new threats such as zero-day exploits and ransomware, but it still has a place in the enterprise, experts say, as part of a multi-layer endpoint security protection strategy. The best anti-virus products act as the first layer of defense, stopping the vast majority of malware attacks and leaving the broader endpoint protection software with a smaller workload to deal with.

Anti-virus products create a signature for each piece of malware that is detected in the wild, but it requires someone to be infected to get the process started. "And, once an anti-virus company does this, it could be days or months for all endpoints to be properly updated with the correct signature," says Ed Metcalf, senior director of product marketing at Cylance, Inc. "By this time, a cyber-attack could easily spread throughout an enterprise and cause damage or steal data."

Virus Scanning

Virus Scanning:

Virus detection is a signature-based detection method, in which each file on the system is scanned and checked against a virus database.

Signature recognition:

Signatures need a database (a .dat file) that the vendor has to continually update.

Heuristic Detection:

For some time, data security organizations have known that virus files are evolving rapidly. The security community has responded by applying rules about the behavior of viruses. These behaviors are a collection of changes that a virus makes to its operating system or during its execution; examples include writing to the Temp folder or scheduling a job. Heuristic detection is useful for detecting potentially unwanted programs (PUPs).

Whitelisting:

Whitelisting apps is as simple as it sounds. It is the practice of specifying the approved software applications that are allowed to run on a computer system. The aim of whitelisting is to secure computers and networks from potentially harmful applications. This method requires administrative control of the operating system and a clear list of approved application signatures (as distinct from virus signatures), checked against the manufacturer's signature. Whitelisting is a good practice, but it does require a deeper understanding of the applications in your organization.
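To make the three mechanisms above concrete, here is an added Python example (not code from the original article or from any vendor named on this page) that runs constructed, harmless samples through a hash-based signature database, a weighted behaviour heuristic built from the Temp-folder and scheduled-job behaviours mentioned above, and a publisher whitelist. All sample bytes, publisher names and rule weights are made up for illustration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Sample:
    """A constructed executable plus the behaviours observed when it ran."""
    name: str
    content: bytes          # file bytes (constructed, not real malware)
    publisher: str          # who built/signed it (constructed)
    behaviours: list = field(default_factory=list)


# 1. Signature recognition: the ".dat" database of hashes of known-bad files.
SIGNATURE_DB = {hashlib.sha256(b"CONSTRUCTED-BAD-SAMPLE-v1").hexdigest()}

# 2. Heuristics: rules about behaviour, weighted and compared to a threshold.
HEURISTIC_WEIGHTS = {"write_temp": 1, "schedule_job": 2, "disable_av": 3}
HEURISTIC_THRESHOLD = 3

# 3. Whitelisting: approved publishers; anything else is not allowed to run.
APPROVED_PUBLISHERS = {"Acme Corp", "Contoso Ltd"}


def signature_match(s: Sample) -> bool:
    """Exact hash lookup: any change to the file bytes evades this layer."""
    return hashlib.sha256(s.content).hexdigest() in SIGNATURE_DB


def heuristic_match(s: Sample) -> bool:
    """Score observed behaviours; a lone Temp write stays below threshold."""
    score = sum(HEURISTIC_WEIGHTS.get(b, 0) for b in s.behaviours)
    return score >= HEURISTIC_THRESHOLD


def whitelist_block(s: Sample) -> bool:
    """Default deny: blocks unknown publishers, including unapproved legit apps."""
    return s.publisher not in APPROVED_PUBLISHERS


def verdict(s: Sample) -> dict:
    """True means that layer would block the sample."""
    return {"signature": signature_match(s),
            "heuristic": heuristic_match(s),
            "whitelist": whitelist_block(s)}


KNOWN = Sample("known.exe", b"CONSTRUCTED-BAD-SAMPLE-v1", "unknown", ["write_temp", "schedule_job"])
VARIANT = Sample("variant.exe", b"CONSTRUCTED-BAD-SAMPLE-v2", "unknown", ["write_temp", "schedule_job"])
LEGIT = Sample("updater.exe", b"CONSTRUCTED-GOOD-APP", "Acme Corp", ["write_temp"])

if __name__ == "__main__":
    for s in (KNOWN, VARIANT, LEGIT):
        print(s.name, verdict(s))
```

The one-byte variant slips past the signature database but is still caught by the behaviour rules and the whitelist, which is the gap the article's later sections argue NGAV is meant to close.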

Artificial intelligence (AI):

Using AI means that your agent can adapt, blocking or analyzing changes as they are made rather than only those it has seen before.

Blue Ridge Technology, after much research, has standardized on two solutions for NGAV for our managed service clients. These solutions are Cylance and SentinelOne.

Cylance describes its “unique artificial intelligence (AI) approach – predicting and protecting against known and unknown malware, fileless attacks and zero-day payload execution” as having “been deployed for more than 3,400 forward-thinking customers securing 14.5 million endpoints”.

“To merely respond is costly. You lose data. You lose infrastructure. You lose human and capital resources that could be productive elsewhere. When you catch threats before they execute, you contain the problem. You win, and the rewards add up. Read the report directly from Forrester here”. –Forrester Report: Cylance Provides 251% ROI, 99% Catch Rate. 98% Savings on Reimaging.

SentinelOne also uses state-of-the-art artificial intelligence (AI) to “protect, detect and undo known and unknown threats”.

Attack Prevention with Static AI

“SentinelOne’s single agent technology uses a Static AI engine to provide pre-execution protection. The Static AI engine replaces traditional signatures and obviates recurring scans that kill end-user productivity.

SentinelOne’s Behavioral AI engines track all processes and their interrelationships regardless of how long they are active. When malicious activities are detected, the agent responds automatically at machine speed. Our Behavioral AI is vector-agnostic – file-based malware, scripts, weaponized documents, lateral movement, file-less malware, and even zero-days”.

For small businesses, network security may not seem important; most think data breaches only happen to large companies, but recent studies reported by USA Today have shown a huge increase in cyber threats aimed at small businesses. Companies with an infrastructure of 50 computers or fewer are sometimes even more at risk from hackers than large companies that already have in-house IT staff, firewalls, and virus protection in place. With the growing threat of hackers trying to infect as many computers as possible, network data security should be a high priority when setting up your business’s network. As a small to mid-size business, you need someone to keep a close eye on your network security, but you may not always have the means to hire an in-house technician; this is where Blue Ridge Technology can help you.

Make sure that your network is covered by NGAV; if you’re not sure, contact us today!