What comes next for antivirus and next-generation antivirus software

Post by: Lital Asher-Dotan

Antivirus was once the main way to protect endpoints. This software was designed to detect malicious programs, block them from running and offer security professionals a way to remove them.

But threats have grown more advanced and malware is no longer the only threat vector adversaries use, significantly decreasing AV’s effectiveness at protecting companies. Today attackers can use fileless malware, zero-day exploits and advanced persistent threats in an attack campaign. These new threats don’t use signatures so traditional antivirus programs can’t detect and stop them.

With AV losing its edge, security vendors have named next-generation antivirus (NGAV) as the legacy product’s successor. But what exactly constitutes NGAV is unclear since there’s no accepted definition for this term. At a minimum, next-generation products need to go beyond just performing signature-based detection and incorporate some type of advanced technology. However, even with advanced technology, NGAV still has limitations that, over time, will greatly reduce its ability to detect threats.

Antivirus software and NGAV share the same fatal flaws

Next-generation antivirus products still look for certain file attributes that are associated with malicious activity. This is equivalent to scanning an endpoint for a list of specific attributes and labelling a program malicious if it contains them. In this way, next-generation antivirus and signature-based detection share the same fatal flaw.

Both AV and NGAV handle detection by looking for specific characteristics and don’t account for human ingenuity or attacker behavior. Opponents will adapt, change their tactics and eventually figure out how to get around next-generation antivirus. Neither the legacy product nor its successor offer true behavioral detection.

NGAV products only look at activity on one machine

Many NGAV products lack the ability to cross-correlate data from multiple endpoints and only know what’s happening on one machine. Cross-correlating data from multiple endpoints can generate a full attack story, allowing defenders to understand the entire attack campaign and fully remediate the threat. Only looking at data from one machine gives an incomplete attack story, leading to partially remediating the threat and still leaving the company vulnerable to the attack.

So while greater endpoint visibility is provided with NGAV, companies still have no way of knowing if a strange process on one machine is connected to an odd process running on another computer and, if reviewed together, indicate malicious activity. This is a very siloed approach to security. And, unfortunately, attackers don’t work alone in silos. They operate as teams and work together to use multiple entry points to get into an organization. NGAV needs to operate in a similar manner and leverage all of an organization’s endpoints   working together to protect the entire environment.

There’s no insight around the attacker’s tactics, techniques and procedures

NGAVs focus only on preventing attacks. For the attacks that NGAV can’t prevent, these solutions offer little or no visibility into what actually happened. Companies gain very little insight into what tactics, techniques and procedures the attackers used to infiltration the environment. They don’t help with investigation, forensics or any remediation activities.

Plus, prevention is only one part of the modern security equation. Companies need a way to detect attacks, stop adversaries that have already gotten past a company’s defenses and remediate an incident. But NGAV lacks these functions. While prevention is great for helping a SOC figure out what security concerns are legitimate, additional capabilities are needed to handle what happens when prevention can’t stop a motivated and sophisticated adversary.

Cybereason looked at the shortcomings of antivirus and why true NGAV means adding endpoint detection and response technology. Read our thoughts on this topic here.