Why next-generation antivirus requires more than building a better mousetrap

February 13, 2017 | 3 minute read

It’s become commonplace to talk about increasing sophistication of adversaries and the degree to which they are organized and effective, but that makes it no less true. You can tell the size and age of any system in nature (from language families to speciation in an ecosystem) by the degree of specialization and sophistication in that system. The “dark side” of the Internet is a rich economy with global reach, professional organization, supply chains, QA labs, SLAs and much more. If anything, it’s looking like the Dark Web is the home of a mid-sized nation in terms of economic clout, politics and diplomatic relations!

This is relevant to so-called next generation technologies because it all provides resources, practices, tools, techniques and services to attack the real world economy. In other words, there’s a world of options available to cyber criminals, nation states, hacktivist and other denizens of the nether pits of the Internet; they have a wealth of options and choices for attacking us. All of us. And this means that whatever carries the next gen label can’t just be a better mouse trap. There has to be something that changes the game, that reverses the advantage ,that effectively dedicates more than another sliver of an isolated machine to stopping the inevitable attacks that enterprises will face.

The cliff of antivirus software

Every technique in the world has a shelf life. Given an intelligent, organized opponent, it’s only a matter of time until it diminishes. You want to know how effective file hashes are? It’s next to zero. Think of a graph where the slope of the line always drops over time.  Well, on that graph, legacy AV is a cliff. It moves out a little and plunges to uselessness. That’s because the Dark Web and its economy and its innovation and explicitly its QA labs run all the AV products out there and don’t release a single attack without it getting green lights across the board.

So along come the so-called next-generation antivirus (NGAV) technologies with claims of advanced algorithms, data science, machine learning and even artificial intelligence. It’s all better mousetrap stuff.  Some of it may be true, but most of it is hyperbole and FUD. I don’t think we’re about to take a nascent intelligence, a new sapience in the universe and stick it on a marketing laptop with the purpose of stopping the next worm. If we did, I think we’d know about. And if you’re at the RSA Conference this week and someone tries to sell you that one, ask them to go a little deeper. It’s most likely not AI and is probably a simple, known machine learning algorithm (at most) from the 19th century repurposed for use on a machine stopping malware.

And it too will hit the cliff of AV.  The graph of its utility will decline faster and faster as the techniques get known until it has about as much utility as AV because bad guys adapt. The best adaptive intelligence in the world that we know, human beings, are the heart of that innovation and change.

EDR adds next gen to next generation endpoint protection

It’s simple: we need the real next gen to step up and protect endpoints. And that’s the point of what we’re introducing this week. Cybereason’s next generation endpoint protection has a mousetrap, just like the others. We also will do AV and we’ll even employ some of the same better mousetrap approaches of the current wave of next gen AV vendors. But what will really make this next gen is bring the enterprise context to bear. It’s using more than a sliver of one machine to protect a machine. It’s about bringing all the machines to the game in protecting all of the machines.

Behaviors are the best source of data for our mission. Ultimately, good guys will do good things and bad guys will do bad things. Behavioral techniques will have to keep up too and can be dodged by the bad guys, but not as easily; and the curve for behavioral techniques will survive contact with the enemy and the Uncertainty Effect. Acting on the system at scale will survive.  Behavioral analysis from endpoint data and applied back on the endpoints won’t fall off a cliff and has the potential to change the game.

It’s the notion of enterprise-wide (and wider) context and visibility into cross-machine, cross-identity and even cross-network movement and behavior that will bring the power to the machine for AV to be effective at prevention and blocking. In other words, it’s our belief that we need to bring in a cat to catch this mouse. When EDR is brought to the AV game, it’s greater than the sum of the parts and puts the next gen into next generation endpoint protection. This is our wheelhouse, and we can finally look to see the tables turned, the advantage move to the defender, in protecting endpoints and, by extension, to protecting enterprises and knocking the Dark Web back on its heels.

Sam Curry
About the Author

Sam Curry

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.

All Posts by Sam Curry