In the world of antivirus the idea of “next-gen” AV is confusing at best. But is it ready to take on the challenge of ‘next-gen’ threats?
Anytime anyone in IT hears the term “next-gen” used, they immediately know it’s a bit of attention-grabbing marketing meant to claim that the solution includes some modern approaches its (sans “next-gen”) competition does not. However, in the world of antivirus (AV) the idea of “next-gen” AV (NGAV) is confusing at best. The term does little to help the customer understand what’s different about a supposedly amazing, advanced and new “next gen” solution. Even Gartner has given up on this marketing moniker, stating there’s no more “next-gen” in AV.
A few years ago, there was a demonstrable difference between the approaches used by “traditional” AV and NGAV solutions. The incumbent solutions relied primarily on signature- and heuristics-based detection, while NGAV developed approaches to identifying malware that relied primarily on artificial-intelligence-based Machine Learning (ML) algorithms. However, in today’s marketplace the “traditional” vendors have expanded their solutions to incorporate different approaches to detecting malware, and employ artificial intelligence in various ways to remain effective. Much of the functionality that was once considered “next-gen” is present as a commodity part of any AV offering.
So, the AV “generational gap” is closing, if not already closed.
With modern AV solutions incorporating many former “next-gen” features, it must mean today’s AV is immensely effective at stopping malware, right? The answer depends on the nature of the attack. Nearly all AV and NGAV detection depends on historical attack signatures, behaviors and the like as the basis for all future detection. This presents a problem when malware authors build evasive techniques into their malware, which is a common tactic. According to Minerva Labs’ 2017 End-of-Year Report, 86% of exploit kits and 85% of payloads utilize some form of evasive technique that isn’t being caught by security solutions.
This is an important caveat if NGAV is (or is planned to be) a part of your security strategy: even with NGAV in place, the evasive techniques being used are purposely working to avoid detection by solutions designed to, well… detect. Take the example of the evasive technique of memory injection. NGAV solutions may watch for unknown processes, but this technique often involves placing malicious code into the memory space of known, trusted processes. To the endpoint, it’s a good process… and is unlikely to be considered malicious by detection tools. To make matters worse, cyber criminals test their newest wares against major AV and NGAV solutions to ensure they can successfully infect endpoints.
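The injection case above is worth seeing in defender terms: a file-reputation or process-allowlist check on the target process (explorer.exe, svchost.exe) answers “good”, so the only signal left is the behaviour between two processes. The following is an added example, not code from the original post or from any vendor: it correlates constructed Sysmon-style telemetry (event 10 ProcessAccess, event 8 CreateRemoteThread, reduced to the fields the rule needs) and flags a non-allowlisted process that opened a trusted process with thread-creation and memory-write rights and then started a remote thread in it shortly afterwards. The log lines, the trusted-target set and the allowlisted-source set are all constructed assumptions for the demonstration.

```python
"""Added example: correlate constructed Sysmon-style telemetry to flag code
injected into a trusted process.  Reputation checks on the *target* say
"good"; only the cross-process behaviour (handle opened with write/thread
rights, then a remote thread created) reveals the injection.
All log lines and the trust/allow lists are constructed assumptions."""
import re
from datetime import datetime, timedelta
from posixpath import basename  # constructed paths use forward slashes

# Windows PROCESS_* access rights (values from the Win32 API headers).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed site-specific lists: targets that reputation tools rate as trusted,
# and sources that legitimately open them with broad rights (e.g. the AV engine).
TRUSTED_TARGETS = {"explorer.exe", "svchost.exe", "lsass.exe"}
ALLOWED_SOURCES = {"MsMpEng.exe", "csrss.exe"}

# Constructed log lines modelled on Sysmon event 10 (ProcessAccess) and
# event 8 (CreateRemoteThread); fields reduced to what the rule needs.
CONSTRUCTED_LOG = """\
2024-05-01T10:00:00 id=10 src=C:/Users/u/Downloads/invoice.exe dst=C:/Windows/explorer.exe access=0x1F0FFF
2024-05-01T10:00:01 id=8 src=C:/Users/u/Downloads/invoice.exe dst=C:/Windows/explorer.exe
2024-05-01T10:00:02 id=10 src=C:/ProgramData/AV/MsMpEng.exe dst=C:/Windows/explorer.exe access=0x1F0FFF
2024-05-01T10:00:03 id=8 src=C:/ProgramData/AV/MsMpEng.exe dst=C:/Windows/explorer.exe
2024-05-01T10:00:04 id=10 src=C:/Program Files/App/app.exe dst=C:/Windows/svchost.exe access=0x1410
2024-05-01T10:00:05 id=10 src=C:/Users/u/AppData/Local/Temp/a.exe dst=C:/Windows/svchost.exe access=0x1F0FFF
2024-05-01T10:00:40 id=8 src=C:/Users/u/AppData/Local/Temp/a.exe dst=C:/Windows/svchost.exe
2024-05-01T10:00:41 id=8 src=C:/Users/u/Downloads/other.exe dst=C:/Windows/calc.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\d+) src=(?P<src>.+?) dst=(?P<dst>.+?)"
    r"(?: access=(?P<access>0x[0-9A-Fa-f]+))?$"
)


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime, int id,
    basenames of source/target images and the access mask as an int (0 for event 8)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "id": int(m["id"]),
        "src": basename(m["src"]),
        "dst": basename(m["dst"]),
        "access": int(m["access"], 16) if m["access"] else 0,
    }


def detect_injection(lines, window=timedelta(seconds=5)):
    """Return one alert per (source, target) pair where a non-allowlisted process
    opened a trusted process with CREATE_THREAD|VM_OPERATION|VM_WRITE (event 10)
    and then created a remote thread in it (event 8) within `window`."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    pending = {}  # (src, dst) -> timestamp of the suspicious handle open
    alerts = []
    for ev in events:
        key = (ev["src"], ev["dst"])
        # Untrusted targets are left to other rules; allowlisted sources are expected.
        if ev["dst"] not in TRUSTED_TARGETS or ev["src"] in ALLOWED_SOURCES:
            continue
        if ev["id"] == 10 and ev["access"] & INJECTION_RIGHTS == INJECTION_RIGHTS:
            pending[key] = ev["ts"]
        elif ev["id"] == 8:
            opened = pending.pop(key, None)
            if opened is not None and ev["ts"] - opened <= window:
                alerts.append({
                    "source": ev["src"],
                    "target": ev["dst"],
                    "opened_at": opened.isoformat(),
                    "thread_at": ev["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_injection(CONSTRUCTED_LOG.splitlines()):
        print(f"ALERT: {a['source']} -> {a['target']} (trusted target): "
              f"handle opened {a['opened_at']}, remote thread {a['thread_at']}")
```

On the constructed input only invoice.exe is flagged: the AV engine is allowlisted, app.exe opened svchost.exe with query-only rights, a.exe waited longer than the five-second window (widening the window catches it, at the cost of more noise), and calc.exe is not a trusted target. Remote-thread creation also happens for legitimate reasons, which is why the allowlist exists, and injection variants that never call this API surface in other events, so treat this as one rule in a set rather than coverage of the technique.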
As long as malware authors continue to discover and leverage methods of avoiding detection, even NGAV lacks the ability to completely protect endpoints. Rather than replacing one endpoint protection solution with another (which brings only an incremental benefit), assess technologies that cover the gap without overlapping existing features: specifically, one that works to address evasive threats. Solutions focused on evasive malware aren’t concerned with detection; instead they use tactics to prevent evasive malware from ever running by breaking any attempt to get around existing security controls (e.g. environment scanning, memory injection, hiding in Office documents, etc.).
There is no Next-Gen AV
AV (next-gen or otherwise) is stuck in a cyclical pattern of detecting threats and updating signatures, trying to close a gap that remains outside the reach of AV. “Next-Gen” is now the current generation, with one solution not significantly better than another.
But the effectiveness of AV isn’t found in trying to create some new advanced methodology that jumps ahead of anything any cyber-criminal is doing today. It’s found in carefully watching how malware techniques evolve over time, finding ways to stop them, and evolving AV in step.
In essence, there is no such thing as “next-gen”.
If anything, the next step in the evolution of AV isn’t more detection – evasive malware is making certain of that. In order to keep evasive malware at bay, the next step needs to be prevention. Make sure your endpoint security architecture is designed to prevent both standard and evasive threats, so that you can focus your detection and response energy on those threats that truly require the involvement of your investigative team.