When it comes to protecting your endpoints, there are many ways to do it. One of buzz words I still hear is “Next Generation AV” protection. This term is often used to set a vender apart from the “old school” products that offer traditional definition-based file scanning to identify malware. In most cases, the vendors I see doing this today are Endpoint Detection and Response (EDR) vendors that have added an AV component into it. Beyond the term, what really makes up NGAV? Is it actually better? Worse? How can you even tell? While there is no formal definition, ultimately NGAV is a number of layers of protection that have been added together:
- Cloud Information – The product will leverage information from the cloud (i.e. vendor network) to help create verdicts determining whether a file is safe or malicious in some way. In some cases, the product is using definition-based AV, but the definitions are in the cloud
- Machine Learning – This is another undefined term in the industry. Essentially, this means that the product employs intelligence beyond definitions and reputations. It may look at how the software was packaged for similarities to malware, build profiles of normal activity on the machine to notice changes, etc. While not definition-based, this is formulaic or recipe-based. It grades “normal” and then when something goes abnormal it can stop it
- Behavior Monitoring – Polymorphic malware can change its signature to avoid definition-based verdicts. Monitoring the behavior of the file can indicate whether it is doing something nefarious and prevent it
- File-less Malware protection – This is malware that leverages existing software on a machine to run itself, such as PowerShell. It will execute and be loaded into memory without dropping files by leveraging known-good capabilities. A traditional signature engine cannot see these
NGAG provides innovative protection layers, but it misses many of the security layers that exist to achieve better posture. Whatever your feelings are about definition-based AV products, there are many other components that your typical NGAV vendor do not provide that are still relevant today:
- Definition-based scanning (traditional AV) – Still provides protection against the low-hanging fruit, but definition size is often part of the problem
- Host firewall – If access is prevented, so is malware. Many organizations rely on the perimeter to stop network threats, but what happens the moment an incident occurs within that perimeter? Host firewalls prevent the spread of internal threats to neighbors (i.e. lateral movement). If malware cannot see a machine it cannot spread to that machine (without something else doing it)
- Host IPS – this prevents known exploits from succeeding on the endpoint (WannaCry for those around then, or RDP this year). This is especially useful in organizations with slower patch cycles or sensitive equipment that may not be allowed to patch.
- Download protection – being able to evaluate reputation and definitions prior to downloading anything malicious
- Hash blocking – Some NGAV contain this, others do not. This allows you to block very specific known bad files the moment they are seen by the product
- Alternative protections – most of the platform vendors include other methods to secure challenging endpoints such as various operating systems (Linux, Unix, Mac, Server 2003), bad-behaving application servers like that payroll system where the vendor went out of business 15 years ago, that medical device that operates similarly to a virus, and heavily-impacted machines (VDI and other non-persistent machines). Your standard NGAV vendor will lack these special case solutions, leaving you to decide if another vendor is needed or if you will accept the risk of those unprotected devices
- Encryption control – regulated industries and those that have something to protect (Intellectual Property) typically encrypt endpoints. Most platform vendors provide disk encryption solutions built in or as a blade, but so far no NGAV vendor does this
- Web Proxy – Protecting web traffic from going to malicious sites or downloading malicious content is important to reduce the load on your endpoint protections and are a smart layer to prevent issues before they are on your network
- Other Platform integrations – Vendors offering a full endpoint protection suite will often have additional protection products outside of the endpoint protection space that integrate together such as CASB, DLP, email gateways, etc.
To answer the question in the title, no, NGAV has nothing “Next Gen” about it. Pretty much every vendor today that is still on the market can call themselves Next-Gen. That does not make them good or bad. Every organization has its own challenges: size, speed of patching, skill of employees, workload of employees, funding, other protection layers in place, etc. and will have to evaluate on their own what the best way forward is for their situation. Just keep in mind that trying to remove “bloat” or “legacy” solutions may end up requiring multiple new agents to handle all of the layers that are still needed.