For too long, antivirus vendors didn’t
innovate fast enough, and more and more companies started to question the
effectiveness of AV. Understandably, there are now several vendors out there
touting “Next Generation Antivirus” as the answer. Next generation antivirus
claims to have much more advanced analysis, but there are a number of things
they will never tell you in the marketing glossies:
- They’re not as different from incumbent vendors as they
claim. In recent years, legacy AV vendors have
responded to market challenges by introducing much more than just signature
based controls. They’ve introduced better behavioral analysis and more advanced
heuristics, so these next generation vendors’ new methods aren’t as much of a
quantum leap as they’d have you think.
- Outside of antivirus they’re not as feature rich as
incumbent vendors. Most NGAV solutions still lack EPP
components like host firewalls, host IPS, disk encryption, application control
and whitelisting. This means that even if you rip and replace your AV solution,
you’re likely to still need your EPP solution in some shape or form.
- They still largely rely on “prior knowledge”. Although we all know the limitations of “signature based” controls,
and how easily they can be circumvented, NGAVs still look for indications of
known malicious activity. That might be specific tools or methods attackers
use, or specific activities attackers are known to favor, and a determined attacker
can still easily circumvent them. In fact, little independent data exists to
show that NGAVs are significantly more effective than incumbents.
- They’re still in the cat and mouse escalation game. Although NGAVs claim to use more advanced methods they’re still in the
game of learning what attackers do, while attackers learn what NGAVs are
looking for. If machine learning can learn to detect malware, machine learning
can learn to avoid detection by machine learning. In
a recent article, Omri Moyal, VP Research at Minerva shared that "the
most sophisticated attackers will develop their own offensive models. Some will
copy ideas and code from various publicly-available research papers and some
will even use simple trial and error, or replicate the offensive efforts of
another group. In this cat-and-mouse chase, the defenders should change their
model to mark the evolved attack tool as malicious. A process which is the
modern version of 'malware signature' but more complex." This becomes just
the next stage in the tired battle between defenders and attackers.
This means that although “ripping and
replacing” your existing antivirus solution might seem like a great idea,
you’ll need to go through a lengthy rollout, perform large amounts of
regression testing, and re-engineer your IT processes. At the end you might
only get incremental improvement on your antivirus effectiveness, and you may
even lose functionality in the transition.
Also, NGAVs have their operational challenges. One way for an NGAV to increase its effectiveness at blocking malware
is to lower its detection threshold, which also increases the rate of false
positives. This has a direct impact on the resources needed to investigate each
of these alerts. Conversely, keeping the threshold tuned to avoid alert fatigue
trades away detection and raises the risk level.
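The threshold trade-off described above, worked through on constructed numbers (this is an added illustration, not Minerva's or any vendor's code; the score distributions and the daily event mix are assumptions chosen so the benign and malicious populations overlap):

```python
from typing import List, Tuple

# Constructed classifier scores (0..1) for a hypothetical NGAV model; not real data.
# Benign scores span 0..0.7 and malicious scores span 0.3..1.0, so the two
# populations overlap, which is what forces the threshold trade-off.
BENIGN_SCORES: List[float] = [(i % 97) / 97 * 0.7 for i in range(2000)]
MALICIOUS_SCORES: List[float] = [0.3 + (i % 53) / 53 * 0.7 for i in range(200)]


def confusion(threshold: float) -> Tuple[int, int, int, int]:
    """Count (tp, fp, fn, tn) when every score >= threshold is blocked/alerted."""
    tp = sum(1 for s in MALICIOUS_SCORES if s >= threshold)
    fp = sum(1 for s in BENIGN_SCORES if s >= threshold)
    return tp, fp, len(MALICIOUS_SCORES) - tp, len(BENIGN_SCORES) - fp


def rates(threshold: float) -> Tuple[float, float]:
    """Detection rate (TPR) and false-positive rate (FPR) at this threshold."""
    tp, fp, fn, tn = confusion(threshold)
    return tp / (tp + fn), fp / (fp + tn)


def daily_alert_load(threshold: float, benign_per_day: int, malicious_per_day: int) -> dict:
    """Project the rates onto a fleet's daily event mix (assumed figures) and
    return the alerts an analyst team would have to triage, plus the share of
    them that are real. Benign events dominate on any real fleet, so even a
    small FPR becomes a large absolute number of false alerts."""
    tpr, fpr = rates(threshold)
    true_alerts = tpr * malicious_per_day
    false_alerts = fpr * benign_per_day
    total = true_alerts + false_alerts
    return {
        "threshold": threshold,
        "detection_rate": round(tpr, 3),
        "false_positive_rate": round(fpr, 3),
        "alerts_per_day": round(total),
        "precision": round(true_alerts / total, 4) if total else 1.0,
    }


def sweep(thresholds, benign_per_day=1_000_000, malicious_per_day=10):
    """Evaluate several thresholds against the same (assumed) daily event mix."""
    return [daily_alert_load(t, benign_per_day, malicious_per_day) for t in thresholds]


if __name__ == "__main__":
    for row in sweep([0.5, 0.65, 0.9]):
        print(row)
```

Lowering the threshold from 0.9 to 0.5 raises detection from about 10% to 68% of the malicious samples, but on the assumed mix it also turns 27% of a million benign events into alerts, which is the staffing problem the paragraph describes.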
In light of this, NGAV replacement can be very risky and costly, and be
a significant distraction from solving your organization’s highest priority
security issues. This is especially true in larger organizations that have
built well-oiled IT processes around AV management, including tweaking
policies, managing blacklists, whitelists, integrations with other systems and
so on. In fact, in mid to large enterprises implementation can take between
12 and 18 months and result in only marginal improvement in performance and
effectiveness, gaps which the existing tool could have closed by the time
implementation is complete.
A better idea might well be to improve upon
what you have already, but adopt a completely new approach. For companies that
want to keep their existing antivirus solution, this is what Minerva aims to
Minerva introduces a new endpoint defense
strategy which allows you to block unknown malware designed to evade existing
defenses, regardless of whether there is a known signature, behavior pattern or
machine learning model and as such augment the effectiveness of your existing
security defenses. Minerva achieves this by deception and trickery on the
endpoint, controlling how the malware perceives its environment to render it
ineffective. This includes:
- Creating a hostile environment. Minerva
deceives the malicious program into believing the environment is not safe for
execution due to a variety of security tools which appear to be on the
endpoint, resulting in the malware suspending or terminating its execution.
- Preventing injection through deception. Minerva prevents malicious software from hiding in legitimate
processes by deceiving the malware into believing the memory space is
unavailable, preventing such malicious programs from gaining a foothold on the
- Restricting document executable capabilities. Minerva blocks malicious actions initiated by document files, such as
those that employ macros, PowerShell and other scripts. Minerva deceives
document-based malicious tools into believing that system resources like shell
commands are not accessible.
This means that with Minerva, you boost endpoint security without the
costs and risk of rip-and-replace endeavors, and without requiring additional
personnel to sift through false alerts, because threats are blocked preemptively
rather than flagged for investigation. With Minerva the volume of events that incident
responders need to deal with is reduced, allowing them to focus on the
incidents which are most likely to impact the business.