Traditional endpoint antivirus has outlived its usefulness. Polymorphic code, packers and wrappers, none of them new techniques, can make a known binary look completely different on disk and therefore invisible to antivirus that relies on static signatures to identify known threats.
As a result, it is becoming harder for organisations to rely on these static techniques for detection and protection, and many are moving away from antivirus and adopting newer technologies to protect their endpoints from malware and other forms of attack.
Is antivirus dead?
All the antivirus protection in the world cannot keep up with the growing volume of new, never-before-seen threats that use evasion techniques to disguise malware.
Defence based on prior knowledge of an attack is increasingly futile: an attacker can trivially alter the code, and with it the fingerprint, of a piece of malware to evade signature-based detection.
Attackers can also mount fileless attacks, delivered for example by a drive-by download when a user simply browses a compromised website. Because the payload runs only in memory and is never written to disk as a file, it evades antivirus and intrusion prevention products that look for a known file.
Leaving antivirus behind therefore looks inevitable, but what do organisations need to consider when replacing it? The four requirements below describe what next-generation endpoint protection should provide:
Predicting the attack
Being able to anticipate what an attack is likely to do next is the foundation of a robust defence against known and unknown threats. Predictive functionality determines a threat's probable next action from attack patterns, techniques and crowd-sourced threat intelligence.
Monitoring the system, its processes and their threads lets the agent judge whether behaviour on a device is malicious or benign. This matters because attackers have learned to inject into or otherwise tamper with legitimate system processes to avoid detection.
This evaluation must run autonomously on the endpoint and keep working offline, because the endpoint may lose network access at any point during an attack.
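The contrast the sections above draw, a static signature that a repacked sample walks past versus a behavioural judgement of what a process chain actually does, is illustrated below with an added example. It is not SentinelOne code, and the hash, the toy packer, the indicator rules and the process-event samples are all constructed for the illustration; a real agent would receive such events from a kernel driver or ETW rather than from a hard-coded list.

```python
"""Added example: a static hash signature against a repacked sample, beside
behavioural rules over process-creation events that judge what the sample does.
Not SentinelOne code; the indicators and sample data below are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# --- Static signature --------------------------------------------------------
# Constructed stand-in for a known malicious binary and its hash "signature".
KNOWN_BAD = b"MZ\x90\x00constructed-malicious-payload"
DENYLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(blob: bytes) -> bool:
    """True only if these exact bytes are on the denylist."""
    return hashlib.sha256(blob).hexdigest() in DENYLIST


def repack(blob: bytes, key: int = 0x5A) -> bytes:
    """Toy packer: XOR-encode the payload behind a stub. What runs after
    unpacking is unchanged, but the file hash is new, so the signature
    above no longer matches."""
    return b"STUB" + bytes(b ^ key for b in blob)


# --- Behavioural evaluation --------------------------------------------------
@dataclass
class ProcEvent:
    """One process-creation event as an endpoint agent would record it."""
    parent: str              # image name of the parent process
    image: str               # image name of the new process
    cmdline: str             # full command line
    injects_into: str = ""   # target image if a remote thread was created elsewhere


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}


def _has_switch(tokens: list[str], full: str) -> bool:
    """PowerShell accepts any unambiguous prefix of a parameter name (-enc, -ec,
    -e for -EncodedCommand), so match prefixes instead of one spelling."""
    return any(len(t) >= 2 and full.startswith(t) for t in tokens)


def score_event(ev: ProcEvent) -> list[str]:
    """Return the behavioural indicators one event trips. None of them looks at
    a file hash, so a repacked sample is judged by what it does, not what it is."""
    hits: list[str] = []
    tokens = ev.cmdline.lower().split()
    if ev.parent in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")
    if ev.image == "powershell.exe" and _has_switch(tokens, "-encodedcommand"):
        hits.append("powershell-encoded-command")
    if ev.image == "powershell.exe" and any(
        len(t) >= 2 and "-windowstyle".startswith(t) and tokens[i + 1:i + 2] == ["hidden"]
        for i, t in enumerate(tokens)
    ):
        hits.append("powershell-hidden-window")
    if "\\temp\\" in ev.cmdline.lower():
        hits.append("execution-from-temp")
    if ev.injects_into:
        hits.append("remote-thread-injection")
    return hits


def verdict(events: list[ProcEvent], threshold: int = 2) -> tuple[str, list[str]]:
    """Aggregate indicators over a process chain; needs no network access."""
    hits = [h for ev in events for h in score_event(ev)]
    return ("malicious" if len(hits) >= threshold else "benign"), hits


# Constructed chains. "SQBFAFgA" is the UTF-16LE base64 encoding of "IEX".
ATTACK_CHAIN = [
    ProcEvent("winword.exe", "powershell.exe", "powershell.exe -w hidden -enc SQBFAFgA"),
    ProcEvent("powershell.exe", "update.exe",
              r"C:\Users\u\AppData\Local\Temp\update.exe", injects_into="explorer.exe"),
]
BENIGN_CHAIN = [
    ProcEvent("explorer.exe", "winword.exe", "winword.exe report.docx"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
]

if __name__ == "__main__":
    print("signature hits original:", signature_match(KNOWN_BAD))
    print("signature hits repacked:", signature_match(repack(KNOWN_BAD)))
    print("attack chain:", verdict(ATTACK_CHAIN))
    print("benign chain:", verdict(BENIGN_CHAIN))
```

The point of the two halves is the thesis of the article: one XOR pass changes the hash and the signature check returns False, while the behavioural rules still fire because a Word process spawning a hidden, encoded PowerShell that runs a binary from %TEMP% and injects into Explorer looks the same whatever the bytes on disk. The rules are deliberately crude; a production engine scores indicators against baselines rather than a fixed threshold, and handles the false positives such substring checks would otherwise produce.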
Prevention is better than cure
Block known threats before they can execute on endpoints. The most effective approaches draw on the crowd-sourced cloud intelligence mentioned above for real-time information about potential threats, using it both to harden defences and to drive dynamic whitelisting and blacklisting that reduces the attack surface.
Attackers use a wide range of techniques to breach a system and execute malware; drive-by downloads are particularly common. Next-generation endpoint protection therefore needs anti-exploitation capabilities that protect against both application-level and memory-based exploits.
Remediation is key
During an attack, malware creates, modifies or deletes registry keys and configuration settings, and any such change can leave the system unstable or malfunctioning. Removing the threat and restoring the endpoint to its original state is no mean feat and often requires intensive manual administrative work. Next-generation solutions can restore the endpoint to its pre-infection state and provide visibility into what changed and what was successfully remediated.
Clean-up and threat removal should also happen automatically; this capability is missing from many endpoint and network monitoring products.
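Restoring an endpoint to its pre-infection state and reporting what was undone comes down to snapshot, diff and rollback over the settings an attacker touches. The added example below, which is not SentinelOne code, does that over a constructed in-memory stand-in for registry values and configuration files; the key names and the changes the "infection" makes are sample data chosen for the illustration.

```python
"""Added example: snapshot, diff and rollback of configuration state so that the
changes a sample made can be listed and reversed. Not SentinelOne code; the
state and the simulated infection are constructed sample data."""
from __future__ import annotations

from copy import deepcopy

# Constructed stand-in for registry values and config files on a clean endpoint.
CLEAN_STATE: dict[str, str] = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware": "0",
    r"C:\Windows\System32\drivers\etc\hosts": "127.0.0.1 localhost",
}


def snapshot(state: dict[str, str]) -> dict[str, str]:
    """Point-in-time copy taken before anything untrusted runs."""
    return deepcopy(state)


def simulate_infection(state: dict[str, str]) -> None:
    """Constructed sample behaviour: add a persistence entry, switch off a
    protection policy, poison name resolution and delete a legitimate autorun."""
    state[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"] = (
        r"C:\Users\u\AppData\Local\Temp\svchost32.exe")
    state[r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"] = "1"
    state[r"C:\Windows\System32\drivers\etc\hosts"] += "\n0.0.0.0 update.example"
    del state[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"]


def diff(before: dict[str, str], after: dict[str, str]) -> dict[str, dict]:
    """Classify every key as added, removed or modified relative to the snapshot."""
    return {
        "added": {k: after[k] for k in after.keys() - before.keys()},
        "removed": {k: before[k] for k in before.keys() - after.keys()},
        "modified": {k: (before[k], after[k])
                     for k in before.keys() & after.keys() if before[k] != after[k]},
    }


def rollback(current: dict[str, str], before: dict[str, str]) -> list[str]:
    """Undo every recorded change in place and return a report of what was
    remediated, which is the visibility the remediation section asks for."""
    changes = diff(before, current)
    report: list[str] = []
    for k in changes["added"]:
        del current[k]
        report.append(f"removed added key {k}")
    for k, v in changes["removed"].items():
        current[k] = v
        report.append(f"restored deleted key {k}")
    for k, (old, _new) in changes["modified"].items():
        current[k] = old
        report.append(f"reverted {k} to {old!r}")
    return report


def demo() -> tuple[dict[str, dict], list[str], bool]:
    """Run the whole cycle and return the diff, the rollback report and whether
    the live state matches the clean snapshot afterwards."""
    before = snapshot(CLEAN_STATE)
    live = snapshot(CLEAN_STATE)
    simulate_infection(live)
    observed = diff(before, live)
    report = rollback(live, before)
    return observed, report, live == before


if __name__ == "__main__":
    observed, report, clean = demo()
    for category, entries in observed.items():
        print(category, list(entries))
    print("\n".join(report), "\nrestored:", clean)
```

A real agent cannot afford to copy the entire registry and file system up front; it records each change as the monitored process makes it, which is the same diff built incrementally, and it must also handle the case where the malware deleted or encrypted data that no snapshot covers, which no rollback of settings recovers.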
The alternative to antivirus
When replacing antivirus, organisations should consider alternatives that integrate prediction, prevention, detection and remediation to protect against advanced threats that arrive through a wide variety of attack vectors.
The need for next-generation endpoint protection is greater than ever, especially now that cloud adoption has placed endpoint devices at the centre of the IT universe.
Sourced from Scott Gainey, CMO and SVP, SentinelOne