For the past couple of decades, antivirus (AV) programs have mainly relied on accumulating malware signatures to detect malicious software. In risk-analysis terms, however, this only takes care of “known knowns,” or threats that the AV can recognize with certainty and quickly neutralize. Signature-based AV doesn’t help much against “known unknowns,” such as software that appears to pose a threat to data security but hasn’t yet been proven malicious.
Furthermore, this means that such AV can’t ever do anything against “unknown unknowns.” These are threats that cybersecurity specialists are so completely unaware of that they can’t ever imagine what it is they should be watching out for.
Fortunately, the maxim “a tree is known by its fruit” can also be applied to cybersecurity. That is, studying how a cybersecurity event unfolds can help us determine what its causes may be. To illustrate, if a new computer virus strain begins propagating itself and starts encrypting data in system folders, a signature-based AV won’t be able to stop it. However, an AV that can recognize an attacker’s tactics, techniques, and procedures (TTPs) can. This is called a next-generation antivirus or NGAV.
What is next-generation antivirus software?
NGAV is anti-malware software that recognizes known bad programs by their signatures and unknown ones by their behaviors or TTPs. NGAV does the latter by using machine learning to power its predictive analytics capability. That is, it collects and analyzes massive amounts of endpoint data to create baselines for normal, innocuous IT events as well as threat models for abnormal, risky activities. These baselines and models enable NGAVs to determine whether a set of actions or events is likely to lead to an adverse IT incident such as a massive data breach.
NGAVs work similarly to how the human body responds to being poisoned
We can use the human body as an approximate illustration of how NGAVs work. When a person ingests something poisonous, the poison often negatively affects that person’s nervous system. They’ll feel nauseous, and their body will instinctively respond to poison ingestion by vomiting. Generally, even when there’s no actual poison involved, feelings of nausea trigger the urge to expel stomach contents as a just-in-case measure. NGAVs work in a similar fashion, though early on this gave rise to a high rate of false positives. To counter this, advanced NGAVs assign values called risk profiles to the anomalies they detect. Most anomalies are flagged for further evaluation by security personnel, whereas those that pose a higher risk are shut down immediately.
NGAVs can go beyond detection and shut down emerging threats before they wreak havoc on your IT systems. For instance, cybercriminals leverage legitimate tools like PowerShell and other Windows scripting languages to create fileless malware, such as the new Ursnif Trojan variant. This Trojan targets banking customers, stealing email credentials stored in their browsers and data from their mail clients.
Beyond having no signature for a traditional AV to detect, the Trojan hitches a ride on the very scripting tools that IT administrators use for their daily tasks. Thankfully, NGAV is able to assign risk profiles to the actions performed by scripting tools, distinguishing the Trojan’s behavior from that of IT admins. Once the NGAV’s risk threshold is breached, it uses technology like Carbon Black’s Streaming Prevention to trigger a prevention action that stops the Trojan in its tracks.
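To make the risk-profile idea concrete, here is an added toy illustration (not code from the article, from Carbon Black, or from any NGAV product): it learns a baseline of normal scripting-tool activity from constructed events, scores new events by how far they deviate from that baseline plus weights for the risky behaviors the article mentions, and then allows, flags for analyst review, or blocks once an assumed threshold is crossed. The thresholds, weights, and event fields are all assumptions chosen for the example.

```python
"""Toy behaviour-based risk scoring: baseline -> deviation score -> flag/block.
Added illustration only; all events, weights and thresholds are constructed."""
from statistics import mean, pstdev
from collections import defaultdict

FLAG_AT, BLOCK_AT = 4.0, 8.0          # assumed thresholds (not from the article)
RISKY_ACTIONS = {                     # assumed weights for behaviours the article describes
    "reads_browser_credential_store": 5.0,
    "writes_system_folder": 3.0,
    "encrypts_user_files": 6.0,
}

# Constructed "normal" admin PowerShell activity: files touched and KB sent per minute
BASELINE_EVENTS = [
    {"user": "admin", "process": "powershell.exe",
     "files_modified": n, "kb_sent": k, "actions": []}
    for n, k in [(3, 10), (5, 12), (4, 8), (6, 15), (2, 9), (5, 11)]
]

def build_baseline(events):
    """Per (user, process): mean and std-dev of each numeric behaviour."""
    groups = defaultdict(lambda: defaultdict(list))
    for e in events:
        for metric in ("files_modified", "kb_sent"):
            groups[(e["user"], e["process"])][metric].append(e[metric])
    return {key: {m: (mean(v), pstdev(v) or 1.0) for m, v in metrics.items()}
            for key, metrics in groups.items()}

def risk_score(event, baseline):
    """Excess z-score deviation from the learned baseline plus weighted risky actions."""
    score = 0.0
    profile = baseline.get((event["user"], event["process"]))
    if profile is None:
        score += 2.0                      # never seen this user/process pair before
    else:
        for metric, (mu, sd) in profile.items():
            z = (event[metric] - mu) / sd
            score += max(0.0, z)          # only excess activity raises risk
    score += sum(RISKY_ACTIONS.get(a, 0.0) for a in event["actions"])
    return round(score, 2)

def decide(event, baseline):
    """Return (verdict, score): 'allow', 'flag' for analyst review, or 'block'."""
    score = risk_score(event, baseline)
    verdict = "block" if score >= BLOCK_AT else "flag" if score >= FLAG_AT else "allow"
    return verdict, score
```

A routine admin session scores near zero and is allowed, while the same PowerShell process suddenly touching dozens of files, sending far more data than usual, and reading a browser credential store lands well past the block threshold.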
How does NGAV benefit businesses?
Traditional AV is reactive: a threat’s signature must be included in its list before it can do anything about that threat. Either a cybersecurity firm must first prove that a particular program or piece of code is indeed risky, or an organization must first suffer the damage that program causes.
NGAV, on the other hand, is proactive. Thanks to the intelligence it gathers, NGAV can infer malicious intent from what files and apps do and how network connections change. This means that you can respond to threats as they’re emerging, not when they’re already doing something nefarious like exfiltrating data or locking your staff out of their office computers.
The cloud makes NGAV accessible to businesses of all sizes
To detect suspicious activities, NGAV constantly monitors and analyzes your network, taking in and processing all of that data. Thankfully, a technology already exists to enable NGAV: the cloud. Due to the cloud’s incredible computational capacity and nigh-unlimited scalability, NGAV is a viable cybersecurity solution. Businesses are already familiar with the cloud, and deploying and operating NGAV is quick and cost-effective. Furthermore, NGAV complements other advanced cybersecurity tools like User and Entity Behavior Analytics.
NGAV is fast replacing traditional AV as the standard for cybersecurity. To see if NGAV and other tools fit your business, talk to our IT specialists at Athens Micro. Leave us a message or call us toll-free at 1-866-262-4461.