Ripping and Replacing AV – be careful what you wish for

For too long, antivirus vendors didn’t innovate fast enough, and more and more companies started to question the effectiveness of AV. Understandably, there are now several vendors out there touting “Next Generation Antivirus” as the answer.

Next generation antivirus claims to have much more advanced analysis, but there are a number of things they will never tell you in the marketing glossies:

• They’re not as different from incumbent vendors as they claim. In recent years, legacy AV vendors have responded to market challenges by introducing much more than just signature based controls. They’ve introduced better behavioral analysis and more advanced heuristics, so these next generation vendors’ new methods aren’t as much of a quantum leap as they’d have you think.
• Outside of antivirus they’re not as feature rich as incumbent vendors. Most NGAV solutions still lack EPP components like host firewalls, host IPS, disk encryption, application control and whitelisting. This means that even if you rip and replace your AV solution, you’re likely to still need your EPP solution in some shape or form.
• They still largely rely on “prior knowledge”. Although we all know the limitations of “signature based” controls, and how easily they can be circumvented, NGAVs still look for indications of known malicious activity. That might be specific tools or methods attackers use, or specific activities attackers are known to favor, and a determined attacker can still easily circumvent them. In fact little independent data exists to show that NGAVs are significantly more effective than incumbents.
• They’re still in the cat and mouse escalation game. Although NGAVs claim to use more advanced methods they’re still in the game of learning what attackers do, while attackers learn what NGAVs are looking for. If machine learning can learn to detect malware, machine learning can learn to avoid detection by machine learning. In a recent article, Omri Moyal, VP Research at Minerva shared that “”the most sophisticated attackers will develop their own offensive models. Some will copy ideas and code from various publicly-available research papers and some will even use simple trial and error, or replicate the offensive efforts of another group. In this cat-and-mouse chase, the defenders should change their model to mark the evolved attack tool as malicious. A process which is the modern version of ‘malware signature’ but more complex.”” This becomes just the next stage in the tired battle between defenders and attackers.

This means that although “ripping and replacing” your existing antivirus solution might seem like a great idea, you’ll need to go through a lengthy rollout, perform large amounts of regression testing, and re-engineer your IT processes. At the end you might only get incremental improvement on your antivirus effectiveness, and you may even lose functionality in the transition.  

Also, NGAVS have their operational challenges. One way for a NGAV to increase their effectiveness at blocking malware is to change their threshold and therefore also increase the rate of false positives. This has a natural impact on resources that need to investigate each of these alerts. Leaving the threshold at a low level to overcome alert fatigue will have a tradeoff on the risk level.

In light of this, NGAV replacement can be very risky and costly, and be a significant distraction from solving your organization’s highest priority security issues. This is especially true in larger organizations that have built well-oiled IT processes around AV management, including tweaking policies, managing blacklists, whitelists, integrations with other systems and so on. In fact, in mid to large enterprises implementation can take between 12-18 months and result in only marginal performance and effectivity improvement, gaps which could have been closed by the existing tool by the time implementation is complete.

A better idea might well be to improve upon what you have already, but adopt a completely new approach. For companies that want to keep their existing antivirus solution, this is what Minerva aims to do.

Minerva introduces a new endpoint defense strategy which allows you to block unknown malware designed to evade existing defenses, regardless of whether there is a known signature, behavior pattern or machine learning model and as such augment the effectiveness of your existing security defenses. Minerva achieves this by deception and trickery on the endpoint, controlling how the malware perceives its environment to render it ineffective. This includes:

• Creating a hostile environment. Minerva deceives the malicious program into believing the environment is not safe for execution due to a variety of security tools which appear to be on the endpoint, resulting in the malware suspending or terminating its execution.
• Preventing injection through deception. Minerva prevents malicious software from hiding in legitimate processes by deceiving the malware into believing the memory space is unavailable, preventing such malicious programs from gaining a foothold on the endpoint.
• Restricting document executable capabilities. Minerva blocks malicious actions initiated by document files, such as those that employ macros, PowerShell and other scripts. Minerva deceives document-based malicious tools to assure it that system resources like shell commands are not accessible.

This means that with Minerva, you boost endpoint security without the costs and risk of rip-and-replace endeavors and without requiring additional personnel to sift through false alerts that require investigation as threats are blocked preemptively. With Minerva the volume of events that incidents responders need to deal with is reduced, allowing them to focus on the incidents which are most likely to impact the business.