Good News! You Already Have Next-Gen AV

It has become customary for tech vendors to self-categorize their solutions as “next-gen” in the hope that customers used to buying the “last-gen” can be persuaded to upgrade. They try to muscle analyst firms like Gartner into recommending “next-gen” so they can cast market leaders into the bin of history. Who’d dare to stick with a firewall when Gartner says you need a “next-gen” firewall?

Applied to Anti-Virus, though, the “next-gen” moniker is meaningless.  AV is, and always will be, AV. Today’s endpoint protection platforms are regularly updated with new signatures and detection engines that together represent the state of the art in pre-breach detection. In other words, if you have an endpoint protection solution you already have NG-AV – it quietly showed up this morning in the latest “.dat” file.     

Unfortunately it’s not enough. In the 2015 DBIR, Verizon noted that over 70% of breaches used malware crafted to be un-detectable by the victim organization. Attackers evolve faster than EPP vendors can adapt.  

Detection is a flawed protection strategy. It will fail – with certainty. Turing’s 1936 proof of the Halting Problem was definitive. Though the NG-AV vendors claim to have new math, there really isn’t any. If there were, their products would work better than the incumbents. But they don’t, so instead they advance a narrative that against such sophisticated foes even new math has its limits.

NG-AV is “faux AV”, and we already know all of its limitations:

 - A false negative lets the attacker in. The endpoint is breached and you’re none the wiser.

 - A false positive may be worse – sending the security team scurrying to remediate non-attacked systems, wasting time and money and distracting them from signs of an actual attack. The Target breach is a good example.

In today’s cyberscape more than 300,000 new malware variants are discovered daily, much of it polymorphic and crypted to bypass the latest detection methods. Over 97% of malware is polymorphic and unique to a specific attacked endpoint, according to Webroot.

It is simply impossible to train or adapt a detector and distribute new signatures or detection engines fast enough. Detection poses an impossible mathematical challenge:

“[For malware of size n bytes] …The challenge … is to model a space on the order of 2^(8n) to catch attacks hidden by polymorphism. To cover 30 byte [malware] decoders requires 2^240 potential matches. For comparison there exist an estimated 2^80 atoms in the universe.”

Pretenders to the NG-AV throne lay claim to machine learning, AI or deep learning to give them an edge.  But the major players use these techniques already -- it’s unlikely that a newcomer has an algorithmic lead. Established players also have the advantage of a global footprint and huge R&D budgets.  There is simply no room for a “next-gen” in detection – the root of the problem is the false assertion that it is possible to do a decent job of detecting malware before it executes.

Post-breach detection is critical.  Your organization may already have a breach in progress because your endpoints are likely only protected with today’s “NG-AV”.  It is critically important to adopt tools to help you quickly identify signs of compromise.  Unlike the “detect to protect” approach, post-breach detection relies on continuous low-level monitoring on each endpoint to correlate events related to application execution, network activity and file system/storage activity to identify tell-tale signs of a breach or of an attacker moving laterally through your network.   

There are many approaches including centralizing monitoring data within the enterprise, sending it to the cloud (if regulations permit), or autonomous correlation of events on and between endpoints to automatically build a precise view of anomalous activity and permit you to search for indications of compromise.

Breaches are not inevitable. Adopting isolation will reduce your attack surface. Virtualization based security is a powerful architectural construct that enables you to reduce the attack surface by micro-segmenting your network and virtualizing workloads in the data center.  Even simple network segmentation would have defeated the Target attack. On user endpoints, micro-virtualization rigorously enforces the principle of least privilege using CPU-enforced isolation between tasks.  Virtualization hardware enforces isolation and transforms security. Virtualized servers and micro-virtualized endpoints can protect themselves, the applications they run and the enterprise network by reducing the attack surface and discarding the ephemeral by-products of execution every time an application is run – automatically remediating the system whether or not it has been attacked.   

Isolation revolutionizes detection before a breach:  Hardware isolation through virtualization revolutionizes attack detection because the execution environment is so robust that it is safe to permit malware to execute. Virtualization permits detailed recording of memory, file system and registry changes, together with network traffic. Such a system reports only proven attacks, without worries about false alerts, and it provides full forensic detail for the attack, permitting an automatic, real-time search on other endpoints for the same attack.

Next-gen Anti-Virus can’t help any more than traditional AV, but the principle of least privilege, enforced through virtualization based security, can stop the breach before it starts.  It can also tell you about unknown zero-day attacks and enable you to quickly search your network for other signs of an attack. 

Simon Crosby is Co–founder and CTO at Bromium. He was founder and CTO of XenSource prior to the acquisition of XenSource by Citrix, and then served as CTO of the Virtualization & Management Division at Citrix. Previously, Simon was a Principal Engineer at Intel where he led strategic research in distributed autonomic computing, platform security and trust. He was also the Founder of CPlane Inc., a network optimization software vendor. Prior to CPlane, Simon was a tenured faculty member at the University of Cambridge, UK, where he led research on network performance and control, and multimedia operating systems. In 2007, Simon was awarded a coveted spot as one of InfoWorld’s Top 25 CTOs.