Software companies have long tried to advertise their products as cutting-edge, and since about 2008 have been using the words "next generation" or "Next-Gen" to refer to their software as having a new technique in their category. For Anti-Virus, just what are those "Next-Gen" techniques and do you really need them?
In this blog post, I will explain what these features are, whether they are Next-Gen, and the implications for companies using prevention technology that include them.
First off, let's make sure we're talking about the same category: Anti-Virus - typically referred to as Endpoint Protection (EPP) by Gartner - is software you install on your laptop or server. We'll stay away from Mobile and Network Anti-Virus because they don't use the same techniques, and they would blur the lines between traditional and Next-Gen a little too much. Let's save that for (shameless plug) an MDR vendor to explain to you in a Prevention Posture Assessment. We'll begin with the traditional methods/features of AV and explore whether Next-Gen AV has them:
- Virus Scanning: Is this technique Next-Gen? Surprisingly, no.
Virus scanning is a method of signature detection (see below) which looks at each file on the file-system and matches it against a virus database. It can do this because signatures are small and cheap to compare: thousands of them can be checked against each file on your OS (files are also typically numbered in the thousands) in about an hour. If your AV does scanning, it is the way we've been doing it for over a decade. Most Next-Gen vendors do not use this method because they don't use signature detection.
- Signature Detection: Is this technique Next-Gen? No.
Signatures are a hash or representation of a file, which means they need a database (DAT file) that the vendor updates so your agent can recognize new files already identified as viruses somewhere else. Because the file and its hash can change frequently, this method, though fast, doesn't always catch things. Ask a vendor if they do signature detection, and if the answer is yes: How many signatures? How far back do they go? How often are they updated?
- Heuristic Detection: Is this technique Next-Gen? No.
For a while now, companies have realized that virus files change rapidly, and the AV community responded by writing rules about how a process would behave if it were a virus. Usually, these behaviors are a set of changes that a virus performs on your OS, or in how it runs. Examples include writing to the Temp folder or scheduling a task. Heuristic Detection is useful for detecting Potentially Unwanted Programs (PUPs); you know, those things that change your search engine settings, or that you downloaded to try and steal the latest copy of Microsoft Office (yes, that crack is a virus - no honor among thieves).
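To make the difference between the two traditional methods concrete, here is an added example (not code from the original post or from any AV vendor) that puts an exact-hash signature lookup beside a weighted heuristic rule set; the file bytes, rule names, weights and threshold are all constructed for illustration.

```python
import hashlib

# Constructed sample "files" (byte strings), not real malware.
KNOWN_BAD = b"MZ\x90\x00fake-malware-body-v1"
VARIANT = b"MZ\x90\x00fake-malware-body-v2"   # one byte differs from KNOWN_BAD
CLEAN = b"MZ\x90\x00hello-world-installer"

# Traditional signature detection: the DAT file is a set of hashes of known-bad files.
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_match(file_bytes: bytes) -> bool:
    """Exact-hash lookup: any change to the file defeats it until the DAT is updated."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURE_DB


# Heuristic detection: rules about how a process behaves, each with a weight.
HEURISTIC_RULES = {
    "write_temp": ("wrote an executable to the Temp folder", 2),
    "schedule_task": ("created a scheduled task", 2),
    "change_search_engine": ("changed browser search engine settings", 3),
    "spawn_shell": ("spawned a command shell", 1),
}
ALERT_THRESHOLD = 4  # constructed: tune per environment to balance false positives


def heuristic_score(events: list[str]) -> tuple[int, list[str]]:
    """Return (total score, matched rule descriptions) for a process's observed events."""
    score, hits = 0, []
    for ev in events:
        if ev in HEURISTIC_RULES:
            desc, weight = HEURISTIC_RULES[ev]
            score += weight
            hits.append(desc)
    return score, hits


def heuristic_match(events: list[str]) -> bool:
    """Flag the process when the summed rule weights reach the alert threshold."""
    return heuristic_score(events)[0] >= ALERT_THRESHOLD


# Constructed behaviour of a PUP versus a legitimate installer.
PUP_EVENTS = ["write_temp", "change_search_engine", "schedule_task"]
INSTALLER_EVENTS = ["write_temp", "spawn_shell"]
```

The one-byte variant slips past the signature check entirely, while the heuristic scorer still flags the PUP-like behaviour and leaves the installer alone; the installer case is also where heuristics generate false positives when the threshold is set too low.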
- Exploit Techniques (The rule of 21): Is this technique Next-Gen? Yes.
This method tries to block a process which is performing an exploit or using a typical method of bypassing normal process operation. It's believed there are only a handful (21 or so) of exploit techniques out there, making this an effective and very light-weight way of blocking malware. It's also agnostic to the file type, as it's not looking at the file but at the process instead. This method still has a drawback: false positives. Processes and applications may do things that resemble the behavior of a virus, which can trigger this mechanism. It's best to deploy it in environments where you can test and release this technique in waves. Understanding all your applications is key to knowing whether something should be whitelisted.
- Application Whitelisting: Is this feature Next-Gen? Yes.
Not as simple as it sounds, application whitelisting is a process for validating and controlling everything a process is permitted to do on the operating system (and being able to prevent it from running otherwise). This method requires deep control over the OS to function, as well as a pretty well-tuned list of application signatures (different than virus signatures) which look at signing keys from vendors, file size, access locations and sub-processes. In other words, this technique is preemptively blocking everything else on the OS from doing anything but the usual. It's a good technique, but it requires a comprehensive understanding and testing of each application in your environment.
- Micro-Virtualization: Is this feature Next-Gen? Yes.
This tends to only run on devices with Intel-VT technology so don't hold your breath if you're on Macintosh. However, at its core, this method blocks Direct Execution for a process (which is a technical way of saying it runs the process in its own operating system, so it doesn't get access to yours). Like the movie Inception, it's best not to think of the permutations: A VM within a VM running a PDF, can it print? This technique eats a lot of CPU and doesn't really detect viruses so much as disable their ability to affect your operating system. Technically you could be working with a virus and never know it, or need to care. Unfortunately, this technique fails to block the mighty executable which will run in your userspace as the VM can't abstract every operation - just PDFs, Email, and Browsing, etc... So, if you download the crack for Office, you're still going to get infected.
- Machine Learning: Is this feature Next-Gen? It depends.
While everyone in the marketing community (and a few math nerds) is very excited to tell you about Machine Learning, it's important to note how it's been applied to your AV to understand whether this method is Next-Gen. For example, remember signature detection above? Well, to get those signatures an AV company needs to build a lab where they can run the malware and analyze what it does. That process is called Sandboxing, and just like your toddler, if the file is in a Sandbox it can't run all over the place potentially causing damage. When the virus is determined to be malicious, the AV company writes a signature or hash for the file or files it's made of and distributes it through updates to your device. Machine Learning could be used by your AV company to identify and learn (without human supervision) hundreds of millions of variants and coalesce them into signatures for you. That would not be Next-Gen, since you're still using signatures (a traditional AV technique). However, using this method via an agent to determine whether your operating system's processes are misbehaving, against a list of all possible operating system events gathered across an ever-increasing number of agents, would be Next-Gen. This technique enables very accurate detection and block rates. The more data, and the longer it runs (if supervised by companies whitelisting), the more effective it is.
- Artificial Intelligence: Is this technique Next-Gen? Yes.
Using AI means your agent can adapt to changes in blocking or detection the way a person would. While this is glossed over by many AV companies, it's worth asking about, and worth understanding how this can be more effective than an analyst whitelisting something in a lab and passing you the signature update.
- EDR/Forensics: Is this feature Next-Gen? Yes.
This technique uses a large set of data collected from the endpoint, like logs, packets and process behavior, to find out what happened after an infection. Typically you'll want the same information collected in the cloud from other companies (called Threat Intelligence) to see if you can match indicators of compromise (IOCs) to known malware or campaigns. Ultimately this is the same work AV companies do earlier in the process when defining signatures. This puts the onus on you, the customer, to find out what happened. I've seen this implemented pretty poorly by large organizations who aren't in the business of finding viruses, and don't commit the resources to making this an effective method of blocking future attacks. Basically, unless you're a government entity with an unlimited budget or a large Fortune 100 company, it's best to outsource this to an MDR vendor (second shameless plug) like ActZero.
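As an added example of the EDR/Forensics step described above (not code from the original post or from ActZero), the block below takes constructed process-creation telemetry, matches it against a constructed threat-intelligence IOC list, and walks each hit's parent chain back to the root so an analyst can see how the infection got there; every hash, host name and process name here is a placeholder.

```python
# Constructed endpoint telemetry: one process-creation event per dict.
# "sha256" values and "dest" hosts are placeholders, not real indicators.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "sha256": "HASH-CLEAN-1", "dest": None},
    {"pid": 200, "ppid": 100, "image": "outlook.exe",    "sha256": "HASH-CLEAN-2", "dest": None},
    {"pid": 300, "ppid": 200, "image": "winword.exe",    "sha256": "HASH-CLEAN-3", "dest": None},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "sha256": "HASH-CLEAN-4", "dest": "c2.placeholder.invalid"},
    {"pid": 500, "ppid": 400, "image": "update.exe",     "sha256": "HASH-BAD-1",   "dest": None},
    {"pid": 600, "ppid": 100, "image": "notepad.exe",    "sha256": "HASH-CLEAN-5", "dest": None},
]

# Constructed threat-intelligence feed: IOCs shared from other environments.
IOC_HASHES = {"HASH-BAD-1"}
IOC_DOMAINS = {"c2.placeholder.invalid"}


def find_ioc_hits(events):
    """Return the events whose file hash or remote host matches a known IOC."""
    return [e for e in events
            if e["sha256"] in IOC_HASHES or (e["dest"] and e["dest"] in IOC_DOMAINS)]


def process_chain(events, pid):
    """Walk parent links from pid to the root and return the image names, root first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # guard against cyclic/missing parents
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def triage(events):
    """For each IOC hit, report which indicator matched and the full process ancestry."""
    report = []
    for hit in find_ioc_hits(events):
        indicator = hit["sha256"] if hit["sha256"] in IOC_HASHES else hit["dest"]
        report.append({"pid": hit["pid"], "indicator": indicator,
                       "chain": process_chain(events, hit["pid"])})
    return report
```

The resulting chain (mail client to document to script host to dropped binary) is the kind of answer "what happened" analysis is meant to produce, and it is the same evidence an MDR analyst would use to decide on response.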
Well, that rounds out the techniques and features of today's Next-Gen AV versus AV. Now what to do with this information? Go shopping? A pat on the back for your existing investment? Be angry that someone told you another meaning for one of the definitions? I hope you understand that these methods are nice and all, but it takes almost all of them to stop malware today. It also takes another critical step that is missed by all of these: Managed Detection and Response. Your AV is just one line of defense, and even if properly managed and tested for effectiveness, it will miss threats. You will need an organization that can provide incident response to make sure your breach doesn't put you in the newspapers, or your company at risk of identity theft, fraud or worse. Below is a link to request a demo of the ActZero MDR service, one way you can see for yourself how our service continuously analyzes your defenses and monitors for attacks.