8 Endpoint Security Considerations For Your Next-Gen AV – Part 1
The commercialization of malware through underground forums means zero-day threats are now accessible to anyone with enough bitcoins.
Malware evasion toolkits make it easy to spin out thousands of malware variations in seconds by tweaking just enough code to make each one look different and get past known signatures.
To make matters worse, fileless malware is growing at a startling rate. Fileless malware does not require the user to download anything at all. In fact, it takes advantage of common applications you’ve probably allowed in your network, like Adobe, Firefox, MS Office and countless others.
According to Verizon’s 2017 DBIR, 51% of breaches used malware. In 2018, that number dropped to only 30%. That means 70% of breaches did not involve the user downloading a file.
According to a recent Ponemon Institute report, “fileless attacks are ten times more effective than file-based attacks”.
Now that we know what we’re up against, the question is “how do we protect against it?”
Eight Things To Look For In Endpoint Protection
Most of the tools in this list can be categorized as either a preventive tool, a detective tool or both. In the security world, we’re not going to have 100% prevention or blocking of malicious threats, and I’d immediately raise a red flag on any vendor that tells you otherwise.
That’s why it’s critical that we detect and respond to the threats that do get through as quickly as possible.
8. Vulnerability Scanning and Patch Management
According to Gartner, 99% of the vulnerabilities exploited by the end of 2020 will be known by the industry at the time of the incident.
Patch management continues to be one of the most effective ways to lower our risk, and yet it remains one of the most elusive. It’s an area even seasoned security teams struggle to maintain.
If you don’t have a vulnerability scanning and patch management policy in place, then having this built into your next AV solution is a feature you can’t afford to live without. Fileless malware works by exploiting an application’s vulnerability, so patching your applications and OS is the first and best line of defense against this attack.
A good endpoint solution should list vulnerabilities by CVE reference, which should tell you the name, description, impact and action for a given vulnerability. Once vulnerabilities are identified, your next actions should be to prioritize and patch them as soon as possible.
If you already have a patch management policy in place, chances are you already have a solution that does this for you, so this may not apply to you. For the rest of you, mark this feature down as a must-have in your next solution.
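As an added example (not from the original article or any vendor's product), here is one way to turn a scanner's per-host CVE findings into a prioritized patch queue. The field names, the weights and the substring match on application names are assumptions, and the hosts, CVE IDs and scores are constructed placeholders.

```python
from dataclasses import dataclass

# Applications the article names as common fileless-malware entry points.
# Matching on product-name substrings is an assumption of this example.
CONTENT_FACING = ("adobe", "firefox", "office")

@dataclass
class Finding:
    host: str
    product: str
    cve: str        # placeholder IDs below are constructed, not real CVEs
    impact: float   # 0-10 severity as reported by the scanner (assumed field)
    action: str     # remediation text from the scanner
    days_open: int

def priority(f: Finding) -> float:
    """Scanner impact plus assumed weights for exposure and age."""
    score = f.impact
    if any(name in f.product.lower() for name in CONTENT_FACING):
        score += 2.0                        # opens untrusted documents or web content
    score += min(f.days_open, 90) / 90      # up to +1 for findings left unpatched
    return round(score, 2)

def patch_queue(findings):
    """Group findings by (product, action) so one patch job covers every
    affected host, then rank jobs by their worst finding."""
    jobs = {}
    for f in findings:
        job = jobs.setdefault((f.product, f.action),
                              {"hosts": set(), "cves": set(), "score": 0.0})
        job["hosts"].add(f.host)
        job["cves"].add(f.cve)
        job["score"] = max(job["score"], priority(f))
    rows = [{"product": p, "action": a, "hosts": sorted(j["hosts"]),
             "cves": sorted(j["cves"]), "score": j["score"]}
            for (p, a), j in jobs.items()]
    return sorted(rows, key=lambda r: (-r["score"], -len(r["hosts"]), r["product"]))

# Constructed sample export: hosts, CVE IDs and scores are made up.
SAMPLE = [
    Finding("ws-01", "Adobe Reader", "CVE-XXXX-0001", 7.8, "Update Adobe Reader", 45),
    Finding("ws-02", "Adobe Reader", "CVE-XXXX-0001", 7.8, "Update Adobe Reader", 10),
    Finding("srv-01", "Backup Agent", "CVE-XXXX-0002", 8.8, "Update Backup Agent", 5),
    Finding("ws-01", "Microsoft Office", "CVE-XXXX-0003", 6.5, "Apply Office update", 90),
]

if __name__ == "__main__":
    for row in patch_queue(SAMPLE):
        print(row["score"], row["product"], row["hosts"], row["cves"], row["action"])
```

On the sample data, the document-handling applications move ahead of the finding with the highest raw impact score, which is the ordering the fileless-malware argument above calls for.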
7. Advanced Threat Protection / Advanced Malware Protection (AEP)
Advanced Threat or Malware Protection refers to protection from the dynamic threats we spoke about earlier, such as zero days, fileless malware and other malware with evasion techniques.
And because we know signatures are pretty useless against these types of threats, we want to ask “what is the endpoint using beyond a signature database?”. The answer to that question will vary from vendor to vendor.
Some vendors employ sophisticated techniques, such as ML, AI, sandboxing or predictive algorithms, to catch these advanced threats.
Machine learning can be quite effective at detecting millions of variants in seconds. But how the endpoint uses ML is the important thing to ask. Some vendors will say they use ML, but they’re really just using ML to identify variants and pushing them out as signatures. Others will use agents on the endpoint that feed data to a cloud service, which does the heavy lifting. The problem is that if you’re offline or not reachable, you don’t have the same protection benefits.
AI can vary from vendor to vendor, with each one having its own models and samples. Fundamentally, AI is looking at how the file affects the different models the vendor has programmed into its AI. Depending on the behavior against a given model, a score is given to determine if a file is good or bad.
While AI is still relatively new, its short sample size has proven to be quite effective at stopping threats from being executed. The more techniques the product uses the better, but because there is no silver bullet, the next item on our list is one of the most important items to consider.
6. Testing Reports
The truth is, the jury is still out on which technique proves to be most effective at catching advanced threats. While each vendor will claim to have the best solution, it’s up to us to see how they compare against industry standards. There are a lot of new vendors out there doing some really innovative stuff to detect these advanced threats. But how do you know which one is most effective? How can you begin to compare one vendor’s machine learning with another vendor’s AI?
The answer is to look at some of the top industry testing reports and see how the vendors stack up against real-world threats. There are a few test reports that you really want to know about:
- AV Comparatives
- Host a wide range of tests
- Products that pass earn a “STANDARD” rating, while better products earn a rating of ADVANCED or ADVANCED+
- Scores are based off percentage, with 100% being the highest score.
- Runs monthly tests, so make sure you go back at least 12 months to see how a vendor performed over an extended period of time.
- Rates AVs on three categories: protection, performance and usability
- With six possible points in each category, the maximum possible score an AV can receive is 18
- NSS Advanced Endpoint
- NSS is newer to the endpoint testing game but is well known in the network security space
- While each test will have its own methodology, they can generally be boiled down to four main categories:
- How did the vendor do against known threats? This is something where every reputable endpoint should be getting a detection rate of 99% and above
- Unknown threats – This judges how well the endpoint adapted to or detected threats for which it did not have a signature.
- Total Cost of Ownership (TCO)