Why signature-based AV is no longer effective
Antivirus technologies have not evolved much over the last fifteen years. Their detection model still relies on a purely signature-based approach which has long since become obsolete, with even Gartner dropping its AV Magic Quadrant back in 2006.
On the one hand, the inadequacy of traditional AV solutions lies in the sheer number of new malware strains that cyber criminals put into circulation every day: AV-TEST registers over 75,000 new malicious programs per day. Traditional, signature-based AV technology is therefore completely helpless against the majority of these attacks.
On the other hand, cybercriminals are increasingly using special concealing techniques such as packers or polymorphic malware specifically to circumvent signature-based protection solutions. Memory-based malware, which is only active in memory and leaves no residue behind on the hard disk, has proven very popular with cybercriminals for some time.
Multi-vendor approach vs all-in-one solution
Although many companies are aware of the shortcomings of traditional AV products, they are still widely used. IT teams often try to compensate for the obvious weak points of their AV solutions with additional supplementary security products. In many cases, different tools are available for attack detection, vulnerability analysis, attack prevention, backup processes and forensics.
However, more does not always mean better, and the sheer cost of this approach shows why. Running several agents on each endpoint consumes CPU resources, increases administration effort and lowers employee productivity.
All of this raises the total cost of ownership, with additional expense when endpoints that are too slow to run all of these programs have to be replaced. At the same time, the complexity of the multi-vendor approach also affects security, since misconfigurations and defensive gaps cannot be ruled out.
If companies want to protect their corporate IT whilst minimising costs, they need an all-in-one endpoint protection solution that combines prevention, attack detection, defence, remediation, and forensics within a single platform while maintaining a single, easy-to-use console.
What CIOs should be aware of
The market for endpoint protection solutions and especially all-in-one solutions has developed rapidly over recent years. CIOs who want to switch to next-generation endpoint protection are now faced with a plethora of different products from different vendors and must choose the most suitable solution for them. In doing so, it is advisable to go through an evaluation procedure with all potential solutions and to also request a test version, which enables them to get an impression of the performance of the software in their own environment.
In addition, CIOs should focus on CPU utilisation. To ensure that endpoints can work without hindrance, the security solution should ideally only require, on average, one to two percent of the CPU.
However, the most important aspect to consider when assessing products is the effectiveness of the solution in the fight against sophisticated cyber threats. This involves examining the technical methods by which the product detects and repels attacks from the individual attack vectors – including malware, ransomware, exploits and live/insider threats – and whether this also happens when the endpoint is offline.
Endpoint solutions based on dynamic behavioural analysis are particularly effective when combined with automation that identifies malware infections by their execution behaviour and blocks them without human intervention.
Machine learning also ensures that the behavioural analysis techniques are continuously refined and optimised from the steady flow of threat information. As a result, the number of false positives is reduced to an absolute minimum.
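As an added example (not part of the original article or of any vendor's product), the following Python script contrasts the two detection models discussed above: a hash signature built from one sample misses a repacked variant of the same payload, while a behavioural rule applied to endpoint telemetry catches both and leaves a benign backup tool alone. All sample bytes, file paths and telemetry events are constructed for the example.

```python
import hashlib

# Constructed samples: the "repacked" variant is the same payload re-packed so its
# bytes (and hash) differ, while its runtime behaviour is identical to the original.
DOCS = [f"C:\\Users\\alice\\Documents\\file{i}.docx" for i in range(4)]

def rewrite_events(exe):
    """Constructed telemetry of a process that encrypts documents: for each document
    it writes a .locked copy and then deletes the original."""
    events = [("process_start", exe)]
    for doc in DOCS:
        events += [("file_write", doc + ".locked"), ("file_delete", doc)]
    return events

SAMPLES = {
    "original": {"bytes": b"MZ\x90\x00payload-build-1", "events": rewrite_events("a.exe")},
    "repacked": {"bytes": b"MZ\x90\x00payload-build-2", "events": rewrite_events("b.exe")},
    # Benign backup tool: writes a copy of every document but never deletes an original.
    "backup": {"bytes": b"MZ\x90\x00backup-tool",
               "events": [("process_start", "bk.exe")] + [("file_write", d + ".bak") for d in DOCS]},
}

# Signature database built from the single sample the vendor has already seen (constructed).
KNOWN_BAD = {hashlib.sha256(SAMPLES["original"]["bytes"]).hexdigest()}

def signature_detect(sample):
    """Classic signature check: exact SHA-256 match against the known-bad list."""
    return hashlib.sha256(sample["bytes"]).hexdigest() in KNOWN_BAD

def behaviour_detect(sample, threshold=3):
    """Behavioural rule: flag a process that, for at least `threshold` documents,
    writes a new file derived from the document and then deletes the original."""
    written = set()
    rewritten = 0
    for action, path in sample["events"]:
        if action == "file_write":
            written.add(path)
        elif action == "file_delete" and any(w.startswith(path) for w in written):
            rewritten += 1
    return rewritten >= threshold

def evaluate():
    """Return {sample_name: (signature_hit, behaviour_hit)} for every constructed sample."""
    return {name: (signature_detect(s), behaviour_detect(s)) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for name, (sig, beh) in evaluate().items():
        print(f"{name:9s} signature={sig!s:5s} behaviour={beh}")
```

The repacked variant evades the hash signature but is still flagged by the behavioural rule, which is the gap the article attributes to packers and polymorphic malware.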
Integrated next-generation endpoint protection provides organisations with effective alternatives to legacy, signature-based AV solutions as well as costly and time-consuming multi-vendor solutions.
When purchasing, it is worth taking a close look at the defence technologies used as well as CPU utilisation, platform independence, scalability and update processes of the endpoint solution. Ideally, organisations will not only benefit from the highest level of security, but also from cost savings and a reduction in administrative effort.
Sourced by Alexander Kehl, regional sales manager DACH, SentinelOne