In the expansive realm of cybersecurity, you have schools of thought that will tell you that their domain is THE MOST IMPORTANT area in the vast sea of domains. The network practitioner or the application security guru will tell you that it is their area that requires the most resources and attention. To a hammer, everything looks like a nail. You will hear me say it over and over again: the absolute highest risk area in technology, no matter the context, is where technology meets the human. We all know that humans are inconsistent and easily manipulated. There is a reason that spear phishing attacks have increased 667% since the end of February 2020. The bad guys target the most vulnerable aspects of the technology ecosystem. The human meets the keyboard at the endpoint. This is where the action happens. Protection at this critical intersection has developed rapidly over the years and can be confusing. To provide clarity, let’s take a look at how endpoint protection has evolved.
“Back in the day,” endpoint protection came in the form of antivirus (AV) software (Gen 1). It was installed on each endpoint and updated regularly with “signatures” that represented known viruses and malware. It didn’t take too long for the bad guys to adapt. They found that these signature definitions were easy to avoid by making small changes to the code that made up their malicious payloads. Also during this time, traditional antivirus relied on a server inside your four walls as a central repository that pushed updates to the endpoints and reported on compliance. This model would become obsolete as mobile and cloud computing emerged.
As attack methods and technology evolved, defenders were offered a new option for protecting their endpoints: Next-Generation Antivirus, or NGAV (Gen 2). This was the first time that machine learning (ML) and artificial intelligence (AI) made an appearance in endpoint protection. The premise is that you speed up recognition of viruses and malware by training ML and AI algorithms on all available versions and permutations of them. In other words, you cut the cycle time between discovery, research, and inoculation. The Achilles heel of NGAV has been that the bad guys are also very sharp. They now employ ML and AI to morph their malicious code faster than NGAV can keep up.
As the antivirus category of tools matured, it gained functionality. In the third generation (Gen 3), the features of the previous two generations were layered with detection and response capabilities. These allowed security teams to be alerted immediately when a device had a potential infection and provided built-in tools to respond to the threat manually and/or automatically. This class of security tools became known as Endpoint Detection and Response, or EDR. These Gen 3 tools greatly reduced the risk of a malware infection by giving security responders a set of tools for quick response and remediation. One issue still remained: the bad guys were still able to morph their malicious software faster than Gen 3 AV/EDR could identify and respond to it. Ultimately, Gen 3 AV/EDR was still looking for the bad-software needle in the haystack of a device’s operating system.
A new set of AV/EDR products has come to the forefront within the last year. We call them Gen 4, even though they haven’t been officially anointed as such (we are looking at you, Gartner). Gen 4 takes a radically different approach to detecting and eradicating malicious software. Instead of attempting to identify and recognize known malicious programs, Gen 4 AV/EDR uses the operating system as its known point of reference. Since operating system processes are mapped and known, all other processes, files, and programs are treated as suspicious by the Gen 4 AV/EDR. This evolution in AV/EDR has led to a more effective and responsive means of protecting data where it is most vulnerable. From a performance perspective, Gen 4 AV/EDR is light years ahead of its previous generational siblings. With low computing-resource overhead and a minuscule footprint, the performance cost of cutting-edge protection has never been so small.
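To make the contrast between the Gen 1 and Gen 4 approaches concrete, here is an added example (not code from the original post or from any AV/EDR vendor). It models Gen 1 as a database of hashes of known-bad samples and Gen 4 as a baseline of (path, hash) pairs for the processes the operating system itself is expected to run, with everything outside that baseline treated as suspicious. All byte strings, file paths and the process snapshot are constructed stand-ins, not real binaries, and real products do far more than a hash lookup; the point is only to show why a one-byte change defeats the signature model but not the baseline model, and what the baseline model costs in return.

```python
import hashlib
from typing import Iterable, List, Tuple

def fingerprint(image: bytes) -> str:
    """SHA-256 of a program image; stands in for an AV signature / file hash."""
    return hashlib.sha256(image).hexdigest()

# --- Constructed sample data (fake bytes, not real executables) ----------
KNOWN_BAD = b"MZ\x90\x00 evil-dropper v1"          # sample the vendor has already seen
KNOWN_BAD_VARIANT = KNOWN_BAD + b"\x00"             # attacker changes a single byte
SVCHOST = b"MZ\x90\x00 svchost"                     # genuine OS binary
SVCHOST_TROJAN = b"MZ\x90\x00 svchost + patched"    # modified copy sitting at the OS path
LINE_OF_BUSINESS_APP = b"MZ\x90\x00 payroll.exe"    # legitimate, but not part of the OS

# Gen 1 model: a set of hashes of known malware, shipped as "signatures".
SIGNATURE_DB = {fingerprint(KNOWN_BAD)}

def gen1_verdict(image: bytes) -> str:
    """Signature AV: malicious only if the exact hash is in the database."""
    return "malicious" if fingerprint(image) in SIGNATURE_DB else "clean"

# Gen 4 model: the OS is the reference. The baseline is every (path, hash) the
# OS image is expected to run; keying on the hash as well as the path is what
# catches a tampered file that keeps its legitimate location.
OS_BASELINE = {
    (r"C:\Windows\System32\svchost.exe", fingerprint(SVCHOST)),
}

def gen4_verdict(path: str, image: bytes,
                 org_allowlist: Iterable[Tuple[str, str]] = ()) -> str:
    """Baseline model: trusted if in the OS baseline (or the organisation's own
    allowlist of approved software); anything else is suspicious by default."""
    key = (path, fingerprint(image))
    if key in OS_BASELINE or key in set(org_allowlist):
        return "trusted"
    return "suspicious"

# Constructed snapshot of running processes: (path, image bytes).
PROCESS_SNAPSHOT = [
    (r"C:\Windows\System32\svchost.exe", SVCHOST),
    (r"C:\Windows\System32\svchost.exe", SVCHOST_TROJAN),
    (r"C:\Users\alice\AppData\Local\Temp\update.exe", KNOWN_BAD),
    (r"C:\Users\alice\AppData\Local\Temp\update2.exe", KNOWN_BAD_VARIANT),
    (r"C:\Program Files\Payroll\payroll.exe", LINE_OF_BUSINESS_APP),
]

def triage(snapshot: List[Tuple[str, bytes]],
           org_allowlist: Iterable[Tuple[str, str]] = ()) -> List[Tuple[str, str, str]]:
    """Run both models over a process snapshot; returns (path, gen1, gen4) per process."""
    allow = list(org_allowlist)
    return [(path, gen1_verdict(img), gen4_verdict(path, img, allow))
            for path, img in snapshot]

if __name__ == "__main__":
    for path, g1, g4 in triage(PROCESS_SNAPSHOT):
        print(f"{path:55s} gen1={g1:9s} gen4={g4}")
```

Running the snapshot through both models shows the trade-off the post describes: the one-byte variant and the trojanized svchost are both "clean" to the signature model but "suspicious" to the baseline model. The flip side is the last entry: the legitimate payroll application is also "suspicious" until the organisation adds it to its own allowlist, which is the operational work a baseline-driven product shifts onto the defender.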
Why does it matter to you? With the rapid changes in the AV/EDR space, it is easy to get lulled into a comfort zone with your current AV/EDR solution. The companies that make Gen 4 AV/EDR are being quite aggressive when it comes to distribution and gaining market share. They want to get as much spread as possible in the near term. MSSPs are also adopting Gen 4 at a rapid pace, making it available to potential customers as a service at highly competitive costs. With these technological developments and the aggressive pricing that follows them, it is incumbent upon you to take a look at this new technology and significantly reduce your overall risk.