Roland, Schorr, and Tower takes client security with the utmost seriousness. As such, we have recently decided to engage the A/V services of SentinelOne, a pioneer in bringing AI to the A/V world.

Why?

In 2014, a Symantec executive interviewed by the New York Times said that antivirus is 51% effective. To cybersecurity professionals, this wasn’t a big surprise: those in charge of keeping our networks safe were already acting under the assumption that antivirus would not help them out on a rainy day. For everyone else, it was an astonishing statement coming from an antivirus company that held over 25% of the market. It raises two questions: if legacy AV is so ineffective, why stick with it, and what’s the alternative?

What’s the difference between them?

Traditional antivirus software is designed to block file-based malware. It works by scanning files on the hard drive and quarantining any malicious executables it finds. This approach was fine in the early days of security software, but attacks have evolved to bypass this kind of protection in a number of ways. Here are a few:

  1. Polymorphic Malware – the same bad agent changes ever so slightly and frequently, so the unique file hash used to recognize it is invalidated.
  2. Advanced Threats – malware that thwarts rule-based A/V scans by changing strings and code, so the signature search fails again.
  3. Malicious Documents – here we’re dealing with macros and the like: content that targets the application opening the document and exploits its vulnerabilities. These can be hidden the same way as the first two, with hash changes and code obfuscation to fool A/V rules.
  4. Fileless Malware – these attacks rely on trusted portions of the operating system to do their dirty work. A component like PowerShell is hijacked to download and execute malicious code; nothing is written to disk, so there are no files to examine.
  5. Encrypted Traffic – the very methods used to keep communications secure are being used between malware and its command-and-control servers, making that traffic much harder to see and detect.

A Better Alternative

Unlike traditional AV, next-generation AV (NGAV) identifies malicious activity using a system-centered, technical approach that examines every process on an endpoint. This allows next-gen AV to proactively detect and block the tools and tactics hackers use to gain entry. While traditional AV is focused on detecting malware files at the endpoint alone, NGAV addresses a larger range of modern threat scenarios, including fileless and ransomware attacks. By looking at the whole context rather than just isolated incidents, next-gen AV offers a more effective means of recognizing and deterring unknown malware and sophisticated attacks. The key is to prevent anything that can be prevented pre-execution and to deal with the unpreventable by looking at the behavior of the processes currently executing. This is effective because, despite the large and increasing number of malware variants, they operate in very similar ways. The number of distinct malware behaviors is considerably smaller than the number of ways a malicious file might look, which makes this approach well suited to both prevention and detection.
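To make the contrast between the two approaches concrete, here is a small added example (not code from this post, from SentinelOne, or from any real product). Part one shows why a hash signature, the legacy approach from the list above, stops matching after a one-byte change to the file. Part two shows the behavior-based idea from the paragraph above: simple rules run over process-creation telemetry still flag the activity regardless of what the file looks like. The sample bytes, the process events, the rule names and the flag lists are all constructed for illustration and are deliberately simplified compared with a real engine.

```python
import hashlib

# --- Part 1: file-hash matching, the legacy AV approach ---------------------
# Constructed sample bytes standing in for a known-bad file and a trivially
# altered copy of it (one extra byte), the kind of change polymorphic
# malware makes to invalidate a stored hash. None of this is real malware.
KNOWN_SAMPLE = b"constructed-sample: not real malware, just bytes"
ALTERED_SAMPLE = KNOWN_SAMPLE + b"\x00"

# The "signature database": SHA-256 digests of files seen before.
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def hash_verdict(blob: bytes) -> bool:
    """Return True if the file's SHA-256 is already in the signature database."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURE_DB


# --- Part 2: behaviour matching over process telemetry ----------------------
# Constructed process-creation events shaped like endpoint telemetry:
# (parent process, child process, child command line). Not a real capture.
EVENTS = [
    ("explorer.exe", "winword.exe", "winword.exe /n report.docx"),
    ("winword.exe", "powershell.exe",
     "powershell.exe -nop -w hidden -enc <constructed-base64>"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("explorer.exe", "powershell.exe", "powershell.exe Get-ChildItem C:\\Users"),
]

# Rule vocabulary (assumed, simplified): document applications that should not
# normally launch script hosts, and command-line flags that hide a console or
# carry an encoded command.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand")


def behaviour_findings(events):
    """Return (event index, reason) pairs for events matching a behaviour rule.

    The rules never look at file contents, so a changed hash does not affect
    them; they describe what the process does, not what the file looks like.
    """
    findings = []
    for i, (parent, child, cmdline) in enumerate(events):
        lowered = cmdline.lower()
        if parent in DOCUMENT_APPS and child in SCRIPT_HOSTS:
            findings.append((i, f"document application {parent} spawned {child}"))
        if child in SCRIPT_HOSTS and any(flag in lowered for flag in HIDDEN_FLAGS):
            findings.append((i, f"{child} launched with hidden/encoded flags"))
    return findings


if __name__ == "__main__":
    print("known sample matched by hash:  ", hash_verdict(KNOWN_SAMPLE))
    print("altered sample matched by hash:", hash_verdict(ALTERED_SAMPLE))
    for index, reason in behaviour_findings(EVENTS):
        print(f"event {index}: {reason}")
```

Run as a script, the first two lines show the hash signature matching the known sample and missing the altered one, while the behavior rules flag the second event twice (a document application spawning PowerShell, and PowerShell started with hidden and encoded flags) and leave the ordinary PowerShell session and the service host alone. This is the point of the paragraph above: the set of behaviors worth alerting on is small and stable, whereas the set of file hashes is unbounded.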

Next Steps

If you’d like to see more, here’s a link to the good folks at SentinelOne. For a little more background on the subject, the folks at AV Network have some in-depth information to share in this article. Finally, Roland, Schorr, and Tower is available not only to answer all your questions, but also to provide this service to you. Give us a call; our sleeves are rolled up and we’re ready to go!