Don’t leave for vacation if you’re not sure…
Endpoints – laptops, smartphones, tablets, desktops, networked printers, and more – provide the everyday intersection between people and data: your data. Whether employees are scanning paper contracts, reading and responding to emails, or sending and receiving text messages (often with attachments), your company and its data are potentially at risk.
Since 2020, cyberattacks against US businesses have increased year over year, using viruses, malware, ransomware, and email phishing scams. Hackers and cybercriminals frequently target small and medium-sized businesses (SMBs) on the assumption that SMBs may not have adequate security installed and may not invest in employee security training, even regarding emails and attachments.
There is no magic cure that ensures your business is safe from cybercrime, since even ordinary employee behavior (opening an email containing a virus) can accidentally unleash a cyberattack. So where do you begin? Antivirus solutions are a basic starting point, but did you know that three “levels” of antivirus software exist? These antivirus solutions include:
- Traditional antivirus software
- Next-generation antivirus (NGAV)
- Endpoint detection and response (EDR) solutions
In choosing an antivirus software for your business, it’s important to understand the difference between these solutions to determine which is the right choice for you.
Endpoint protection should reflect the size, economic maturity, and risk maturity of your organization, as well as the number and type of endpoints that require protection. Let’s briefly look at each option to help you understand when a security upgrade makes sense for your business.
How Does Traditional Antivirus Software Work?
To understand the differences between antivirus solutions, first you need to know how antivirus software works. Think about your own immune system: when a virus enters your body and begins to spread, your white blood cells attack it – hopefully successfully. Afterwards, your body “remembers” what that virus looks like, and when it encounters it again, destroys the virus before it makes you sick.
Traditional antivirus software works in a similar way: it records a signature for each piece of malware it encounters trying to enter your business, and uses that signature to identify the same malware in the future. Signatures are built by running a malware file through a hash algorithm to generate a unique number, or “hash value”, associated with the file.
As the software encounters more malware, it continues to build its list of these now-known threats. The vendor can compute the signature from either the whole malware file or part of it. The list is then pushed to the endpoint (e.g., your computer, smartphone, or laptop), and the files on the endpoint are compared against the list of malware hash values.
Limitations of Traditional Antivirus Software
Although traditional antivirus solutions work well against known attacks, they do have limitations. They will miss malware when:
- The malware has not yet been “discovered” and added to the list (so-called zero-day attacks)
- Hackers continually make small changes to the code, so the files no longer match known signatures
- The malware does not use files at all (fileless malware), so there is nothing on disk to compare against signatures
- Scanning binary files for malicious code misses malware contained within compressed files (.zip, .rar, etc.) unless the scanner looks inside the archive
A Race Against Time: Four Additional Limitations of Antivirus Solutions
Time is a precious commodity, and businesses can fall prey to the following weaknesses in traditional antivirus solutions:
- Scanning files can be time-consuming and slow computer performance. The more files that require scanning, the longer the process takes.
- Some antivirus programs exclude large files from scans to improve speed and performance. Knowing this, malware creators bloat file sizes with ‘garbage code’ to avoid detection.
- Because scanning can be resource intensive, updates and scans tend to be scheduled for after-work hours, and are sometimes canceled, introducing a delay between infection and detection. (Who hasn’t been guilty of putting off a system scan on occasion?)
- Updating the signature list introduces a delay between the time malware becomes known and the time the AV can detect it on an endpoint.
So even though AV solutions are inexpensive and easy to run, they may no longer be the best security option for a business.
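The hash-based matching described above, and the gaps in the two limitation lists, can be seen in a small scanner. The following Python program is an added example written for this article, not code from any antivirus vendor. The "known-bad" bytes, the 64 KB size limit, and the 16-byte partial signature are constructed assumptions chosen to make each limitation visible: a one-byte change defeats the full-file hash, a change inside the partial-hash region defeats both, padding past the size limit skips the file entirely, and a zipped copy is only caught when the scanner opens the archive.

```python
import hashlib
import io
import zipfile

# Parameters of this toy scanner (assumed values, not from any real product).
MAX_SCAN_BYTES = 64 * 1024   # files larger than this are skipped, mimicking a large-file exclusion
PARTIAL_HASH_BYTES = 16      # a "partial" signature covers only the first N bytes of a file

# Constructed stand-in for a known-bad file: an arbitrary byte string, not real malware.
KNOWN_BAD = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE-0001" + b"\x00" * 100


def sha256(data):
    """Hash value that stands in for the file's signature."""
    return hashlib.sha256(data).hexdigest()


def build_signature_db(samples):
    """Build full-file and partial-file hash sets from a list of known-bad samples."""
    return {
        "full": {sha256(s) for s in samples},
        "partial": {sha256(s[:PARTIAL_HASH_BYTES]) for s in samples},
    }


SIG_DB = build_signature_db([KNOWN_BAD])


def scan_bytes(name, data, db, scan_archives=True, max_bytes=MAX_SCAN_BYTES):
    """Return a list of (object name, verdict) for the object and, optionally, its zip members."""
    if len(data) > max_bytes:
        return [(name, "skipped: exceeds size limit")]
    if sha256(data) in db["full"]:
        verdict = "malicious: full-file signature"
    elif sha256(data[:PARTIAL_HASH_BYTES]) in db["partial"]:
        verdict = "malicious: partial-file signature"
    else:
        verdict = "clean"
    results = [(name, verdict)]
    # Hashing the .zip as a whole never matches; only an archive-aware scanner sees the members.
    if scan_archives and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                results.extend(scan_bytes(f"{name}/{member}", zf.read(member), db, scan_archives, max_bytes))
    return results


def make_zip(member_name, data):
    """Pack one member into an in-memory zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def run_scenarios():
    """Exercise the scanner against the cases the text describes; returns {scenario: verdict}."""
    tail_variant = bytearray(KNOWN_BAD)
    tail_variant[-1] ^= 0x01          # one byte changed outside the partial-hash region
    head_variant = bytearray(KNOWN_BAD)
    head_variant[0] ^= 0x01           # one byte changed inside the partial-hash region
    bloated = KNOWN_BAD + b"\x00" * MAX_SCAN_BYTES   # padded with "garbage" past the size limit
    archive = make_zip("invoice.exe", KNOWN_BAD)
    member = "invoices.zip/invoice.exe"
    return {
        "known sample": scan_bytes("sample.bin", KNOWN_BAD, SIG_DB)[0][1],
        "byte changed at end": scan_bytes("v1.bin", bytes(tail_variant), SIG_DB)[0][1],
        "byte changed at start": scan_bytes("v2.bin", bytes(head_variant), SIG_DB)[0][1],
        "padded past size limit": scan_bytes("big.bin", bloated, SIG_DB)[0][1],
        "zipped, archive scanning off": dict(scan_bytes("invoices.zip", archive, SIG_DB, scan_archives=False)).get(member, "not scanned"),
        "zipped, archive scanning on": dict(scan_bytes("invoices.zip", archive, SIG_DB))[member],
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:30} -> {verdict}")
```

The partial-file signature is the one concession a signature scanner makes toward variants: it survives edits outside the hashed region, but nothing else in this design survives a change to the bytes it hashes, which is why the later sections turn to behavior rather than file identity.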
Upgraded Endpoint Security: NGAV
Next-generation antivirus (NGAV) improves on traditional AV by incorporating the cloud, artificial intelligence (AI), machine learning (ML), behavioral detection, anomaly detection, and mitigation of new threats. NGAV is capable of learning which files look suspicious, even if it has never seen that malware before. NGAV solutions can:
- Detect unknown threats (zero-day attacks, malware with new file signatures, etc.)
- Detect fileless threats
- Push resource-intensive hash calculations to the cloud so that scans don’t slow down local computers
- Keep signatures in the cloud to speed up and simplify product updates
Despite these expanded capabilities, NGAV still only prevents attacks in progress on one specific machine.
Endpoint Detection and Response Solutions
Endpoint detection and response (EDR) tools expand on NGAV detection to paint a much broader picture of your organization’s security footprint. EDR accomplishes this by:
- Providing malware and incident logs for investigation
- Triggering alerts on suspicious behavior that might be attack related
- Containing an attack through automated action (stop processes, device quarantine, etc.)
Though NGAV does a much better job of stopping threats, EDR solutions are more successful at threat remediation and destruction because they act automatically when threats slip through the cracks or have already launched.
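The behavioral detection that NGAV adds and the alerting and automated containment that EDR adds can both be illustrated with the same small rule engine. The Python below is an added example for this article, not any vendor's product: it runs two rules over constructed process and file telemetry (a document application spawning a script host, and one process modifying many files within a short window) and turns the resulting alerts into a containment plan. The application and script-host names, the thresholds, the host names and the event format are all assumptions; the actions are returned as data rather than executed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed rule parameters (illustrative, not from any vendor's product).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MASS_WRITE_THRESHOLD = 20                    # this many file writes by one process ...
MASS_WRITE_WINDOW = timedelta(seconds=60)    # ... within this window raises an alert
RULE_SPAWN = "document app spawned script host"
RULE_MASS_WRITE = "mass file modification"


def _writes(host, pid, start, count, step_seconds):
    """Constructed file_write events: `count` writes by one process, `step_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [
        {"ts": (t0 + timedelta(seconds=i * step_seconds)).isoformat(), "host": host,
         "type": "file_write", "pid": pid, "path": f"C:/Users/alice/Documents/file_{i}.docx"}
        for i in range(count)
    ]


# Constructed telemetry in the shape an endpoint agent might report (not real data).
EVENTS = (
    [
        {"ts": "2024-05-01T09:00:01", "host": "LAPTOP-07", "type": "process_start",
         "pid": 4101, "image": "winword.exe", "parent": "explorer.exe"},
        {"ts": "2024-05-01T09:00:09", "host": "LAPTOP-07", "type": "process_start",
         "pid": 4120, "image": "powershell.exe", "parent": "winword.exe"},
        {"ts": "2024-05-01T10:00:00", "host": "DESK-12", "type": "process_start",
         "pid": 5200, "image": "powershell.exe", "parent": "explorer.exe"},   # ordinary admin use
    ]
    + _writes("LAPTOP-07", 4120, "2024-05-01T09:00:10", 30, 1)   # 30 writes in 30 seconds
    + _writes("DESK-12", 5200, "2024-05-01T10:00:05", 3, 5)      # a handful of writes, benign
)


def detect(events):
    """Apply the two behavioral rules; returns a list of alert dicts in detection order."""
    alerts = []
    writes = defaultdict(list)   # (host, pid) -> timestamps of that process's file writes
    for e in events:
        if e["type"] == "process_start" and e["parent"] in DOCUMENT_APPS and e["image"] in SCRIPT_HOSTS:
            alerts.append({"rule": RULE_SPAWN, "host": e["host"], "pid": e["pid"],
                           "detail": f'{e["parent"]} -> {e["image"]}'})
        elif e["type"] == "file_write":
            writes[(e["host"], e["pid"])].append(datetime.fromisoformat(e["ts"]))
    for (host, pid), stamps in writes.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):        # sliding window over the sorted timestamps
            while stamps[end] - stamps[start] > MASS_WRITE_WINDOW:
                start += 1
            if end - start + 1 >= MASS_WRITE_THRESHOLD:
                alerts.append({"rule": RULE_MASS_WRITE, "host": host, "pid": pid,
                               "detail": f"{end - start + 1} writes within {MASS_WRITE_WINDOW.seconds}s"})
                break
    return alerts


def plan_response(alerts):
    """Translate alerts into the containment actions an EDR would take; returned, not executed."""
    actions = []
    for a in alerts:
        wanted = [("terminate_process", a["host"], a["pid"])]
        if a["rule"] == RULE_MASS_WRITE:
            wanted.append(("isolate_host", a["host"]))   # mass modification warrants quarantine
        for action in wanted:
            if action not in actions:
                actions.append(action)
    return actions


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(f'[{a["host"]}] pid {a["pid"]}: {a["rule"]} ({a["detail"]})')
    print("response plan:", plan_response(found))
```

Neither rule looks at a file hash, which is why this style of detection also covers fileless activity: the PowerShell process on DESK-12 is identical to the one on LAPTOP-07 and is left alone because its parent and its behavior are ordinary. In a real deployment the alerts and the resulting actions would also be written to the incident log that EDR provides for investigation.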
Which Solution Is Right for Your Business?
Most small organizations tend to start with traditional antivirus because it’s inexpensive and familiar. However, against today’s sophisticated cyberthreats, more sophisticated security is necessary. Next-generation antivirus (NGAV) and EDR deliver an enterprise-class security solution. When layered with additional security measures such as endpoint encryption, recurring employee security training, a security operations center (SOC), or a security information and event management (SIEM) tool, they help protect endpoints, turning them into dead ends for hackers and cybercriminals.