What is next gen antivirus? NGAV explained

December 18, 2020  |  Ericka Chickowski

This blog was written by a third party author.

What is next gen antivirus (NGAV) and how does it work?

In contrast to legacy antivirus technology, next generation antivirus (NGAV) advances threat detection on the endpoint by looking for all symptoms of malicious behavior across an endpoint system rather than only for known malware file attributes. NGAV uses artificial intelligence (AI) and machine learning algorithms to examine files, processes, applications, network activity, and user behavior to identify atypical activity that could indicate malicious attacks are unfolding on the endpoint.

The AI that NGAV depends upon is constantly learning from historical and ongoing system behavior to develop baselines for what 'normal' looks like for a given activity. Real-time activity can then be compared against these baselines. The predictive analytics get better over time at pinpointing anomalies that are likely to correspond to malicious behavior. This approach makes it possible to block new attack techniques in real time, before they have ever been identified and catalogued by security researchers.

Comparing NGAV vs. legacy antivirus

NGAV development progressed in response to the shortcomings of traditional file-based signatures and heuristics, which depend upon prior knowledge of malware characteristics and behaviors to flag potential infections.

Attackers learned a long time ago how to evade such signature-based detection methods by creating polymorphic malware and otherwise changing the attributes of their malware so frequently that the useful life of a malware signature is too short to matter. According to recent figures, some 70% of all malware attacks today involve zero-day malware that evades signature detection through previously undocumented characteristics or behaviors.

NGAV picks up on emerging threats like these because it doesn't require creating complicated rule sets in advance of the attack. Instead, it seeks out differences between the activity and the baseline to spot new behavior that's suspicious because it is outside the norm.

Additionally, cybercriminals increasingly utilize fileless attack techniques to avoid leaving tracks that could be detected through signatures. This includes utilizing macros, scripting engines and platforms like PowerShell, in-memory attacks, and other 'living off the land' attacks that don't require dropping files to carry out malicious ends. According to a recent analysis, the most common critical-severity cybersecurity threat to endpoints was fileless malware, followed closely by dual-use PowerShell tools that are used in exploitation and post-exploitation behavior. All told, those make up 54% of threat tactics, compared to traditional malware like worms, banking trojans, and remote access tools (RATs), which all together comprised only 14% of tactics.

Utilizing NGAV makes it possible to pick up on the behavior of fileless attacks, since it is not tied only to what the malware drops on the system but instead keeps tabs on how the entire system is working.
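To make the contrast between the two detection approaches concrete, here is an added toy example (not from the original article or any NGAV product). It builds a per-endpoint baseline of parent/child process pairs from constructed "normal" history, then scores new events against it: a file whose hash has been changed slips past the signature check, while a process chain the endpoint has never produced (an Office application launching PowerShell) is flagged purely because it falls outside the baseline. All event data, hashes and field names are constructed for illustration.

```python
"""Added example: signature matching vs. baseline-driven behavioural
detection on constructed endpoint process events (hypothetical, not a
real product's logic)."""
import hashlib
from collections import Counter

# Constructed 'normal' history for one endpoint: (parent, child) pairs.
BASELINE_EVENTS = [
    ("explorer.exe", "winword.exe"), ("explorer.exe", "chrome.exe"),
    ("services.exe", "svchost.exe"), ("explorer.exe", "outlook.exe"),
    ("winword.exe", "splwow64.exe"), ("explorer.exe", "winword.exe"),
] * 10

# Legacy approach: a set of already-catalogued file hashes (constructed).
KNOWN_BAD_HASHES = {hashlib.sha256(b"dropper-v1").hexdigest()}


def signature_match(file_bytes: bytes) -> bool:
    """Flag the file only if its hash is already in the catalogue."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


def build_baseline(events):
    """Learn how often each parent->child pair occurs on this endpoint."""
    counts = Counter(events)
    total = sum(counts.values())
    return {pair: n / total for pair, n in counts.items()}


def anomaly_score(baseline, parent, child, min_freq=0.01) -> float:
    """0.0 = routine on this endpoint; 1.0 = never seen in the baseline.
    Pairs below min_freq are treated as unseen to avoid one-off noise."""
    freq = baseline.get((parent, child), 0.0)
    if freq < min_freq:
        return 1.0
    return 1.0 - freq


def detect(baseline, parent, child, file_bytes, threshold=0.95):
    """Return both signals; the behavioural alert needs no prior signature."""
    return {
        "signature_hit": signature_match(file_bytes),
        "behavioural_alert": anomaly_score(baseline, parent, child) >= threshold,
    }


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    # Polymorphic sample: the payload bytes differ, so the hash no longer matches,
    # but winword.exe -> powershell.exe is absent from this endpoint's baseline.
    print(detect(base, "winword.exe", "powershell.exe", b"dropper-v2"))
```

A real NGAV baseline would include many more features (command-line arguments, network destinations, user context) and be learned per user and per host; the scoring idea is the same.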

Why NGAV matters to cybersecurity programs

According to Ponemon Institute, the average economic loss of a single endpoint breach now adds up to $8.94 million. More than five in 10 organizations say that their endpoint security solutions can't detect advanced attacks—respondents estimate that their legacy AV products miss an average of 60% of attacks. Respondents are also increasingly unsatisfied with traditional antivirus not only for what they don't detect, but also due to a high number of false positives and complexity of management.

“Corporate endpoint breaches are skyrocketing, and the economic impact of each attack is also growing due to sophisticated actors bypassing enterprise antivirus solutions,” explained Larry Ponemon, Chairman and Founder of Ponemon Institute.

A recent analysis by SANS Institute finds that an increasing number of organizations are utilizing AI and machine learning NGAV mechanisms to detect anomalous behavior. However, more than one in three programs still do not tap into NGAV technology, leaving them at a potentially greater risk of attack.

NGAV vs endpoint detection and response (EDR)

NGAV works to protect systems at the individual endpoint level, while Endpoint Detection and Response (EDR) technology collects and consolidates data across an entire portfolio of endpoints. NGAV is at the spear-tip of endpoint security programs, while EDR provides the broader visibility for analysts to carry out ongoing incident response and threat hunting operations. EDR can provide the information analysts need to identify widespread endpoint problems and to backstop automated NGAV detection with further threat hunting and analysis that could uncover stealthy attacks.

EDR and NGAV work hand in hand as part of a well-balanced cybersecurity program, but organizations are far less likely to implement EDR today. SANS Institute reports that fewer than half of organizations today utilize EDR, and just under 32% of organizations use centralized EDR system management interfaces to analyze and consolidate endpoint data for prevention and detection.

The biggest impediments to utilizing technologies like these are a lack of time and money. According to SANS, 62% of organizations report budget and management support as a barrier to implementing better endpoint security, and 56% report skills shortages as a barrier. Organizations should look for solutions that deliver EDR and NGAV from a single agent, with easy-to-use tools and/or managed services to assist with securing endpoints.
