Endpoints are where human interactions happen between your data, your network and, unfortunately, malware.
So, you know you need endpoint protection for these devices. But where do you begin?
Traditional antivirus software (AV)? Next-generation antivirus (NGAV)? Or something more substantial, like endpoint detection and response (EDR) solutions?
Superficially, there’s not much difference between these choices. Once installed, an average user often can’t tell the difference between them.
And, even when your software catches an attack, it might be your security team that feels the difference more than the user.
So, what’s the difference between these? And, more importantly, which is the right choice for you?
Endpoint protection should reflect the economic and risk maturity of your organization. Of course, that requires understanding the difference between these options, and when the adoption of more advanced technologies make sense.
Let’s take a look at some of the pros and cons of each, and shed a little clarity on when an upgrade makes sense for you.
How Does Traditional Antivirus Software Work?
To understand the differences, you need to know how antivirus software works.
Think about how your own immune system works: a virus enters your body, begins to spread, and your white blood cells attack it. Afterwards, your body ‘remembers’ what that virus looks like, and when it encounters it again, destroys it before it makes you sick. At least, hopefully.
Well, traditional antivirus software works in a similar way.
It uses malware signatures of attacks it comes across to identify that malware in the future. Signatures are built by taking a malware file and running it through a hash algorithm to generate a unique number, or hash value, associated with the file.
As the software comes across more malware, it continues to build its list of known threats. The vendor can build each signature from either the whole malware file or a portion of it.
The list is then pushed out to the endpoint (e.g. your computer), and all files on the endpoint are compared against the malware hash value list.
Limitations of Traditional Antivirus Software
Although these traditional antivirus software solutions work well enough for known attacks, they do have limitations.
They will not find malware if:
- The malware hasn’t yet made it to the list (aka: Zero-day attacks)
- The creators of the malware make changes, so the files no longer match known signatures
- The malware never writes a file to disk, so there is nothing to compare against the signatures (so-called fileless malware)
Traditional antivirus also can be problematic because:
- Updating the signature list introduces delays between when malware is known and when the AV will detect it on an endpoint
- Scanning files can be time consuming and slow down computer performance. And, the more files that need to be scanned, the longer the process takes.
- Some antivirus programs exclude large files from scans, to improve performance. Knowing this, malware creators sometimes bloat file sizes with ‘garbage code’ to avoid detection.
- Scanning binary files for malicious code may miss malware contained within compressed files (.zip, .rar, etc.)
- Because scanning can be resource intensive, updates and scans tend to be scheduled for later times, or even canceled, possibly introducing a delay between infection and detection. (Who hasn’t been guilty of putting off a system scan on occasion?)
- Antivirus software runs on the local computer and does not share information with other devices.
So, as easy to use and inexpensive as AV solutions are, they’re not always the most secure.
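To make the signature mechanism and two of the limitations above concrete, here is a small illustration added for this article (not code from the original post or from any vendor). The “malware” samples are constructed harmless byte strings, and SHA-256 stands in for whatever hash algorithm a given product uses.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for a known malware sample (harmless placeholder bytes).
KNOWN_BAD_SAMPLE = b"EVIL-SAMPLE-0001: constructed test payload"


def signature(data: bytes) -> str:
    """Whole-file signature: the SHA-256 hash value of the file bytes."""
    return hashlib.sha256(data).hexdigest()


def build_signature_list(samples) -> set:
    """The 'list of known threats' that gets pushed out to each endpoint."""
    return {signature(s) for s in samples}


def scan_file(data: bytes, sigs: set, inspect_archives: bool = False) -> bool:
    """Compare a file against the signature list.

    With inspect_archives=True the scanner also unpacks a .zip and compares
    each member, which is what a naive binary-only scan misses.
    """
    if signature(data) in sigs:
        return True
    if inspect_archives and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(signature(zf.read(name)) in sigs for name in zf.namelist())
    return False


def make_zip(member_name: str, data: bytes) -> bytes:
    """Constructed compressed container holding one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def demo() -> dict:
    sigs = build_signature_list([KNOWN_BAD_SAMPLE])
    variant = KNOWN_BAD_SAMPLE + b" "          # a single appended byte
    archived = make_zip("sample.bin", KNOWN_BAD_SAMPLE)
    return {
        "exact_copy_detected": scan_file(KNOWN_BAD_SAMPLE, sigs),
        "one_byte_variant_detected": scan_file(variant, sigs),       # False
        "zipped_naive_detected": scan_file(archived, sigs),          # False
        "zipped_archive_aware_detected": scan_file(archived, sigs, inspect_archives=True),
    }
```

The exact copy matches, the one-byte variant does not (a new signature is needed), and the zipped copy is only caught when the scanner unpacks the archive.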
Upgraded Endpoint Security
So, if traditional antivirus software has limitations, what’s the next step in addressing them?
Well, next-generation antivirus software improves traditional AV by incorporating the cloud, artificial intelligence (AI), machine learning (ML), behavioral detection, anomaly detection, and exploit mitigation.
Essentially, it’s capable of learning which files look suspicious, even if it’s never seen that particular malware before.
These technologies allow NGAV to:
- Detect unknown threats (zero-day attacks, malware with new file signatures, etc.)
- Detect fileless threats
- Push resource-intensive hash calculations to the cloud so that scans don’t slow down local computers
- Keep signatures in the cloud to shorten update times and simplify product updates
But, despite the expanded capabilities, NGAV still only prevents attacks in progress on a specific machine.
Endpoint detection and response tools take things a step further, expanding upon the NGAV detection to paint a much broader picture of your organization’s health by:
- Providing malware and incident logs for investigation
- Triggering alerts on suspicious behavior that might be attack related
- Containing an attack through automated action (stop processes, device quarantine, etc.)
So, while next-gen antivirus does a much better job at stopping threats, EDR tools go even further, automatically taking action when threats slip through the cracks.
Which Solution Is Right for Your Business?
Most organizations start with traditional antivirus because, well, it’s cheap and easy to install.
However, like bald tires on a car, AV works fine for good conditions, but not so well when facing hazardous environments.
Once an organization grows past the startup stage and starts generating more significant assets, more security is needed. But, even with growth, most budgets remain limited.
So, many organizations upgrade to NGAV, since they’re familiar with the technology and it generally doesn’t require expanding the IT support team.
Then, as the organization grows and develops more sophisticated security needs, they’ll invest in EDR and the security team, security operations center (SOC), or security information and event management (SIEM) tools to manage it.
While NGAV and EDR can be more expensive than traditional antivirus software, they often provide ROI in other ways.
For example, the lightweight new technologies improve computer performance, delaying the need for expensive computer upgrades. And, since they don’t slow down performance with intensive file scanning, your team’s workflow remains uninterrupted.
When coupled with the additional security these solutions provide, most security-conscious organizations find them to be the perfect fit.
Making the Choice
While your business might be fine if it’s a smaller start-up with few assets to protect, you’ll probably want to look for a more in-depth solution if it’s grown in size, or needs to guard more sensitive client data.
Although we defined prototypical AV, NGAV, and EDR options, the real-life products all have features that make them fall somewhere on a spectrum between the specific technology definitions.
For example, some traditional antivirus software does come with limited ‘next-generation’ features, like detecting unknown malware files. And, not every next-gen antivirus comes packed with the same features.
Like any other product, it depends on the software developers and companies involved.
Sure, understanding the nuances of the technologies can be challenging and time consuming.
And, although more advanced choices also require advanced setup to take advantage of the capabilities, there’s no reason to go it alone.
For help navigating through your options, contact Ideal Integrations at 412-349-6680, or fill out the form below.
Our experts will provide an in-depth, no-obligation review of specific technologies available and help your team evaluate how NGAV, EDR, or even managed cybersecurity can save your company money by reducing risk.