Are conventional antivirus solutions dead? The advanced detection and threat response capabilities provided by EDR (Endpoint Detection & Response) is not disputed, however, it is not always the right solution for every organisation. When is EDR a better solution than conventional Antivirus solutions?
When discussing the merits of each solution, it is important to understand the difference between these solutions in order to determine when you should use one, the alternative or even both! Even though the question feels redundant and we all assume that EDR is better than a conventional antivirus, we should still ask ourselves “Why? ”. The answer can be more confusing than you may think…
DETECTION METHODS: SIGNATURE AND HEURISTIC ANALYSIS
All antivirus solutions use signature-based detection as part of their basic functionality.
What is a signature?
A digital signature is a mark that is specific to a malicious file (malware, ransomware, Rootkit etc.) or a malicious action (digital exchanges with an IP or domain of an attacker).
Each antivirus program contains a database of digital signatures that is routinely updated by the developer (by default) and sometimes by other third-party sources as part of more advanced configurations.
If a file is downloaded onto a system or an action performed that contains a mark which corresponds to one of the signatures present in the antivirus database, then the antivirus will detect the file or action and perform one of the associated remedial actions.
Limitations of signature-based detection
A large proportion of antivirus software solutions rely on signature-based detection which is only useful if the database is updated regularly.
Unfortunately, this detection method is also limited in scope as the detection of threats is only effective if the signature can correctly identify the threat. The threat must therefore already be known to the antivirus program. If the malicious action is new or dissimilar to those previously identified then the signature-based detection has almost no chance to detect the threat: you have lost the fight.
Heuristic analysis attempts to identify threats at the source by analysing the structure of the file (static analysis) or the behaviour of the file during runtime (dynamic analysis – Sandboxing).
Contrary to what other articles on this subject claim, particularly those authored by EDR vendors, this is not a feature specific to EDR. In fact, this function is also present in some advanced antiviruses (often offered as an option in most cases). The following antivirus programs offer such features for example: Kaspersky Endpoint Security 10, ESET NOD32 or Bitdefender Total Security.
Limitations of heuristic analysis detection methods
Antivirus programs which use heuristic analysis detection methods are able to detect malicious files that have never been previously encountered and are not listed in any database. However, this detection method is only possible if the operating mode or structure of the file resembles another known strain of a malicious file (referred to as a variant). If the file structure or behaviour is too dissimilar and does not reflect other known strains or utilises a new attack method (especially in the case of 0-day attacks), then the heuristic analysis cannot detect the threat.
RESPONSE TO A DETECTION
Where an antivirus program detects a threat, the responses to the threat are essentially limited to the following actions:
- Execution of the malicious file will be blocked
- The malicious file will be removed
- The malicious file will be quarantined
- The alert will be reported to a central detection console
EDR: THE KING OF ENDPOINT SECURITY
DETECTION METHODS: BEHAVIOURAL ANALYSIS AND ARTIFICIAL INTELLIGENCE
Firstly, all detection methods provided by an antivirus (signature-based and heuristic analysis) are also provided by EDR (with limited exceptions). In this section, we will discuss the additional detection capabilities provided by EDR compared to a conventional antivirus solution.
Behavioural analysis and detection
This detection capability is arguably the stand-out advantage of EDR when compared to conventional antivirus solutions. This detection method consists of correlating a sequence of events and identifying malicious behaviour within that sequence. Regardless of known signatures, this method attempts to identify suspicious behaviour and compares the behaviour to known attack patterns.
The potential for attacks is endless but the number of distinct techniques used as part of these attacks (TTP) is quantifiable and often evolves much less frequently than the number of malware strains. Many cyber defence teams rely on the ATT&CK matrix provided by MITRE, which provides extensive information and references for known attack techniques. If you can model behaviours based on all of these attack techniques and translate them into behavioural detection rules for use as part of EDR, you can detect everything!
In reality though it is almost impossible to achieve such a model. Firstly, each attack technique can itself cause a multitude of different potential behaviours that are difficult to quantify, but also it is important to recognise that some of these behaviours are similar to legitimate ones: a solution that drowns you in false positives is not a viable detection solution. (so EDR will never be able to detect everything).
But no matter what happens, EDR has behavioural analysis capabilities that can greatly enhance your detection capabilities.
Artificial intelligence (and related analogues: Machine Learning, UEBA, Deep Learning etc.) is present in a large number of EDR solutions and is used to complement behavioural analysis and detection. Artificial intelligence learns from behavioural analysis; the habits and behaviours carried out on the Endpoints which it helps to protect. The AI actively identifies potential deviations and anomalies in behaviour and raises an alert where required.
Artificial Intelligence is a feature promoted by EDR vendors that is often misunderstood by end-users and by sales representatives who present AI as a magical solution to all threats. Artificial Intelligence is not a magic cure-all and is the product of algorithms that have been developed and tested following many years of research. Nevertheless, the algorithms should be adapted to the environment in which they are used to ensure effective deployment.
RESPONSE TO A DETECTION
The detection response methods provided by conventional antivirus solutions are also available with EDR. In addition to the actions mentioned previously, EDR offers the following additional capabilities (non-exhaustive list):
- Provision of an intuitive interface and access to strategic intelligence data
- Remote control by a qualified incident response analyst
- Investigative search and scan of the workstation file system by the analyst
- Quarantine and isolation of the workstation from the rest of the network
EDR: Excellent incident detection and threat response
From a functional perspective, there is no need for EDR to be jealous of their “ancestor” the antivirus. EDR is the ultimate product in terms of endpoint detection and threat response and outperforms conventional antivirus solutions in these categories by a considerable margin.
EDR: a tool that requires expertise
However, the detection and response capabilities of EDR require a degree of expertise to unlock their full potential!
Firstly, we should make it clear that the advanced detection capabilities provided by the behavioural analysis and artificial intelligence should be implemented with caution: these detection techniques are known to generate a larger number of false positives than a more reliable signature-based detection method. It is important that such false positives are correctly controlled and limited to ensure effectiveness of the solution. The rules must be properly adapted to the environment. It is also worth noting that despite this adaptation, many of these rules will not produce an automatic response and will require human analysis and intervention. It is likely that you will need to employ a security analyst.
Secondly, the remedial actions and incident response capabilities also require a certain amount of expertise to be implemented effectively: the investigation tools are intended to be used by qualified incident response experts only.
Antivirus, unlike EDR, only uses detection techniques that produce a very low false positive rate. As a result, the antivirus is able to perform remedial actions autonomously without human intervention. Antivirus was designed to work in this manner and remains the reason why it is used in companies and private homes alike.
When should I choose EDR instead of a conventional antivirus?
EDR provides much better detection and threat response capabilities than any antivirus solution. However, to truly benefit from these features, it is necessary for the user to possess specialist knowledge of information systems security. Integration and operation of EDR is quite expensive (due to the human and software costs involved).
As such, no organisation should implement such a solution unless an assessment requires that they implement the 42 security measures contained in the ANSSI healthy Information System Guidelines.
EDR is the solution to implement when your organisation has reached an advanced level of understanding regarding information systems security and includes operations teams with the requisite cybersecurity skills (SOC analyst / Incident Response).
In all other cases, we advise that you keep your antivirus, and eventually upgrade your conventional antivirus to a more advanced solution (Next-gen antivirus) that includes advanced analytical functions such as heuristic analysis that can be activated through additional options when you feel this is required.