When Legacy Tools Fail, Next-Generation Antivirus Solutions Can Defuse Endpoint Security Risks

Today, many businesses and corporations are stuck between a legacy antivirus endpoint security solution and the path forward. These solutions tend to be highly reactive and labor-intensive. Most legacy antivirus (AV) solutions are merely signature file- or definition-based attempts to meet the increasing security demands of today’s complex IT infrastructures.

Many critical infrastructures as seen in the financial, health care, defense and other sectors rely on this failed approach. With each new emerging threat, a reactive signature file needs to be created, distributed and verified throughout each business’ environment. To maximize efficiency and defuse endpoint security risks, organizations should review their legacy AV solutions and consider adopting more robust next-generation tools to monitor and protect their endpoints.

Exploiting Endpoint Security Gaps

Threat actors capitalize on gaps in legacy antivirus protections and failures in critical vulnerability patching across various operating systems (OS) and environments. Malware tactics literally change overnight, and 53 percent of IT breaches use absolutely no malware at all. Traditional legacy antivirus solutions leveraging signature files don’t typically capture those threats. Those same legacy solutions can only capture 47 percent of malware, and only if that malware is a known threat with a signature file or pattern previously identified, created and distributed so that the antivirus software agents have predefined instructions to react to.

Threat actors are constantly learning, updating and evolving their methodologies. They code and recode to evade detection so they can live yet another day to lurk, learn, siphon and steal. They are relentless and more persistent than ever in pocketing your intellectual property or other corporate crown jewels.

Nowadays, many attacks are built around memory-based schemes, remote login, macros, PowerShell commands and even insider threats that can throw corporate doors wide open to exploitation. Fraudsters continuously hunt for these fruitful opportunities, and threat campaigns are now more targeted and customized than ever. Malware can be tailored to a specific business sector, a single business or even an individual building.

There is an abundance of malware version types that connect to attacker-owned command-and-control (C&C) servers or server farms. These connections enable the malware to pull down and receive new instructions. The malware embedded in the compromised environment may learn and report information back to the C&C servers so it can mutate and mature. It may also use legitimate end-user credentials to beat once-championed machine learning techniques.

The IT Skills Shortage and Other Professional Pain Points

Several conclusions follow from the pain points described above. Legacy solutions tend to have security gaps. For perspective, however, a 47 percent gap is not a gap, but a canyon of security shortfalls and neglect. At what point does this professional pain become self-induced? What are the market options?

The skills shortage in the cybersecurity industry is estimated to reach 1.8 million unfilled positions by 2022. If the security sector simply doesn’t have the people to deliver the needed skills and solutions, that further drives the urgency for more streamlined approaches.

Legacy AV drives up labor and doesn’t view the full threat landscape. If it takes more bodies to deliver a legacy security solution, and if the solution itself is generating professional pain, data loss, risk and infrastructure churn, it may not be the best choice. It should be removed from the overall architecture and replaced with a more effective tool.

With legacy AV, someone needs to be monitoring and reporting the signature file levels in the environment. Typically, that is labeled “system currency.” This is simply the monitoring of all the endpoints within an infrastructure to ensure that they are sitting on the most recent acceptable level of definition file releases. Endpoints that are not pulling down the most acceptable level of releases from the central management console need to be resolved in some manner, typically via incident management processes. Tickets to correct these noncompliant endpoints equate to time, and time equates to money.

System currency is only one compliance variable that needs to be monitored. The AV agent version levels are always a top concern because there are end of life (EOL), communication, vulnerability and compatibility issues within any environment. For legacy AV agent package deployments, that is typically done via a mature deployment tool set. However, AV package deployments are usually large, impact bandwidth and need to be monitored closely with proper change management. In addition, teams with intersecting demarcations require visibility and coordination. This preplanning, coordination and overall risk acceptance takes time and money.
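The two monitoring chores just described, definition-file currency and agent version levels, are what a legacy AV operations team ends up scripting against its console export. The block below is an added illustration of that compliance check, not code from the article or from any vendor's product: the inventory rows, the version formats and the policy thresholds are constructed assumptions. It flags three distinct failure modes an operator needs to distinguish before raising tickets: definitions below the acceptable release, an agent version past end of life, and an endpoint that has not checked in recently enough for its reported levels to be trusted at all.

```python
"""System currency check for a constructed AV endpoint inventory.

Added example (not from the article or any vendor). Hostnames, version
formats, thresholds and timestamps are assumptions chosen to illustrate
the three reasons an endpoint ends up in the noncompliant ticket queue.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    agent_version: str        # assumed dotted form, e.g. "14.2.1"
    definition_version: str   # assumed date-stamped form, e.g. "2024.03.12.001"
    last_checkin: datetime    # last report to the central management console


@dataclass(frozen=True)
class CurrencyPolicy:
    minimum_definition: str      # oldest definition release still acceptable
    eol_agent_below: str         # agent versions older than this are end of life
    max_checkin_age: timedelta   # silent longer than this: levels cannot be trusted


def parse_version(version: str) -> tuple:
    """Turn "2024.03.09.003" or "14.2.1" into an integer tuple for ordering."""
    return tuple(int(part) for part in version.split("."))


def check_currency(endpoints, policy: CurrencyPolicy, now: datetime) -> dict:
    """Return {hostname: [reasons]} for every endpoint that fails the policy.

    A stale endpoint is flagged even if its last reported versions look
    current, because the console has no fresh evidence either way.
    """
    findings = {}
    for ep in endpoints:
        reasons = []
        if now - ep.last_checkin > policy.max_checkin_age:
            reasons.append("stale check-in: currency cannot be verified")
        if parse_version(ep.definition_version) < parse_version(policy.minimum_definition):
            reasons.append(
                f"definitions {ep.definition_version} below minimum {policy.minimum_definition}"
            )
        if parse_version(ep.agent_version) < parse_version(policy.eol_agent_below):
            reasons.append(f"agent {ep.agent_version} is end of life")
        if reasons:
            findings[ep.hostname] = reasons
    return findings


def compliance_rate(endpoints, findings: dict) -> float:
    """Fraction of the inventory with no findings (what a currency report shows)."""
    total = len(endpoints)
    return (total - len(findings)) / total if total else 1.0


# Constructed inventory: a fixed "now" keeps the example reproducible.
NOW = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)
POLICY = CurrencyPolicy(
    minimum_definition="2024.03.10.001",
    eol_agent_below="14.0.0",
    max_checkin_age=timedelta(hours=24),
)
SAMPLE_INVENTORY = [
    Endpoint("fin-ws-01", "14.2.1", "2024.03.12.001", NOW - timedelta(hours=1)),
    Endpoint("fin-ws-02", "14.2.1", "2024.03.09.003", NOW - timedelta(hours=2)),
    Endpoint("hr-ws-07", "13.0.4", "2024.03.12.001", NOW - timedelta(minutes=30)),
    Endpoint("lab-srv-03", "14.2.1", "2024.03.12.001", NOW - timedelta(days=5)),
    Endpoint("fin-srv-01", "12.9.0", "2024.02.20.001", NOW - timedelta(days=10)),
]


if __name__ == "__main__":
    results = check_currency(SAMPLE_INVENTORY, POLICY, NOW)
    for host, reasons in results.items():
        print(f"{host}: " + "; ".join(reasons))   # one ticket candidate per line
    print(f"compliant: {compliance_rate(SAMPLE_INVENTORY, results):.0%}")
```

Separating the stale check-in case from the version comparisons matters in practice: an endpoint that went quiet a week ago will often still show the definition level it had when it last reported, so comparing only versions would silently count it as compliant and hide the very machines most likely to be unprotected.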

Reducing Complexity With Cloud-Based Solutions

Personally, I prefer a next-generation antivirus solution that is designed for greater visibility into the attack chain and touts a lightweight and resource-conscious agent with proactive enforcement features, detection and response capabilities, and the ability to leverage threat feed technologies that can be centrally hosted out of a cloud instance.

Unless there are specific compliance needs or mandates for a noncloud option, I would simply prefer to deliver a cloud-based endpoint security solution to my clients. After years of managing on-premises solutions, I have come to endorse a simplified architecture that has fewer moving parts. The more moving parts an infrastructure has, the more that can go wrong with it. The on-premises solution requires more monitoring, incident alerting and maintenance — which, again, equates to more labor and higher costs.

With cloud-based technologies and the removal of signature file monitoring due to threat feeds, a large portion of costs are removed from the support model. That means no more system currency.

For the endpoint agents, many are much more lightweight and easier to deploy and administer. One agent and one cloud-based management instance means reduced complexity in the architecture solution. Many packages install in less than 15 minutes per endpoint and have resource usage as low as 4 MB per day for network traffic, less than 1 percent of the CPU, less than 1 percent of the hard disk drive (HDD) and 15 to 40 MB of memory.

Of course, this will vary from product to product, and will depend on overall policy selections and feature enablement, but the resource savings are significant when select endpoints in your server environment are accustomed to a traditional AV solution chewing up 97 percent of processor utilization on a consistent and recurring basis. When it is cheaper to enable a service, the service costs typically fall.

MSSP and Multitenancy

My next favorite feature is multitenancy (MT). From a managed security services provider (MSSP) perspective, MT is a single vendor cloud instance capable of housing multiple client cloud management consoles. A tabbed-out super console in the cloud, if you will.

With MT truly designed for MSSP, you save resources and time because you’re not funding highly skilled personnel to perform simplified tasks such as logging in and out of systems multiple times per day. It seems small, but when you’re the largest MSSP on the planet, logins and mouse clicks add up very quickly.

The ease and capability to seamlessly move from one instance to another is advantageous. Unlike other MSSPs that deliver endpoint solutions, our teams truly leverage the insights and cost savings these cloud consoles provide. We extract meaningful data and reciprocate our findings through standardized offerings that truly outperform our competitors in the value-add space.

Many of our IBM services, such as Endpoint Managed Security (EMS) and Managed Detection Response (MDR), leverage the cloud instances for insight. We can bring additional value to our service offerings by using these types of tools instead of simply plugging the syslog output from an instance into a managed security information and event management (MSIEM) tool. MSIEM is a major component of building out a successful security posture, but when coupled with a true endpoint service offering, it becomes a robust and powerful tool to manage threats.

Adopting Next-Generation Tools to Defuse Endpoint Security Risks

The endpoint market has transitioned. If you have not already, now is the time to reassess your endpoint security posture. It’s important to consult experts with true endpoint delivery and consultancy experience when making the next decision for your infrastructure or vendor selections.

If you are renewing legacy solutions without studying differentiators or the advantages of modern AV technologies, you may be embracing more of that professional pain described above. An effective next-generation solution can help any organization defuse these endpoint security risks and protect corporate data from threats lurking on the network.

Adam "Griff" Griffin

CyberSecurity Architect - Manager - MSS - Infrastructure & Endpoint Security

Adam "Griff" Griffin is an IBM Security Services leader & innovator in Managed Security Services.