ANALYZING THE ACRONYMS: MOVING TARGET DEFENSE VS. AV, NGAV, EDR, EPP…

Posted by SHELLEY LEVESON on April 15, 2019

analysing cybersecurity endpoint security

It seems that the only thing constant about cybersecurity (besides change) is our love of acronyms. We get it, time is too short for wasted words. But this can make it even more difficult to wade through the varied, often overlapping claims, of an already confusing space.

Breaking it down

AV – Antivirus

Let’s start with the easiest one, AV, i.e., antivirus. Traditional antivirus first appeared in the late 1980s and has evolved along with the types of malware it stops. Essentially it compares incoming files against a database of known malicious signature and blocks any that match.  The more frequently the database is updated, the better its protection. Most AV tools these days also use some form of heuristic detection, which means they analyze the file for possible behavior anomalies. Many have incorporated ML or AI (yet more overlapping acronyms) to broaden their scope of analyzing and detecting. With ML/AI, the match doesn’t have to be exact, but use similar constructions or techniques.

The good: It is cheap or even free and still quite effective at what it does – which is preventing known threats.

The bad: Updates and scans can significantly slow down processing times. Heuristic and ML methods often cause false positives. Most importantly, it cannot prevent new, unknown threats, fileless attacks and those that use evasive techniques to hide identifiers.

NGAV – Next Generation Antivirus

Here we already run into problems. What is the difference between AV and NGAV? Basically marketing, according to Gartner, who refuses to use the term and pleads for its quick demise. Machine Learning and AI used to be associated exclusively with NGAV but no longer. Generally, products that call themselves NGAV have advanced ML/AI capabilities as well as additional features, such as basic exploit and fileless attack protection, that distinguish them from standard AV. For example, they might look for overrunning buffers or hijacking DLLs. They may also have integrated EDR capabilities, further confusing the field, but let’s leave EDR out of it for now.

The good: They are very effective at preventing known threats and threats that have similar characteristics or behaviors to previous threats. They have access to huge, constantly updated repositories, to compare to, learn from and make predictions based on. They can stop some memory exploits.

The bad: Network connection is required to access the most up-to-date repositories so off-line protection is not as robust. They tend to generate many false alerts – especially if you configure the system for maximum protection – and you need trained security personnel to sift through them. The number of alerts can be reduced with granular whitelisting, but this is time-consuming to set-up. Generally, exploit/memory protection, if included, is an added monitoring capability that eats up more CPU cycles. It also is limited to known memory exploit techniques.  In the end, NGAV has the same limitation traditional antivirus has always had, namely that it must somehow identify a threat before it can stop it. This means it does not prevent brand new attacks or threat variants that are different just enough to avoid triggering recognition. NGAV vendors know this, so they may include EDR capabilities or have separate EDR modules to later catch what slips through.

EDR – Endpoint Detection & Response

EDR is the response to the fact that antivirus and its descendants are never going to be able to prevent every cyberattack. EDR assumes that threats are going to bypass prevention defenses, so it focuses on monitoring endpoints to detect behaviors that indicate malicious activity, and it captures data for forensic and security investigations in order to respond. Most have some level of automated response but, depending on the threat dwell time before it is discovered, there can still be a considerable amount of remediation required. As with NGAV, EDR solutions use ML/AI to extrapolate and determine if behavior is malicious based on enormous datasets that are constantly updated as new information becomes available. They often leverage reputation engines for another layer of detection and may include or have an option for sandbox detonation and analysis of suspicious files. And, like NGAV, EDR these days is rarely pure EDR. EDR solutions generally include NGAV prevention functionality.

The good: They are very good and fast at extrapolating from data to detect and hunt for threats. They are better than the NGAV set at detecting fileless attacks. They gather a lot of intelligence that can be used by other security tools. Depending on their level of automated response capabilities, they can speed up remediation efforts.

The bad: Let’s start with the obvious – EDR operates post infiltration. Your systems are already compromised. They also have a high-rate of false positives (depending on strictness of security levels), are complex and time consuming to operate and require teams of analysts to sort through the data generated. In fact, most organizations cannot manage this on their own and must use a Managed Detection and Response (MDR) service (which some of those same vendors conveniently supply at additional cost). The monitoring functions often come at high performance penalties – this particularly poses issues in protecting servers. They also are only as good as their data and require internet connectivity to have access to the most up-to-date information. Which brings up the last point – they have the same blind spot as all detection technologies – they can’t spot threats using completely new techniques.

EPP – Endpoint Protection Platform

EPP is a catch-all phrase that means different things to different people – and it’s evolving. Generally, it’s an integrated security solution with different protection capabilities. Gartner updated its definition of EPP to be “A solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.”

We won’t get into the good and the bad here, as an EPP is basically the sum of its individual components.

Moving Target Defense – Sometimes known as MTD

Last but not least, we get to Moving Target Defense. Moving Target Defense is the easiest to understand from the point of view that it doesn’t overlap with any of the other endpoint acronym categories.

In fact, at Morphisec we rarely use the MTD acronym. That’s because the full name conveys so much. If you constantly move around your environment, rather than keeping it static, then attackers can’t find their targets. Simple concept, powerful in action. Morphisec technology applies moving target defense by dynamically morphing the memory space so attacks can’t find resources to exploit. Given that over 75% of breaches are caused by fileless in-memory attacks, by making this space unreachable to attackers, you eliminate the biggest chunk of remaining risk.

With Moving Target Defense, the type of attack is irrelevant as it doesn’t need to detect or identify an attack in order to prevent it. Basically, the attack was prevented before it was even conceived. The timeline below of an Adobe Flash exploit explains this best:

morphisec

The good: Morphisec’s Moving Target Defense-based solution stops the new, unknown and advanced evasive threats that bypass the other acronymns. It has no run-time components, no updates, no scans, so it does not slow down systems at all. It works whether an endpoint is on or offline, does not generate false positives and does not require skilled resources to analyze data as part of ongoing operations. However, it does capture detailed forensic data about each attack it prevents, which is readily available to analysts and system tools if the organization wants to use that information.

The bad: None – or at least none of the negatives you see with the AV, NGAV or EDR. However, Morphisec does have a requirement – as it addresses unknown, sophisticated evasive threats, it should be accompanied by an antivirus for known basic attacks. That can be any AV or NGAV your organization prefers – Windows Defender antivirus that comes embedded in Windows 10 can be a good choice (learn more about Defender+Morphisec in this whitepaper).

Leave a comment