Why legacy antivirus can’t outsmart the latest cyber threats

Tom Kinnaird
Cyber Services Practice Lead
Antivirus technology has been in existence for 25 years, but relying on conventional, legacy antivirus is no longer enough for organisations to detect and respond to cyber attacks. Legacy antivirus software, though occasionally successful, is hampered by the nature of its design. But the shift from reactive to proactive defence is transforming the way organisations approach cybersecurity. In this blog, we will show why detecting and stopping cyber attacks requires Endpoint Detection and Response (EDR) at a minimum.
Is legacy antivirus dead?
Legacy antivirus (AV) relies on signature-based methods to detect malware: it searches a file for known, recognisable elements of the malware or attack technique, such as byte patterns, file hashes, or heuristic rules applied to the file's contents. Legacy antivirus tools also often disregard the possibility that an attack is fileless, running in memory rather than touching the file system, or that it uses common system tools to evade detection.
Meanwhile, threat actors and cybercriminals keep creating new malware variants that evade these signature checks. In fact, a study by SentinelOne found that traditional AV solutions failed to detect approximately 50% of known malware samples. As cyber attacks become more targeted, zero-day and fileless threats continue to grow, rendering legacy AV an ineffective defence against the onslaught of increasingly advanced threats.
How do threat actors evade legacy antivirus tools? They employ various masking techniques to evade security software, leaving endpoints, workstations and servers vulnerable to attack. They can modify malicious code to transform a known binary into something apparently new and unknown in order to bypass signature-based checks. This can be done manually, but the task is often simplified by using downloaded or self-made tools. These techniques become even more effective with polymorphic variants that change their form each time the malware runs. Polymorphic malware was problematic enough on its own, and now it's powered by AI.
In addition to masking techniques, hackers use various vectors or attack paths to deliver malicious code and execute their attacks while bypassing legacy antivirus tools.
How does Endpoint Detection and Response detect what legacy AV cannot?
Modern Endpoint Detection and Response (EDR) platforms, such as SentinelOne’s Singularity Platform and Microsoft Defender for Endpoint, have been designed to combat the limitations of legacy AV solutions. Rather than relying on just static signatures, EDR uses advanced machine learning algorithms and behaviour-based analytics to look for anomalous behaviour. Rather than being one step behind the latest attack techniques, next-generation antivirus solutions like EDR are designed to flag suspicious-looking behaviour, even while the latest attack techniques attempt to cover their tracks.
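To make the contrast concrete, here is an added example (not code from this post or from SentinelOne, Microsoft or Claranet): a toy signature matcher that checks file hashes and byte patterns, beside a toy behaviour rule evaluated over constructed endpoint telemetry. All sample bytes, process names and events are constructed stand-ins. A one-character change to the sample defeats the signature check, while the behaviour rules still fire on what the sample does when it runs.

```python
import hashlib
from dataclasses import dataclass

# --- Signature-based detection (legacy AV model) ---------------------------
# Constructed stand-in for a signature database: SHA-256 hashes of known
# samples plus byte patterns ("strings") seen inside them. No real malware.
KNOWN_HASHES = {hashlib.sha256(b"MZ\x90\x00EVIL-SAMPLE-v1").hexdigest()}
KNOWN_PATTERNS = [b"EVIL-SAMPLE"]

def signature_scan(file_bytes: bytes) -> bool:
    """Return True if the file matches a known hash or byte pattern."""
    if hashlib.sha256(file_bytes).hexdigest() in KNOWN_HASHES:
        return True
    return any(p in file_bytes for p in KNOWN_PATTERNS)

# --- Behaviour-based detection (EDR model) ---------------------------------
@dataclass
class ProcessEvent:
    parent: str        # image name of the parent process
    process: str       # image name of the new process
    on_disk: bool      # False when the code runs only from memory (fileless)

# Constructed names standing in for "document app" and "script interpreter".
DOCUMENT_APPS = {"wordproc.exe", "pdfview.exe"}
SCRIPT_HOSTS = {"scripthost.exe", "shell.exe"}

def behaviour_scan(events: list[ProcessEvent]) -> list[str]:
    """Return the behaviour rules triggered by a sequence of process events."""
    hits = []
    for e in events:
        if e.parent in DOCUMENT_APPS and e.process in SCRIPT_HOSTS:
            hits.append(f"document app {e.parent} spawned {e.process}")
        if not e.on_disk:
            hits.append(f"{e.process} executing without a file on disk")
    return hits

def compare() -> dict:
    """Run both engines: the variant beats the signatures, not the rules."""
    original = b"MZ\x90\x00EVIL-SAMPLE-v1"
    # Same sample with the recognisable string altered by one character:
    # both the hash check and the byte-pattern check now miss it.
    variant = b"MZ\x90\x00EV1L-SAMPLE-v1"
    # Constructed telemetry: what either file does once it runs is identical.
    events = [ProcessEvent("wordproc.exe", "scripthost.exe", True),
              ProcessEvent("scripthost.exe", "payload", False)]
    return {"signature_original": signature_scan(original),
            "signature_variant": signature_scan(variant),
            "behaviour_hits": behaviour_scan(events)}
```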
From reactive to proactive defence
But Endpoint Detection and Response tools do more than just passively detect indicators of compromise that might be cyber attacks. They can also be used to stop cyber attacks in progress. Built-in tools and functions enable users to quarantine attacks, remove attackers from the network and (with some platforms) roll the endpoint back to a safe state.
Ultimately, EDR platforms need the support and management of a Security Operations Centre (SOC) to run effectively. Powerful tools still need human operators. Investigating a threat and responding to it, by quarantining and eradicating attackers before the attack evolves, requires expert SOC analysts monitoring the security alerts generated by your endpoints.
Organisations can improve their detection capability with Endpoint Detection and Response platforms, but to stop cyber attacks in their tracks before they can progress to inflict greater damage, it takes a multi-skilled and experienced SOC that responds to alerts 24/7/365. Claranet's EDR solution does exactly that: supported by expert SOC analysts, we assess the risk to your organisation, plan the best response and act on it immediately.
Can attackers slip through the net?
Even modern tools like Endpoint Detection and Response can be evaded, and attackers are constantly developing new methods to bypass them. Trained SOC teams therefore also use threat hunting to search for signs of a threat actor operating in the network even when they have gone undetected. Scouring event logs for suspicious-looking activity requires time, skill and expertise. If you have a Managed Detection and Response service, threat hunters correlate log data from the SIEM across your network (including IDAM services and your cloud environment) with detailed endpoint telemetry from EDR tooling to build complete attack timelines.
How Endpoint Detection and Response outshines legacy AV
Here are some of the key advantages of modern EDR solutions over legacy AV:
- Protection against unknown, zero-day, and fileless threats: EDR platforms analyse and identify the intent and behaviour of malware, recognising malicious files even if they have not been encountered previously.
- Faster threat detection and response: By continuously monitoring endpoint activity, EDR solutions can rapidly detect, block, and remediate threats, minimising potential damage.
- Real-time threat hunting and investigation: EDR solutions allow security teams with the right skills, expertise and time to proactively search and identify potential threats across all endpoints.
- Comprehensive visibility: EDR platforms provide in-depth visibility into the endpoint landscape, making it easier for security teams to identify patterns and track suspicious activities.
Here is a comparison table highlighting the key differences between legacy antivirus and Endpoint Detection and Response:
| | Legacy antivirus | Endpoint Detection and Response |
|---|---|---|
| Methodology | Signature-based detection | Primarily behaviour-based analytics, although some EDR tools also use other detection engines, for example engines focused on containers and VMs, or AI-based malware analysis |
| Unknown threats | Limited capability to detect unknown threats and therefore requires regular signature updates | Efficiently detects unknown threats by employing advanced machine learning to detect new attack types, without relying solely on signature updates from the vendor |
| Monitoring | Limited surveillance capabilities | Continuous real-time monitoring |
| Detection and response | Delays in detection and response, less effective | Rapid detection and remediation |
| Approach | Reactive approach | Proactive threat hunting and investigation |
| Centralised decision | Relies on a central server for decision-making | Depending on the type of detection, some execute detection locally while others rely on cloud verdicts |
| Additional features | None | Vulnerability management, device control |
Going beyond the endpoint
Being able to detect and stop sophisticated cyber attacks starts with adopting an advanced EDR solution such as SentinelOne's Singularity Platform or Microsoft Defender for Endpoint. Organisations get the most benefit from such tools when they are monitored 24/7/365 by SOC analysts who have the experience and expertise to advise on the best course of action in the event of a cyber attack.
But endpoints, workstations and servers are just one type of IT asset targeted in cyber attacks. Eventually, the most sophisticated attackers progress their attack to other parts of your IT network. To detect these you need a broader dragnet, collecting data from more sources across your IT network. For this, organisations need Managed Detection and Response, which provides the same ability to collect data on suspicious-looking behaviour but from a broader range of sources across your IT network.
Going even further, Extended Detection and Response (XDR) enables teams to unify telemetry from a range of log sources across endpoint, identity and access tools, internal infrastructure, the network and your cloud environment to spot multi-vector attacks. XDR enables response actions across these different technologies, such as adding a block rule to a firewall, disabling a user account or isolating an endpoint. While actions such as quarantining attackers and rolling an endpoint back to a safe state are available in standard EDR and MDR tooling, XDR extends your ability to carry out such actions in harder-to-reach parts of your network.
For more information about how Endpoint Detection and Response could help you stop cyberattacks in their tracks, get in touch today.