Next Generation Antivirus
Next-Generation Antivirus (NGAV) Defined
NGAV is the natural (and much needed) evolution of traditional AV that protects computers from the full spectrum of modern cyber-attacks, delivering the best endpoint protection with the least amount of work. NGAV speaks to a fundamentally different technical approach in the way malicious activity is detected and blocked. NGAV takes a system-centric view of endpoint security, examining every process on every endpoint to algorithmically detect and block the malicious tools, tactics, techniques, and procedures (TTPs) on which attackers rely.
Protection Beyond a Typical IPS
- Prevents commodity malware better than traditional AV
- Prevents unknown malware and sophisticated attacks by evaluating the context of an entire attack, resulting in better prevention (traditional AV does not)
- Provides the visibility and context needed to reach the root cause of a cyber-attack and to gain further insight into it (traditional AV does not)
- Remediates attacks (traditional AV simply stops mass malware)
Data Loss Prevention (DLP)
Data loss prevention (DLP) systems attempt to detect and block data exfiltration attempts. These systems can scan data for keywords and data patterns. For example, imagine an organization uses data classifications of Confidential, Proprietary, Private, and Sensitive. A DLP system can scan files for these words and detect them.
Pattern-matching DLP systems look for specific patterns. For example, US Social Security numbers have a pattern of nnn-nn-nnnn (three numbers, a dash, two numbers, a dash, and four numbers). The DLP can look for this pattern and detect it. Administrators can set up a DLP system to look for any patterns based on their needs.
An endpoint-based DLP can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization's endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer. Administrators configure the DLP to scan files for the appropriate keywords, and if it detects files containing these keywords, it blocks the copy or print job. It’s also possible to configure an endpoint-based DLP system to regularly scan files (such as on a file server) for files containing specific keywords or patterns, or even for unauthorized file types, such as MP3 files.
DLP systems can typically perform deep-level examinations. For example, if users embed the files in compressed zip files, a DLP system can still detect the keywords and patterns. However, a DLP system cannot decrypt data. A network-based DLP system might have stopped some major breaches in the past. For example, in the Sony attack of 2014, attackers exfiltrated more than 25 GB of sensitive data on Sony employees, including Social Security numbers and medical and salary information. If the attackers didn’t encrypt the data prior to retrieving it, a DLP system could have detected attempts to transmit it out of the network.
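The following is an added example (not from the notes above or from any DLP product) showing the two detection methods just described, keyword matching and pattern matching, plus the deep-level examination of zip archives. The classification keywords, the nnn-nn-nnnn Social Security number pattern, the "outer.zip!member" path convention, and the sample archive contents are all constructed for this example. It also shows the limit the notes mention: a phone number in the 3-3-4 layout does not match, and encrypted content would yield nothing because neither keywords nor digit groupings survive encryption.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// Finding records one DLP hit: where it was found, which rule fired, and the
// matched text. Archive members are reported as "outer.zip!member"
// (a convention made up for this example).
type Finding struct {
	Path  string
	Rule  string
	Match string
}

// classificationKeywords are the labels named in the notes (constructed policy).
var classificationKeywords = []string{"Confidential", "Proprietary", "Private", "Sensitive"}

// ssnPattern implements the nnn-nn-nnnn layout. The \b anchors stop it from
// matching inside longer digit runs, and the 3-2-4 grouping means a phone
// number such as 555-123-4567 does not match.
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// ScanContent applies the keyword and pattern rules to one blob of data. When
// the blob is a zip archive, every member is scanned recursively (the
// "deep-level examination" the notes describe). Ciphertext produces no
// findings, which is why a DLP system is blind to data encrypted before exfiltration.
func ScanContent(path string, data []byte) []Finding {
	var findings []Finding
	if zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data))); err == nil {
		for _, member := range zr.File {
			rc, err := member.Open()
			if err != nil {
				continue // e.g. unsupported compression; a real DLP would log this
			}
			// Cap the decompressed size so a zip bomb cannot exhaust memory.
			body, _ := io.ReadAll(io.LimitReader(rc, 1<<20))
			rc.Close()
			findings = append(findings, ScanContent(path+"!"+member.Name, body)...)
		}
		return findings
	}
	text := string(data)
	lower := strings.ToLower(text)
	for _, kw := range classificationKeywords {
		if strings.Contains(lower, strings.ToLower(kw)) {
			findings = append(findings, Finding{path, "keyword", kw})
		}
	}
	for _, m := range ssnPattern.FindAllString(text, -1) {
		findings = append(findings, Finding{path, "ssn-pattern", m})
	}
	return findings
}

// ShouldBlock is the policy decision an endpoint DLP makes before allowing a
// copy to USB or a print job: any finding blocks the operation.
func ShouldBlock(findings []Finding) bool { return len(findings) > 0 }

// BuildSampleZip constructs an in-memory archive standing in for a user's
// upload (constructed test data, not a real file).
func BuildSampleZip() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	members := []struct{ name, body string }{
		{"hr/payroll.txt", "Employee SSN: 123-45-6789, salary 90000\n"},
		{"notes.txt", "This document is Confidential.\n"},
		{"contacts.txt", "Front desk: 555-123-4567\n"},
	}
	for _, m := range members {
		w, err := zw.Create(m.name)
		if err != nil {
			panic(err)
		}
		w.Write([]byte(m.body))
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	findings := ScanContent("upload.zip", BuildSampleZip())
	for _, f := range findings {
		fmt.Printf("%-28s %-12s %s\n", f.Path, f.Rule, f.Match)
	}
	fmt.Println("block transfer:", ShouldBlock(findings))
	fmt.Println("benign file blocked:", ShouldBlock(ScanContent("readme.txt", []byte("hello"))))
}
```

Running it reports the SSN inside hr/payroll.txt and the Confidential keyword in notes.txt, and blocks the transfer, while contacts.txt with its phone number produces no finding. The size cap on each decompressed member is the check a practitioner adds before letting a scanner recurse into user-supplied archives.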
A patch management review ensures that patches are evaluated as soon as possible once they are available. It also ensures that the organization follows established procedures to evaluate, test, approve, deploy, and verify the patches. Vulnerability scan reports can be valuable in any patch management review or audit.
Hard Disk Encryption
Encryption is an important element in security controls, especially in regard to the transmission of data between systems.
Sensitive data should be stored in such a way that it is protected against any type of loss. The obvious protection is encryption. As of this writing, AES 256 provides strong encryption, and there are many applications available to encrypt data with AES 256.