It seems that the only thing constant about cybersecurity (besides change) is our love of acronyms. We get it, time is too short for wasted words. But this can make it even more difficult to wade through the varied, often overlapping claims of an already confusing space.
AV – Antivirus
Let’s start with the easiest one, AV, i.e., antivirus. Traditional antivirus first appeared in the late 1980s and has evolved along with the types of malware it stops. Essentially it compares incoming files against a database of known malicious signatures and blocks any that match. The more frequently the database is updated, the better its protection. Most AV tools these days also use some form of heuristic detection, which means they analyze the file for possible behavior anomalies. Many have incorporated ML or AI (yet more overlapping acronyms) to broaden their scope of analyzing and detecting. With ML/AI, the match doesn’t have to be exact; a file that uses constructions or techniques similar to known malware can still be flagged.
The good: It is cheap or even free and still quite effective at what it does – which is preventing known threats.
The bad: Updates and scans can significantly slow down processing times. Heuristic and ML methods often cause false positives. Most importantly, it cannot prevent new, unknown threats, fileless attacks, and attacks that use evasive techniques to hide identifiers.
NGAV – Next-Generation Antivirus
Here we already run into problems. What is the difference between AV and NGAV? Basically marketing, according to Gartner, which refuses to use the term and pleads for its quick demise. Machine learning and AI used to be associated exclusively with NGAV but no longer. Generally, products that call themselves NGAV have advanced ML/AI capabilities as well as additional features, such as basic exploit and fileless attack protection, that distinguish them from standard AV. For example, they might look for overrunning buffers or hijacked DLLs. They may also have integrated EDR capabilities, further confusing the field, but let’s leave EDR out of it for now.
The good: They are very effective at preventing known threats and threats that have similar characteristics or behaviors to previous threats. They have access to huge, constantly updated repositories, to compare to, learn from and make predictions based on. They can stop some memory exploits.
The bad: A network connection is required to access the most up-to-date repositories, so offline protection is not as robust. They tend to generate many false alerts – especially if you configure the system for maximum protection – and you need trained security personnel to sift through them. The number of alerts can be reduced with granular whitelisting, but this is time-consuming to set up. Generally, exploit/memory protection, if included, is an added monitoring capability that eats up more CPU cycles. It is also limited to known memory exploit techniques. In the end, NGAV has the same limitation traditional antivirus has always had, namely that it must somehow identify a threat before it can stop it. This means it does not prevent brand new attacks or threat variants that are just different enough to avoid triggering recognition. NGAV vendors know this, so they may include EDR capabilities or have separate EDR modules to later catch what slips through.
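To make the AV and NGAV mechanisms above concrete, here is a small scanner, added as an example and not code from the original post or any product it mentions. It checks a file three ways in the order a real engine would: an exact content hash against a signature database, a family byte pattern that tolerates small edits (the "similar constructions" matching described above), and an entropy heuristic that flags packed or encrypted content. The sample bytes, the hash database, the pattern and the threshold are all constructed for the demonstration; none are real malware indicators. It also shows the limitation the NGAV section ends on: a variant with its identifying string rewritten matches neither the hash nor the pattern and, being small and low-entropy, is passed as clean.

```python
"""Signature + pattern + heuristic file scanner (constructed example)."""
import hashlib
import math
import re

# --- Constructed signature "database" (stands in for a vendor feed) ---------
# KNOWN_SAMPLE is a made-up file; its SHA-256 is the exact-match signature.
KNOWN_SAMPLE = b"MZ\x90\x00demo-dropper-v1" + bytes(range(32))
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "demo-dropper-v1"}

# A byte-pattern signature covers a family rather than one exact file, so a
# variant with a changed version string still matches.
PATTERN_SIGNATURES = {
    "demo-dropper-family": re.compile(rb"demo-dropper-v\d+"),
}

ENTROPY_THRESHOLD = 7.0   # bits per byte; packed/encrypted data sits near 8.0
MIN_HEURISTIC_SIZE = 256  # entropy is meaningless on very short inputs


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, a common packing/encryption heuristic."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(data: bytes) -> dict:
    """Return a verdict: exact hash first, then family pattern, then heuristic.
    'clean' means nothing fired, which is not the same as 'safe'."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        return {"verdict": "block", "method": "hash", "name": KNOWN_BAD_HASHES[digest]}
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return {"verdict": "block", "method": "pattern", "name": name}
    entropy = shannon_entropy(data)
    if len(data) >= MIN_HEURISTIC_SIZE and entropy >= ENTROPY_THRESHOLD:
        return {"verdict": "suspicious", "method": "heuristic", "entropy": round(entropy, 2)}
    return {"verdict": "clean", "method": None}


if __name__ == "__main__":
    variant = KNOWN_SAMPLE.replace(b"v1", b"v2")            # new hash, same family
    rewritten = KNOWN_SAMPLE.replace(b"demo-dropper", b"d3m0_dr0pp3r")  # pattern misses too
    packed_like = bytes(range(256)) * 4                       # uniform bytes, entropy 8.0
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", variant),
                          ("rewritten", rewritten), ("packed-like", packed_like)]:
        print(f"{label:12s} {scan(sample)}")
```

The order of checks matters for cost as well as accuracy: hashing is cheap and exact, pattern matching is a little slower but generalises across a family, and the heuristic is the most expensive and the most prone to the false positives the post warns about (legitimately compressed installers have high entropy too). The "rewritten" case passing as clean is the blind spot every detection layer on this page shares.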
EDR – Endpoint Detection and Response
EDR is the response to the fact that antivirus and its descendants are never going to be able to prevent every cyberattack. EDR assumes that threats are going to bypass prevention defenses, so it focuses on monitoring endpoints to detect behaviors that indicate malicious activity, and it captures data for forensic and security investigations in order to respond. Most have some level of automated response but, depending on the threat dwell time before it is discovered, there can still be a considerable amount of remediation required. As with NGAV, EDR solutions use ML/AI to extrapolate and determine if behavior is malicious based on enormous datasets that are constantly updated as new information becomes available. They often leverage reputation engines for another layer of detection and may include or have an option for sandbox detonation and analysis of suspicious files. And, like NGAV, EDR these days is rarely pure EDR. EDR solutions generally include NGAV prevention functionality.
The good: They are very good and fast at extrapolating from data to detect and hunt for threats. They are better than the NGAV set at detecting fileless attacks. They gather a lot of intelligence that can be used by other security tools. Depending on their level of automated response capabilities, they can speed up remediation efforts.
The bad: Let’s start with the obvious – EDR operates post-infiltration. Your systems are already compromised. They also have a high rate of false positives (depending on the strictness of security levels), are complex and time-consuming to operate, and require teams of analysts to sort through the data generated. In fact, most organizations cannot manage this on their own and must use a Managed Detection and Response (MDR) service (which some of those same vendors conveniently supply at additional cost). The monitoring functions often come at high performance penalties – this particularly poses issues in protecting servers. They also are only as good as their data and require internet connectivity to have access to the most up-to-date information. That brings up the last point – they have the same blind spot as all detection technologies – they can’t spot threats using completely new techniques.
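The EDR section describes three things a sensor does: watch endpoint behavior, keep the context needed for investigation, and trigger an automated response. The following is an added example of that loop in miniature, not code from the original post or from any EDR product. It runs two behavioral rules over a constructed stream of process-creation events (the rule names, the event fields, the host name and the command lines are all made up for the example), attaches the parent-process chain to each alert as forensic context, and maps alert severity to a response action. The last event in the stream shows the rule-specificity problem the post raises: a routine PowerShell backup launched from the desktop fires nothing, while the same binary launched hidden from a document viewer fires both rules.

```python
"""Toy behavioral detection over constructed process telemetry."""

# Constructed process-creation events, the kind an EDR sensor forwards.
EVENTS = [
    {"ts": "2024-03-01T09:00:00Z", "host": "wkstn-01", "pid": 100, "ppid": 1,
     "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2024-03-01T09:01:00Z", "host": "wkstn-01", "pid": 200, "ppid": 100,
     "image": "winword.exe", "cmdline": "winword.exe quarterly.docx"},
    {"ts": "2024-03-01T09:01:30Z", "host": "wkstn-01", "pid": 300, "ppid": 200,
     "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand QQBCAEMA"},
    {"ts": "2024-03-01T09:05:00Z", "host": "wkstn-01", "pid": 400, "ppid": 100,
     "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2024-03-01T09:06:00Z", "host": "wkstn-01", "pid": 500, "ppid": 100,
     "image": "powershell.exe", "cmdline": "powershell.exe -File backup.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Each rule returns (severity, reason) or None. Both are common fileless-attack
# indicators: no file is written, only a process behaves unusually.
def rule_office_spawns_script_host(event, parent):
    if parent and parent["image"] in OFFICE_APPS and event["image"] in SCRIPT_HOSTS:
        return ("medium", "office application spawned a script host")
    return None


def rule_hidden_encoded_powershell(event, parent):
    cmd = event["cmdline"].lower()
    if event["image"] == "powershell.exe" and "-encodedcommand" in cmd and "hidden" in cmd:
        return ("high", "hidden PowerShell with encoded command line")
    return None


RULES = [rule_office_spawns_script_host, rule_hidden_encoded_powershell]

# Automated response per severity (constructed policy).
RESPONSE_BY_SEVERITY = {"high": ("kill-process", "isolate-host"),
                        "medium": ("kill-process",)}


def process_chain(event, by_pid):
    """Ancestry from the event up to the root, e.g. 'a.exe <- b.exe <- c.exe'."""
    chain, cur = [], event
    while cur:
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    return " <- ".join(chain)


def detect(events):
    """Run every rule over every event; each alert carries the process chain
    so an analyst (or the response step) has context without re-querying."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        for rule in RULES:
            hit = rule(e, parent)
            if hit:
                severity, reason = hit
                alerts.append({"ts": e["ts"], "host": e["host"], "pid": e["pid"],
                               "rule": rule.__name__, "severity": severity,
                               "reason": reason, "chain": process_chain(e, by_pid)})
    return alerts


def respond(alerts):
    """Translate alerts into a de-duplicated set of automated actions."""
    actions = set()
    for a in alerts:
        for action in RESPONSE_BY_SEVERITY.get(a["severity"], ()):
            target = a["pid"] if action == "kill-process" else a["host"]
            actions.add(f"{action}:{target}")
    return actions


if __name__ == "__main__":
    found = detect(EVENTS)
    for a in found:
        print(a["ts"], a["severity"], a["reason"], "|", a["chain"])
    print("actions:", sorted(respond(found)))
```

Everything the detection knows came from telemetry recorded after the document was already opened, which is the post's first "bad" point in code form: the rules fire at 09:01:30, but the compromise began at 09:01:00, and an attack that used a process chain no rule describes would produce no alert at all.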
EPP – Endpoint Protection Platform
EPP is a catch-all phrase that means different things to different people – and it’s evolving. Generally, it’s an integrated security solution with different protection capabilities. Gartner updated its definition of EPP to be “A solution deployed on endpoint devices to prevent file-based malware attacks, detect malicious activity, and provide the investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.”
We won’t get into the good and the bad here, as an EPP is basically the sum of its individual components.