Why Is a Centralized Corporate Antivirus No Longer Enough?
Corporate Antivirus: on average, just 39 seconds pass between one hacker attack and the next. Combined with the 4.24 million dollar average cost of a data breach reported by IBM, this figure paints an even gloomier picture, one that calls for immediate action regardless of the size, organizational model, or industry of the company. A University of Maryland study reached this conclusion some years ago, underlining how necessary it was to run for cover in the face of a now rampant phenomenon.
So how should a company set up the defense of its data, documents, and business continuity in a constantly evolving cyber context? Is a corporate antivirus still an adequate solution?
Corporate antivirus: how it works and why it’s not enough
To understand where antivirus sits in today's cybersecurity, it is necessary to be clear about how it works, which does not differ substantially between enterprise tools and those for personal use.
Let us start by saying that a company must defend its endpoints, since they are, in practice, the point of contact between the company and the outside world, and therefore also with attackers. Endpoint protection is a fundamental concept in the modern enterprise, regardless of the type of business.
For decades, enterprise antivirus was the one and only meaning of endpoint protection.
There are two categories of antivirus: unmanaged, used above all at a personal level or in companies without a structured IT function, and managed, with centralized administration. The unmanaged version is installed and configured on each individual machine; rules and update frequency are defined, after which it is started and left to operate on its own, with no intervention by corporate IT. With managed antivirus, an agent still runs on every endpoint, but policies, signature distribution, and reporting are handled from a central management server or console, so corporate IT must administer it.
A defining feature of traditional antivirus is that it detects only "known" malware. Its operating mechanism is quite simple and relies on a database of signatures, typically file hashes or characteristic byte patterns, that identify individual malware samples: the software compares incoming files and data against the signatures available to it and, in case of a match, blocks execution of the file and quarantines it (or deletes it, as the case may be).
In the contemporary cyber landscape, traditional antivirus faces many limitations. Among them:
- It cannot recognize new or previously unseen threats, commonly referred to as Zero-Day attacks. In an era where attacks are becoming more frequent and sophisticated, it is necessary to move to more advanced systems that also reach unknown threats.
- Unmanaged antivirus protects only the endpoints on which it is installed. This is hard to reconcile with a working model that involves many different endpoints, from the corporate desktop to the notebook, from the smartphone to the tablet. Not by chance, antivirus was especially effective in the desktop-only era.
- The attacker can modify the malware at any time to bypass antivirus protections: recompiling, repacking, or even changing a few bytes produces a file whose signature is no longer in the database, while its behavior is unchanged.
- Traditional antivirus signatures are updated on a schedule, introducing a delay between the discovery of a malware sample (and the creation of its signature) and the effective protection of the machine.
- Full system scans require significant computational resources and slow the machine down. Because of this, scans were often paused and never restarted.
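The signature mechanism described above, and the bypass from the third limitation, can be shown in a few lines. The following is an added example, not code from the article or from any antivirus vendor: the "malware" is an inert constructed byte string, the two signatures are written for it by hand, and the address and names are placeholders. It shows that a single changed padding byte already defeats a hash signature, a byte-pattern signature survives that but not a trivial XOR "packer", and the original sample is unchanged in behavior (the packed bytes decode back to it).

```python
"""Signature matching as a traditional antivirus does it, and why small
changes to the sample defeat it. Constructed example: every 'malware' here
is an inert byte string, not real code."""
import hashlib
import re

# Constructed placeholder for a known malicious file (inert bytes only).
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8        # fake executable header
    + b"EVIL-DROPPER v1 "              # string an analyst would pick as a pattern
    + b"\x00" * 16                     # padding
    + b"connect 203.0.113.7:4444"      # fake C2 address (documentation range)
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Two signature styles a vendor might ship for the sample above (assumed names).
SIGNATURES = {
    "hash:EVIL-DROPPER": {"type": "hash", "value": sha256(KNOWN_SAMPLE)},
    "pattern:EVIL-DROPPER": {"type": "pattern", "value": re.compile(rb"EVIL-DROPPER v\d ")},
}


def scan(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of all signatures that match the file contents."""
    hits = []
    digest = sha256(data)
    for name, sig in signatures.items():
        if sig["type"] == "hash" and sig["value"] == digest:
            hits.append(name)
        elif sig["type"] == "pattern" and sig["value"].search(data):
            hits.append(name)
    return hits


def flip_padding_byte(data: bytes) -> bytes:
    """Attacker change #1: alter one byte inside the padding (offset 30 lies in
    the 16-byte zero padding). The program's behavior is unchanged."""
    return data[:30] + b"\x01" + data[31:]


def xor_pack(data: bytes, key: int = 0x5A) -> bytes:
    """Attacker change #2: a trivial 'packer'. The body is XOR-encoded and a
    small stub (here just a marker and the key) is prepended; a real packer's
    stub would decode and run the body in memory. Neither signature sees the
    original bytes any more."""
    body = bytes(b ^ key for b in data)
    return b"STUB" + bytes([key]) + body


def unpack(packed: bytes) -> bytes:
    """What the stub does at run time: recover the original bytes."""
    key = packed[4]
    return bytes(b ^ key for b in packed[5:])


def demo() -> dict:
    """Scan the original sample and its trivially modified variants."""
    return {
        "original": scan(KNOWN_SAMPLE),
        "one_byte_changed": scan(flip_padding_byte(KNOWN_SAMPLE)),
        "packed": scan(xor_pack(KNOWN_SAMPLE)),
        "packed_then_unpacked": scan(unpack(xor_pack(KNOWN_SAMPLE))),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:22s} -> {hits or 'no detection'}")
```

The last case is the important one for the rest of the article: the packed file is clean to the scanner, yet the moment it runs it reproduces the known sample byte for byte. A detector that looks at what the process does, rather than at the bytes on disk, is what catches it.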
Today's Threats, From Zero-Day to Ransomware-as-a-Service (RaaS)
The limits of traditional corporate antivirus push companies to look for more advanced solutions, which fit better with even complex corporate environments and, above all, provide real protection against today's and tomorrow's threats.
We have already mentioned Zero-Day malware, but consider also the phenomenon, particularly widespread today, of RaaS, or Ransomware-as-a-Service. It is a model in which the team that develops the malware code (in this case ransomware) provides it to third-party affiliates, sometimes together with low-code configuration platforms, who configure and modify it to target specific companies. Then think of the surge in phishing in the early days of COVID-19, or of how sophisticated social engineering attacks have become in recent years. In all these cases, a classic antivirus would be largely ineffective.
In a landscape of this kind, however greatly simplified here, the idea of protecting endpoints with antivirus alone, however centralized, would not be in step with the times.
The solutions: from Next Generation Antivirus to XDR
Over time, corporate antivirus has evolved into Next-Generation Antivirus (NGAV) by incorporating advanced technologies such as Machine Learning, behavior analysis, and anomaly detection, extending its range of action and effectiveness to new malware and, above all, to modern attack dynamics.
The most significant step forward concerns precisely Zero-Day threats, which become manageable with an NGAV. Then there are other benefits, such as the synergy with the cloud, which not only keeps the solution always up to date and state of the art but also allows the operations most expensive in computing power to be moved to the cloud, relieving the endpoints of a burden that is far from trivial.
The main limit of NGAV solutions, now very widespread, is one: like traditional antivirus, the modern version also acts on each endpoint in isolation, blocking what it recognizes as malicious but offering little visibility into what happens across the fleet or into attacks that get past it. For this reason, in the most advanced cybersecurity strategies NGAV is the first line of defense, a prevention tool, while EDR, discussed below, provides the detection and response layer for what slips through.
Defense against cyber threats goes beyond antivirus. Each company can decide the best solution to adopt according to its organization, the number of endpoints to protect, the industry in which it operates (some, such as pharma and healthcare, are highly regulated), budget, and, far from secondary, the availability of competent IT personnel. Unlike antivirus, all of these broader solutions require dedicated skills to operate effectively. Alternatively, cybersecurity management can be delegated to a specialized partner, a sensible option in a world that evolves daily.
Endpoint Detection and Response (EDR) solutions are the next step beyond corporate antivirus. They adopt the concept of holistic protection of the whole organization. EDR solutions centrally monitor the behavior of all endpoints (detection), forward alerts to security teams, and carry out automatic actions such as isolating a host or killing a process (response) when the probability of an attack is high. The use of AI technologies, in particular Machine Learning, gives these platforms a powerful ability to recognize patterns and therefore to detect the first signs of an attack.
EDR platforms and NGAVs are part of a constantly evolving paradigm of security solutions that includes even more advanced and integrated solutions such as XDR, Extended Detection and Response, the most advanced frontier of corporate cybersecurity. XDR was created to extend corporate protection beyond endpoints, in the awareness that only by integrating different data sources (e.g., endpoint, network, e-mail, identity, and cloud telemetry, or an existing SIEM) can accurate Indicators of Attack (IoA) be built and monitored. XDR solutions therefore represent an essential step forward in the perspective of holistic protection against increasingly sophisticated attacks.
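To make the EDR idea concrete, here is an added example, not code from the article or from any EDR product, of behavior-based detection and automatic response run over constructed endpoint telemetry. The hostnames, process IDs, paths, rule names, and thresholds are assumptions chosen for illustration. The three rules look at what processes do rather than at file signatures: an Office application spawning a shell, deletion of shadow copies, and a burst of extension-changing file renames by one process (a typical ransomware encryption pattern). A critical finding triggers host isolation; anything else only raises an alert.

```python
"""Behavior-based detection of the kind an EDR agent performs, over
constructed endpoint telemetry. Added example; events, hosts and thresholds
are assumptions, not any vendor's real rules."""
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float            # seconds (constructed clock)
    host: str
    kind: str            # "process" or "file_rename"
    pid: int
    image: str = ""      # process: executable name
    parent: str = ""     # process: parent executable name
    cmdline: str = ""    # process: command line
    path: str = ""       # file_rename: old path
    new_path: str = ""   # file_rename: new path


OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}
RENAME_THRESHOLD = 20     # extension-changing renames by one process...
RENAME_WINDOW_S = 10.0    # ...within this many seconds (assumed threshold)


def extension_changed(old: str, new: str) -> bool:
    return os.path.splitext(old)[1].lower() != os.path.splitext(new)[1].lower()


def detect(events):
    """Return (severity, host, pid, reason) findings in time order."""
    findings = []
    renames = defaultdict(list)   # (host, pid) -> timestamps in the sliding window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            if ev.parent in OFFICE_APPS and ev.image in SHELLS:
                findings.append(("high", ev.host, ev.pid,
                                 f"{ev.parent} spawned {ev.image}: {ev.cmdline}"))
            if ev.image == "vssadmin.exe" and "delete shadows" in ev.cmdline.lower():
                findings.append(("high", ev.host, ev.pid,
                                 "shadow copies deleted: " + ev.cmdline))
        elif ev.kind == "file_rename" and extension_changed(ev.path, ev.new_path):
            hist = renames[(ev.host, ev.pid)]
            hist.append(ev.ts)
            while ev.ts - hist[0] > RENAME_WINDOW_S:   # drop renames outside the window
                hist.pop(0)
            if len(hist) == RENAME_THRESHOLD:         # fire once when the burst is reached
                findings.append(("critical", ev.host, ev.pid,
                                 f"{RENAME_THRESHOLD} extension-changing renames "
                                 f"within {RENAME_WINDOW_S:.0f}s"))
    return findings


def respond(findings):
    """Automatic response policy: isolate a host with a critical finding, alert otherwise."""
    actions = {}
    for severity, host, _pid, _reason in findings:
        if severity == "critical":
            actions[host] = "isolate_host"
        else:
            actions.setdefault(host, "alert")
    return actions


def sample_events():
    """Constructed telemetry: one compromised host (WS-042) and one benign host (WS-007)."""
    evs = [
        Event(100.0, "WS-042", "process", 4000, image="winword.exe", parent="explorer.exe",
              cmdline="winword.exe invoice.docm"),
        Event(101.0, "WS-042", "process", 4100, image="powershell.exe", parent="winword.exe",
              cmdline="powershell.exe -w hidden -nop"),
        Event(102.0, "WS-042", "process", 4200, image="vssadmin.exe", parent="powershell.exe",
              cmdline="vssadmin.exe delete shadows /all /quiet"),
        Event(100.5, "WS-007", "file_rename", 5000, path=r"C:\Users\bob\report.docx",
              new_path=r"C:\Users\bob\report_final.docx"),   # benign: extension unchanged
    ]
    for i in range(25):   # 25 renames in 5 seconds: the encryption burst
        evs.append(Event(103.0 + 0.2 * i, "WS-042", "file_rename", 4300,
                         path=rf"C:\Users\alice\docs\file{i}.docx",
                         new_path=rf"C:\Users\alice\docs\file{i}.docx.locked"))
    return evs


if __name__ == "__main__":
    found = detect(sample_events())
    for f in found:
        print(f)
    print(respond(found))
```

Note what the first rule does not need: the payload carried by the PowerShell command line is never inspected, so the packed-versus-unpacked question that defeats a signature scanner does not arise. The benign rename on WS-007 produces nothing, and the burst rule fires exactly once even though the renames continue, which keeps the alert volume manageable for the security team.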