Introduction of Next-Generation Antivirus and the Insider Threat

This is a satirical website. Don't take it Seriously. It's a joke.


Lamsam2019@^_iil

Lampaku; Cybersecurity Analyst:

Next-Generation Antivirus (NGAV) refers to the natural evolution of traditional antivirus: protection for computers against the full spectrum of modern cyber-attacks. It also delivers the best endpoint protection with the least amount of work (Ben, J. 2016). NGAV speaks to a fundamentally different technical approach to the way malicious activity is detected and blocked. NGAV takes a system-centric view of endpoint security, examining every process on every endpoint to algorithmically identify and prevent the malevolent tools, tactics, techniques and procedures (TTP) on which attackers rely (Loraine, L. 2016). Since its introduction in the late 1980s, antivirus (AV) has been the first line of defense against known malware. Traditional AV relies on malware signatures and behavioral analysis to uncover threats to critical information endpoints: servers, applications, workstations and mobile computing devices. Research over the past ten years, however, continues to indicate that traditional antivirus products are rarely successful in detecting smart malware, unknown malware and malware-less attacks. This does not mean, however, that antivirus is "dead," as market researchers have been claiming since 2007. According to the 2016 SANS Endpoint Security survey, antivirus remains one of the most effective means of capturing impactful events: the study concluded that AV, along with intrusion prevention system (IPS) alerts, caught 57 of the impactful events that had occurred at respondents' organizations. Traditional AV solutions have dominated the endpoint protection marketplace for years; however, their ability to defend against unknown attacks has declined significantly. This dynamic has propelled the rise of a new class of endpoint protection technologies referred to as next-generation antivirus. As Chris Sherman (2016) noted, traditional antivirus struggles to prevent unknown or 0-day malware, where 0-day malware is a term used for previously unknown threats.
Additionally, traditional products offer reduced file-less malware protection, limited endpoint visibility, and weak off-network performance. NGAV, on the other hand, automatically prevents attacks before a breach occurs, stops unknown malware, and stops file-less attacks (such as those delivered through weaponized Microsoft Office documents). NGAV also operates offline and off-network, offers low endpoint visibility, and offers the ability to utilize forensics. NGAV, therefore, is the best tool to use in the fight against insider threats.
Determining key players - NGAV
To keep corporate data, people, processes, and technology safe, it is necessary to holistically address and mitigate the risk of insider threat. The best way to do this is through the use of Next-generation Antivirus tools. To determine the key players in the NGAV space, it is essential to assess industry-recognized reports as a tool for identifying and analyzing who those players are. The reports used for the analysis were from Gartner. These include the Gartner January 2017 Magic Quadrant for Endpoint Protection Platforms and Gartner's February 2016 Magic Quadrant for Endpoint Protection Platforms. The others are the Magic Quadrant for Endpoint Protection Platforms (Gartner, December 2010), the Magic Quadrant for Endpoint Protection Platforms (Gartner, December 2014), the Magic Quadrant for Endpoint Protection Platforms, and Gartner's January 2013 Top 10 Endpoint Detection and Response Solutions. These Gartner reports were chosen because their results agree with Forrester and other recognized reports, so using reports from other writers would yield the same results as using these five. Assessing all five reports yields a total of 39 providers. For ease of analysis, this pool of 39 was narrowed down to six key players. The normalization was done by counting the number of times each provider appears across the five reports; that simple count was used to consolidate the list of 39 NGAV providers. Across the five reports, players such as Symantec, Trend Micro, Sophos, Kaspersky, Panda Security and Eset stand out; it is therefore possible to determine that these six products are the key players in the market space, and they were selected from the initial pool of 39 for comparison against each other. The purpose of comparing these six products is to arrive at the single best-suited product for mitigating insider threat.
Collecting Data and Establishing Criteria
The goal is to determine which Next-generation antivirus tool is appropriate for customers wishing to mitigate insider threat. Multivariate criteria were used to analyze the relationships by comparing and evaluating vendors. Technical Capability, Pricing and Market Presence were the three core criteria used, each with its own sub-criteria. For instance, Technical Capabilities (TC) are measured against seven sub-criteria: automated behavioral protection, machine learning, cloud and on-premise flexibility for management, automatic lateral movement detection, enterprise deployment scalability, environments supported, and built-in email security. Under the Market Presence core-criterion, vendors are evaluated based on the cost of their product, years active, number of employees, estimated revenue, endpoints protected, countries, and customer portfolio. Considering these sub-criteria helps rank and determine which NGAV solution has the most substantial foothold in the market space. This is relevant to the insider threat because the desired NGAV solution will have the most chances of mitigating the insider threat. The sub-criteria are established to measure each NGAV solution's compatibility and capability to stop the insider threat. Pricing is the last core-criterion; it takes into account the accessibility and affordability of the various NGAV tools. If an entity or agency cannot afford to purchase these tools, it will have no likelihood of stopping the insider threat. The effectiveness and efficiency of a tool is measured by its usage; only through usage can we determine which tool has the likelihood of mitigating insider threat, so affordability becomes paramount as the only means through which organizations can acquire NGAV tools. Binding these criteria together subsequently enables the comparative analysis.
Normalization - NGAV
As described in the earlier section, Determining Key Players, the providers in the entire NGAV scope were narrowed down to six for ease of analysis and because of resource and time limitations. To determine which NGAV provider is best suited for stopping the insider threat, all six NGAV products assessed should be put on a grading system with a standard set of core-criteria. This is done as a side-by-side comparative analysis, visualized within a Microsoft Excel sheet, so that the NGAV products can be viewed in a comparison pattern next to each other. Putting the products together in this way serves as a tool in the ranking process, and it is this ranking process that makes up the bulk of the analysis in the following sections.
The table below lists the companies and their corresponding products, arranged one above the other. The empty cells to the right represent the sub-criteria around market presence that are yet to be filled out.


Correlation - NGAV
Next-Generation Antivirus (NGAV) is a great tool for addressing and mitigating the insider threat. A set of criteria was established to determine which NGAV solution is most efficient at stopping the insider threat. The core-criteria categories are ranked and represent the entire groups. As indicated in Collecting Data and Establishing Criteria, the technical, market presence and pricing categories are defined further by sub-criteria for observation. The technical capabilities core-criteria category, for instance, is measured against seven sub-criteria: automated behavioral protection, machine learning, cloud and on-premise flexibility for management, automatic lateral movement detection, enterprise deployment scalability, environments supported and built-in email security. Market presence can be viewed as the medium in which a product is marketed; it also represents consumer adoption of the NGAV product. A product could be the critical NGAV product around the globe, yet it will not be effective in mitigating the insider threat if nobody is using it. Market presence includes the following sub-criteria: company years active, number of employees, estimated revenue, endpoints protected, and countries of presence. Bound together, the five sub-criteria categories are used to rank the top six NGAV products against each other; the NGAV product with the lowest score represents the product with the soundest footing in the entire market space. Technical capabilities represent the core component of the NGAV solution, since having the ability to mitigate an attack constitutes the goal of a defense solution. Both the market presence and technical capabilities core-criteria have sub-criteria; for technical capabilities these include prevention, machine learning, scalability, and environments supported, and these four sub-criteria represent the whole profile of the technical capabilities core-criteria category. The single-metric core-criteria category (pricing) has no sub-criteria division, as it is a single measurable metric. The lowest pricing model is awarded the best (lowest) score for ranking purposes.

Analysis:
Analysis of the six products under review was conducted by first populating the desired data points in the comparative analysis Excel document. The Trend Micro, Eset, Symantec, Kaspersky Lab, Panda Security and Sophos websites were used to obtain the open source dataset. Marketing materials and product information were available on the companies' websites; other information that was not available there was sourced through third-party product assessments. The methodology for assessing these core products against each other is a grading scale: products are ranked in order from 1 through 6, with 1 representing the place the product holds when compared to its peers. The ranking scores of each sub-criterion are added up to produce the overall rank for the core-criterion; the lower the score, the higher the ranking. This is shown in the table below:
Capabilities Areas > Market Presence

| Company | Product | Years Active | Years Active Ranking | Number of Employees | Employees Ranking | Estimated Revenue | Revenue Ranking | Endpoints Protected | Endpoints Ranking | Countries | Countries Ranking | Customer Portfolio | Portfolio Ranking | Market Presence Score Card |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Eset | Eset Endpoint Security | 25 | 5 | 1300 | 6 | 22.1m | 5 | 109 | 4 | 23 | 6 | Market presence in more than 180 countries worldwide; almost one thousand employees | 5 | 31 |
| Kaspersky Lab | Smart Protection Suite | 20 | 6 | 3500 | 3 | 619m | 4 | 400 | 1 | 200 | 1 | 270,000 corporate clients | 3 | 18 |
| Panda Security | Panda Adaptive Defense | 27 | 4 | 1500 | 5 | 4.746m | 6 | 216 | 2 | 54 | 3 | More than 15,000 corporate customers globally | 4 | 20 |
| Sophos | Endpoint Protection Suite | 32 | 2 | 2,699 | 4 | 478.2m | 3 | 90 | 5 | 150 | 2 | Over 100 million users in more than 150 countries | 6 | 22 |
| Symantec | Symantec Endpoint Protection | 35 | 1 | 11000 | 1 | 4.019bn | 1 | 175 | 3 | 35 | 5 | A quarter of all endpoint deployments worldwide and nearly 350,000 customers; typically deployed in organizations with 700 employees and above | 1 | 11 |
| Trend Micro | Smart Protection Suite | 28 | 3 | 6700 | 2 | 1.163bn | 2 | Unknown | 6 | 50 | 4 | 500,000 companies globally | 2 | 19 |

NOTE: m = million, bn = billion
From the table above, Symantec Endpoint Protection ranks top with a score of 11, beating its closest competitor, Kaspersky Lab Smart Protection Suite, which has a score of 18 points. The total assessment of this ranking system places Symantec Endpoint Protection in the lead over its competitors in the Market Presence core-criteria category.
The Technical Capabilities core-criteria category has binary data points, with automatic prevention using behavioral protection as one observable example. Because of the binary nature of several of the sub-criteria, a score of 0 or 1 is assigned to those data points: zero is awarded for a response of "yes" and one for a response of "no", as shown in the table below.
Capabilities Areas > Technical Capabilities

| Company | Behavioral Protection | (Ranking) | Machine Learning | (Ranking) | Cloud and On-prem Option | (Ranking) | Automatic Lateral Movement Detection | (Ranking) | Enterprise Deployment Scalability | (Ranking) | Environment Supported | (Ranking) | Built-in eMail Security | (Ranking) | Technical Capabilities Score Card |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Eset | Yes | 0 | Yes | 0 | Both | 0 | No | 1 | Ability to deploy on cloud and on-premises | 2 | Windows Server versions: Microsoft Windows Server 2016, 2012R2, 2012, 2008R2, 2008, 2003; Windows Server Core 2012R2, 2012, 2008R2, 2008C | 3 | No | 1 | 7 |
| Kaspersky Lab | Yes | 0 | No | 1 | Both | 0 | No | 1 | Deploy on cloud or on-premises with granular setup | 4 | Windows Vista SP1, Windows 7 SP1, Microsoft Windows 8, Microsoft Windows 8.1 Enterprise TH1, TH2, RS1, RS2, RS3 | 4 | Yes | 0 | 10 |
| Panda Security | No | 1 | Yes | 0 | Cloud only | 1 | Yes | 0 | Centralized management from the cloud | 5 | Windows 7, 10, R2, Mac OS X, Linux, Vista, SP1 | 6 | Yes | 0 | 13 |
| Sophos | Yes | 0 | No | 1 | Both | 0 | No | 1 | Cloud deployed and on-premises | 3 | Windows 2003/2000 Pro or Server/XP Pro; Mac OS X versions 10.4/10.5/1; Linux Server 2008/Server 2003/2000; vSphere 4/ESX 3.0, 3.5/Server 1.0; Microsoft Hyper-V 2008; Citrix XenSr | 5 | Yes | 0 | 10 |
| Symantec | Yes | 0 | Yes | 0 | On-prem only | 1 | No | 1 | Not cloud deployed; drawback: manually deployed on-premises only | 6 | Mac OS, CentOS, RedHat, Linux Server 7.0 or higher, El Capitan, Yosemite, Mint, Cinnamon, Windows XP | 2 | No | 1 | 10 |
| Trend Micro | No | 1 | Yes | 0 | Both | 0 | No | 1 | Hybrid deployment or on-premises | 1 | Microsoft Windows Server 2016 (x86/x64); agent operating systems: Windows XP, Vista, 7, 8, 8.1, 10, Server 2003, 2003 R2, 2008, 2012, 2012 R2, 2016, Windows Embedded Enterprise, POSReady 7, 2009, Standard 7, XPe, Standard 2009, and client; API Extensions, ISAPI, Linux | 1 | Yes | 0 | 4 |

From the table above it can be observed that Trend Micro, with a score of 4, is the best under the Technical Capabilities core-criterion, with Eset as its closest competitor at a score of 7.
Every organization has its own scaling and pricing model. Pricing is determined by the structure and terms of the product deal and the size of the environment, and customers may be given discounts depending on whether the vendor deems them to have strategic value. Because of this uncertainty and variation in price models, open source information gathered from corporate websites and third-party assessors is relied on for this assessment. For example, in a sample 500-seat environment, Sophos Endpoint Protection Suite ranks number 1 as the most affordable solution at $18.10 per seat, with Trend Micro as its close competitor at $19 per seat.
Core-Criteria > Pricing

| Company | Product | Pricing Structure for a 180,000 seat environment | Pricing Score Card |
|---|---|---|---|
| Eset | Eset Endpoint Security | $29 per seat | 3 |
| Kaspersky Lab | Smart Protection Suite | $33 per seat | 4 |
| Panda Security | Panda Adaptive Defense | $50 per seat | 6 |
| Sophos | Endpoint Protection Suite | $18.10 per seat | 1 |
| Symantec | Symantec Endpoint Protection | $40 per seat | 5 |
| Trend Micro | Smart Protection Suite | $19 per seat | 2 |

Combining all three core-criteria (Market Presence, Technical Capabilities and Pricing) puts Trend Micro in the lead with a total score of 25, followed by its closest competitor, Symantec, with a score of 26, as shown in the table below.
| Company | Product | Total Score Card |
|---|---|---|
| Eset | Eset Endpoint Security | 41 |
| Kaspersky Lab | Smart Protection Suite | 32 |
| Panda Security | Panda Adaptive Defense | 39 |
| Sophos | Endpoint Protection Suite | 33 |
| Symantec | Symantec Endpoint Protection | 26 |
| Trend Micro | Smart Protection Suite | 25 |


Predictions:
Assessing all the key players within the NGAV space makes it possible to predict which NGAV tools are emerging. Symantec has the strongest footing in the NGAV market space, with an estimated revenue of $4.019 billion annually; however, in technical capabilities it ranks lowest among its competitors. The NGAV market is more concerned with function than with brand name: as the analysis shows, the newer and upcoming companies have more technical capabilities than some of the companies that have existed for longer, and overall the vendors are very close in the other criteria areas. There is a high possibility that Trend Micro will dominate and overtake Symantec in the next ten to fifteen years; as the analysis shows, Sophos leads in the Pricing criterion and Trend Micro tops the Technical Capabilities criterion.

Conclusion:
Automatic lateral movement detection, machine learning, and automatic prevention are critical when conducting a comparative analysis of which tool is best at detecting insider threat.
Although the NGAV market is more concerned with function than brand name, and technical capabilities are the topmost priority and the most relevant key factor in determining the NGAV market space, when considering which NGAV tool is best at mitigating insider threat it becomes paramount to account for every component of each player in the market rather than relying on technical capabilities alone. Hence all the criteria categories mentioned should be considered.
Determining the endpoints protected by each NGAV product was challenging: some companies indicate the endpoints they run on in their advertising, while others do not, which makes it difficult to determine an industry standard for measuring this metric. Despite these challenges, a significant amount of data was available to the public. Based on that available data, it is possible to conclude that Trend Micro's Smart Protection Suite is the strongest NGAV provider for mitigating insider threat, followed by Symantec Endpoint Protection, Kaspersky Lab Smart Protection Suite, Sophos Endpoint Protection Suite, Panda Security Adaptive Defense and Eset Endpoint Security respectively.

References:
Fossi, M., Egan, G., Haley, K., Johnson, E., Mack, T., Adams, T., & Wood, P. (2011). Symantec Internet Security Threat Report: Trends for 2010. Volume XVI.
Koch, R. (2011, June). Towards next-generation intrusion detection. In Cyber Conflict (ICCC), 2011 3rd International Conference on (pp. 1-18). IEEE.
Matrosov, A., R. E. (2012). Stuxnet Under the Microscope. ESET.
Gartner (January 2017). Magic Quadrant for Endpoint Protection Platforms.
Nachenberg, C. (2002). Behavior blocking: the next step in anti-virus protection. Security Focus, March.
Van Oorschot, P. C. (2003, October). Revisiting software protection. In International Conference on Information Security (pp. 1-13). Springer, Berlin, Heidelberg.
Gordon, Ford (1995). Real-World Anti-Virus Product Reviews and Evaluation.
Kephart, J., et al. (1993). Measuring and Modeling Computer Virus Prevalence From the.
Edwards, J. (2001). Next-generation viruses present new challenges. Computer, 34(5), 16-18.
Firewall, S. E. (2001). Symantec Enterprise VPN, and VelociRaptor Firewall Appliance Reference Guide.
Heller, S. R. (1998). Symantec ACT! 4.0 for Windows. Journal of Chemical Information and Computer Sciences, 38(4), 772-772.
Pescatore, J., Stiennon, R., & Allan, A. (2003). Intrusion detection should be a function, not a product (pp. 1-5). Research Note QA-20-4654, Gartner Research.
Eric, C. (2015). Insider Threats and the Need for Fast and Directed Response. SANS survey. Retrieved from https://www.sans.org/reading-room/.../insider-threats-fast-directed-response
Hunker, J., & Probst, C. W. (2011). Insiders and Insider Threats: An Overview of Definitions and Mitigation Techniques. JoWUA, 2(1), 4-27.
Ben, J. (2016). New threat intelligence security technologies and the difference between managing endpoints and securing endpoints. Retrieved from https://audioboom.com/posts/4744413-ben-johnson-co-founder-and-chief-strategist-for-carbon-black-discusses-new-threat-intelligence-security-technologies-and-the-difference-between-managing-endpoints-and-securing-endpoints
Stewart, J. (2003). DNS cache poisoning: the next generation. (2007-08-25). http://www.secureworks.com/research/articles/dns-cache-poisoning
Dhanjani, N., Rios, B., & Hardin, B. (2009). Hacking: The Next Generation. O'Reilly Media, Inc.
