Last Updated on June 19, 2021
Even among cybersecurity professionals there is substantial puzzlement and disagreement around today’s “next-gen antivirus” tools like endpoint detection & response (EDR), network detection and response (NDR) and even extended detection & response (XDR).
What do these budding buzzwords mean? And how do the tools behind them differ from “good old-fashioned antivirus” (AV)?
To clear the air on this topic and get to the underlying value propositions, Chris Nyhuis, President and CEO at Vigilant, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security’s CISO and Managing Partner, hosts the show as always.
“What happens a lot in this industry is the consumer gets tired of hearing the same thing over and over again,” Chris observes. “They just want something new and exciting. But they want [security technology] to be new and exciting because they inherently feel that it’s not working.”
Chris continues: “XDR came out last year. Well, XDR is really just getting data from all the things, and doing something with it, right? Trying to compress it in the same data sets, so you can look at it. Endpoint detection and response (EDR) is really taking a client on an endpoint, desktop, laptop, whatever it is, getting data out of it, and then reacting to it proactively. So, the methods, the ability, the things like that, that we used to do with AV, it’s really more wrapping a service around it, right? … Ten years ago, there weren’t a whole lot of services out there.”
“I think most people are comfortable with the concept of antivirus, and they think of signatures, right?” asks John. “How much of EDR is still living in that signature, where we have concerns about zero-day? How much of it now has kind of moved into artificial intelligence, machine learning? How much of it is interpretation by people? Tell me a little bit about what happens. Like you said, you’ve got this client sitting there, and it sees something…”
As Chris points out, what happens under the hood with these tools depends a lot on what businesses are willing to pay for. Automation is less costly than human-supported analysis, but also less effective, despite artificial intelligence (AI) and machine learning (ML) advances.
“When you look at the endpoint, the system itself, when something triggers, what it’s evolved to, is very specific detection automators,” Chris explains. “Because what automation does, is it minimizes the workload for the analyst on the back end.”
“Why did everyone really hate Norton Antivirus so much about 15 years ago?” posits Chris. “They hated Norton Antivirus because it bogged down systems, and it became very noisy, right? And so, for about six months, the entire industry went, ‘Well, let’s go to something else.’ Six months later, Norton came out, and said, ‘Hey, we’re a lot faster. We’re much faster, much better, we’re better.’ But what happened in that scenario is they tuned it, they took out some detection algorithms, they took out some of the processing things that they were looking for, and they tried to make a little bit more efficient.”
“So, to follow that path, when you have… anything running on an endpoint, and a piece of malware pops on there, it’s primarily, in today’s world, looking for something that it already knows about, to be able to detect it,” clarifies Chris. “When you enter in things like machine learning and AI, what they’re trying to do is minimize the time it takes for that technology to know about what’s there.
“So, in a lot of cases, it’s still about trying to detect what you know about…,” Chris summarizes. “And then that [tool] sends an alert to somebody, who then does something, whether it’s done automatically by the technology or by some analyst somewhere.”
If you’re looking to really analyze the value of EDR and related solutions for your organization, you’ll love this podcast with Chris Nyhuis from Vigilant.