BlackBerry Blog

Ten Signs It’s Time to Review Your Endpoint Protection

08.01.18 / Rob Collins

The next generation of endpoint protection (EPP) against code-based attacks has been around for a few years now, but many organizations still run their legacy solution simply because they don’t know about the benefits of the newer solutions. They take the easy road and just renew year after year.

They assume they have sufficient protection, or that their jobs depend on spending all day managing the tools. So how do you know when it’s time for a change? Here are ten signs that it’s time to upgrade:

You Are Still Using Signature-Based Antivirus (AV)

Signature-based technology is too slow to keep up with zero-day attacks and with malware that morphs or is recompiled with packers. There will always be victims until the signature is created by the vendor, pushed to customers, tested and rolled out – a process that can take days from the initial malware identification.

Devices that haven’t updated, even just for a day, are vulnerable to the latest malware. Dormant virtual machines, vital for business continuity in the event of a malware outbreak, are also highly exposed until they can be updated with the latest signatures. If one of your cybersecurity metrics is the number of machines with up-to-date signatures, then it’s time to review your EPP. 

The other problem is that signature sets cannot be infinitely large, so legacy AV vendors drop signatures for malware they consider ‘in the zoo’, rather than ‘in the wild’. I often see old malware detected on file servers by Next Generation AV and have even heard of WannaCry infections occurring over a year after the initial outbreak. Next gen solutions are typically signature-less.

You Think Ransomware is ‘Business as Usual’

The large number of ransomware outbreaks in the last few years is an indication that legacy AV solutions have failed us. As a workaround, many businesses improved their backup processes, implemented rollback software and application whitelisting, and became better prepared to react to ransomware attacks. I speak to organizations where responding to ransomware has become a ‘business as usual’ process and where three outbreaks a year are considered manageable.

The nice thing about ransomware (if there is such a thing), is that it is ‘noisy’ and lets you know that you have been compromised. But if ransomware can run, so can Remote Access Trojans (RATs), keyloggers and Advanced Persistent Threats (APTs) that can silently steal your data. Next Generation solutions can prevent ransomware and other advanced malware and zero-day attacks.

You Are Still Doing Regular Background Scans

Legacy AV requires daily or weekly scans so that it has a chance to detect malware already sitting on the local drives using the new signatures received in the daily data-file updates.

Users often postpone the scans (sometimes for many consecutive days), leave their machines on overnight or set their breaks around when these scans happen. Why? Because they slow the device down. Next Generation AV does not require background scanning.

You Just Bought New Machines but They Seem Slow

Legacy AV, together with the additional solutions needed to protect a PC due to legacy AV’s shortcomings, uses a far greater percentage of system resources than Next Generation AV.

You Are Still Using an On-Premises Server for AV Management

It’s 2018. If you are not able to manage your AV from the cloud, it’s time to update. But be careful – some Next Generation AV solutions require constant Internet connectivity to be effective, while others remain effective even when disconnected.

You Spend Too Much Time Managing AV

Managing AV adds no value to your business. Next Generation AV requires less management overhead – simple policies, no false alarms, no tracking daily updates or background scan rates and no management server(s) to maintain. You can re-purpose staff to value-adding activities or proactive (and more interesting) cybersecurity tasks like threat hunting.

You Spend Too Much Time Responding to Alerts that Turn Out to Be Nothing

While signatures work well in stopping known malware and tend not to produce many false positives, the additional features added to stop new malware can result in many false alarms. Heuristics, behavior-based identification, sandboxing, Host-based Intrusion Prevention, and URL and Reputation Filtering all add the potential for noise and false positives.

You Have No Faith in Your EPP

Are you looking at Application Whitelisting, Host-Based IPS, Reputation Filtering, sandboxing, Data Loss Prevention, Behavior-Based malware detection or Host-Based Firewalls? If you follow the money, there is little incentive for traditional AV vendors to fix their core product. They would prefer to sell you any number of augmentation technologies and push the ‘defense in depth’ approach. (Or is that ‘expense in depth’?)

You Are Looking at EDR Because You Have No Faith in Your EPP

Endpoint Detection and Response (EDR) is the new darling of an industry looking for ways to extract more money from your business. There are two schools of thought on EDR – one is that it is yet another layer of in-depth defense that organizations can use in parallel with their failing legacy AV solution so they can identify and roll back any damage done by malware.

The other is that EDR can be preventative and provide more intelligence about how a piece of malware got to an endpoint, identify and prevent attackers living off the land, provide powerful searching capabilities for indicators of compromise, and detect/prevent indicators of attack such as hosts file modification, malicious PowerShell usage or log deletion.
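To make the "indicators of attack" in the paragraph above concrete from a defender's side, here is an added illustration (not Cylance/BlackBerry code, and not how any particular EDR product is implemented) of three simple detection rules run over constructed endpoint telemetry: a write to the Windows hosts file, an event-log clearing command, and PowerShell launched hidden or with an encoded command. The event shape, rule names, sample hostnames, paths and the base64-looking placeholder are all assumptions made for the example.

```python
"""Toy indicator-of-attack rules over constructed endpoint events.

Added example for illustration only; the Event shape, rule names and
sample data are assumptions, not any vendor's telemetry format.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str    # "process" (detail = command line) or "file" (detail = path written)
    user: str
    detail: str


# Path whose modification the post lists as an indicator of attack.
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"

# Event-log clearing via wevtutil or the Clear-EventLog cmdlet.
LOG_CLEAR = re.compile(r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog\b)", re.I)

# PowerShell started with an encoded command (-e/-ec/-enc/-EncodedCommand
# followed by a base64-looking blob) or with a hidden window.
ENCODED_PS = re.compile(
    r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
HIDDEN_PS = re.compile(r"powershell(\.exe)?.*\s-w(indowstyle)?\s+hidden", re.I)


def hosts_file_modified(e: Event) -> bool:
    return e.kind == "file" and e.detail.lower() == HOSTS_FILE


def log_deletion(e: Event) -> bool:
    return e.kind == "process" and LOG_CLEAR.search(e.detail) is not None


def suspicious_powershell(e: Event) -> bool:
    return e.kind == "process" and bool(
        ENCODED_PS.search(e.detail) or HIDDEN_PS.search(e.detail))


RULES = [
    ("hosts_file_modification", hosts_file_modified),
    ("log_deletion", log_deletion),
    ("suspicious_powershell", suspicious_powershell),
]


def evaluate(events):
    """Return (host, user, rule_name, detail) for every event that trips a rule."""
    hits = []
    for e in events:
        for name, predicate in RULES:
            if predicate(e):
                hits.append((e.host, e.user, name, e.detail))
    return hits


# Constructed sample telemetry: each suspicious event is paired with a benign
# look-alike so the rules can be seen discriminating between them.
PLACEHOLDER_B64 = "A" * 28   # stands in for an encoded command; not a real payload
SAMPLE_EVENTS = [
    Event("ws-01", "file", "alice", r"C:\Users\alice\Documents\report.docx"),
    Event("ws-01", "file", "alice", r"C:\Windows\System32\drivers\etc\hosts"),
    Event("ws-02", "process", "bob", r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
    Event("ws-02", "process", "bob", "powershell.exe -w hidden -enc " + PLACEHOLDER_B64),
    Event("ws-03", "process", "svc", "wevtutil qe Security /c:10"),   # a query, not a clear
    Event("ws-03", "process", "svc", "wevtutil.exe cl Security"),
]


def run_sample():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for host, user, rule, detail in run_sample():
        print(f"{host} {user} {rule}: {detail}")
```

Each of these rules is cheap to evaluate but, as the post notes about heuristics in general, every one of them can fire on legitimate administration: an operator editing the hosts file, a scheduled script run hidden, or a planned log rotation. In practice the hit is a triage prompt that is only useful alongside the user and parent-process context carried in the event, which is why the output keeps those fields rather than just the rule name.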

Either way, if you’re looking to supplement your EPP because you have no faith in it, why not start by reviewing what the Next Generation of AV can offer?

You Have to Upgrade Your Operating Systems Because Your AV Doesn’t Support Older Versions

We know that hospitals and retail are notorious for running older operating systems, preferring to direct their budget into saving lives or hiring more staff rather than paying to upgrade something that is not considered broken.

Operational Technology environments are frequently locked-in to using the operating systems that were deployed initially and can’t be upgraded. The good news here is that the lightweight nature of some Next Generation AV products makes them suitable for older machines running older operating systems, so there is no need to leave them unprotected.

Conclusion

The time to review your endpoint protection is now. Don’t keep having restless nights worrying about the next outbreak or becoming front-page news because of a breach. Don’t keep burdening your IT staff with managing servers, monitoring updates/scans and chasing up false detections when they could be doing more productive and proactive things.

Don’t keep buying additional layers of security – it adds to control friction, slows down machines and leads to a rise in shadow IT. The next generation of AV products will give users back performance, provide better protection and free up security staff for more value-adding activities.


About Rob Collins

APAC Director of Pre-Sales Systems Engineering at Cylance.

Rob Collins is the APAC Director of Pre-Sales Systems Engineering at Cylance. He started his career in cybersecurity 15 years ago at a ‘Big Pharma’ company as a Regional Information Security Manager and then made the jump into security vendors with a three year stint at Blue Coat as a Pre-Sales Systems Engineer, followed by Trend Micro, WatchGuard and Firemon. Rob has a Masters in Business Administration specializing in technology management, and has worked with many kinds of organizations to help them better secure their information.