At a certain point, almost every organization reaches the conclusion that it needs to move beyond the standard AV and firewall stack in order to soundly protect its environment. The common practice in recent years is to gain extra protection by implementing either EDR/EPP solutions (represented by vendors like CrowdStrike and Carbon Black) or Network Traffic Analysis/NDR solutions (such as Darktrace and Vectra Networks). Fortune 500 companies with large security teams would usually choose to buy and implement both.
A recently published guide, ‘Advanced Threat Protection Beyond the AV’, is the first resource that not only guides security executives through the pros and cons of each solution type but also outlines a best-practice approach that allows “non-Fortune 500” companies to combine the advantages of both approaches – without actually buying both.
The proliferation of advanced threats over the past decade has gradually led CISOs and other security professionals to acknowledge that neither perimeter protection nor signature-based endpoint protection can keep pace with the sophistication and sheer volume of polymorphic malware, fileless attacks, exploits, and the numerous post-exploitation techniques used for reconnaissance, credential theft, lateral movement, and data exfiltration.
This insight has led to massive growth in solutions that implement one of two approaches:
- Place your protection on the Endpoint – this approach is founded on the notion that, since malware execution is a substantial part of most if not all attacks, protection against advanced threats should come from monitoring both executed files and running processes, using innovative technologies to identify and block or alert on malicious files or processes without relying on known signatures. In terms of market categories, it falls into Endpoint Protection Platform (EPP), Next Generation Antivirus (NGAV) and Endpoint Detection and Response (EDR).
- Place your protection on monitoring the Network Traffic – this approach is founded on the notion that malicious presence and activity within a compromised environment inevitably entail anomalous endpoint, network and user behaviors that would never occur under normal circumstances. Following this logic, continuous monitoring of these entities’ behavior, as reflected in the network traffic they create, allows a behavioral baseline to be established and attacks to be identified by the deviations they create from it. In terms of market categories, this approach falls into Network Traffic Analysis (NTA) and Network Detection and Response (NDR).
While each of these approaches provides substantial protection capabilities compared to legacy, signature-based solutions, they differ radically from each other in their implementation, their infrastructure and, most importantly, in the type and scope of threats each approach protects against.
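To make the network-side logic above concrete, here is an added example (not code from the guide or from any vendor named on this page) that learns a per-host baseline from constructed flow records and flags later flows that deviate from it. The record format, host names, addresses and the z-score threshold are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (host, dst_ip, dst_port, bytes_out). Not real traffic.
BASELINE_FLOWS = [
    ("ws-01", "10.0.0.5", 445, 12_000),
    ("ws-01", "10.0.0.5", 445, 15_000),
    ("ws-01", "10.0.0.9", 443, 8_000),
    ("ws-01", "10.0.0.9", 443, 9_500),
    ("ws-01", "10.0.0.5", 445, 13_000),
]
NEW_FLOWS = [
    ("ws-01", "10.0.0.5", 445, 14_000),        # known destination, normal volume
    ("ws-01", "203.0.113.7", 443, 950_000),    # never-seen destination and a large upload
    ("ws-01", "10.0.0.9", 443, 8_800),         # known destination, normal volume
]


def build_baseline(flows):
    """Per-host profile: the (dst, port) pairs seen and mean/stdev of bytes_out."""
    dests = defaultdict(set)
    sizes = defaultdict(list)
    for host, dst, port, nbytes in flows:
        dests[host].add((dst, port))
        sizes[host].append(nbytes)
    return {h: {"dests": dests[h], "mean": mean(sizes[h]), "stdev": pstdev(sizes[h])}
            for h in dests}


def score_flows(baseline, flows, z_threshold=3.0):
    """Return (host, dst, port, reasons) for each flow deviating from its host's baseline."""
    alerts = []
    for host, dst, port, nbytes in flows:
        prof = baseline.get(host)
        reasons = []
        if prof is None:
            reasons.append("unknown host")          # no baseline at all for this host
        else:
            if (dst, port) not in prof["dests"]:
                reasons.append("new destination")
            if prof["stdev"] and (nbytes - prof["mean"]) / prof["stdev"] > z_threshold:
                reasons.append("bytes_out z-score above threshold")
        if reasons:
            alerts.append((host, dst, port, reasons))
    return alerts


if __name__ == "__main__":
    for alert in score_flows(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(alert)
```

A flow that stays within the learned destinations and volumes produces no alert, which is exactly the class of activity a traffic baseline alone cannot see and where the endpoint-side view described above is needed.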
The Advanced Threat Protection Beyond the AV Guide dives deep into the differences between the endpoint- and network-based approaches, specifying the pros and cons of each and leading to the conclusion that the best protection against cyberthreats entails combining the capabilities of both approaches.
The Advanced Threat Protection Beyond the AV Guide is an ideal knowledge resource for several types of security buyers:
- Large enterprises with a well-resourced security team operating an existing multi-product security stack. These organizations will ultimately deploy both solutions side by side but need to prioritize and evaluate them against the products they already have in place.
- Mid-market companies that would typically make a single ‘advanced security’ investment and need precise knowledge of the nature of protection this investment translates to.
- Any organization that historically deployed a solution from either approach and is actively experiencing a security gap. This type of buyer should have the tools to learn whether these gaps can be addressed by a solution from the other approach.