5 Steps to Selecting an Enterprise Anti-Virus Replacement

by Roark Pollock

April 18, 2019


If you’re in the market to replace or upgrade your existing anti-virus (AV) solution and you spend much time researching enterprise endpoint security software solutions, you might begin to envy the often-referenced “cat herder”.

After all, cat herding looks easy compared to clearly understanding endpoint security these days. There is so much information, misleading information, and downright confusion that it’s hard to know where to start. Additionally, the industry is full of confusing jargon that not everyone uses consistently.

Blog Purpose

My goal in this blog is to give you a simple framework for how to go about selecting a replacement for your legacy enterprise anti-virus software. And hopefully I can do so without much jargon. The key steps I outline below are:

  • Step 1: Answer the Question: What is Wrong with Your Current AV Solution?
  • Step 2: Define your Operational Requirements.
  • Step 3: Focus on the Most Important Protection Capabilities.
  • Step 4: Get Built-in Endpoint Detection and Response (EDR).
  • Step 5: Find Out What More Can I Get?
  • Step 6: Bonus Pro Tip

Most marketing content I read is too focused on the vendor’s product and, in my opinion, tries to get the reader to jump right to the answer (i.e. buy the vendor’s product). Let’s start this exercise differently.

Step 1: Answer the Question: What is Wrong with Your Current AV Solution?

Before researching new endpoint security solutions to replace your current AV or next-generation AV (NGAV), start by documenting what’s not working today. I consider this the most important step in this framework. Everyone thinks they know anecdotally what’s not working, and that the entire team agrees. That is rarely the case, and it’s rarely that simple. Do the following:

  • Write down what’s not working - It doesn’t matter if you do this in a Microsoft Word document, Google doc, or if you use a number 2 pencil. Just write it down.
  • Quantify it if possible - Now for each item that you’ve written down that isn’t working, try and quantify the scale of the miss. This helps build a baseline we can use to measure success at the end of this purchasing process.
  • Socialize it and get agreement - This is usually the most surprising part of the exercise. Review your issue list with as many IT and security team members as possible - anyone that touches those endpoints - be they workstations, laptops, servers, or virtual machines. Try to achieve a broad consensus.
  • Document what future state you want to achieve - Finally, once you have agreement on the current state and what’s not working, try and write down what future state you want to achieve. This does not have to be perfect, but it will help serve as a guide as you go through the next several steps in this framework.

To get you started, below are some examples I hear when speaking with customers; you may recognize some of these issues in your own organization.

  • Our AV product simply fails to stop many threats / attacks.
  • AV causes too many laptop performance issues for users.
  • We have little to no visibility or data on what’s actually happening on the endpoint.
  • End user productivity is reduced because they have to manually deliver laptops to IT for analysis and remediation.
  • It takes us way too long to investigate and respond to endpoint alerts.
  • We have too many endpoint tools in addition to AV. AV is not the only issue.
  • Our AV product costs too much.

This is not an exhaustive list, but simply something to get you started thinking. Often the problem is more spread out than you first assume.

Step 2: Define your Operational Requirements.

This step is usually much easier for technical teams than the first step. Define your operational environment, and what requirements you will have for the solutions you review. This should involve answering the following questions, but you may certainly have additional items on your list.

  • Do you have an inventory of endpoints on your network that need protection? If so, what device types / endpoints are you trying to protect? This might include laptops, desktops, workstations, tablets, smartphones, servers, rack servers, virtual machines, virtual desktop infrastructure, etc.
  • What operating systems are running on those devices? Windows, Windows Server, macOS, Linux (Red Hat, Ubuntu, CentOS, Fedora, Scientific Linux), iOS, Android, etc. List the versions of each operating system as well, especially if you have really old versions.
  • Do you want a cloud-delivered endpoint security software solution, or will you require an on-premises deployment of the backend architecture?
  • Will you deploy on only company owned endpoints, or does this include employee owned endpoints?
  • Who will ultimately be using the endpoint security solution you put into place? This could be a single person or many different teams such as security operations (SecOps), IT operations (IT Ops), helpdesk / end user support, server support, development operations (DevOps), and even governance, risk management and compliance.
  • What systems integrations would you like to set up? This can often include malware / sandboxing solutions, security incident and event management (SIEM) systems, ticketing or orchestration systems, vulnerability assessment and patch management systems, and other data analysis tools.

Step 3: Focus on the Most Important Protection Capabilities.

"Focus on protection efficacy against unknown, zero-day malware, and file-less attacks like weaponized documents and in-memory attacks."

Traditional or legacy enterprise antivirus solutions are all about threat prevention. All NGAV and endpoint security software solutions also deliver this same function. The key is knowing where to focus your efforts in evaluating the efficacy of these solutions. To simplify the discussion let’s divide the types of endpoint threats to be addressed into 3 categories:

1) Known, file-based malware

2) Unknown or zero-day, file-based malware

3) “So-called” fileless attacks

The first category of threats, known malware, is largely a solved problem for all traditional AV and NGAV products, whether based on signatures, heuristics, behavioral analysis, or machine learning. This is certainly not to say that there are no differences in efficacy, but think of these attacks as “background radiation”. All the endpoint protection tools out there should do a good job of protecting against these attacks. And more importantly, these threats are becoming less of an issue in successful attacks because most of the AV tools do work well against them. So do not focus your efficacy evaluations on this category of protection. Take this for granted.

The key area to focus on is protection against the other two categories of threats, zero-day malware, and file-less attacks.

For years now, successful malware attacks on enterprises have predominantly been single-use or have employed polymorphic techniques. As far back as 2015, Webroot found in their Threat Brief that up to 97% of successful enterprise malware infections were single-use or polymorphic. Thus, protection against these zero-day malware threats is a huge area to focus on in your evaluations.

Unfortunately, even stopping zero-day malware isn’t enough these days. When evaluating endpoint security solution efficacy, our third category of attacks is another area we need to investigate. This category of file-less attacks primarily consists of:

  • Phishing and spear-phishing attacks via Office documents
  • Weaponized PDF attacks
  • Direct-to-memory PowerShell attacks

Why? In Symantec’s 2019 Internet Security Threat Report, they found that 48% of malicious email attachments are Microsoft Office files, up from 5% in 2017. And IBM, in their X-Force Research in 2018, found that 57% of successful attacks leverage direct-to-memory PowerShell techniques.

So, while protection against known malware is nice, it is no longer enough or an important differentiator in evaluating an AV replacement.

Focus on protection efficacy against unknown, zero-day malware, and file-less attacks like weaponized documents and in-memory attacks.

Step 4: Get Built-in Endpoint Detection and Response (EDR).

Cybersecurity professionals have all moved beyond the idea that threat protection can be fully automated and 100% effective. That’s why there is so much attention paid to detection and response capabilities in today’s endpoint security discussions.

The basic premise behind EDR is to find those threats, whether external or internal, that have bypassed our protection efforts and are now resident inside the enterprise. Once found, it is critically important to analyze the threat kill chain to determine the full scope of the attack going back in time to the original root cause of the successful attack. Then apply that knowledge to quarantine and eliminate the threat.

When you first start looking at EDR there are a few key questions you’ll want to ask internally.

  • Is it a Nice to Have? Are you getting EDR as a “nice to have”, or do you fully intend to implement regular threat hunting and response? Either answer is OK, but knowing the answer will help you determine how much time to spend evaluating the EDR details.
  • What level of time commitment and expertise is required? Will you conduct threat hunting and response internally or will you want to outsource the function?
  • What level of visibility does the solution provide? In evaluating the product, given that the average dwell time of threats in the enterprise is typically measured in multiple months, does the EDR solution maintain collected endpoint visibility data long enough to allow you to “ferret” out the original intrusion point? Or is that visibility data deleted to save storage costs before you need it? This is a super important point, and a simple one to answer for any solution.
  • What response and remediation actions are available? Do these fit your needs, and will they solve your original issues from step 1? Does the solution allow for response on remote endpoints? Is a workflow available for investigation and response?
  • Do you want to automate response actions? If so, what is available for your future use?

Typically, the most valuable thing an EDR solution provides is granular endpoint visibility, which can be immensely useful to a variety of teams within the organization, and for a variety of purposes.

Step 5: Find Out What More Can I Get?

Good endpoint security starts well before any AV or endpoint protection tool starts inspecting a file to determine if it is a threat or not. It starts with maintaining good endpoint hygiene in order to keep the attack surface as small as possible. These endpoint hardening practices are by far the most effective threat prevention available.

And since leading endpoint security software solutions now provide rich endpoint visibility, some are starting to incorporate these hygiene functions as well.

If you want to get more from your endpoint protection platform, look for functionality that includes items like:

  • Endpoint discovery and inventory. Many endpoint protection platforms can now comprehensively discover, fingerprint and inventory all connected devices, even infrequently connected devices. This helps to find and possibly eliminate rogue devices.
  • Application discovery and inventory. This can include a detailed cataloging of the applications installed on each and every managed endpoint. It can also be used as a means to discover the use of unauthorized applications by insiders.
  • Endpoint vulnerability discovery and prioritization. Given that security agents on the endpoint monitor the OS and applications in real-time, they may provide for detailed vulnerability tracking with no additional agent or external scanning or scheduling required.
  • Configuration hardening and compliance. Additionally, these endpoint security agents may be able to continuously monitor the endpoint security controls in place and report on or remediate endpoints that are non-compliant with your security policies.

Additionally, the endpoint visibility gained through these endpoint protection platforms can also be of use to teams internally like the IT helpdesk. Examples you might look for include:

  • Proactive discovery of endpoint performance issues. Quickly identifying application performance and/or intermittent behavior issues can help dramatically reduce MTTR for the IT helpdesk. Not to mention that these performance issues can sometimes indicate or signal a possible security breach.
  • Track endpoint and application usage. Continuously tracking and inventorying connected systems can assist IT in hardware refresh management. And further, tracking detailed application usage metrics can be invaluable in license rationalization efforts.

At the end of the day, endpoint visibility is valuable across the entire organization, not just to the security team.

Step 6: Bonus Pro Tip

Depending on how you use whatever endpoint protection platform you evaluate and eventually select, look at the return on investment (ROI) that you might be able to justify. Demonstrating a positive ROI will surely help you justify an upgrade from your existing AV solution. So how might you demonstrate an ROI from an endpoint security tool? Look for the following:

  • Can you replace multiple existing endpoint products with your new endpoint protection platform? Certainly, it will replace your AV tool, but do you also have an NGAV tool it would replace? What about an existing, standalone EDR tool? Or an incident response solution? Or a vulnerability scanner? Get creative and see if you can make it pay for itself.
  • Additionally, use it to save lots of money on those over-provisioned Adobe and Microsoft Office licenses that may not be getting used. Anything you can do here might help you get a new endpoint security software solution for next to nothing. Heck, if you’re lucky you might even save money.

If you want to read more about replacing your anti-virus solution with Ziften, check out some of our additional resources at https://ziften.com/replace-your-anti-virus/.