maxim weinstein

In the past couple years, we've seen the emergence of a new product descriptor: next-gen endpoint protection (NGEP). It's now gotten to a point where many businesses are trying to decide whether to replace or supplement their antivirus software with something new. But what exactly does NGEP mean, and how can IT and security professionals make sense of the plethora of NGEP products being marketed to them?

As is often the case, the name NGEP emerged independent of any industry standard or broad agreement on a definition. What is clear is that the name was perpetuated by new vendors looking to distinguish their products from the existing crop of endpoint protection solutions.

If there's anything that can be considered a unifying theme for NGEP products, it's the rejection of "signature-based" technology. Even that, though, is a bit vague. After all, hash lookups—querying a database to identify known malware—are part of nearly every NGEP product. Couldn't a hash be considered a unique signature of a file? Some would draw a distinction between hash lookups and pattern matching, where the "signature" is a specific pattern that security software looks for to convict a file as malicious.
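To make that distinction concrete, here is an added Python example (not code from the original post) that contrasts a full-file hash lookup with a byte-pattern signature on constructed sample data; the sample bytes, the hash database and the signature name are all made up for illustration.

```python
import hashlib

# Constructed sample data (not real malware): a "known" file and a variant
# that differs from it by a single byte in its trailing padding.
KNOWN_BAD = b"HDR\x00loader-core:MARKER-7A3F:payload-stub\x00padding"
VARIANT = KNOWN_BAD[:-1] + b"X"

# Hash lookup: the database holds full-file digests, so only an exact copy matches.
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Pattern signature: a byte sequence characteristic of a family, so it can also
# match files never seen before as long as they still carry the pattern.
PATTERN_SIGNATURES = {"loader-family-example": b"loader-core:MARKER-7A3F"}


def hash_lookup(data):
    """Return True if the file's SHA-256 appears in the known-bad hash database."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES


def pattern_match(data):
    """Return the names of all pattern signatures found anywhere in the file."""
    return sorted(name for name, pattern in PATTERN_SIGNATURES.items() if pattern in data)


def classify(data):
    """Run both checks, as a scanner's static stage might, and report each result."""
    return {"hash_hit": hash_lookup(data), "pattern_hits": pattern_match(data)}


if __name__ == "__main__":
    for label, sample in (("original", KNOWN_BAD), ("one-byte variant", VARIANT)):
        print(label, classify(sample))
```

The one-byte variant is missed by the hash lookup but still caught by the pattern signature, which is the gap the "signature-based" debate in the post is really about.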

In any case, NGEP solutions seem to be those that reject some types of signatures and incorporate new technologies. Which technologies are used varies from product to product. Here's a partial list of the technologies included in various solutions currently on offer:

  • Pre-execution analysis based on machine learning
  • Centralized event collection & analysis (e.g., root cause analysis)
  • Exploit prevention or mitigation
  • Detection based on behavior analysis
  • Ransomware behavior detection and blocking
  • Sandbox analysis
  • Rollback of changes after detection of an event
  • Endpoint isolation in event of a detection or suspicious event
  • Retrospective detection (i.e., identifying previously infected machines after a file is identified as malicious)

But many of these technologies are also popping up in "traditional" endpoint protection products, making the lines between NGEP and legacy endpoint protection even more blurry. Does software that uses both signatures and machine learning count as NGEP? What about a product that has innovative exploit prevention but does nothing to stop social engineering attacks? Is that NGEP?

Perhaps we're asking the wrong question.

In a world where both the threats and the defenses are constantly evolving, a better question is, "what's the right solution for my business?" Answering that requires a broader understanding of how all aspects of the product—features, usability, integration, value, and more—fit into your overall security strategy. In my next post, I'll dig deeper into this question and the many factors involved in selecting the best endpoint protection—next-gen or otherwise—for your organization.