Anti-Virus software was originally developed to prevent, detect and remove computer viruses. Detection was based on file signatures to identify harmful files. This detection method is now outdated: most malware files are polymorphic, so their signature changes constantly and the threat is not detected. New threats are also missed, since their signatures are not yet known.
Next Generation Anti-Virus and/or Endpoint Protection improves detection by adding more advanced features to close the security gaps of traditional Anti-Virus: Real-Time Protection, Heuristic Detection, Rootkit Detection, Sandbox, Firewall, URL Filtering, Privacy Control, … But this is still not enough against present-day threats.
According to Gartner, the next generation of Endpoint Protection software, EDR (Endpoint Detection and Response), is defined as solutions that:
- Record and store endpoint-system-level behaviours.
- Use various data analytics techniques to detect suspicious system behaviour.
- Provide contextual information.
- Block malicious activity.
- Provide remediation suggestions to restore affected systems.
EDR solutions must provide the following four primary capabilities:
- Detect security incidents.
- Contain the incident at the endpoint.
- Investigate security incidents.
- Provide remediation guidance.
EDR gives the ability to monitor endpoints for suspicious behaviour and to record every single activity and event. It then correlates this information to provide the critical context needed to detect advanced threats, and finally runs automated response actions, such as isolating an infected endpoint from the network, in near real time.
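As an added illustration of that record / correlate / respond pipeline (example code written for this page, not code from any EDR product): the script below replays constructed endpoint telemetry, flags a shell launched by an Office application, attaches that process's later network and file activity as context, and scores the chain to decide between "investigate" and "isolate". The telemetry format, the process name lists and the isolation threshold are assumptions.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts host kind pid ppid detail")

# Constructed sample endpoint telemetry (assumed format, not from the page):
# process creations, outbound connections and file writes from two hosts.
TELEMETRY = [
    Event(1, "ws-01", "process", 100, 1,   "winword.exe"),
    Event(2, "ws-01", "process", 200, 100, "powershell.exe"),
    Event(3, "ws-01", "network", 200, 100, "203.0.113.10:443"),
    Event(4, "ws-01", "file",    200, 100, r"C:\Users\a\AppData\Local\Temp\x.dll"),
    Event(5, "ws-02", "process", 300, 1,   "explorer.exe"),
    Event(6, "ws-02", "process", 400, 300, "notepad.exe"),
    Event(7, "ws-02", "network", 400, 300, "198.51.100.5:443"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}  # assumed list
SHELLS = {"powershell.exe", "cmd.exe"}                     # assumed list
ISOLATE_THRESHOLD = 2  # assumed score at which containment is triggered


def correlate(events):
    """Correlate recorded events per host into alerts with context and a response.

    Returns {host: {"chain": [...], "context": [...], "score": int, "action": str}}.
    """
    procs = {}      # (host, pid) -> process name, rebuilt from the recorded events
    follow_on = {}  # (host, pid) -> non-process events performed by that pid
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "process":
            procs[(e.host, e.pid)] = e.detail
        else:
            follow_on.setdefault((e.host, e.pid), []).append(e)
    alerts = {}
    for e in events:
        if e.kind != "process" or e.detail.lower() not in SHELLS:
            continue
        parent = procs.get((e.host, e.ppid), "")
        if parent.lower() not in OFFICE_APPS:
            continue  # a shell on its own is not suspicious; the parent chain is
        ctx = [f"{x.kind}: {x.detail}" for x in follow_on.get((e.host, e.pid), [])]
        score = 1 + len(ctx)  # the chain counts once, each follow-on event adds weight
        alerts[e.host] = {
            "chain": [parent, e.detail], "context": ctx, "score": score,
            "action": "isolate" if score >= ISOLATE_THRESHOLD else "investigate",
        }
    return alerts


if __name__ == "__main__":
    for host, a in correlate(TELEMETRY).items():
        print(host, " -> ".join(a["chain"]), a["context"], a["action"])
```

A signature check on winword.exe or powershell.exe alone would pass both hosts; only the recorded parent-child chain plus the follow-on activity separates ws-01 from ws-02.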