Antivirus replacement is one of the hottest topics in endpoint security today. The headlines are rife with reports of organisations that have been breached successfully, despite having traditional endpoint protection in place when they were attacked. How is this happening? Because attackers now assume that these predictably ineffective AV protection solutions will be present, they have adapted their tactics accordingly, employing more evasive methods such as dumping credentials, scripting or even dispensing with malware completely.
As a result — and not surprisingly — more and more customers are looking to replace their current legacy AV with a more effective and forward-looking, solution. However, finding the right AV replacement for your organisation can be daunting given the number of solutions available. With each one claiming to have the most effective “next-generation” technology, it’s difficult to know where to start.
To help you navigate the crowded waters of AV replacement options, here are four simple steps you can take to help arrive at the best decision for your organisation:
Step one: Clearly define your goals: Remember that a change is worth making only if you’re going to gain benefits compared to what you already have. The best replacement should provide both better protection — offering a better level of security and filling the gaps left by your current solution — and better performance, in that a solution should improve system performance rather than degrading it. Many standard solutions have “bolted on” features that increase the burden on endpoints and can slow performance to a crawl. In some cases, the losses in performance and the resulting end user frustration may outweigh any minor improvements in protection.
Step Two: Tone down the cacophony of vendor claims: Vendors tend to tout identical features, but capabilities can differ widely under the hood. Also, some vendors get as confused as customers by the endpoint security market. Don’t take for granted that a vendor’s claims are accurate. Do your own due diligence and validate the information you are being given so you can tune out the “noise” and focus solely on technologies that truly meet your needs.
There are few ways to sort out the truth. One is to see for yourself by conducting a “bake-off” or proof of value (POV) exercise. This will be the ultimate validation of the vendor's’ claims. But even before you try an evaluation, requesting customer references from companies with requirements similar to yours — same industry, compliance regulations, size, etc. — is another way to find out how a solution performs in production.
Step Three: Consider time-to-value: While you may like the feature set and price of a given solution, if it takes months to deploy or requires complex management that will consume IT resources, the replacement effort may be a waste of time and money. Some organisations have invested significant sums in acquiring complex security solutions, only to have them sit on the shelf because they are too resource-intensive to be practical. As part of your due diligence, be sure to consider time-to-value as well as protection and performance.
Step Four: Ask the right questions: Posing the right questions will help clarify vendors’ claims and abilities, and can also help you clarify what you’re really looking for in a comprehensive security solution. Here are some examples of questions you may wish to ask:
●Can the new solution help me maintain compliance? If you are subject to compliance regulations, this question will help you make a first triage decision.
● What techniques do you use to block malware pre-execution? This will help sort out vendors who don’t have true anti-malware protection (whether machine learning or signature-based) and are only able to detect post-execution.
● What techniques do you use to block attacks that use exploits and malware-free attacks? If signature files are required, how often are they updated? Such questions will help you evaluate how well the product can fill the security gaps created by legacy AV.
● What level of prevention do I get when I’m offline? Does it prevent malware pre-execution if I’m not connected to the Internet? This will help you distinguish vendors who need a cloud connection to prevent malware from running.
● What is the footprint on the endpoint, including CPU, RAM, bandwidth usage and disk space requirements? This information will allow you to measure the performance impact on your endpoints.
●Which products include which features? Some vendors will pitch their entire portfolio under one umbrella. For instance, they will claim they can replace AV with “Product A” and show 100 percent prevention test results — except the test results only apply to “Product B.” It’s critical that you force the vendor to be clear about which product they are referring to and how many products are required to fulfill all the claims they make.