From the early 1990s until 2007 or so, antivirus (AV) software based on the principle of looking for the presence of unique file hashes (signatures) and then blocking the malicious programs was usually sufficient to protect the endpoint.
When a new form of malware was discovered in the wild, AV researchers could deconstruct and analyze the code to understand its unique signature. Then they updated their AV program code to look for and block that signature to protect the computers running the AV software.
Beginning in about 2007, however, the number of malware variants began to explode, making it impractical—and eventually totally impossible—to create a signature for every piece of malicious code in the wild.
As a result, the efficacy of detecting malware based on signatures alone plunged to the point where there is little value in using signature-based AV by itself today.
In fact, in 2014, Brian Dye, Senior Vice President for Information Security at Symantec proclaimed that antivirus software as we know it is “dead.”
What he was trying to say is that signature-based AV alone is insufficient to protect endpoint computers in the new era of mass-manufactured malware.
The next generation of EDR solutions is focused on prevention rather than detection; i.e., not even allowing malicious activity to execute on the endpoint at all, rather than trying to quickly detect when it does execute.
This new approach does not use human-created file signatures at all. Instead, it uses artificial intelligence (AI) that is based on machine learning to automatically—without human intervention—distinguish good (benign) files or activity from bad (malicious) files or activity based on mathematical risk factors.
Once this good/bad classification is made, then it’s possible to teach a machine to make the appropriate disposition decisions on these files in real time.
This paper details how adopting a prevention strategy leveraging AI based anti-malware technologies can significantly reduce event alerts, resource consumption, and the expenses associated with system downtime caused by perpetual signature updates, scans, and incident response following a successful cyberattack.