Behavioral Analysis - Next generation Threat Detection
by Lisa Vaas
Original intrusion detection solutions were based on blacklists and threat signatures that required
extensive user customization and maintenance. Threat detection vendors today are, thankfully, moving
to the far more proactive technologies associated with behavior analysis: an evolution to prevent
malevolent guests from getting onto your networks and into your databases.
Malware, says Rob Rachwald, is weird. It has no manners. It's always sniffing around on the network.
Before you know it, it's slipping off to connect back to an attacker, establishing a connection to your now-
violated network. "That's not normal network behavior," Rachwald, senior director of research at
FireEye, explained to SearchNetworking's Sally Johnson.
But it's exactly this sort of abnormal behavior that the next generation of information security
technologies is using to identify potential data threats. FireEye, maker of malware detection
technology, is just one of an increasing number of vendors trying to better tackle weird, and potentially
malevolent, behavior, whether it comes over the web, through email, through mobile devices, or even,
in the case of DB Networks, through SQL injection from a web application.
As it now stands, an intrusion detection system (IDS) that seeks out statistical anomalies can look at a
range of factors when trying to figure out what's normal vs. what's abnormal behavior. At the network
level, for example, an IDS can establish a baseline of ordinary network activity from metrics such as
typical bandwidth use, traffic volume, which protocols are normally used, or which ports and devices
generally connect to each other. An IDS looking for abnormal network traffic alerts an administrator
when traffic strays from these normal parameters and instead starts acting funny, like that misbehaving
malware.
Blacklist / Whitelist Flaws
Vendors' increasing tendency to sniff out weirdness through behavioral analysis makes perfect sense,
says Eric M. Fiterman, founder of Spotkick. As it is, the traditional model of threat protection, based on
barring entry via blacklists, has one big problem. Namely, in the time lag between a brand-new threat
emerging, its being recognized as malicious and, finally, its signature being added to the database of
blacklisted signatures, you've left the gate wide open for that new threat to successfully launch an
attack.
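The two ideas above (a baseline of normal per-host volume and peer/port/protocol pairs, and the signature lag that lets a brand-new callback address through a blacklist) can be shown side by side on a handful of flow records. The following is an added example for this page, not code from the article or from any vendor it names; every host, address and byte count is constructed, and the 203.0.113.x and 198.51.100.x addresses are documentation ranges used as stand-ins.

```python
"""Behavioral baseline vs. static blacklist on constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev


def _flow(day, src, dst, dport, proto, nbytes):
    """Build one netflow-style record; all values below are constructed for the example."""
    return {"day": day, "src": src, "dst": dst, "dport": dport, "proto": proto, "bytes": nbytes}


# Constructed "known-good" history: five days of traffic from two internal hosts.
BASELINE_FLOWS = []
for day, (web, dns) in enumerate([(1200, 100), (1100, 120), (1300, 90), (1250, 110), (1150, 100)], 1):
    BASELINE_FLOWS.append(_flow(day, "10.0.0.5", "10.0.0.20", 443, "tcp", web))
    BASELINE_FLOWS.append(_flow(day, "10.0.0.5", "10.0.0.53", 53, "udp", dns))
for day, web in enumerate([800, 850, 780, 820, 790], 1):
    BASELINE_FLOWS.append(_flow(day, "10.0.0.6", "10.0.0.20", 443, "tcp", web))

# Constructed window under inspection: 10.0.0.5 keeps its usual traffic but also
# makes six short connections to an address the organization has never talked to.
NEW_FLOWS = [
    _flow(6, "10.0.0.5", "10.0.0.20", 443, "tcp", 1200),
    _flow(6, "10.0.0.5", "10.0.0.53", 53, "udp", 100),
    _flow(6, "10.0.0.6", "10.0.0.20", 443, "tcp", 810),
] + [_flow(6, "10.0.0.5", "203.0.113.9", 8443, "tcp", 500) for _ in range(6)]

# Constructed blacklist: the new callback address has no signature yet (the "lag").
KNOWN_BAD = {"198.51.100.7"}


def daily_totals(flows):
    """Map src -> day -> bytes sent, the per-host volume metric the baseline is built on."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["src"]][f["day"]] += f["bytes"]
    return totals


def build_baseline(flows):
    """Learn what is normal: per-host daily volume (mean, stdev) and every peer/port/protocol seen."""
    volume = {src: (mean(list(days.values())), pstdev(list(days.values())))
              for src, days in daily_totals(flows).items()}
    peers = {(f["src"], f["dst"], f["dport"], f["proto"]) for f in flows}
    return {"volume": volume, "peers": peers}


def blacklist_hits(flows, blacklist):
    """Signature-style check: flags only destinations already on the list."""
    return [f for f in flows if f["dst"] in blacklist]


def behavioral_alerts(flows, baseline, k=3.0):
    """Return (src, reason, detail) tuples for traffic that departs from the baseline."""
    alerts = []
    # 1. Connections to a peer/port/protocol combination this host has never used.
    new_keys = defaultdict(lambda: [0, 0])  # key -> [flow count, bytes]
    for f in flows:
        key = (f["src"], f["dst"], f["dport"], f["proto"])
        if key not in baseline["peers"]:
            new_keys[key][0] += 1
            new_keys[key][1] += f["bytes"]
    for (src, dst, dport, proto), (count, nbytes) in sorted(new_keys.items()):
        alerts.append((src, "new-peer", f"{count} flows, {nbytes} bytes to {dst}:{dport}/{proto}"))
    # 2. Daily volume outside k standard deviations of the host's own history.
    for src, days in daily_totals(flows).items():
        if src not in baseline["volume"]:
            alerts.append((src, "unknown-host", "no baseline for this source"))
            continue
        m, sd = baseline["volume"][src]
        for day, total in days.items():
            # A zero spread means every baseline day was identical; any change then counts.
            out_of_band = (total != m) if sd == 0 else abs(total - m) > k * sd
            if out_of_band:
                z = (total - m) / sd if sd else float("inf")
                alerts.append((src, "volume", f"day {day}: {total} bytes vs. mean {m:.0f} (z={z:.1f})"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("blacklist hits:", blacklist_hits(NEW_FLOWS, KNOWN_BAD))  # empty: no signature yet
    for alert in behavioral_alerts(NEW_FLOWS, base):
        print("behavioral:", alert)
```

Run as written, the blacklist check returns nothing, because the callback address has not yet been blacklisted, while the behavioral check raises two alerts for 10.0.0.5 (a never-before-seen peer, and a day whose volume is tens of standard deviations above its history) and stays silent for 10.0.0.6, whose traffic is within its normal band. The threshold `k` and the choice of features are the tuning knobs a real deployment spends most of its effort on; the zero-spread branch matters because a short or too-regular baseline otherwise yields a standard deviation of zero and would never alert.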
"Where security companies, and the security industry at large, are at right now is the realization that it's
easier to characterize intended behavior," rather than trying to predict what new ways attackers are
going to try to get past your defenses and keep your blacklists/whitelists up-to-the-minute, says
Fiterman.
With blacklisting, Fiterman says, you're trying to keep up with what seems to be an infinite number of
ways that attackers can get around your security defenses. "There are a thousand ways to walk around a
wall," he says. "A lot of good people, or companies, are getting attacked, and [that can be] because they
don't think like attackers. But it's harder to get engineers to think like criminals, who are very adept at
104 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide