refine a baseline of what is “normal” for different applications and users. Then, traffic is
examined in real time using behavioral analysis to recognize previously unknown advanced
threats and to identify abnormal actions.
Techniques like behavioral analysis have become increasingly important in the fight against
advanced threats because modern, professionally written malware often uses a combination of
methods to evade detection by traditional, signature-based scanners.
In particular, code-morphing is widely used by thieves to ensure that no two samples of a given
piece of malware look the same.
However, many of these differences are just cosmetic. Verizon found in its 2015 Data Breach
Investigations Report that 70% of attacks come from variants of just 20 families of malware.
While most attacks look different on the surface, underneath many behave in similar ways.
These similarities make it possible to identify threats that have never been seen before.
Statistical analysis of malware samples from around the world has shown that many families of
malware exhibit patterns of behavior that can be identified quickly and represented compactly.
New network security devices match these patterns against network traffic in real time to
discover potential threats even if the particular form they are taking has never been seen before.
In addition to watching for potentially malicious code that should be blocked, such network
security devices also examine the behaviors of traffic associated with users and applications on
that network.
These systems typically examine a wide variety of Layer 3 through Layer 7 parameters, ranging
from connections per second and bandwidth to URL formation and POST/PUT ratios within
HTTP traffic.
This makes it possible to detect not only patently obvious unusual activity such as denial of
service attacks and scanning, but also less obvious transfers of data at strange times that might
be indicators of compromise or theft (whether by malicious programming or people).
In perimeter deployments, these two types of continuous monitoring complement each other:
keeping watch for threats coming in as well as for sensitive data leaking out. However, they are
also playing an increasing role internally as organizations cope with the growing number of ways
that employees are transferring information into and out of the network.
Rather than assuming the company network is “clean,” many organizations are starting to
aggressively segment their network, putting security-monitoring devices throughout.
This way, they can watch for activities that might be particularly unusual for different
departments, such as late night transfers from inside Finance or intermittent probes of
Engineering systems.
This “behavioral intelligence” enables the devices themselves to be proactive in identifying risks.
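As an added illustration of the baseline-and-deviation approach described above (example code, not from the magazine or any vendor's product), the following Python script builds a per-department baseline from constructed proxy log records and flags users whose outbound volume, POST/PUT share or off-hours transfers depart from it; the log format, department names, business-hours window and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log records (not real traffic): timestamp, department, user, method, bytes out.
LOG_LINES = """2015-06-02T10:05:11 Finance alice GET 1200
2015-06-02T10:07:42 Finance alice POST 3400
2015-06-02T11:15:09 Finance bob GET 1500
2015-06-02T02:12:33 Finance carol PUT 48000000
2015-06-02T02:14:01 Finance carol PUT 52000000
2015-06-02T02:15:40 Finance carol POST 47000000
2015-06-02T09:20:12 Engineering dave GET 2100
2015-06-02T09:22:45 Engineering dave POST 4000
2015-06-02T10:01:00 Engineering erin GET 1800""".splitlines()
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is the normal working day

def per_user_features(lines):
    """Per user: request count, POST/PUT count, bytes out and bytes sent outside business hours."""
    f = defaultdict(lambda: {"dept": None, "n": 0, "uploads": 0, "bytes": 0, "offhours_bytes": 0})
    for line in lines:
        ts, dept, user, method, nbytes = line.split()
        u, nbytes = f[user], int(nbytes)
        u["dept"], u["n"], u["bytes"] = dept, u["n"] + 1, u["bytes"] + nbytes
        u["uploads"] += method in ("POST", "PUT")
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            u["offhours_bytes"] += nbytes
    for u in f.values():
        u["upload_ratio"] = u["uploads"] / u["n"]  # POST/PUT share of this user's requests
    return dict(f)

def department_baseline(features):
    """Department 'normal': median bytes out per user and median POST/PUT share."""
    by_dept = defaultdict(list)
    for u in features.values():
        by_dept[u["dept"]].append(u)
    return {d: (median(u["bytes"] for u in us), median(u["upload_ratio"] for u in us))
            for d, us in by_dept.items()}

def find_anomalies(features, byte_factor=10.0, ratio_delta=0.4):
    """Flag users whose traffic departs from their own department's baseline, with reasons."""
    base, alerts = department_baseline(features), {}
    for user, u in features.items():
        med_bytes, med_ratio = base[u["dept"]]
        reasons = [label for cond, label in (
            (u["bytes"] > byte_factor * med_bytes, "bytes_out"),            # far more data out than peers
            (u["upload_ratio"] > med_ratio + ratio_delta, "upload_ratio"),  # POST/PUT-heavy, uploading
            (u["offhours_bytes"] > 0, "off_hours_transfer"),                # the late-night case in the text
        ) if cond]
        if reasons:
            alerts[user] = reasons
    return alerts
```

A real deployment would learn the baseline over days of traffic rather than one morning, and would compare each user against both peers and their own history, but the shape of the check is the same.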
28 Cyber Warnings E-Magazine – June 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide