Warding off the effects of malicious code by denying specific, illicit application behaviors is IT security's version of thinking outside the box.
Ideally, having behavior-based application-layer security software in place would give users carte blanche when it comes to opening e-mail attachments and other currently frowned-upon practices. A virus could in theory be allowed to execute, only to have its impact neutralized by software that monitors applications for particular behaviors and denies those behaviors when they occur.
"What every virus tries to do, similar to a hacker, is grab hold of an application and make it do something it's not supposed to do," said Tom Turner, an executive with Okena, a Waltham, Mass.-based vendor of behavior-based application-layer protection. "Outlook is the popular application viruses attack, trying to replicate themselves by sending themselves to everyone's address in the address book, for example. If this behavior is denied, the virus is rendered ineffective and doesn't have something to execute or leverage."
Proactive defenses, however, are not prevalent yet. Proponents point toward benefits like no longer needing to wait for an antivirus vendor to create a virus signature in the early stages of an outbreak. Opponents, however, point toward performance issues (these products often monitor operating system calls and some believe they drain CPU performance), false positives and the lack of skill sets in most enterprises to write and implement updated policies.
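The enforcement model the article describes (watch what an application does, compare each action against a policy, deny the ones it is not supposed to perform) can be sketched as a small rule engine. The block below is an added illustration, not code from Okena or any product named in the article; the process names, behavior classes, thresholds and the "corp-patcher.exe" exception are all constructed for the example. It also shows the false-positive concern raised above: a legitimate installer writing to the system directory would be blocked by the generic rule, so an explicit allow rule for it is placed ahead of that rule.

```python
"""Toy behavior-based application policy engine (illustrative, not a product's code)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    """One observed application action (a stand-in for an intercepted OS call)."""
    process: str   # application performing the action, e.g. "outlook.exe"
    action: str    # behavior class: "send_mail", "exec", "write_file", ...
    target: str    # action argument: recipient count, file path, host ...


@dataclass(frozen=True)
class Rule:
    """A policy rule: process/action selectors, an extra condition, and a verdict."""
    name: str
    process: str                     # "*" matches any process
    action: str                      # "*" matches any action
    match: Callable[[Event], bool]   # further condition on the event
    verdict: str                     # "allow" or "deny"


def _selector_matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern.lower() == value.lower()


def evaluate(event: Event, policy: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins. An event no rule covers is allowed (assumed default)."""
    for rule in policy:
        if (_selector_matches(rule.process, event.process)
                and _selector_matches(rule.action, event.action)
                and rule.match(event)):
            return rule.verdict, rule.name
    return "allow", "default"


# Constructed policy values; thresholds and names are assumptions for the example.
SYSTEM_DIR = "c:\\windows\\system32\\"
EXEC_SUFFIXES = (".exe", ".vbs", ".scr", ".pif")

POLICY: List[Rule] = [
    # Exception rule listed first so it takes precedence over the generic deny below.
    # Without it the (hypothetical) patch installer's normal work would be a false positive.
    Rule("trusted installer may update system dir", "corp-patcher.exe", "write_file",
         lambda e: e.target.lower().startswith(SYSTEM_DIR), "allow"),
    # A mail client addressing a whole address book in one go is the mass-mailing behavior
    # the article describes; the recipient threshold is a made-up policy value.
    Rule("mail client mass-mailing", "outlook.exe", "send_mail",
         lambda e: int(e.target) > 25, "deny"),
    Rule("mail client launching executable attachment", "outlook.exe", "exec",
         lambda e: e.target.lower().endswith(EXEC_SUFFIXES), "deny"),
    Rule("write to system directory", "*", "write_file",
         lambda e: e.target.lower().startswith(SYSTEM_DIR), "deny"),
]

# Constructed event stream standing in for monitored application activity.
EVENTS: List[Event] = [
    Event("outlook.exe", "send_mail", "1"),                                   # ordinary reply
    Event("outlook.exe", "send_mail", "312"),                                 # address-book blast
    Event("outlook.exe", "exec", "C:\\Temp\\invoice.pdf"),                    # opening a document
    Event("outlook.exe", "exec", "C:\\Temp\\attachment.vbs"),                 # script attachment
    Event("corp-patcher.exe", "write_file", "C:\\Windows\\System32\\a.dll"),  # covered by exception
    Event("winword.exe", "write_file", "C:\\Windows\\System32\\b.dll"),       # not expected of a word processor
    Event("winword.exe", "write_file", "C:\\Users\\me\\report.doc"),          # nothing matches
]


def enforce(events: List[Event], policy: List[Rule] = POLICY) -> List[Tuple[Event, str, str]]:
    """Return (event, verdict, rule name) for each event; no signature of any virus is consulted."""
    return [(e, *evaluate(e, policy)) for e in events]


def denied_count(events: List[Event], policy: List[Rule] = POLICY) -> int:
    return sum(1 for _, verdict, _ in enforce(events, policy) if verdict == "deny")


if __name__ == "__main__":
    for event, verdict, rule in enforce(EVENTS):
        print(f"{verdict:5} {event.process:17} {event.action:10} {event.target}  [{rule}]")
```

Note that nothing in the policy knows which virus is running: the same rules stop any code that drives the mail client into mass-mailing or launches a script attachment, which is the "stop the unknown" argument. The flip side is also visible: every exception like the installer rule is a policy decision someone in the enterprise has to write and maintain.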
"I don't see behavior-based protection completely replacing signature-based in the near future," said Robert Lonadier, president of Boston-based RCL Associates. "Both can play a role as part of the threat-management cycle. Behavior-based could fill the gap between the time when a virus is released to when it is recognized as a threat and a signature file is created. Behavior-based can provide an early-prevention capability until signature files can be updated."
Signature-based protection is the current method of choice, with most enterprises employing AV protection from vendors like Sophos, Trend Micro, Symantec and Network Associates, among others. Corporate familiarity with AV products gives the space a long shelf life, but Okena's Turner and Hurwitz Group analyst Pete Lindstrom see a shift in thinking as attacks become more sophisticated and begin to easily elude signature-based AV.
"Antivirus software is always one step away (from viruses). You don't want to be the sacrificial lamb," Lindstrom told SearchSecurity in June at its Security Decisions conference in Chicago.
"The biggest advantage of truly proactive prevention is the ability to stop the unknown," Turner said. "No one argues that Norton or McAfee don't do a good job once an attack is under way. Behavior-based protection stops attacks, not because it knew an attack was under way, but it stops the attack from doing what it was programmed to do."
Turner also said that behavior-based protection eases the burden for administrators having to manage thousands of virus signatures on desktops and make sure they get deployed.
Products from Okena, KaVaDo, Finjan and others ship with policies written out of the box and room for customization. Writing and implementing adequate policies, however, is sometimes daunting, and that is a downside of application-layer security.
"These skill sets must be learned, and they're not prevalent in most enterprises," Lonadier said. "It's a problem of definition, deployment and enforcement. You need a diverse skill set to take a business policy and apply and enforce it on hardware and software. That's quite a challenge."