Enterprises are pretty used to doing things the old-fashioned way. In this case, that means using signature-based defenses to secure their infrastructures and assets. You advocate a behavior-based model that specifically monitors the behavior of applications and either allows the behavior or shuts down the application. Why should enterprises take this approach?
The problem of Web application security has always been pretty clear to us. Five or six years ago, it was not clear to the world. Security then used to be about network security, firewalls, intrusion detection and encryption algorithms. We spoke with some high-level executives inside American enterprises about Web application security, telling them that applications were the most vulnerable point in their networks because there are ways for attackers to enter their firewalls legally (for example, by opening an online banking account and obtaining a legal user name and password). The question then becomes: 'How robust is your application now that a hacker may be nearer to your most sensitive information?'
We would come in and do ethical hacks on clients and we would show them the threat to their Web applications, and we'd always manage access to some incredible stuff. In one bank, we opened an account and created money, depositing $1 million in the account. At another brokerage firm, we used a vulnerable Web application to gain control of 10,000 user accounts. With that access, in one day, we could impact the Dow and Nasdaq worse than any terrorist.
Let me start by pointing out that 99% of the industry chooses to approach and adopt a negative security model. A negative security model is all about trying to build a hacker model that monitors traffic on the Web or data transactions, and when it identifies signs that a specific transaction falls under the hacker model, it blocks the transaction. These are common, signature-based, rule-based models like antivirus, intrusion detection, firewalls and proxy servers. This is a great technique for past attacks that you have faced. But this is useless against hackers and techniques that you have not faced in the past. If there is no model for it, you can't monitor for it and you can't block it. One way to try to solve this problem is with frequent updates; some vendors offer them daily or even hourly. But it's a race that was invented to fail because you are not able to keep track of everything. Security is a science of the weakest link. One hole in an application is enough to compromise an entire security model. How does a positive security model differ?
A positive security model focuses on the legal actions a user may perform. Web application security products monitor server-side traffic and extract policy from that traffic by determining what is legal behavior. It also monitors client-side requests and enforces the extracted policy on those requests. With this approach, you are not required to write a policy or update it when an application or site content is changed. Unlike a negative security model, where all behaviors are legal except what is known to be illegal, in a positive security model everything is illegal except what is known to be legal. This saves an administrator the need to update, as with a hacker model, and all they have to do is focus on what the expected behavior of a user is to be on a Web application. Anything out of those expected bounds is illegal. How do behavior-based models compare in price to signature-based?
Behavior-based models reduce the total cost of ownership for companies because they save the need for patching and updating a system with every vendor patch. A typical enterprise with a Windows server, an Oracle database and a BEA (Systems) application server would be doing three- or four-way updates. Some of those need daily patches, and this is a very expensive and tedious task. Behavior-based models are more expensive on purchase day, but they give back a higher return on investment over time. Is behavior-based security technology a replacement for signature-based defense, or a complement to them?
It depends on the space we're talking about and the problem. With respect to antivirus, that industry could not live without signature-based defenses. Antivirus software carries with it a history of thousands of virus signatures. You don't want to throw that legacy information away, so it's definitely a complementary defense. When you look at the Web application space, the number of different platforms and the level of customization of Web applications in a product environment create a situation where rule-based and signature-based products are useless. Does the mindset of the enterprise need to be changed for this approach to become widespread?
People are always hesitant to change from what they've always done. Part of it is also educating enterprises. Another factor is the severity of the problem. The number of dynamic Web systems and applications connected to the back end was minimal compared to today. With XML and SOAP standards, more corporate infrastructures are connected to the Web front. And that's great for business, but it's dangerous in terms of securing corporate assets.