Current antivirus and IDS methods of signature-based threat detection are not unlike penguins' reaction to threats. When threatened, penguins huddle in a circle and a few get picked off. In a sense, the same holds true in the security world, according to John Pescatore, Gartner Group's vice president for Internet security. "A few of the penguins get eaten and then the signatures come out and save the rest."
The problem is a good number, and not just a few, are getting gobbled up. According to a 2003 enterprise security survey by the Yankee Group, 83% of respondents were hit by worms and viruses despite information security investments.
So vendors are moving away from signatures and instead providing products that are based on behaviors and rules. These approaches can be network- or host-based.
"If you care about a worm, one of the things you can do is start looking for changes to your network traffic," said Pete Lindstrom, research director of Spire Security. That assumes, he noted, a stable and well known baseline of network activity.
Examples of network-based solutions include those from TippingPoint and Juniper Network's Netscreen. Mirage Networks and DeepNines Technologies also make network security appliances, although the first sits inside the network while the second is placed outside before the router. Ann Arbor, Mich.-based Arbor Networks uses router-supplied information to measure and monitor network traffic via its Peakflow products.
Dave Harcourt, network security manager for British Telecom, uses Peakflow to help defend his company. Protecting the host is Harcourt's preferred method but that's not always possible. A small percentage of vulnerable systems in a large network can pour out a lot of worm-driven packets.
"As a result, you want to do a level of network-based detection," said Harcourt.
According to Gartner's Pescatore, nonsignature host-based products aren't as technically mature as those on the network side. He cites recent McAfee offerings as a good example of where things are headed. He expects the next year will bring a market shakeout and a technology maturation as host-based security products incorporate both behavioral- and signature-based elements.
However, he doesn't look for signatures to vanish and doesn't foresee a static security solution because threats and applications change daily. As Pescatore said, "It's a chess game and the bad guys have the white pieces. They get to go first."