Signature-based threats: Moving beyond 'picking off penguins'

By Hank Hogan, Contributing Writer 06 Jul 2004 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

Current antivirus and IDS methods of signature-based threat detection are not unlike penguins' reaction to threats. When threatened, penguins huddle in a circle and a few get picked off. In a sense, the same holds true in the security world, according to John Pescatore, Gartner Group's vice president for Internet security. "A few of the penguins get eaten and then the signatures come out and save the rest."

The problem is a good number, and not just a few, are getting gobbled up. According to a 2003 enterprise security survey by the Yankee Group, 83% of respondents were hit by worms and viruses despite information security investments.

So vendors are moving away from signatures and instead providing products that are based on behaviors and rules. These approaches can be network- or host-based.

"If you care about a worm, one of the things you can do is start looking for changes to your network traffic," said Pete Lindstrom, research director of Spire Security. That assumes, he noted, a stable and well known baseline of network activity.

Examples of network-based solutions include those from TippingPoint and Juniper Network's Netscreen. Mirage Networks and DeepNines Technologies also make network security appliances, although the first sits inside the network while the second is placed outside before the router. Ann Arbor, Mich.-based Arbor Networks uses router-supplied information to measure and monitor network traffic via its Peakflow products.

Dave Harcourt, network security manager for British Telecom, uses Peakflow to help defend his company. Protecting the host is Harcourt's preferred method but that's not always possible. A small percentage of vulnerable systems in a large network can pour out a lot of worm-driven packets.

"As a result, you want to do a level of network-based detection," said Harcourt.

According to Gartner's Pescatore, nonsignature host-based products aren't as technically mature as those on the network side. He cites recent McAfee offerings as a good example of where things are headed. He expects the next year will bring a market shakeout and a technology maturation as host-based security products incorporate both behavioral- and signature-based elements.

However, he doesn't look for signatures to vanish and doesn't foresee a static security solution because threats and applications change daily. As Pescatore said, "It's a chess game and the bad guys have the white pieces. They get to go first."

Tags: Network Intrusion Detection (IDS),  Network Intrusion Prevention (IPS),  Malware, Viruses, Trojans and Spyware,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Intrusion Detection (IDS) Preventing SQL injection attacks: A network admin's perspective Lifecycle of a network security vulnerability Best Intrusion Prevention and Detection Products Rogue AP containment methods SIMs tools and tactics for business intelligence IPS and IDS deployment strategies Know when you need IDS, IPS or both Trend Micro to acquire Third Brigade for virtualization, cloud security New product aims to control rogue applications that avoid firewalls How to perform a network forensic analysis and investigation Network Intrusion Detection (IDS) Research Network Intrusion Prevention (IPS) Aligning network security with business priorities Best Intrusion Prevention and Detection Products Port scan attack prevention best practices Lesson 4: How to use wireless IPS Lesson 1 quiz: Risky business Hacker attack techniques and tactics: Understanding hacking strategies SIMs tools and tactics for business intelligence IPS and IDS deployment strategies I'll be watching you: Wireless IPS Know when you need IDS, IPS or both Network Intrusion Prevention (IPS) Research Malware, Viruses, Trojans and Spyware New Zeus spam poses as Social Security statements Increase in Gumblar backdoors poses FTP credential problems Hackers to sharpen malware, malicious software in 2010 iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Diffie-Hellman key exchange  (SearchSecurity.com) Einstein  (SearchSecurity.com) HIDS/NIDS  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) ultrasound  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary