Security today is flawed. It’s all based upon “negative” signatures. In other words, signatures of things that are known bad. This has many flaws, not the least of which are:
Zero day. How do you know it’s bad until it has already done damage somewhere?
Can we really create signatures in a world of large botnets and polymorphic threats?
Just because it isn’t recognized as bad, does it mean it’s good?
It usually only works for threats from the outside trying to come in. After it’s in already, the approach is meaningless for the most part.
Can you really tell “intentions” without observing actions?
We ought to really only allow things we want (positive or white list model) and then make sure the allowed applications aren’t misused.
The above is a short list, but let's take a look at a different security stack model. Let's imagine a security stack with solutions that:
Allow a company to whitelist appropriate behavior and applications
Determine a threat by sandboxing attachments and checking what their behavior is
Determine a web application threat by observing the actions of attackers, assessing their skill and tenacity, and counteracting accordingly
Use profiling techniques to log individual attackers and threats
Log events from above for legal or compliance concerns
This is a very different way, and far simpler as it turns out. Negative-based models fall short, create numerous false positives (barking dogs) and don't protect against sophisticated cybercrime and corporate espionage. We have to start looking at what threats are actually attempting to do, that is, their actions. It's the only way to assess their damage potential.

Sandboxing is a way to take files, run them through multiple virtual machines and see without question what the file is attempting to do or not do. For instance, is it attempting to alter the Windows registry? Is it attempting to access files? If it is altering the system, it's a threat.

Honeypots are ways to detect activity; basically they are like motion detectors. If you detect motion inside a closet that houses your valuables and nobody should be there, there's a problem. Furthermore, if you give that threat greater and greater challenges and they continue to break through the various, more challenging honeypots, you now have a capable and determined threat: action is required, and it's just a matter of time.
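To make the positive model concrete, here is an added example (not Altaware's product code, and not part of the original post) that applies an allowlist to a sandbox behavior trace and grades an actor by how many escalating honeypot tiers they have tripped. The trace format, the policy for a PDF viewer, the tier names and the sample events are all constructed assumptions for illustration; only the approach (allow what is expected, report every deviation, escalate the verdict as decoys are breached) comes from the text above.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Event:
    action: str   # file_read, file_write, registry_write, net_connect, process_spawn
    target: str   # path, key, address or image name the action touched


# Positive model: per document type, the actions a benign viewer is expected to
# take. Anything not matched here is a deviation worth reporting.
# (Assumed policy, constructed for this example.)
POLICY = {
    "pdf": {
        "file_read":  ("sample.pdf", r"C:\Windows\Fonts\*"),
        "file_write": (r"%TEMP%\*",),
    },
}


def assess(doc_type, events):
    """Return the events in a sandbox trace that fall outside the allowlist."""
    allowed = POLICY.get(doc_type, {})
    violations = []
    for ev in events:
        patterns = allowed.get(ev.action, ())
        # No pattern for this action, or a target outside every pattern: deviation.
        if not any(fnmatchcase(ev.target, p) for p in patterns):
            violations.append(ev)
    return violations


# Constructed sandbox traces: a viewer doing only what a viewer should, and the
# same trace with persistence, a network call and a child process added.
BENIGN_TRACE = [
    Event("file_read", "sample.pdf"),
    Event("file_read", r"C:\Windows\Fonts\arial.ttf"),
    Event("file_write", r"%TEMP%\render.tmp"),
]
SUSPECT_TRACE = BENIGN_TRACE + [
    Event("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event("net_connect", "203.0.113.10:443"),   # documentation address, constructed
    Event("process_spawn", "cmd.exe"),
]

# Honeypot tiers, ordered from easiest to hardest to reach (assumed names).
TIERS = ("decoy_share", "decoy_admin_login", "decoy_vault")


def classify_honeypot(tripped):
    """Grade an actor by how many of the escalating decoys they have breached."""
    seen = set(tripped)
    breached = [t for t in TIERS if t in seen]
    if not breached:
        verdict = "none"
    elif len(breached) == len(TIERS):
        verdict = "determined"    # every challenge broken: capable and persistent
    elif len(breached) > 1:
        verdict = "persistent"
    else:
        verdict = "opportunistic"
    return {"tiers_breached": breached, "verdict": verdict}


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("suspect", SUSPECT_TRACE)):
        deviations = assess("pdf", trace)
        print(f"{name}: {len(deviations)} deviation(s)")
        for ev in deviations:
            print(f"  {ev.action} -> {ev.target}")
    print(classify_honeypot(["decoy_share", "decoy_admin_login"]))
```

The benign trace produces no deviations, while the suspect trace reports the registry write, the outbound connection and the spawned shell, none of which a document viewer has any business doing. Note that the verdict depends only on observed actions, not on any signature of the file itself, which is the point the post is making.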
At Altaware, we offer all the standard existing infrastructure based solutions, but we also offer solutions for the more discerning and demanding customers that want to go beyond compliance and into the world of true security.