Computerworld - Many security products on the market today detect malicious attacks, but few take action to prevent them. Even more confusing for IT and security professionals is the debate over the best way to detect and prevent hacking activity: signatures or behavioral rules. Each approach has advantages and disadvantages, but by combining the two, enterprises can ensure that servers and data are fully protected.
Best practices dictate that companies adopt a defense-in-depth method of protection, which includes using the best of both technologies. One technology can't take the place of the other: Behavioral rules allow the servers to be protected from new and previously unknown attacks. However, the coverage of behavioral systems is limited, many attacks aren't covered, and the system generates many more false positives. For full forensics capability, the signature is critical in identifying attacks, so security managers can know what sort of attack is being directed at their systems.
Here are the pros and cons of both technologies and an argument for why combining the two provides the best protection.
Behavioral-based methodologies
There is a lot of hype around behavior-only technologies. In a behavioral model, the focus is on user or application behavior and not on a specific attack pattern. The goal is to distinguish between malicious and nonmalicious behaviors. The promise of such systems is great: Theoretically, this type of solution can deal with all attacks, both known and unknown. Moreover, it promises to free the user from having to keep the system updated, since there is no use of attack signatures.
A behavioral solution either defines the "good" behavior and flags any other behavior as malicious or, alternatively, defines what the "bad" behaviors are and regards all the rest as nonmalicious. In both cases, the challenge of distinguishing between good and bad behaviors is significant and more difficult than in the case of attack-signature systems. As a result, the system is less accurate, leading to an increased rate of false positives.
Yet another obstacle faced by pure behavioral systems is limited security coverage. There are many cases in which it is extremely difficult to detect malicious behavior. As an example, let's consider directory traversal attacks against Web servers.
The most straightforward directory traversal attack is to send a URL with combinations of the characters ../, which could allow the attacker to access files outside the virtual tree or files within the virtual tree for which access is otherwise prevented. Vendors have prevented these simple attacks by providing patches, but malicious hackers using coding tricks (such as
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
