With the proliferation of web threats, reactive security technologies do not provide companies enough protection. Malware comes streaming through firewalls and other defenses like a sieve. A layered defense using both pro-active, behavior-based security technologies along with traditional, signature-based security technologies is currently the best protection.
The universal availability of the virtual world, the Internet, and the huge commercial opportunities it offers, have made it an attractive target for criminal elements and organized crime. Moreover, locally-enforced laws and regulations have not advanced to the point where they can address malicious/criminal behavior on the Web, which is a global/universal entity. As a result, the Web is now in its golden age of criminal invention.
These criminals act quickly and smartly to collect assets of any kind to promote their own business interests. It is no secret that the Web has already been called the world’s largest crime scene.
Reactive vs. Proactive Security
Security professionals subscribe to two basic security approaches when it comes to securing corporate users from malicious content arriving from the Web: reactive and proactive.
Reactive security relates to systems and methods that either 1) allow everything to pass and block only what is known to be malicious (negative), or 2) block all network traffic and allow only what is known to be non-malicious (positive).
Proactive security, on the other hand, relates to systems and methods that inspect content for suspicious computer operations, function calls or commands (negative information). Using these findings and some smart algorithms, proactive security methods build the expected execution model of the content, looking for dangerous execution paths that might compromise the end-user machine.
Anti-virus, URL filtering and intrusion detection systems are a few examples of popular reactive-negative solutions that are well accepted in the market. Anti-virus uses known signatures, i.e., negative patterns, to identify malicious content. As long as no signature is found in a given file, the file is considered safe. Because the signature is created only after the malicious content has been released or the exploit has been written, the anti-virus approach is known as reactive-negative.
URL filtering solutions work in the same manner: they hold a list of Web addresses (negative patterns) that are known to be malicious. As long as the requested URL is not on the list, users can access the site.
Network firewalls are an example of the opposite approach, i.e., reactive-positive. The firewall is designed to block all traffic by default. Only traffic or protocols that were explicitly defined as trusted content, i.e., positive patterns, are allowed to enter the trusted network. All other traffic is blocked. Given its reactive-positive approach, unknown traffic is blocked by default without content inspection.
Each of the above methods, reactive-negative and reactive-positive, has a specific domain in which it is most effective: reactive-negative works best with known and static content, while reactive-positive works best when protocol specifications are known (e.g., an RFC) or with known content schemas (e.g., XML).
The Need for Proactive Security on the Web
Reactive security methods are here to stay. The benefits of using these reactive methods cannot be ignored. However, reactive methods alone do not make the Web safe for browsing. Reactive methods are unable to deal with the dynamic and rich content offered on the Web. New viruses, for which a signature has yet to be created, or a newly established spyware or phishing site, can only be detected by reactive anti-virus or URL filtering solutions after the initial attacks have been reported.
For these reasons, security professionals have developed proactive systems and technologies, based on behavior analysis rather than signatures or databases, in order to detect malicious or inappropriate web content.
Proactive-negative is now the most popular and accepted security method for protecting end-users from the unknown and dynamic content found on the Web. Behavior-based monitoring and blocking are the most common and effective technologies using this security approach.
The proactive-negative security approach can be used for either static or dynamic inspection. Static inspection, usually performed on gateways, scans the requested content for suspicious computer operations, function calls or commands. Based on an analysis of the content, the expected execution model is built, looking for dangerous execution paths that might compromise the end-user machine.
The example below illustrates common proactive-negative security using static inspection:
Dynamic inspection is usually performed by agents installed on end-user machines. It intercepts the operating system calls made by an executable and compares them with a security policy to determine whether the behavior is malicious.
The example below illustrates common proactive-negative security using dynamic inspection:
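An added example, not from the original article: a small Python monitor that intercepts calls the way a dynamic-inspection agent does, consulting a policy before each real OS call runs and recording what was allowed or denied. The policy rules, the OpenConnection stand-in and the scratch-directory restriction are assumptions made for illustration; the point they show is that both checks depend on facts (the actual path argument, an earlier connection in the same process) that only exist at run time.

```python
import contextlib
import os
import tempfile

SCRATCH = os.path.realpath(tempfile.gettempdir())
def example_policy(name, args, history):
    # Assumed policy: both rules depend on facts known only at run time.
    if name == "DeleteFile":
        if not os.path.realpath(args[0]).startswith(SCRATCH):
            return "delete outside scratch directory"
        if any(n == "OpenConnection" for n, _ in history):
            return "delete after a network connection was opened"
    return None

class Interceptor:
    """Wraps OS-level functions so each call is checked against the policy
    before the real function runs; allowed calls are recorded as history."""
    def __init__(self, policy):
        self.policy, self.history, self.blocked = policy, [], []
    def hook(self, name, func):
        def wrapper(*args, **kwargs):
            reason = self.policy(name, args, self.history)
            if reason:                      # deny before the real call runs
                self.blocked.append(reason)
                raise PermissionError(f"{name}{args}: {reason}")
            self.history.append((name, args))
            return func(*args, **kwargs)
        return wrapper

def open_connection(host):      # constructed stand-in so the demo runs offline
    return f"connected:{host}"

def scratch_file():             # empty file inside SCRATCH for the demo to delete
    with tempfile.NamedTemporaryFile(delete=False) as f:
        return f.name

def run_demo():
    mon = Interceptor(example_policy)
    delete_file = mon.hook("DeleteFile", os.remove)
    connect = mon.hook("OpenConnection", open_connection)
    steps = [(delete_file, scratch_file()),                        # allowed
             (delete_file, os.path.join(os.sep, "etc", "hosts")),  # denied: path
             (connect, "example.invalid"),                         # allowed
             (delete_file, scratch_file())]                        # denied: after connect
    for call, arg in steps:
        with contextlib.suppress(PermissionError):   # a denied call never runs
            call(arg)
    os.remove(steps[-1][1])     # clean up directly, outside the monitor
    return [n for n, _ in mon.history], mon.blocked
```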
The key difference between reactive-negative (e.g., anti-virus) and proactive-negative (e.g., behavior-based monitoring) is that reactive-negative looks for known negative signatures of existing vulnerabilities and exploits, while proactive-negative looks for suspicious computer operations and execution paths that violate an organization’s security policy and might compromise end-user machines.
Here is an example for each method:
Reactive-negative – scan content for virus or exploit patterns like “00 A0 FF FF” or “I Love You,” indicating known malicious content that should be blocked.
Proactive-negative – scan content for computer operations or function calls like DeleteFile, CreateObject or OpenConnection that, on a given execution path, might compromise a machine.
Unlike the reactive security approach, where a vulnerability or exploit must be in the wild and reach the security vendor’s lab before a signature can be created, in the proactive security approach identified execution paths that violate a security policy are sufficient to block the malicious content from executing on the end-user machine.
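An added example, not the article’s own code, that contrasts the two methods above and stands in for the static-inspection illustration in Python: the reactive-negative scan looks only for the signature strings quoted in the text, while the proactive-negative static inspection extracts the suspicious calls named above, treats their ordered sequence as a crude execution model, and checks it against an assumed policy that forbids an OpenConnection followed by a DeleteFile. The sample script and the forbidden-path policy are constructed for illustration.

```python
import re

# Constructed sample content (not real malware): a script-like snippet that
# opens a connection and then deletes a file on one branch.
SAMPLE = '''
Set fso = CreateObject("Scripting.FileSystemObject")
If Hour(Now) > 18 Then
    Set conn = OpenConnection("http://example.invalid/update")
    fso.DeleteFile "C:/temp/report.txt"
End If
'''

# Reactive-negative: the known-bad patterns quoted in the text.
SIGNATURES = ["00 A0 FF FF", "I Love You"]

# Proactive-negative: the operations the text names as suspicious, plus the
# ordered combinations (execution paths) that the assumed policy forbids.
SUSPICIOUS_OPS = {"CreateObject", "DeleteFile", "OpenConnection"}
FORBIDDEN_PATHS = [("OpenConnection", "DeleteFile")]   # fetch, then destroy
CALL_RE = re.compile(r'\b(' + '|'.join(sorted(SUSPICIOUS_OPS)) + r')\b\s*[("]')

def reactive_scan(content):
    """Signature match only: returns the known-bad patterns found in content."""
    return [sig for sig in SIGNATURES if sig in content]

def extract_ops(content):
    """Static inspection, step 1: suspicious calls in source order."""
    return CALL_RE.findall(content)

def is_subsequence(path, ops):
    """True if every step of path occurs in ops in that order (gaps allowed)."""
    it = iter(ops)
    return all(step in it for step in path)

def proactive_scan(content):
    """Static inspection, step 2: treat the call sequence as the expected
    execution model and flag every forbidden path it contains."""
    ops = extract_ops(content)
    violations = [p for p in FORBIDDEN_PATHS if is_subsequence(p, ops)]
    return {"operations": ops, "violations": violations}

if __name__ == "__main__":
    print("reactive :", reactive_scan(SAMPLE))   # no signature matches
    print("proactive:", proactive_scan(SAMPLE))  # flags OpenConnection -> DeleteFile
```

The signature scan passes the sample because nothing in it is a known pattern, while the static inspection blocks it on the path alone.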
It is the proactive-negative, behavior-based approach that enables us to make the Web safe for use. Behavior-based security is a proactive approach that works best with unknown, dynamic and rich content, complementing the major weaknesses of the traditional reactive security approach.
Proactive-positive is an emerging security approach that is not yet ready for prime time. In this approach, the security system modifies the content and forces it to use specific harmless computer operations and function calls; this is not sandboxing. Without knowing the exact execution path of the content and without any signature indicating whether the content is malicious, the proactive-positive approach places the unknown content in a “restricted environment” for execution. The term “behavior enforcement” was coined to describe this approach.
Unlike traditional sandboxing technology, where an executable’s APIs are replaced with “dummies” or “adaptors” for data inspection, behavior enforcement technologies change execution paths and content while maintaining the normal execution of the content.
The diagram below visually shows the different security approaches discussed above: