ALCiT

Long Live Behaviour Monitoring - (Why) Signature Scanning is Dead

Written by ALCiT Team | Apr 6, 2021 11:30:00 AM

Between the mass of security products and methods available these days, what should you pick when it comes to IT security? Of course, all products will carry benefits, but getting 360° protection is difficult and you need to make wise investments that guarantees value for money. 

On this topic there’s a running debate about signature scanning vs behaviour monitoring. Although both carry value, let’s show you why behaviour monitoring is fast becoming a crowd favorite; and what you should implement in your network.  

 

Signature Scanning 

Defined 

Signature scanning is also called signature-based security. It uses a static type of analysis and will detect malware by the signature hidden in its code. The code is identified as being malicious after the software compares code to an existing database of known threats.  

 

Advantages and Limitations 

This is an effective method against known threats and it’s helpful that this is a fast process of identifying threats. It’s a simple system that can form part of other security tools such as a next-gen firewall. Thanks to existing databases of known viruses, you can easily have base level security in place.  

 

Unfortunately, signature scanning only works for protection against the threats the industry already knows about. Your database must also be up to date and include information about the particular threat in order to pick up on the threat. 

 

If an attack uses an entirely new threat—called zero-day threats—the system has no way of knowing it’s potentially harmful. This is how certain attacks infiltrated systems in recent years, even though advanced signature scanning was in place.   

 

In addition, new attack methods exist that enables a threat to change its code if it detects signature scanning is being done. This change means it won’t be detected or blocked.  

 

Behaviour Monitoring 

Defined 

A more effective method—dynamic analysis—of identifying a threat is to look at its behaviour. Behaviours that will alert behaviour monitoring software includes: 

  • An attempt to discover a sandbox 
  • Trying to disable a security feature 
  • Unknown software downloads and installations 
  • If it attempts to shut down any system service 
  • Trying to delete, alter or add system files 
  • User account modifications 
  • Wanting to connect with malicious sites 

 

This monitoring software will analyze each line of code in order to determine all it’s capable of. This provides insight into whether it’s designed to cause harm to the system.  

 

The software can even open a threat in a neutral place called a sandbox. How it reacts when opened provides information on how it will impact the network it’s trying to access.  

 

It’s important that these products aren’t too rigid, since each system is unique and different behaviours will be harmful in different networks. For this reason, in most cases this software is flexible. The type of code it identifies as harmful will be determined by a security provider who sets up rules for the software to follow.   

 

Advantages and Limitations 

In an environment where threats evolve quickly, a behaviour-based security system provides more peace of mind that malicious software can be identified. There’s no need to update a database and rely on such a library, so more threats that come your way can be blocked, even if it’s new.  

 

You can imagine this dynamic analysis takes some time to complete, so it can cause delays. Also, new, more advanced threats see the light all the time and some can now make it through the security system by tactics such as anticipating sandboxing.  

 

You also need more hardware for this security feature, which means more expenses.  

 

A practical challenge is the ability to clearly define incorrect behaviour. If not done correctly when setting up rules, this could lead to false positive alerts.  

 

Best Practice: Hybrid Solutions 

It’s clear that in the modern environment, behaviour based security systems provide more peace of mind and in most cases will be more effective. However, no system is 100% secure. Instead of picking one of these approaches, the best option is actually to use both technologies.  

 

Rather than viewing them as separate options, determine how they can work together, complement each other and create an optimal system drawing on both options’ strengths: 

  • You’ll have the resources to identify known threats as well as new ones. 
  • False positives are kept to a minimum thanks to the static—signature based—system.  
  • If malicious coding isn’t picked up by the signature-based system, the dynamic behaviour-based technology will act as backup. 

 

Conclusion 

When there are effective solutions at your disposal, it’s wise to invest in them, rather than take the chance of being vulnerable to attacks like malware. The cost—in terms of time and money—to resolve the consequences of an attack is often much higher than your expenses to implement security products.  

 

But it’s only really valuable if you pick the right options, which these days include behaviour monitoring. 

 

How up to date is your security plan? Talk to Us About Practical Solutions