Unless the vendor is specifically selling security, it tends to be ignored. And there is good reason for this. End-users don't buy products because of their security credentials. We may complain about vulnerabilities, but when was the last time you walked away from a productivity application because its designers paid little attention to security?
This is good news for the bad guys. The hacking community continues to get exponentially more sophisticated and more automated.
And anti-virus vendors often take as long as 60 days to develop signatures for new malware variants, leaving end-users exposed to zero-day attacks for a long time.
Traditional firewalls do what they do well: they block ports and inspect the transport layer of the protocol stack, and they play a crucial role in your overall security posture. But because they scan only packet headers, they do a poor job of stemming more sophisticated attacks that target other layers of the protocol stack.
Since most information-age organizations must keep several network ports open to conduct business over the internet, hackers with new types of malware know that once they bypass the network-layer firewall, they can exploit vulnerable apps. The firewall won't inspect deeply enough to see the attack, and the anti-virus program will need to see the attack infect its user base before it can develop signatures.
Any number of attacks will bypass traditional firewalls. Moreover, traditional firewalls were designed for corporate networks that had few links to the outside world. In this age of service-oriented architecture (SOA) and Web 2.0, more communication is being done on an application-to-application basis. Without protection in place, those apps pose serious risks.
The spike in new types of malware and the need for application-layer inspection add up to one thing: a call for a new security strategy.
Traditional anti-virus software and firewalls focus on what is bad. A better approach is to figure out what is normal and acceptable, rather than scrambling to figure out the nearly infinite ways hackers can exploit application vulnerabilities.
By focusing on good behaviors, even certain acceptable behaviors will raise flags if they are unusual. For instance, outbound email is permitted, but if an email client starts sending out large volumes of messages with attachments, that should trigger an alarm.
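As an added illustration of the acceptable-behavior rule above (example code written for this page, not the author's or Towerwall's), the script below permits outbound mail for every client and flags only a client whose attachment volume exceeds an assumed baseline; the log format, the sample lines and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of outbound mail-gateway log lines for this example (not real data).
SAMPLE_LOG = """\
2024-01-01T09:00:01 client=ws-017 to=partner@example.net attach=0 size=4k
2024-01-01T09:02:10 client=ws-017 to=partner@example.net attach=1 size=120k
2024-01-01T09:03:00 client=ws-042 to=a1@example.org attach=1 size=88k
2024-01-01T09:03:01 client=ws-042 to=a2@example.org attach=1 size=88k
2024-01-01T09:03:01 client=ws-042 to=a3@example.org attach=1 size=88k
2024-01-01T09:03:02 client=ws-042 to=a4@example.org attach=1 size=88k
2024-01-01T09:03:02 client=ws-042 to=a5@example.org attach=1 size=88k
2024-01-01T09:03:03 client=ws-042 to=a6@example.org attach=1 size=88k
2024-01-01T09:05:40 client=ws-101 to=hr@example.com attach=0 size=2k
not a mail line at all
"""

# Assumed log layout: "client=<host> ... attach=<0|1> ..."
LINE_RE = re.compile(r"client=(?P<client>\S+)\s.*?\battach=(?P<attach>[01])\b")

def summarize(log_text):
    """Count, per client, total outbound messages and those carrying an attachment.
    Lines that do not match the expected format are skipped and counted."""
    totals = defaultdict(lambda: {"messages": 0, "with_attachment": 0})
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            skipped += 1
            continue
        stats = totals[m.group("client")]
        stats["messages"] += 1
        if m.group("attach") == "1":
            stats["with_attachment"] += 1
    return dict(totals), skipped

def flag_unusual_senders(log_text, max_attachments=3):
    """Positive model: outbound mail is allowed for every client, so no sender or
    content is blocked. A client is flagged only when its attachment volume
    exceeds the defined baseline (max_attachments, an assumed per-window ceiling)."""
    totals, _ = summarize(log_text)
    return sorted(c for c, s in totals.items() if s["with_attachment"] > max_attachments)

if __name__ == "__main__":
    print(flag_unusual_senders(SAMPLE_LOG))  # ['ws-042']
```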
The truth is that behavior-based protection has been around for years in the form of application (or proxy) firewalls. Why then, haven't they enjoyed greater adoption?
Security always balances convenience against protection, but the early generation of application firewalls impinged on convenience too much to see broad adoption.
The latest generation of application firewalls has overcome the performance barrier and should be considered as a means for protecting against the risks introduced by web applications, SOA and outsourced applications.
The acceptable-behavior approach has also expanded beyond application firewalls to include “anti-malware.” Whereas an application firewall looks at traffic, with an internet focus, anti-malware focuses on the endpoint, controlling program file executions, locking down the registry and policing the operating system.
Ideally, the future will see better application design, so we aren't constantly forced to adopt new security tools to counter the latest hacking techniques. Until then, however, think about changing your security focus.
Defining good behavior is much simpler than trying to figure out the ways hackers will try to exploit you.
Michelle Drolet is CEO of Towerwall, a Boston-area IT security services firm.