The age of heuristics

February 10, 2009
Anton Zajac, CEO, ESET, LLC

The security threats we face today are rapidly increasing in volume and complexity. The lone attacker is now the exception; the majority of attacks are driven by criminal organizations with specialists in many fields. A criminal network may include experts in hacking, coding, encryption, social engineering, money laundering, and even traditional business management. Technology is used to automate attacks that change faster than any manual defense can follow. The tools we use to defend our networks and data need to be much smarter and more adaptable than they historically have been.

In the previous century, an anti-virus scanner could get by with virus signatures: byte patterns matched against samples that had already been seen. Today, heuristic approaches are required to provide anything approaching reasonable protection. A modern scanner evaluates what a program does, or would do if run, in order to estimate the probability of malicious intent, so that a sample nobody has seen before can still be stopped. The trade-off is that a heuristic verdict is a probability rather than a certainty, so its thresholds must be tuned against false positives as carefully as against misses. Heuristics are also required for nearly every other security approach.

The traditional firewall simply blocked or permitted traffic based upon the port being used. Either all traffic was allowed or denied, or specific exceptions were manually added. Port 80 is the port that web browsers use, so almost every firewall permits it outbound. The nature of internet protocols allows any data to be carried through port 80, whether or not it is actually web traffic. In part this is a feature and in part it is a vulnerability to your business: attack tools and other protocols deliberately route their traffic through the port that is always open. A modern firewall must have the ability to inspect the content of traffic passing through the port and, based upon that content, provide blocking and/or alerting.
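The following is an added example, not code from the article or from ESET, of the content-based check described above: it looks at the first bytes a client sends on a TCP/80 flow and decides whether they are a plausible HTTP request or something else hiding behind the web port. The sample flows, the verdict names and the length threshold are constructed for this illustration.

```python
from __future__ import annotations

import re

# An HTTP/1.x request line: method SP request-target SP HTTP-version CRLF.
# Only this first line is needed to tell "web traffic" from "something on port 80".
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.([01])\r\n")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
MAX_TARGET_LEN = 2048  # illustrative threshold; very long targets often carry exfiltrated data


def classify_port80(payload: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for the first client bytes seen on a port-80 flow.

    Verdicts: "allow" (looks like ordinary HTTP), "alert" (HTTP, but unusual),
    "block" (not HTTP at all, i.e. another protocol tunnelled over port 80).
    """
    m = REQUEST_LINE.match(payload)
    if not m:
        # SSH banners, reverse shells, custom C2 framing: none of these start
        # with a request line, so a port-only firewall would never notice them.
        return "block", "not an HTTP request line"

    method, target, minor = m.group(1), m.group(2), m.group(3)
    if method == b"CONNECT":
        return "alert", "CONNECT tunnel requested on port 80"
    if method not in ALLOWED_METHODS:
        return "alert", f"unusual method {method.decode()}"
    if len(target) > MAX_TARGET_LEN:
        return "alert", f"request target of {len(target)} bytes"

    # Headers end at the first blank line; HTTP/1.1 requires a Host header,
    # and real browsers always send one.
    header_block = payload.split(b"\r\n\r\n", 1)[0]
    if minor == b"1" and not re.search(rb"\r\nhost:\s", header_block, re.IGNORECASE):
        return "alert", "HTTP/1.1 request without Host header"
    return "allow", "well-formed HTTP request"


# Constructed sample flows (first packet of each client connection).
SAMPLE_FLOWS = {
    "browser": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0\r\n\r\n"),
    "ssh_on_80": b"SSH-2.0-OpenSSH_5.1\r\n",
    "connect": b"CONNECT 203.0.113.5:443 HTTP/1.1\r\nHost: 203.0.113.5:443\r\n\r\n",
    "no_host": b"GET /x HTTP/1.1\r\nUser-Agent: curl\r\n\r\n",
    "raw_binary": b"\x17\x03\x01\x00\x20" + b"\x8a" * 32,
}


def check_all() -> dict[str, str]:
    """Classify every sample flow and return name -> verdict."""
    return {name: classify_port80(flow)[0] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        verdict, reason = classify_port80(flow)
        print(f"{name:12} {verdict:6} {reason}")
```

A real inspection engine would also follow the server side of the conversation and reassemble the stream, but the essential point is visible here: the decision is made on what the bytes are, not on which port carries them.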

Access control, such as user names and passwords, does not block unauthorized access; it limits access to authorized accounts. It verifies the credential, not the person behind it, so if an authorized account is hijacked then the attacker is granted exactly the access the account has. This serious attack vector has been a critical point of failure in recent breaches of Twitter and Heartland, as well as in the well-known TJ Maxx breach. Because access control is typically applied without any heuristics, exploiting it is far easier than it should be.

Standard layers of defense are not up to the challenge of modern attackers; a smarter approach is required. Basics, such as encryption, firewalls, and antimalware, must be enhanced with sophisticated heuristic approaches. Simply authenticating a username and password is insufficient for granting access to a critical database. Even the use of hardware authentication devices, such as smart cards, in conjunction with standard user authentication is not enough, since a stolen or misused token is still a valid token. Evaluation of context is essential. Does it make sense for this user to be accessing this data at this time of the day? Does it make sense for this user to be accessing data from a specific location? Should this user even have access?
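As an added example (not code from the article or any ESET product) of the contextual evaluation the paragraph calls for, the gate below answers the three questions in order: is the account entitled to the resource at all, and if so, are the time of day, the location and the device consistent with what is known about the user. It also flags "impossible travel", a login from a different country too soon after the previous one. The policy values, the thresholds and the login events are all constructed for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    when: datetime        # local time of the request
    country: str          # assumed to come from geolocation of the source address
    known_device: bool    # assumed to come from a device certificate or cookie


@dataclass
class Policy:
    required_role: dict[str, str]             # resource -> role allowed to touch it
    home_countries: set[str]                  # where this user population normally works
    work_hours: tuple[int, int] = (7, 20)     # [start, end) in local hours
    travel_window: timedelta = timedelta(hours=6)
    step_up_score: int = 1                    # at or above: demand a second factor
    deny_score: int = 3                       # at or above: refuse outright


class ContextualGate:
    """Risk-score a request against policy and the user's accepted history."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.last_accepted: dict[str, tuple[datetime, str]] = {}

    def evaluate(self, req: AccessRequest) -> tuple[str, list[str]]:
        p = self.policy
        # "Should this user even have access?" is a hard check, not a score.
        if p.required_role.get(req.resource) != req.role:
            return "deny", [f"role {req.role} is not entitled to {req.resource}"]

        score, reasons = 0, []
        if not (p.work_hours[0] <= req.when.hour < p.work_hours[1]):
            score += 1
            reasons.append("outside working hours")
        if req.country not in p.home_countries:
            score += 2
            reasons.append(f"request from unexpected country {req.country}")
        if not req.known_device:
            score += 1
            reasons.append("unrecognized device")
        prev = self.last_accepted.get(req.user)
        if prev and prev[1] != req.country and req.when - prev[0] < p.travel_window:
            score += 3
            reasons.append(f"impossible travel: {prev[1]} -> {req.country} "
                           f"in {req.when - prev[0]}")

        if score >= p.deny_score:
            return "deny", reasons
        if score >= p.step_up_score:
            return "step_up", reasons
        # Only contexts we actually accepted feed the next impossible-travel check.
        self.last_accepted[req.user] = (req.when, req.country)
        return "allow", ["context consistent with policy and history"]


# Constructed sample: one DBA over two days, plus an intern trying the same database.
POLICY = Policy(required_role={"customer_db": "dba"}, home_countries={"US", "DE"})
EVENTS = [
    AccessRequest("alice", "dba", "customer_db", datetime(2009, 2, 10, 10, 0), "US", True),
    AccessRequest("alice", "dba", "customer_db", datetime(2009, 2, 10, 11, 0), "DE", True),
    AccessRequest("alice", "dba", "customer_db", datetime(2009, 2, 10, 23, 30), "US", True),
    AccessRequest("alice", "dba", "customer_db", datetime(2009, 2, 11, 3, 0), "RO", False),
    AccessRequest("bob", "intern", "customer_db", datetime(2009, 2, 11, 10, 0), "US", True),
]


def run_sample() -> list[str]:
    """Evaluate EVENTS in order and return the verdict for each."""
    gate = ContextualGate(POLICY)
    return [gate.evaluate(e)[0] for e in EVENTS]


if __name__ == "__main__":
    gate = ContextualGate(POLICY)
    for e in EVENTS:
        verdict, why = gate.evaluate(e)
        print(f"{e.user:6} {e.when:%m-%d %H:%M} {e.country} {verdict:8} {'; '.join(why)}")
```

The second request is refused even though Germany is a normal location for this company, because a valid password and a valid smart card cannot put the same person in two countries an hour apart; that is the kind of judgement no credential check makes on its own.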

Auditing of logs is essential; however, auditing is reactive, since it examines events only after they have happened. What is required today is the real-time evaluation of alerts with the integration of data provided by all defensive technologies. The firewall, the anti-virus, and intrusion prevention and detection software all have meaningful data to contribute to a smart system, and an event that looks minor from any one of them can be decisive when seen alongside the others. The dynamic evaluation of actions and events is precisely the type of heuristic approach that has become required in the security landscape of today.
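The following is an added example, not code from the article or any ESET product, of the real-time integration the paragraph describes: a correlator that consumes events from the firewall, the anti-virus and the IDS as they arrive, groups them by host within a sliding time window, and raises a composite alert as soon as more than one technology has reported on the same machine. The log format, the field names and the log lines themselves are constructed for this illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed normalized events: "<timestamp> <source> key=value ...".
LOG_LINES = """\
2009-02-10T14:01:02 ids host=ws-117 sig="ET TROJAN Generic Downloader checkin"
2009-02-10T14:01:40 av host=ws-117 event=detected name=Win32/TrojanDownloader action=quarantined
2009-02-10T14:03:15 fw host=ws-117 action=deny dst=198.51.100.23:6667
2009-02-10T14:10:00 fw host=ws-042 action=deny dst=198.51.100.23:6667
2009-02-10T15:30:00 ids host=ws-042 sig="ET SCAN Nmap"
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Split one log line into timestamp, source and key/value fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    return {"ts": datetime.fromisoformat(m.group(1)), "source": m.group(2), **fields}


class Correlator:
    """Alert when >= min_sources distinct technologies report on one host within `window`."""

    def __init__(self, window: timedelta = timedelta(minutes=5), min_sources: int = 2) -> None:
        self.window = window
        self.min_sources = min_sources
        self.recent: dict[str, deque] = defaultdict(deque)   # host -> (ts, source, event)
        self.reported: dict[str, frozenset] = {}             # host -> sources already alerted

    def ingest(self, event: dict) -> dict | None:
        host, now = event["host"], event["ts"]
        q = self.recent[host]
        # Drop anything that has fallen out of the window; events are fed in time order.
        while q and now - q[0][0] > self.window:
            q.popleft()
        q.append((now, event["source"], event))

        sources = frozenset(src for _, src, _ in q)
        # Alert when the set of corroborating technologies is new for this host,
        # so a third source escalates an existing alert instead of repeating it.
        if len(sources) >= self.min_sources and sources != self.reported.get(host):
            self.reported[host] = sources
            return {
                "host": host,
                "sources": set(sources),
                "severity": len(sources),          # more independent witnesses, higher severity
                "first": q[0][0],
                "last": now,
                "events": [e for _, _, e in q],
            }
        return None


def correlate(lines: list[str]) -> list[dict]:
    """Feed log lines through the correlator and return the alerts raised, in order."""
    c = Correlator()
    alerts = []
    for line in lines:
        alert = c.ingest(parse(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(LOG_LINES):
        print(f"{a['last']:%H:%M:%S} {a['host']} severity={a['severity']} "
              f"sources={sorted(a['sources'])}")
```

Individually, an IDS signature, a quarantined file and a denied outbound connection on port 6667 are each routine; seen together on ws-117 within two minutes they describe a compromised host that is trying to reach its controller, and the correlator says so while the machine is still on the network. The firewall deny on ws-042 never gains a second witness inside the window, so it stays a log entry for the auditors rather than an alert.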