One thing we at TruShield are often asked about is the difference between signature detection and behavioral analysis. If you’re a CTO looking to build a structured behavioral analysis program for your user base, this is for you.
Signature detection is the traditional approach used by tools like antivirus software and firewalls: they look for known threats, things that have been seen before. When a virus has been seen before, somebody has written a digital fingerprint (a signature) for it, and the tool can pick it up quickly just by looking for that fingerprint. It’s a very effective methodology for viruses that are known, but it leaves a big gap for what’s unknown. Since new viruses and malware are written every day, businesses that rely on signatures alone are going to miss what are called zero-days: new vulnerabilities or new exploits that do not have a signature yet.
Businesses need some ability to pick up zero-days as well, and that is a very challenging problem to tackle. It relies on what’s called behavioral analysis. The intent behind behavioral analysis is to look for anomalous behaviors: things that have not happened before, or things that are suspicious, which you can pick up by monitoring traffic and activity over time. There are a couple of ways that TruShield looks for abnormal behaviors.
First, TruShield monitors identity and access management very closely, looking for administrative account lockouts or potential privilege escalations. Those are indicators that someone is trying to pull off a brute-force attack, or that an attacker who is already in an environment is trying to escalate their privileges. That’s one aspect of it. Another is that TruShield looks for abnormal network behaviors, like new traffic or new data flows from one segment to another. If our system has monitored an environment for a while and something happens that hasn’t happened before, it will likely be something TruShield is going to want to investigate. TruShield looks for network flows from one network segment to another, new protocols being used, or substantial amounts of data moving from inside to an outside network.
Recently, TruShield’s system observed a very large amount of traffic moving from within an organization’s PCI enclave to the outside. This turned out to be a potential data breach, which we were able to help them stop. Simply being able to pick up that large movement of data from a protected environment to a less trusted environment was very helpful to that customer. You must be looking for that anomalous activity and doing something about it when it happens.
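To make the two kinds of behavioral checks described above concrete, here is a small added example (illustration only, not TruShield’s code or any real product logic). It learns a baseline of which segment-to-segment flows and protocols have been seen, then flags never-seen flows and outbound transfers far above the baseline for that source segment, such as a large export from a PCI enclave. It also flags administrative account lockouts and accounts with many failed logons in a short window. All events, segment names, accounts and thresholds are constructed assumptions for the example.

```python
"""Toy behavioral baseline for identity events and network flows.
Added example for illustration only; it is not TruShield's code, and every
record below is constructed sample data, not real telemetry."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed identity events: (timestamp_minute, account, event)
AUTH_EVENTS = [
    (0, "jdoe", "logon_failed"),
    (1, "jdoe", "logon_ok"),
    (5, "svc_backup", "logon_failed"),
    (5, "svc_backup", "logon_failed"),
    (6, "svc_backup", "logon_failed"),
    (6, "svc_backup", "logon_failed"),
    (7, "svc_backup", "logon_failed"),
    (7, "svc_backup", "logon_failed"),
    (8, "domain_admin", "account_locked"),
]

# Constructed flow records: (src_segment, dst_segment, protocol, bytes_sent)
BASELINE_FLOWS = [
    ("corp-users", "corp-web", "https", 48_000),
    ("corp-users", "corp-web", "https", 52_000),
    ("corp-users", "internet", "https", 120_000),
    ("corp-users", "internet", "https", 95_000),
    ("corp-users", "internet", "https", 110_000),
    ("pci-enclave", "corp-db", "tls-sql", 30_000),
    ("pci-enclave", "corp-db", "tls-sql", 28_000),
    ("pci-enclave", "internet", "https", 4_000),  # small update check-ins
    ("pci-enclave", "internet", "https", 5_000),
    ("pci-enclave", "internet", "https", 4_500),
]
NEW_FLOWS = [
    ("corp-users", "internet", "https", 101_000),         # ordinary browsing
    ("pci-enclave", "internet", "https", 2_500_000_000),  # 2.5 GB leaving the enclave
    ("pci-enclave", "corp-users", "smb", 12_000),         # never-seen path and protocol
]

EXTERNAL = {"internet"}            # destinations treated as "outside"
ADMIN_ACCOUNTS = {"domain_admin"}  # assumed list of administrative accounts


def identity_alerts(events, window_min=10, fail_threshold=5):
    """Flag admin lockouts and accounts with many failed logons in a window."""
    alerts = []
    fails = defaultdict(list)
    for ts, account, event in events:
        if event == "account_locked" and account in ADMIN_ACCOUNTS:
            alerts.append(f"admin-lockout: {account} at minute {ts}")
        if event == "logon_failed":
            fails[account].append(ts)
    for account, times in fails.items():
        times.sort()
        # count failures in each window that starts at a failure
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start < window_min)
            if n >= fail_threshold:
                alerts.append(f"brute-force?: {account} had {n} failures in {window_min} min")
                break
    return alerts


def build_baseline(flows):
    """Learn known (src, dst, proto) triples and per-segment egress sizes."""
    known = set()
    egress = defaultdict(list)
    for src, dst, proto, nbytes in flows:
        known.add((src, dst, proto))
        if dst in EXTERNAL:
            egress[src].append(nbytes)
    return known, egress


def flow_alerts(flows, known, egress, z_threshold=3.0):
    """Flag never-seen flows and outbound transfers far above the baseline."""
    alerts = []
    for src, dst, proto, nbytes in flows:
        if (src, dst, proto) not in known:
            alerts.append(f"new-flow: {src}->{dst} over {proto}")
        if dst in EXTERNAL and egress.get(src):
            hist = egress[src]
            mu, sigma = mean(hist), pstdev(hist)
            # with a perfectly flat history, anything above the mean is notable
            z = (nbytes - mu) / sigma if sigma > 0 else (float("inf") if nbytes > mu else 0.0)
            if z > z_threshold:
                alerts.append(f"large-egress: {src}->{dst} {nbytes} bytes (z={z:.1f})")
    return alerts


if __name__ == "__main__":
    for line in identity_alerts(AUTH_EVENTS):
        print(line)
    known, egress = build_baseline(BASELINE_FLOWS)
    for line in flow_alerts(NEW_FLOWS, known, egress):
        print(line)
```

Run as-is, it reports the administrative lockout, the six rapid failures for the service account, the 2.5 GB transfer out of the enclave and the never-seen SMB flow, while the ordinary browsing flow stays quiet. The z-score over a three-sample history is deliberately crude; a production baseline would use a much longer window and separate thresholds per segment, but the shape of the check (learn what is normal, alert on what is new or far outside it) is the point.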
It’s something that any MSSP certainly should be doing, and it’s one thing that TruShield does extremely well.