Anomaly Detection Emerges as a New Approach to Threat Management

Many different security technologies are built on the premise of recognizing potentially malicious activity and stopping it before it can do harm. How they recognize these activities, though, is what separates detection from false alarms and security from catastrophe.

The most common form of recognition is signature or “fingerprint” matching. Whether we are talking about anti-virus software or intrusion detection, the idea of matching packets against a database of known malicious attacks is the backbone of many security products and services. Properly managed, signature-based intrusion detection continues to be an excellent approach to detecting threats so you can respond to them quickly, and to gaining insight into the real security challenges affecting your infrastructure.

Of course, signature-based matching has its drawbacks. First, capturing traffic, analyzing it, matching it against a signature and then trying to block or stop it can introduce latency. Perhaps even more important is that in order to match malicious activity, you first have to have a signature of it to match against. This means you must already have seen this type of attack or virus before and classified it as malicious. In an age where new attacks are unleashed by the hundreds every day, signature-based detection alone has become less and less effective. Zero-day attacks are, by definition, new attacks for which no signature exists.

Luckily, the security industry has developed other means of recognizing malicious activity besides signature or fingerprint matching. One promising technology is anomaly detection, which has made terrific strides over the past few years as a way to recognize that something unusual is taking place in your environment. If something doesn’t fit the normal patterns, it is an anomaly and it needs to be investigated. That sounds easy, but in fact it is not.
A tremendous level of expertise, experience and intelligence goes into building a system that will recognize an anomaly as such. There are patterns to identify a normal baseline and detect deviations from it in complex network traffic – a statistician’s dream. And often what you don’t see is as significant as what you do.

Some security experts think that today signature-based detection by itself is virtually useless: you just can’t identify and update your signatures often enough. This is a simplistic view; signature-based detection is an efficient way to identify malicious activity, especially with the addition of sophisticated multi-factor correlation to screen out false positives. However, all technologies have inherent limitations, and anomaly detection promises to add another method of detection that doesn’t depend on signature updates.

Early on, anomaly detection was subject to lots of false positives and, even worse, false negatives. Over time, however, refinement has made anomaly detection more and more efficient at spotting malicious activity. Today’s advanced anomaly detection is a very effective tool for identifying malware and malicious activity. However, anomaly detection isn’t a silver bullet or a “set and forget” solution! It also needs to be managed and updated to keep understanding what normal is, because “normal” changes over time.

At Alert Logic we don’t think there is any single technology that meets all security needs, or that jumping to the latest interesting new approach is the right answer. We’ve taken a multilayered approach: signature-based intrusion detection with sophisticated correlation based on a global view of threat data with Threat Manager, positive security for web applications that learns to identify proper user behavior with the Web Security Manager WAF, vulnerability scanning services, log management to identify suspicious behavior throughout your network, and now, managed anomaly detection in our ActiveWatch Premier service.
And we are always looking at new technologies to add to the mix.
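The contrast drawn above (a signature can only match what has already been seen, while a baseline-and-deviation detector can notice a novel burst or a suspicious drop, and that baseline goes stale unless it is kept current) is small enough to show in working code. The following Python is an added illustration written for this post; it is not Alert Logic code and does not reflect how Threat Manager or ActiveWatch Premier work internally. The signature bytes, request payloads, per-minute connection counts and function names (`signature_match`, `build_baseline`, `detect_static`, `detect_rolling`) are all constructed for the example.

```python
"""Signature matching beside a statistical anomaly detector, on constructed data.

Added example for this post, not vendor code. Shows (1) a novel payload slipping
past a signature database, (2) a fixed baseline flagging traffic that has merely
drifted, and (3) a rolling baseline that follows drift but still catches a spike
and a drop, without letting flagged intervals poison its notion of normal.
"""
import statistics
from dataclasses import dataclass

# Constructed "signature database": byte patterns from previously classified
# malicious traffic. Names and patterns are invented for the example.
SIGNATURES = {
    "known-exploit-A": b"\x90\x90\x90\x90/bin/sh",
    "known-scanner-B": b"GET /phpmyadmin/",
}

# Constructed payloads: benign, a known scanner, and a never-seen-before request.
PAYLOADS = [
    b"GET /index.html HTTP/1.1",
    b"GET /phpmyadmin/ HTTP/1.1",
    b'POST /api HTTP/1.1\r\n\r\n{"q": "never-seen-before"}',
]


def signature_match(payload: bytes, signatures=SIGNATURES):
    """Return the name of the first signature contained in payload, else None.

    A payload with no matching signature is simply invisible to this method,
    which is exactly the zero-day problem described in the post."""
    for name, pattern in signatures.items():
        if pattern in payload:
            return name
    return None


@dataclass
class Baseline:
    mean: float
    stdev: float


def build_baseline(samples):
    """Fit a mean/standard-deviation baseline to a window of per-interval counts
    observed while the network was behaving normally."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate spread")
    return Baseline(statistics.fmean(samples), statistics.pstdev(samples))


def z_score(value, baseline):
    """Distance from the baseline mean in standard deviations.
    A flat baseline (stdev 0) would divide by zero; treat any change from a
    constant series as infinitely surprising instead."""
    if baseline.stdev == 0:
        return 0.0 if value == baseline.mean else float("inf")
    return (value - baseline.mean) / baseline.stdev


def is_anomalous(value, baseline, threshold=3.0):
    """Flag values far from normal in EITHER direction: a sudden drop in
    expected traffic ('what you don't see') is as interesting as a spike."""
    return abs(z_score(value, baseline)) > threshold


def detect_static(stream, baseline, threshold=3.0):
    """Fixed baseline, never updated: returns indices flagged as anomalous."""
    return [i for i, v in enumerate(stream) if is_anomalous(v, baseline, threshold)]


def detect_rolling(stream, warmup, window=10, threshold=3.0):
    """Rolling baseline re-estimated from the most recent accepted intervals,
    so 'normal' follows gradual change. Flagged intervals are deliberately NOT
    fed back into the history, so a burst cannot teach the detector that
    bursts are normal."""
    history = list(warmup)
    flagged = []
    for i, value in enumerate(stream):
        baseline = build_baseline(history[-window:])
        if is_anomalous(value, baseline, threshold):
            flagged.append(i)
        else:
            history.append(value)
    return flagged


# Constructed per-minute connection counts: a quiet warm-up period around 100,
# then 30 minutes of slow organic growth (101..130), a spike to 400, a normal
# minute at 131, and a drop to 45 (e.g. a service silently knocked offline).
NORMAL = [98, 102, 100, 97, 103, 101, 99, 100, 102, 98]
STREAM = list(range(101, 131)) + [400, 131, 45]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p[:24]!r:32} signature: {signature_match(p)}")
    base = build_baseline(NORMAL)
    print("static baseline flags minutes:", detect_static(STREAM, base))
    print("rolling baseline flags minutes:", detect_rolling(STREAM, NORMAL))
```

Running it shows the novel POST returning no signature, the static detector flagging 28 of the 33 minutes (everything from 106 upward, because its idea of normal is frozen at the warm-up period), and the rolling detector flagging only minute 30 (the spike) and minute 32 (the drop). Two defensive details matter in practice: the detector checks both tails, and it refuses to learn from intervals it has already flagged, since a baseline that absorbs every burst it sees will eventually stop reporting them.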