Monday, May 15, 2006

pro-active vs. reactive technologies and techniques

we've all heard the rhetoric... known virus/malware scanning is reactive rather than pro-active - it's essentially a dead technology... we need pro-active technologies to deal with today's threats... pro-active technologies that look for virus/malware-like behaviour...

if you're like most security lemmings you're probably nodding your head in agreement at this point so i'm going to have to debunk some myths...

is known virus/malware scanning (more generally, blacklisting) reactive? developing known virus/malware scanners is certainly reactive since you have to wait for the virus or malware to actually exist before you can write a routine to identify it - so it's reactive in the scope of developing a technology for global consumption... at the local scope, the end user's machine, the application of a blacklist is a preventative measure - it stops the malware it's able to stop before the malware can activate, before the virus can infect anything, before sensitive data is compromised... that is the very definition of pro-active...

is behavioural virus/malware detection pro-active? developing the technology is certainly pro-active since you can write a routine to detect anything that performs behaviour X before most of the things that actually do perform behaviour X are even written - so it's pro-active in the global scope... at the local scope, however, the application of behavioural monitoring software is reactive by definition - think about it; the malware has to run, it has to become active, it has to try something naughty before the behavioural monitor can do anything... it reacts to bad behaviour from software... it's not prevention if it kicks in after the fact...

let's look at some other technologies... take the application whitelist, the other preventative technology... its development is pro-active since it can address malware before the malware is ever written... its use is also pro-active as it stops the execution of any software that isn't known to be good... maybe this is the real champion of pro-active technologies - but wait: cataloging all good things is even more unmanageable than cataloging all bad things (blacklist) so a vendor supplied whitelist isn't such a great option... that means the real work, deciding what goes on the list and what doesn't, is left to the end user - that's a recipe for failure... oh, don't get me wrong, it's still a valuable tool, and software firewalls (implementing network connection whitelists) have shown us that it can work pretty well, but deciding what to trust and what not to trust (and thus what to add to the whitelist and what not to add) is a problem we already know end users aren't good at so some failures are going to happen...

how about change detection? its development is pro-active too, all malware changes something, so long as your change detector can monitor that particular something for changes you can detect those changes even if they're made by malware that wasn't even thought of when the change detector was developed... unfortunately, in use change detection is reactive - it detects the changes after they have been made... then too, the work of deciding what changes are ok and what changes represent malware activity is largely left up to the end user...
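to make the local-scope argument concrete, here is an added example (my own code, not part of the original post) that puts the three file-based techniques from the last few paragraphs side by side over one constructed set of files: a hash blacklist and a hash whitelist evaluated as a gate before a file would be run, and a change detector that compares a baseline taken earlier against the current state of the directory... the file names, contents and list entries are all made up for the example, and sha-256 stands in for whatever identification method a real scanner would use... the point to watch is where each decision happens: the two gates answer before anything executes, while the change detector can only report once the tampering has already been done...

```python
"""Added example (not from the original post): blacklist gate, whitelist gate
and change detection applied to the same constructed set of files, showing
which checks run before execution and which can only run after the fact."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks (stands in for a scanner's identification routine)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def execution_gate(path, blacklist, whitelist=None):
    """Preventative check made BEFORE a file is allowed to run.

    blacklist: hashes of known-bad files (the sample had to exist to be listed).
    whitelist: hashes of known-good files; None means no whitelist is enforced.
    Returns (verdict, reason).
    """
    digest = sha256_of(path)
    if digest in blacklist:
        return "block", "known bad (blacklist)"
    if whitelist is not None and digest not in whitelist:
        return "block", "not known good (whitelist)"
    return "allow", "passed the gate"


def snapshot(root):
    """Baseline for change detection: {relative path: sha256} for every file under root."""
    baseline = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def diff_snapshots(before, after):
    """Detective check made AFTER the fact: what differs from the baseline."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def run_demo():
    """Constructed scenario (hypothetical files and contents); returns every decision."""
    with tempfile.TemporaryDirectory() as root:
        paths = {name: os.path.join(root, name) for name in ("good.bin", "bad.bin", "new.bin")}
        contents = {
            "good.bin": b"approved program v1",        # on the local whitelist
            "bad.bin": b"known malware sample",        # on the vendor blacklist
            "new.bin": b"never-seen-before program",   # on neither list
        }
        for name, data in contents.items():
            with open(paths[name], "wb") as f:
                f.write(data)

        blacklist = {sha256_of(paths["bad.bin"])}
        whitelist = {sha256_of(paths["good.bin"])}

        # both gates run before anything executes; note the gap blacklist-only leaves for new.bin
        blacklist_only = {n: execution_gate(p, blacklist)[0] for n, p in paths.items()}
        with_whitelist = {n: execution_gate(p, blacklist, whitelist)[0] for n, p in paths.items()}

        # change detection: take the baseline, then let "something" tamper with the tree...
        baseline = snapshot(root)
        with open(paths["good.bin"], "ab") as f:
            f.write(b" [patched]")
        with open(os.path.join(root, "dropped.bin"), "wb") as f:
            f.write(b"payload")
        os.remove(paths["new.bin"])
        # ...and only now can the detector say anything about it
        changes = diff_snapshots(baseline, snapshot(root))

        return {"blacklist_only": blacklist_only, "with_whitelist": with_whitelist, "changes": changes}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

running it shows the blacklist-only gate letting new.bin through (the thing the list never saw), the whitelist gate blocking it, and the change detector listing the patched file, the dropped file and the deleted file only after those changes exist on disk - exactly the split between preventative and reactive that the post is describing at the local scope...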

now, i don't think anyone would argue that prevention isn't the preferred outcome... with prevention there is no clean-up, with prevention there is no lost data, with prevention there are no bank account passwords or credit card numbers to change - the alternatives to prevention are much messier... does prevention happen at the global scope of things? does simply building the technology stop any malware? no, of course not... prevention happens at the end points, at the local scope, where the techniques actually get put to use... it is in that scope where 'pro-active or reactive' should be determined - the conventional wisdom on this matter is entirely backwards...

further, it needs to be realized that the more you can push the difficult task of figuring out what is trustworthy and what isn't back on the developers the better... security works best when decisions are made by informed users so the more relevant information the security software can give them the better, and the vendors are in a much better position to come up with and disseminate that information...

so is known virus/malware scanning really dead? no... in fact it is the cleanest and most cost effective technique that exists for dealing with malware... it does fail, but all preventative measures fail, that's the nature of things... that's why reactive techniques like behaviour monitoring and change detection exist, to help detect when preventative measures fail... the idea that scanning should be scrapped in favour of behaviour based detection systems is entirely wrong-headed; they should be used in conjunction with each other, they complement each other, they constitute defence in depth... all of the above mentioned techniques have their place in a multi-layered anti-virus/anti-malware strategy...
