Signatures Are Dead, Now What?

Written by

The current state of cybersecurity can be thought of as three lines of defense: the network, the endpoint and the application. Network defenses are perimeter-based controls such as firewalls; endpoint defenses protect the devices people carry, such as laptops and other wireless and mobile devices; and then there is the application, which is the heart of businesses today.

Analysts such as Gartner claim that 80% of attacks now target applications, showing how attackers have shifted their focus away from the network. One of Prevoty's retail customers reports more than five million security incidents reaching its applications every month, despite its code reviews and the web application firewall and network firewall it has in place. Why is that?

Networks and endpoints have become commodities. More applications are developed every day, and they are developed without regard to any particular network or endpoint: developers are not designing for a specific device, and applications are increasingly containerized and virtualized. The application runs on the endpoint, and the network merely delivers traffic to the endpoint that runs it. Enterprises wrap their applications in firewalls, but those firewalls give them no visibility into what is going on inside the application.

A second problem is that many of today's defenses rely on pattern matching: regular expressions, signatures, blacklists and virtual patching. Maintaining these carries a high cognitive load and a constant stream of updates, yet a list is out of date the moment it is deployed. Security teams end up tracking different firewalls, different configurations and different rule sets for different properties. Worse, despite all that effort, a fuzzer can trivially generate a variant of a known attack that slips straight past a regular expression.
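To make the fuzzing point concrete, here is an added example that is not code from the article or from Prevoty. It builds a small blocklist in the style of a signature-based WAF rule (three constructed regular expressions, applied after a single URL-decoding pass, as many filters do) and then feeds it the kinds of meaning-preserving rewrites a fuzzer would generate for two constructed SQL injection payloads. The payloads, signatures and mutation names are all assumptions made for this illustration.

```python
import re
import urllib.parse

# A toy signature set in the style of a blocklist-based WAF rule (constructed for this example).
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\s+select\b", re.IGNORECASE)),
    ("tautology", re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE)),
    ("sql-comment", re.compile(r"--")),
]

def signature_blocks(raw: str) -> bool:
    """Emulate a pattern-matching filter: URL-decode once, then try every signature."""
    normalized = urllib.parse.unquote(raw)
    return any(sig.search(normalized) for _, sig in SIGNATURES)

def mutations(payload: str):
    """Yield rewrites a fuzzer would try; each keeps the payload's meaning for a typical SQL engine."""
    yield "original", payload
    yield "mixed-case", payload.swapcase()
    yield "comment-as-space", payload.replace(" ", "/**/")        # MySQL treats /**/ as whitespace
    yield "tab-as-space", payload.replace(" ", "\t")
    yield "url-encoded", urllib.parse.quote(payload, safe="")
    yield "double-url-encoded", urllib.parse.quote(urllib.parse.quote(payload, safe=""), safe="")
    yield "like-for-equals", payload.replace("=", " LIKE ")       # '1' LIKE '1' is also true

def bypasses(payload: str) -> list:
    """Return the names of the mutations the signature filter fails to block."""
    return [name for name, variant in mutations(payload) if not signature_blocks(variant)]

# Constructed attacker payloads (a tautology and a UNION-based extraction).
TAUTOLOGY = "' OR '1'='1"
UNION = "' UNION SELECT username, password FROM users WHERE 'a'='a"

if __name__ == "__main__":
    for payload in (TAUTOLOGY, UNION):
        for name, variant in mutations(payload):
            verdict = "blocked" if signature_blocks(variant) else "BYPASS"
            print(f"{verdict:8} {name:20} {variant}")
```

Running it shows the single-encoded, tab-separated and mixed-case variants being caught, while the comment-as-whitespace, double-encoded and LIKE-for-equals variants go straight through. That is the gap the text describes: every bypass needs yet another signature, and a fuzzer can produce rewrites faster than anyone can maintain the list.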

From a vulnerability management perspective, security teams scan a great deal, so they know where the code base is deficient and where the problems are. But it is hard to turn that knowledge into working vulnerability management and a secure software development lifecycle, and it costs a lot of money. Prevoty's retail customer, for example, shared that fixing a single SQL injection in production cost $40,000, given the number of people and the amount of time involved.

To summarize: signatures are ineffective, dead if you will, yet enterprises have not adopted new measures to protect their applications. This is a problem. The application layer carries the highest level of security risk and vulnerability, according to the Ponemon Institute research report The Increasing Risk to Enterprise Applications, and firewalls are not getting to the root of it.

Most of today's firewalls have to run thousands of patterns to match known attacks, and both false positives and false negatives run high, so it is hard to tell what normal looks like. These traditional methods try to characterize code that is constantly changing. When the thing you are trying to detect is always changing, because the application itself is always changing, the solution is out of date as soon as it is created. What does this mean?

It is time to learn a new security language.

Language-theoretic security (LANGSEC) treats the inputs an application accepts, its data formats and protocol messages, as formal languages: it defines the grammar of valid input and recognizes incoming data with a parser matched to that grammar, so that anything which is not a sentence of the language is rejected before it can be interpreted as code. Because the decision rests on the structure of the input rather than on a list of known-bad patterns, an attack that has never been seen before is still rejected when it does not fit the grammar, and input that does fit is never flagged, which removes the false-positive problem that plagues signatures.
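As an added illustration of the LANGSEC approach (example code written for this page, not Prevoty's product or any part of the article), the following Python recognizes a small, constructed product-filter language with a hand-written recursive-descent parser. The grammar, the field names and the token rules are assumptions made for this example. The parser either accepts a filter and emits a parameterized WHERE clause with the values bound separately, or rejects the input at the first character or token the grammar does not cover; there is no list of bad patterns anywhere in it.

```python
import re

class RejectedInput(ValueError):
    """Raised when the input is not a sentence of the filter grammar."""

# Lexical grammar of a small product-filter language (constructed for this example).
# A character sequence that matches none of these alternatives is not in the language.
TOKEN_RE = re.compile(r"""
    (?P<WS>\s+)
  | (?P<LPAREN>\()
  | (?P<RPAREN>\))
  | (?P<OP>=|<|>)
  | (?P<INT>\d{1,9})
  | (?P<STR>"[^"\\]{0,64}")
  | (?P<WORD>[A-Za-z_]+)
""", re.VERBOSE)

FIELDS = {"name", "price", "qty"}   # the only column names the grammar admits

def tokenize(text):
    """Split text into (kind, lexeme) tokens; reject the first character the grammar does not cover."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise RejectedInput(f"unexpected character {text[pos]!r} at offset {pos}")
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens

class Parser:
    """Recursive-descent recognizer for:
         expr       := term ("OR" term)*
         term       := factor ("AND" factor)*
         factor     := "(" expr ")" | comparison
         comparison := FIELD OP (INT | STR)
    """
    def __init__(self, tokens):
        self.tokens, self.i, self.sql, self.params = tokens, 0, [], []

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, kind, value=None):
        got_kind, got_value = self.peek()
        if got_kind != kind or (value is not None and got_value != value):
            raise RejectedInput(f"expected {value or kind}, got {got_value!r}")
        self.i += 1
        return got_value

    def expr(self):
        self.term()
        while self.peek() == ("WORD", "OR"):
            self.take("WORD", "OR")
            self.sql.append("OR")
            self.term()

    def term(self):
        self.factor()
        while self.peek() == ("WORD", "AND"):
            self.take("WORD", "AND")
            self.sql.append("AND")
            self.factor()

    def factor(self):
        if self.peek()[0] == "LPAREN":
            self.take("LPAREN")
            self.sql.append("(")
            self.expr()
            self.take("RPAREN")
            self.sql.append(")")
        else:
            self.comparison()

    def comparison(self):
        field = self.take("WORD")
        if field not in FIELDS:
            raise RejectedInput(f"unknown field {field!r}")
        op = self.take("OP")
        kind, _ = self.peek()
        if kind == "INT":
            self.params.append(int(self.take("INT")))
        elif kind == "STR":
            self.params.append(self.take("STR")[1:-1])
        else:
            raise RejectedInput(f"expected a value after {field} {op}")
        # The value is bound as a parameter; it never becomes part of the SQL text.
        self.sql.append(f"{field} {op} ?")

def compile_filter(text):
    """Recognize the input and return (parameterized WHERE clause, parameter list)."""
    p = Parser(tokenize(text))
    p.expr()
    if p.i != len(p.tokens):
        raise RejectedInput(f"trailing input {p.tokens[p.i][1]!r}")
    return " ".join(p.sql), p.params

def is_accepted(text):
    try:
        compile_filter(text)
        return True
    except RejectedInput:
        return False

# Constructed inputs: one legitimate filter, then injection attempts a signature list would have to chase.
LEGIT = 'price > 10 AND (name = "widget" OR qty < 5)'
ATTACKS = ["name = 'x' OR '1'='1", "price > 10/**/OR/**/1=1", "price > 10 OR 1 = 1",
           "price > 10 UNION SELECT name FROM users", "(price > 10"]

if __name__ == "__main__":
    print(compile_filter(LEGIT))
    for attack in ATTACKS:
        print("rejected" if not is_accepted(attack) else "ACCEPTED", repr(attack))
```

Note that the quoted value `name = "' OR '1'='1"` is accepted: inside the quotes it is a legitimate string in this grammar, and it is handed to the database as a bound parameter, so it cannot change the query's structure. The other attempts are rejected simply for not being sentences of the language, whether or not anyone has seen them before. The caveat a practitioner should keep in mind is that the guarantee is only as strong as the grammar: letting a field name be any word, or splicing a value into the SQL text instead of binding it, would reintroduce exactly the problem the signatures were chasing.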

With LANGSEC technology able to identify malicious input inside the application instantly and accurately, why risk securing your application solely with perimeter protections?
