I got asked “what is the big trend in security software at the moment”. It seems to me there are several significant threads to the answer, in terms of anti-malware. Dynamic and/or behaviour analysis. Dynamic analysis as implemented in mainstream antimalware is basically an automated version of dynamic analysis is used in computer forensics. In
I got asked “what is the big trend in security software at the moment”.
It seems to me there are several significant threads to the answer, in terms of anti-malware.
- Dynamic and/or behaviour analysis. Dynamic analysis as implemented in mainstream antimalware is basically an automated version of dynamic analysis is used in computer forensics. In general, it’s implemented by running suspect code in a safe environment, to see how it behaves, so it’s sometimes referred to as behaviour analysis. However, strictly speaking, you don’t have to execute code to predict its behaviour, so dynamic analysis and behaviour analysis aren’t quite synonymous. I’ve just drafted a couple of papers related to this topic, so it’s much on my mind: it’s central to a number of initiatives that are about to come out of the Anti-Malware Testing Standards Organization (AMTSO).
- Whitelisting could be said to be a newish spin on an old idea – a sort of cross between reputation services and integrity checking. From time to time, the term Integrity Management has been used to describe something very similar. In very simple terms, it’s the idea that you focus on letting through the things you know you want, and block things that you can’t vouch for, whereas blacklisting means you block what you know is bad (or at least suspicious). In the wider security field, it’s sometimes known as “deny all” – you start by blocking everything and then allow exceptions – or “allow all”: you allow everything initially and then build a list of exceptions that won’t be allowed. It’s good practice, but it’s not always convenient, as Randy Abrams has discussed here before..
- “In-the-cloud” isn’t exactly a definable security trend, though people talk about it as if it is: I see it as the application of distributed processing to more specific technologies. We use a form of it for processing threat data. At least one company is using it primarily to speed up its signature processing, which is a reasonable strategy for a product still focused on that. approach.
Actually, the real story (if there is one) is that mainstream vendors are consolidating a diversity of approaches into single products, which is pretty much what they’ve been doing for decades).
What gives the story interest is that different permutations and implementations work (and may be hyped!) differently.
Director of Malware Intelligence