Exploring the Influence of Finjan's Proactive Content Security
Finjan president explains the inner workings of proactive content security with behavior-based content analysis technology.
Mon, December 09, 2013
CSO — These days, a signature-based approach to anti-virus and anti-malware measures simply isn't good enough. Most companies that develop anti-virus solutions realize that. But this hasn't always been the case, and at some point, somebody had to develop the foundation upon which so many security approaches are based today.
Enter Finjan, the grandfather of proactive content security with behavior-based content analysis technology.
"We realized there had to be a better solution for anti-virus software," said Phil Hartstein, president of Finjan. "The notion at the time was to spend so much time on matching signatures." Aside from the fact that the signature-based approach only defends from what is already known, Hartstein also pointed out how expensive and resource-consuming the process was.
"So we thought, 'Maybe there's a better way,'" he said. "Instead of matching signatures, let's identify the behavior."
There are a couple of factors that play into the proactive content security process itself. First, the software has to be able to identify the threat vector. Suspicious behavior on a non-connected endpoint device limits the types of behaviors one can expect to see. If you're dealing with a web gateway however, you can fully expect a consistent barrage of attacks over that vector.
Hartstein used the example of requesting a file from a specific website. If the user was to encounter a redirect to download the file from another site -- or received a different file type than was initially requested -- they should be suspicious. When the information that is received doesn't match the request, there is cause for a flag.
The other factor that Hartstein brought up is that there are software vulnerabilities that are either known or unknown. If a user knows that there are specific behaviors that are scripted with Java, for example, they can go in, open the file, and scan for the software calls that would identify those behaviors in a process that Hartstein referred to as mobile code replacement.
"If the file came through a gateway, we can flag it, open, and scan it so we can actually know what that function was meant to do before we strip it out, clean it, and send it on its way," said Hartstein.
There will be cases, however, where users may flag a file but don't know exactly what the suspicious scripts are that they are dealing with. "If I can't identify the behaviors, we have a process of running it in the gateway in a sandbox," said Hartstein. "I know it's an executable, but I'm just not sure. So I let it run and see where it tries to deposit."