Security companies like RSA, Netwitness and several others argue that rather than looking to block specific threats, the better approach is to look for the telltale signs of malicious activity that malware is designed to launch. Almost all malware tools cause subtle changes in network traffic and behavior that are fairly easy to distinguish from the regular "good" traffic on a network.
The trick is to be able to effectively determine a baseline of good behavior in a way that makes it possible to filter out suspicious or malicious behavior. So, instead of looking for a Stuxnet or a Zeus or some other specific malware program, the focus should be on understanding what normal behavior is, in order to identify the abnormal or potentially malicious behavior generated by such malware.
Security incident and event management tools and network anomaly detection tools have delivered bits and pieces of this sort of capability for some time. Going forward, the goal is to integrate even more log data and other security event information from multiple sources and to correlate it using risk-based scoring methods, said Jerry Skurla, vice president of marketing at NitroSecurity, a Portsmouth, N.H.-based vendor of security incident and event management tools. "What people underestimated is the amount of data that needs to be looked at," in order to detect and effectively deal with security threats, he said.
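The baselining and risk-based scoring described above, as an added example that is not part of the article or any vendor's product: it learns each host's normal outbound volume and destination fan-out from a day of constructed flow records, then scores new observations by how far they deviate from that host's own baseline, weighting the signals and capping each so one runaway metric cannot dominate. Host names, metric weights, the 3-sigma trigger and the alert threshold are all assumptions chosen for illustration.

```python
import statistics
from collections import defaultdict

# Constructed 24-hour "known good" traffic per host (host, hour, bytes_out, distinct_dsts); made up for this example
BASELINE_FLOWS = (
    [("ws-01", h, 1_000_000 + 50_000 * (h % 3), 12 + (h % 4)) for h in range(24)]
    + [("ws-02", h, 400_000 + 20_000 * (h % 5), 6 + (h % 3)) for h in range(24)]
)
# Today's observations: ws-02 at 10:00 suddenly pushes roughly 20x its usual bytes to roughly 20x as many hosts
TODAY_FLOWS = [
    ("ws-01", 9, 1_050_000, 14),
    ("ws-02", 9, 420_000, 7),
    ("ws-02", 10, 9_800_000, 140),
    ("ws-99", 11, 50_000, 3),   # host never seen during baselining
]
# Risk weights (assumed): fanning out to many new destinations is weighted above raw volume
WEIGHTS = {"bytes_out": 1.0, "distinct_dsts": 2.0}

def build_baseline(flows):
    """Per-host mean and population stdev for each metric; a zero stdev becomes 1.0 to avoid division by zero."""
    per_host = defaultdict(lambda: defaultdict(list))
    for host, _hour, bytes_out, dsts in flows:
        per_host[host]["bytes_out"].append(bytes_out)
        per_host[host]["distinct_dsts"].append(dsts)
    return {host: {m: (statistics.mean(v), statistics.pstdev(v) or 1.0) for m, v in metrics.items()}
            for host, metrics in per_host.items()}

def risk_score(baseline, host, observed, z_cap=10.0):
    """Sum weighted, capped z-scores of metrics more than 3 sigma above the host's own baseline."""
    if host not in baseline:
        return 5.0, ["no baseline for host"]  # unknown host: fixed medium score, needs analyst review
    score, reasons = 0.0, []
    for metric, value in observed.items():
        mean, sd = baseline[host][metric]
        z = (value - mean) / sd
        if z > 3.0:
            score += WEIGHTS[metric] * min(z, z_cap)
            reasons.append(f"{metric} z={z:.1f}")
    return score, reasons

def triage(baseline, flows, threshold=6.0):
    """Return (host, hour, score, reasons) for observations whose risk score crosses the alert threshold."""
    alerts = []
    for host, hour, bytes_out, dsts in flows:
        score, reasons = risk_score(baseline, host, {"bytes_out": bytes_out, "distinct_dsts": dsts})
        if score >= threshold:
            alerts.append((host, hour, round(score, 1), reasons))
    return alerts
```

Running `triage(build_baseline(BASELINE_FLOWS), TODAY_FLOWS)` yields a single alert for ws-02 at hour 10 with both metrics capped, while the never-seen ws-99 gets only the fixed medium score and stays below the threshold.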