Behavior-Based Security Apps Add Extra Layer Of Protection


InformationWeek Staff, Contributor

February 22, 2002


While KaVaDo, Sanctum, and Stratum8 Networks focus on stopping Web-application breaches and data manipulation, there's another growing security segment that focuses on stopping potentially damaging behavior closer to the operating system.

The software is designed to stop attacks that have never been seen before, such as unknown buffer overflows, on components of the operating system such as File Transfer Protocol and Telnet, a terminal-emulation protocol that lets a user log on to a remote device and run a program. The software works by looking at application behavior. Behavior-based systems know what behavior is allowed by an application; when behavior deviates from that, the system stops it. That differs from more conventional approaches, which rely on signatures that match known attack methods and viruses.

There are two such tools that watch applications to keep hackers from wreaking havoc: StormWatch from Okena Inc., and Entercept 2.0 from Entercept Security Technologies. StormWatch is behavior-based, while Entercept uses a hybrid of signatures and behavior blocking.

Behavior-based security software adds an extra layer of protection to application firewalls. It can stop worms that propagate via E-mail and file sharing, something application firewalls can't do, says Pete Lindstrom, director of security strategies for analyst firm Hurwitz Group.

Bill Stevenson, IT manager for New Century Mortgage in Irvine, Calif., has a two-pronged strategy for limiting the mortgage company's exposure to unknown threats. The company never installs beta software on production systems, and it relies on Entercept 2.0 to watch for attackers.

Entercept provides added security by distinguishing between normal network behavior and behavior that needs to be stopped, Stevenson says. If a hacker tries to execute an unknown buffer-overflow attack, "Entercept won't allow it to happen and will page me," he says.

As viruses become more sophisticated, security managers need more than signature-based protection. Despite estimates that companies spent more than $5 billion in 2000 on Internet-security applications, malicious code still cost businesses $13.2 billion worldwide in 2001, according to research firm Computer Economics. Such numbers prove new ways are needed to protect digital assets, and protection might be found in behavior-based security.
