DAVE WATERSON, CTO & Founder, SentryBay
Traditional anti-malware defence relies on signature-based malware detection. This approach has been around for decades and although it originally served the industry well, its effectiveness in providing meaningful security has been steadily declining for two decades now. The approach is severely limiting in today’s threat landscape.
Limitations of Signature Based Anti-Malware
Signature-based malware relies on creating signatures for known malware that has been previously analyzed. New malware is undetected until the signature database is updated. In an environment where cybercriminals are constantly creating new variants that easily bypass signature scanning, severe limitations of the approach are apparent. It is estimated that over 300,000 new malware samples are discovered each day. Security companies that rely on signature scanning struggle to keep their signature database updated this rapidly.
Polymorphic malware uses encryption to change its signature and evade signature-based detection. Polymorphic malware has several options to change the post-encryption signature, such as changing the encryption key or re-ordering the code without altering functionality. Metamorphic malware on the other hand, changes its signature by altering the body of the code. Techniques used include code expansion/contraction, inserting meaningless code, and register changes.
A system which searches for matches of signatures also does not work against fileless malware which uses native tools in the system to execute the attack. Fileless malware is undetectable by signature-based approaches.
Limitations of behavioral-based or heuristic methods of detection
As traditional signature-based malware scanning struggles to keep up with the volume and sophistication of new threats, many antivirus programs have adopted heuristic or behavioral analysis techniques. These approaches work by detecting suspicious behaviors or attributes that suggest malware, rather than matching specific signatures. However, behavioral anti-malware also has significant weaknesses.
One major downside is the potential for false positives. While the goal is accurately identifying malware based on how it acts, there will always be some level of false alarms. Legitimate applications can exhibit suspicious behavior that could get mistaken for malware. This may lead to essential system files, programs, or productivity software being wrongly flagged and quarantined.
Excessive false positives quickly become frustrating and inconvenient for end users. It also places more load on IT support teams having to examine and restore the mistakenly quarantined files. Companies end up wasting resources chasing down false threats. Users who encounter repeated false malware warnings may also be tempted to disable protections, rendering their devices vulnerable.
Attackers are also getting better at masking malware with legitimate behaviors to avoid triggering heuristic scanning. Malware authors study antivirus detection techniques and carefully ensure their code behaves in seemingly normal ways. Advanced adversaries can even weaponize false positives to sabotage operations. By triggering alarms for critical business applications, they cause disruption for their targets.
Overall, while behavioral and heuristic malware scanning delivers some advantages, the trade-offs with false positives and manipulation mean signature-based scans are still necessary, along with all the limitations elaborated above.
Going beyond detection to data-centric security
An increasingly sophisticated threat environment combined with the significant limitations of signature-based and heuristic detection, demands a new approach. SentryBay focus on securing sensitive data rather than detecting malware with solutions designed to protect sensitive corporate and personal data even in environments which are malware infected.
In a remote work environment, the integrity of the endpoint device can no longer be guaranteed. Using techniques such as data masking, endpoint segmentation and isolation, data encryption, data replacement, and prevention of unauthorized encryption, sensitive data can be properly secured in a compromised endpoint environment. These SentryBay techniques are light weight in terms of resource usage and minimize user disruption. Unlike traditional anti-virus scanning, protections focusing on securing sensitive data rather than securing the device do not rely on constant scanning which consumes endpoint resources. This minimizes overhead and avoids operational hindrances for remote workers.
Data-centric security approaches such as the methods listed above are also not attack-specific and do not need to be constantly updated with new attacks to be effective. New, unknown threats are mitigated against just as efficiently as existing, known threats. The protections operate in the background without the need for regular updates.
The threat landscape is shifting – and while malware may slip past perimeter defences, securing sensitive information directly allows organizations to mitigate breaches. As detection rates fall, data-focused endpoint security delivers efficient, failsafe protection where organizations need it most – at the point of attack.
