Key Learning Points
- Understanding the limitations of signature based security approaches
- Walking through live malware samples to understand how malicious behaviors can be identified and observed
- Debating the strengths and limitations of behavioral analysis (aka sandboxing)
- Learning how to effectively implement behavioral analysis in a defense in depth enterprise security model
- Defining behavioral analysis as it is applied to identifying malware
It’s no secret that signature based approaches to security are struggling to keep up with dynamic threats, especially those exploiting 0day vulnerabilities or crafted for targeted attacks. Behavioral Analysis (aka Sandboxing) can be a powerful weapon, as it doesn’t rely on static signatures. Instead, Behavioral Analysis executes binary files in a controlled environment, monitors their behavior and, based on the anomalous behaviors observed, is able to identify malware despite having no previous knowledge of the threat. Anti-virus, for example, fails to identify 0day threats because no rules exist to identify previously unknown attack vectors. Behavioral Analysis does not suffer from this shortcoming, as it focuses on the outcome of the attack as opposed to the exploit itself. That is not to say that Behavioral Analysis is a silver bullet: it cannot play a role in every attack scenario, especially those that do not employ technical exploitation, such as social engineering attacks. It is also an inherently inefficient approach to security given the need to permit file execution, so if not employed within a layered security model and appropriately scaled, Behavioral Analysis can quickly become overwhelmed. In this talk, we will detail what Behavioral Analysis is, walk through real-world malware case studies, debate strengths and weaknesses and provide recommendations on how to effectively deploy Behavioral Analysis in an enterprise setting.
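To make the contrast in the abstract concrete, here is an added Python illustration (not code from the talk or from Zscaler): a hash lookup misses a repacked sample, while scoring a constructed sandbox trace against constructed heuristics still flags it, and a constructed benign installer trace stays under the threshold. The sample bytes, trace events, heuristic weights and threshold are all assumed.

```python
import hashlib
# Constructed signature database: SHA-256 digests of two samples seen before.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"known-sample-A").hexdigest(),
    hashlib.sha256(b"known-sample-B").hexdigest(),
}
def _in_temp(path: str) -> bool:
    return "\\temp\\" in path.lower()

# Constructed behavioral heuristics: (event type, predicate, weight).
# Each stands for an anomaly a sandbox observes after letting the file run.
HEURISTICS = [
    ("file_write", lambda e: e["path"].lower().endswith(".exe") and _in_temp(e["path"]), 2),
    ("registry_set", lambda e: "currentversion\\run" in e["key"].lower(), 3),
    ("process_create", lambda e: _in_temp(e["image"]), 3),
    ("network", lambda e: e["dst_port"] not in (80, 443), 1),
]
MALICIOUS_THRESHOLD = 5  # assumed cut-off, tuned per environment in practice
def signature_verdict(file_bytes: bytes) -> bool:
    """Static check: flags a file only if its digest is already known."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES

def behavior_score(trace: list) -> int:
    """Sum the weights of every heuristic the observed events satisfy."""
    return sum(w for ev in trace for kind, pred, w in HEURISTICS
               if ev["type"] == kind and pred(ev))

def behavior_verdict(trace: list) -> bool:
    """Dynamic check: the verdict depends on what the file did, not what it is."""
    return behavior_score(trace) >= MALICIOUS_THRESHOLD
# Constructed: a repacked variant of sample A, with the trace recorded when it ran.
UNSEEN_SAMPLE = b"known-sample-A" + b"\x00repacked"   # any byte change defeats the hash
UNSEEN_TRACE = [
    {"type": "file_write", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "process_create", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"},
    {"type": "network", "dst_port": 8443},
]
# Constructed: a legitimate installer that also registers a Run key; scores below threshold.
BENIGN_TRACE = [
    {"type": "file_write", "path": "C:\\Program Files\\Vendor\\app.exe"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"type": "network", "dst_port": 443},
]

if __name__ == "__main__":
    print("signature:", signature_verdict(UNSEEN_SAMPLE))  # False: digest never seen
    print("behavior:", behavior_verdict(UNSEEN_TRACE))     # True: score 9 >= 5
    print("benign:", behavior_verdict(BENIGN_TRACE))       # False: score 3
```

The benign trace shows the caveat from the abstract in miniature: behavioral scoring works on outcomes, so its weights and threshold decide the false-positive rate, and the sandbox still had to execute the file to produce the trace at all.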
About Michael Sutton
Michael Sutton is an experienced security executive with a history of delivering pragmatic insight into security issues and developing solutions to address them with leading organizations, including Hewlett-Packard, SPI Dynamics, VeriSign and iDefense.
As Zscaler’s Vice President of Security Research, Sutton leads Zscaler ThreatLabZ, the security research team responsible for researching emerging topics in web security and developing innovative security controls. Sutton earned his MS in Information Systems Technology from George Washington University and his Bachelor of Commerce from the University of Alberta. Sutton is the co-author of “Fuzzing: Brute Force Vulnerability Discovery,” an Addison-Wesley publication.