Demystifying Security: Behavior-Based Security


Traditional antivirus software is no longer enough to protect against today's cyber-attacks. In our hyperconnected world, it only takes one wrong click for an infection to propagate to thousands of machines: the WannaCry outbreak had infected roughly 230,000 machines in 150 countries by the end of its first day.


Traditional security solutions require a sacrificial lamb: someone must suffer a cyber-attack before everyone else can be protected from it. The risks we face now call for zero-day protection, meaning a solution that does not need the attack to have hit someone else first before it can defend your systems. The shadowy groups behind some of the recent ransomware campaigns have even called out the solutions that would have thwarted their attack had those solutions been deployed.


Limitations of signature-based security

Someone must get infected, so others can be saved later.

Signature-based antivirus software constantly scans the files on a computer's filesystem and compares each file's hash, or signature, against a list of known malicious files (trojans, viruses, and so on) called the definitions. Vendors update that list as soon as a new threat is identified and push the update to every computer running their product, so that each machine recognises the threat and can act on it should it appear. Usual actions include blocking the file from executing, quarantining it, or deleting it, in the hope that no damage has already been done to the system.


This is mainly reactive security: it can only protect against threats that are already known. Any such solution is only as good as its definitions are exhaustive and up to date. It also requires customers to keep their own computers updated at all times, which in most cases means being online and connected to the Internet, and that does not come without risk of its own.


Another limitation is the reliance on a file hash: any single change to a file produces a new hash, different from the known ones and therefore unrecognisable to the AV software, while the threat itself is still very much present. More and more malware now uses polymorphic code, camouflaging or disguising itself to remain undetected for as long as possible, long enough to do real damage.
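The two limitations above (one changed byte defeats a hash match, and polymorphic variants multiply faster than definitions) can be shown with a small signature scanner. This is an added example written for this article, not any vendor's product; the payload, family name and XOR re-encoding are constructed stand-ins, not real malware or real definitions.

```python
import hashlib

# Constructed stand-in for a known-malicious file; not a real sample or real hash.
PAYLOAD = b"MZ\x90\x00 fake dropper payload v1"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# "Definitions": the vendor's list of known-bad hashes mapped to a family name.
DEFINITIONS = {sha256(PAYLOAD): "Trojan.Fake.Dropper"}


def scan(data: bytes, definitions=DEFINITIONS):
    """Signature-based check: a hit only if this exact byte sequence has been seen before."""
    return definitions.get(sha256(data))


def polymorphic_variants(payload: bytes, keys=range(1, 6)) -> list:
    """Same payload re-encoded with a different one-byte XOR key each time (key stored
    in the first byte). Behaviourally identical once decoded; byte-for-byte different."""
    return [bytes([k]) + bytes(b ^ k for b in payload) for k in keys]


def decode(variant: bytes) -> bytes:
    """What a decoding stub would do at run time: recover the original payload."""
    key = variant[0]
    return bytes(b ^ key for b in variant[1:])


def detection_rate(samples, definitions=DEFINITIONS) -> float:
    """Fraction of samples the signature scanner recognises."""
    hits = sum(1 for s in samples if scan(s, definitions) is not None)
    return hits / len(samples)


if __name__ == "__main__":
    print("original:", scan(PAYLOAD))                 # recognised
    print("one byte appended:", scan(PAYLOAD + b"\x00"))  # None: hash no longer matches
    variants = polymorphic_variants(PAYLOAD)
    print("variants decode to original:", all(decode(v) == PAYLOAD for v in variants))
    print("detection rate before new definitions:", detection_rate(variants))
    # The vendor must see and hash every single variant before it is caught.
    updated = dict(DEFINITIONS, **{sha256(v): "Trojan.Fake.Dropper" for v in variants})
    print("definitions needed:", len(updated))
    print("detection rate after:", detection_rate(variants, updated))
```

The point of the last lines is the arithmetic of the arms race: five variants of one payload need five more definitions, each of which exists only after someone has already been hit by that variant, while a behaviour-based check would see the same decoded payload doing the same things in every case.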


What is behavior-based security?

Behavior-based threat defense software takes a different approach to today's security challenges.


Instead of relying on a list of known malicious files, the software continuously watches what happens on the system, looking for any change in behavioral pattern that could indicate a threat.


Of course, this requires a great deal of computational power, more than any single computer can supply on its own, and this is where technologies such as Artificial Intelligence (AI), Machine Learning (ML), and Big Data come into play.



What are Artificial Intelligence and Machine Learning?

Although we have all heard about AI for many years now, not least through the movies, there is still some confusion about what it is. To make a long story short, it is the science of building software that can solve problems which had long been considered a strength of humans alone.


Machine Learning (ML) is a branch of Artificial Intelligence (AI) and an important step further. It allows software or a system not only to solve the problems it was explicitly programmed for, but to learn by itself, through continual training and accumulated experience, how to solve new ones.


What is Big Data, and why does the size of the data lake matter?

The more data, the better. Big Data can be summarised as storing and using amounts of data far too large for traditional methods, for later analysis. Predictive threat detection requires a lot of data for behavior-based software to learn from and to recognise patterns in.


Some software vendors, through their other existing products such as Unified Endpoint Management (UEM), have already been collecting analytic data (with consent and anonymised) for several years, which gives them a clear advantage in the cybersecurity marketplace in terms of software maturity.


How does this all come into play?

The software learns how the system "behaves" under normal conditions: which processes run, how they interact with one another, what types of files they access and how, and so on, in order to determine what is normal and what is not. As a result, a whole threat, sometimes a complete attack chain involving multiple processes and files, can be stopped in real time.


This provides protection not only from known threats, as signature-based software does, but more importantly from unknown threats, the zero-day exploits (see our previous article on the subject) that have not yet been detected or categorised.


Behavior-based security detects and acts while the attack is still unfolding, before it reaches its objective. There is no magic here, just pattern recognition through constant learning and analysis.


Most such software ships with a curated list of known suspicious behaviors, but also lets customers configure their own policies, in terms of what is and is not allowed, to suit their own environment.
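The three ingredients described above (a learned baseline of normal process behavior, a curated list of suspicious behaviors, and customer policy exceptions) fit into one small detector. The following is an added illustration written for this article, not the code of any vendor's product: the event format, the process traces and the single curated rule are constructed, and the "model" is a deliberately simple set of observed parent-child pairs and file extensions rather than the ML models real products use.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One endpoint telemetry record (constructed format, not any vendor's schema)."""
    pid: int
    ppid: int
    image: str          # process image name
    action: str         # "spawn", "write" or "exec_cmd"
    target: str = ""    # file path written, or command line executed


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


class BehaviorModel:
    """Baseline of 'normal': which parent spawns which child, and which file
    extensions each image writes. Learned from clean traces, not from definitions."""

    def __init__(self):
        self.parent_child = set()
        self.image_exts = defaultdict(set)

    def learn(self, events):
        images = {}
        for e in events:
            images[e.pid] = e.image
            if e.action == "spawn":
                self.parent_child.add((images.get(e.ppid, "<root>"), e.image))
            elif e.action == "write":
                self.image_exts[e.image].add(_ext(e.target))


# Curated rules shipped with the product (one hypothetical rule here), independent of learning.
CURATED_RULES = [
    ("shadow copy deletion", lambda e: e.action == "exec_cmd"
        and "vssadmin" in e.target.lower() and "delete shadows" in e.target.lower()),
]


def analyze(model, events, policy=None, burst_threshold=5):
    """Return (alerts, chain): alerts as (pid, reason); chain = flagged pids plus everything they spawned."""
    policy = policy or {}
    allowed_spawns = policy.get("allowed_spawns", set())   # customer-defined exceptions
    images, children, unknown_writes, alerts = {}, defaultdict(list), Counter(), []
    for e in events:
        images[e.pid] = e.image
        if e.action == "spawn":
            children[e.ppid].append(e.pid)
            pair = (images.get(e.ppid, "<root>"), e.image)
            if pair not in model.parent_child and pair not in allowed_spawns:
                alerts.append((e.pid, f"unusual process chain {pair[0]} -> {pair[1]}"))
        elif e.action == "write":
            ext = _ext(e.target)
            if ext not in model.image_exts.get(e.image, set()):
                unknown_writes[e.pid] += 1
                if unknown_writes[e.pid] == burst_threshold:   # fire once per process
                    alerts.append((e.pid, f"{e.image} wrote {burst_threshold} files with unfamiliar extension .{ext}"))
        for name, rule in CURATED_RULES:
            if rule(e):
                alerts.append((e.pid, name))
    # The response targets the whole chain: every flagged process and its descendants.
    chain, todo = set(), [pid for pid, _ in alerts]
    while todo:
        pid = todo.pop()
        if pid not in chain:
            chain.add(pid)
            todo.extend(children.get(pid, []))
    return alerts, chain


# Constructed clean trace used to learn the baseline.
BASELINE_TRACE = [
    Event(1, 0, "explorer.exe", "spawn"),
    Event(2, 1, "winword.exe", "spawn"),
    Event(2, 1, "winword.exe", "write", r"C:\Users\alice\Documents\report.docx"),
    Event(3, 1, "chrome.exe", "spawn"),
    Event(3, 1, "chrome.exe", "write", r"C:\Users\alice\Downloads\invoice.pdf"),
    Event(4, 1, "powershell.exe", "spawn"),
    Event(4, 1, "powershell.exe", "write", r"C:\Users\alice\backup.log"),
]

# Constructed attack trace: a document spawns a shell, which drops an encryptor that
# rewrites files under a new extension and then deletes shadow copies.
ATTACK_TRACE = [
    Event(10, 0, "explorer.exe", "spawn"),
    Event(20, 10, "winword.exe", "spawn"),
    Event(21, 20, "powershell.exe", "spawn"),
    Event(22, 21, "enc.exe", "spawn"),
] + [Event(22, 21, "enc.exe", "write", rf"C:\Users\alice\Documents\file{i}.docx.locked") for i in range(6)] + [
    Event(22, 21, "enc.exe", "exec_cmd", "vssadmin delete shadows /all /quiet"),
]


def build_model():
    model = BehaviorModel()
    model.learn(BASELINE_TRACE)
    return model


if __name__ == "__main__":
    alerts, chain = analyze(build_model(), ATTACK_TRACE)
    for pid, reason in alerts:
        print(pid, reason)
    print("terminate chain:", sorted(chain))
```

Nothing in the attack trace is matched against a hash: the encryptor is caught because a word processor does not normally spawn a shell, because a process is writing files under an extension nobody has seen it write before, and because one curated rule recognises the shadow-copy deletion. Passing `policy={"allowed_spawns": {("winword.exe", "powershell.exe")}}` suppresses the first alert and leaves the rest, which is how a customer policy would tune the product to an environment where that chain is legitimate.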


Another great advantage is that, because such software relies far less on definitions than on its capacity to watch for and detect anomalies, it does not need to be updated as often as traditional antivirus, and it can even work offline.



Cyber-attacks on major public and private infrastructure in the US and the rest of the world are costing millions of dollars in damages and ransoms, not to mention damaged reputations and data loss that can hurt a business in the long run. Although these attacks have become more complex and rely on previously unseen zero-day exploits, most of them can be mitigated, if not completely prevented, with proper threat defense software built on predictive security. One security software vendor has even claimed and demonstrated that its solution could have prevented a recent complex attack, even using the 2015 version of the product, and even running offline (for example on an isolated, segmented network). The "magic" of this next generation of security is that you take control by detecting and preventing new threats, rather than waiting for them to happen and doing extensive damage control afterwards.


If you have any questions or concerns about how to improve your security posture or would like assistance in reviewing your available options, please feel free to contact us.


(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group