Signature-based threat detection has been central to cybersecurity from the start. Its history in endpoint and network security, though, shows that the inherent limitations of signatures have repeatedly pushed practitioners and vendors toward behavioral methods.
Signatures go by many names, including ‘rules’ and, loosely, ‘heuristics’. The bottom line is that signature-based detection relies on matching. That could mean matching a known indicator of an attack, such as an IP address, a domain or a file hash, or matching a byte pattern or code fragment lifted from known viruses or malware. Either way, signature-based detection compares current traffic, files or activity against a list of ‘known malicious components.’
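To make the ‘matching’ concrete, here is a small signature scanner run over constructed telemetry. This is an added example, not code from this page or from any vendor it mentions; the indicator list, the ‘known sample’, the byte pattern and the events are all constructed. It carries three signature types (a known-bad IP, a SHA-256 file hash, and a byte pattern lifted from the known sample, i.e. the ‘fragment of a known virus’ that early heuristics matched) and shows what each does against a one-byte polymorphic variant and an obfuscated one:

```python
"""Minimal signature-based detector over constructed telemetry (added example).

Three signature types: a known-bad IP, a SHA-256 hash of a known sample, and a
byte pattern (fragment) taken from that sample. Everything here is constructed.
"""
from __future__ import annotations

import hashlib
import re

# --- Constructed signature database ("known malicious components") ---
KNOWN_SAMPLE = b"MZ\x90\x00stub...cmd.exe /c powershell -enc SQBFAFgA"  # constructed "malware"
BAD_IPS = {"198.51.100.23"}                                             # constructed C2 address (TEST-NET-2)
BAD_SHA256 = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}                 # exact-file signature
# A 'heuristic' signature: a fragment of the known family rather than the whole file.
BAD_PATTERNS = [re.compile(rb"cmd\.exe /c\s+powershell", re.IGNORECASE)]


def match_signatures(event: dict) -> list[str]:
    """Return the signature hits for one telemetry event.

    event keys (all optional): 'dst_ip' (str), 'file_bytes' (bytes).
    """
    hits: list[str] = []
    ip = event.get("dst_ip")
    if ip in BAD_IPS:
        hits.append(f"ip:{ip}")
    data = event.get("file_bytes")
    if data is not None:
        digest = hashlib.sha256(data).hexdigest()
        if digest in BAD_SHA256:
            hits.append(f"hash:{digest[:12]}")
        for pat in BAD_PATTERNS:
            if pat.search(data):
                hits.append(f"pattern:{pat.pattern.decode()}")
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Run every event through the signature set; results keyed by event id."""
    return {e["id"]: match_signatures(e) for e in events}


# Constructed telemetry: the known sample, a one-byte polymorphic variant,
# an obfuscated variant, a connection to the listed C2 address, and a clean event.
EVENTS = [
    {"id": "e1", "file_bytes": KNOWN_SAMPLE},
    {"id": "e2", "file_bytes": KNOWN_SAMPLE.replace(b"stub", b"stuc")},  # hash changes, fragment survives
    {"id": "e3", "file_bytes": b"MZ\x90\x00c^md.exe /c p^owershell -enc SQBFAFgA"},  # caret-obfuscated
    {"id": "e4", "dst_ip": "198.51.100.23"},
    {"id": "e5", "dst_ip": "203.0.113.9", "file_bytes": b"MZ\x90\x00benign installer"},
]

if __name__ == "__main__":
    for eid, hits in scan(EVENTS).items():
        print(eid, hits or "clean")
```

The hash signature fires only on the byte-identical sample (e1). Changing a single byte (e2) defeats it while the fragment pattern still fires, which is exactly the gain heuristics bought; trivial obfuscation of the command line (e3) defeats both. Every such miss has to be answered with a new signature, and that manual cost is the thread the rest of this history follows.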
Have the criteria to shift to behavioral methods been met in cloud security? The history of signature-based detection is a good starting point for the analysis.
Signatures are best known, and perhaps least appreciated, for their role in endpoint security, beginning with the anti-virus products of the 1980s. In 1987, GDATA released an anti-virus for the Atari ST that is widely cited as the first commercial one, the same year McAfee introduced VirusScan; FluShot Plus and Anti4us also appeared that year. Signature matching dominated, but these early products also experimented with heuristics that looked for fragments of known viruses rather than exact matches. Heuristics were prone to false positives, but they offered a way to flag novel variants that a pure signature match would miss.
By the late 1990s, malware had become polymorphic, rewriting its own bytes on each infection so that one signature covered only one variant, and the heuristics tuned to catch those variants produced a surge of false positives. As endpoints such as phones, laptops and printers grew in importance, the Endpoint Protection Platform (EPP) category emerged, bundling encryption, intrusion detection, data loss prevention and anti-virus into one product. To get past the limits of signatures, EPP vendors adopted heuristic models and grouped malware into ‘families’ so that new samples could be detected from fragments shared with existing ones.
The move from EPP to EDR was driven by threats that did not depend on installing software at all. A phishing attachment, for instance, could carry its malicious instructions inside a seemingly benign document and slip past a file signature. In 2013, Gartner’s Anton Chuvakin coined the term ‘EDR’ for the new class of endpoint tools, shortly after CrowdStrike launched its signatureless, cloud-based threat intelligence in 2012. By 2016, CrowdStrike was openly criticizing signature-based methods, pointing to its machine-learning engine’s ability to detect unknown threats without signatures and calling traditional anti-virus products outdated.
With Gartner’s 2017 EDR Magic Quadrant, signature-based detection was officially ‘out’ and behavioral detection was ‘in’. But was signature-based detection still ‘in’ for another category?
Signatures were just as widely used in network security, though the advances in firewalls, IDS and IPS drew less publicity. In 1994, Check Point launched FireWall-1, a major commercial firewall, though not the first. Early firewalls could block traffic by port, protocol and IP address. IDS products, popularized in the 2000s, detected attacks such as SQL injection and cross-site scripting (XSS) in network traffic. An IDS sits out of band and only alerts; an IPS sits inline, in the path of the traffic, and can drop what it decides is malicious.
Early IDS and IPS products, like Snort (1998), relied solely on signatures. An IDS carried thousands of them, each matching an exploit attempt against a known vulnerability, and vendors boasted about the size of their databases. That worked for an IDS because it inspected a copy of the traffic out of band, so a large rule set cost nothing in throughput. An inline IPS, which must decide on every packet before forwarding it, could not afford that, so IPS vendors pruned their sets to signatures covering the most common vulnerabilities. By around 2005, both IDS and IPS had evolved to combine signature-based and behavioral methods.
Behavioral tools overtook signatures in the network with the rise of Next Generation Firewalls (NGFWs), designed for increasingly complex networks by adding application and identity awareness to stateful inspection and integrating IPS. NGFWs took shape in the early 2000s: Gartner coined the term in 2003 and predicted IDS/IPS integration in 2006, and Palo Alto Networks launched its NGFW in 2008. Cisco acquired Sourcefire, the company behind Snort, in 2013 and folded its IDS/IPS into Cisco’s NGFW.
Initially, NGFWs had no answer to advanced malware such as the payload delivered by a spear-phishing attachment in the 2011 RSA breach. FireEye’s network sandboxing, introduced in 2010, detonated suspicious files and watched what they did, and became a key addition to NGFWs against such threats. Over time, NGFWs shifted their emphasis from signatures to advanced IDS/IPS capabilities and behavioral sandboxing.
Sounds familiar at this point, doesn’t it? The NGFW moved to behavior-based detection along with endpoint security. So, is there maybe another category where signatures are still ‘in’? Yes – in cloud security.
Since Amazon Web Services launched in 2006, the IT landscape has shifted dramatically. Today, 60% of data is in the cloud and 45% of breaches are cloud-based. EDR tools and NGFWs have adapted as cloud-native technologies like containers and Kubernetes, valued for the speed and efficiency they bring to feature development, now underpin 95% of new applications.
In this new paradigm, signature-based detection and response is not just an option – it’s the rule. It’s thriving! But what are the criteria for pivoting to behavioral detection? And have those criteria been met?
In the XZ backdoor of 2024, a malicious maintainer spent roughly two years earning trust in the xz-utils project before slipping a backdoor into liblzma that gave the attacker remote code execution through OpenSSH’s sshd on distributions that link it to that library. A signature could have identified the tampered release after the fact, but it could not have prevented the initial compromise, and it could not have verified that the library behaved as expected. The same gap shows up in recent Kubernetes attacks. Given that 85% of CISOs view cloud security as their top challenge, awareness of these threats is indeed acute.
Signature-based methods face several key challenges in runtime security that echo what happened in the endpoint and network categories above:
As environments grow, the effort of writing and maintaining signatures may outweigh their benefit compared with less manual behavioral alternatives.
In short, the answer is yes. Fortinet announced its acquisition of Lacework in June 2024; Lacework was possibly the first cloud security company to venture into behavioral anomaly detection. In its own words, “What if you could observe a cloud environment, its resources, and applications that are running, learning what’s normal and healthy? For example, App A (which was built with OSS dependencies) runs particular processes every day and connects to the same endpoints every day. . .When new anomalous behavior is observed, a behavioral-based threat detection solution will raise an alert and provide full context around why the alert has been generated so a team can investigate.”
But Lacework is no longer alone. In January 2024, RAD Security launched a new standard for cloud-native workload fingerprints, in the form of an open-source catalog. Instead of looking across resources and applications, the behavioral fingerprint focuses on the processes, programs and files of a container at runtime to establish a baseline of what is normal. Most containers run 80% or more of the same processes across versions and environments, so fingerprints can be versioned and tracked over time, or even shifted left into the CI/CD pipeline to cryptographically verify expected behavior before deployment.
Note that these are two very different approaches, though they are both ‘behavioral’ – but the point is, the technology exists!
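As an added example (not Lacework’s or RAD Security’s code), the script below sketches both behavioral approaches just described in one place: it learns a per-workload baseline of processes spawned, files opened and endpoints connected to, hashes the baseline so it can be versioned and verified in CI, measures how much of the baseline survives a new version of the workload, and diffs a later run against it, reporting unseen behavior together with what that actor normally does. The workload name, paths, hosts and events are constructed.

```python
"""Behavioral fingerprint for one container workload (added example).

Learn a baseline of (kind, actor, target) tuples from runtime events, hash it so
it can be versioned and verified, then diff a later run against it. All events,
paths and hosts below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    kind: str    # "exec" (actor spawned target), "open" (actor opened file), "connect" (actor -> host:port)
    actor: str   # executable path of the process that acted
    target: str  # child executable, file path, or host:port

    @property
    def key(self):
        return (self.kind, self.actor, self.target)


@dataclass
class Fingerprint:
    """Baseline for one workload: the set of behaviors observed while learning."""
    workload: str
    observed: set = field(default_factory=set)

    def learn(self, events):
        self.observed.update(e.key for e in events)
        return self

    def digest(self) -> str:
        """Stable SHA-256 over the sorted baseline; this is what you would sign in CI."""
        canon = json.dumps([self.workload, sorted(self.observed)], separators=(",", ":"))
        return hashlib.sha256(canon.encode()).hexdigest()

    def overlap(self, other) -> float:
        """Jaccard overlap between two fingerprints (how much survives a version bump)."""
        union = self.observed | other.observed
        return len(self.observed & other.observed) / len(union) if union else 1.0

    def diff(self, events) -> list:
        """One alert per behavior not in the baseline, with the actor's normal behavior as context."""
        alerts, seen = [], set()
        for e in events:
            if e.key in self.observed or e.key in seen:
                continue
            seen.add(e.key)
            known = sorted(t for k, a, t in self.observed if (k, a) == (e.kind, e.actor))
            alerts.append(f"{self.workload}: new {e.kind} {e.actor} -> {e.target}; "
                          f"baseline {e.kind}s for {e.actor}: {known or 'none'}")
        return alerts


# Constructed runs of a web workload.
BASELINE_RUN = [
    Event("exec", "/usr/sbin/nginx", "/usr/sbin/nginx"),        # master forks workers
    Event("open", "/usr/sbin/nginx", "/etc/nginx/nginx.conf"),
    Event("open", "/usr/sbin/nginx", "/var/log/nginx/access.log"),
    Event("connect", "/usr/sbin/nginx", "app.internal:8080"),
]
# A legitimate new version adds one config file: fingerprint v2, 80% overlap with v1.
V2_RUN = BASELINE_RUN + [Event("open", "/usr/sbin/nginx", "/etc/nginx/conf.d/tls.conf")]
# A compromised run: the same binary (same hash) spawns a shell that calls out.
COMPROMISED_RUN = BASELINE_RUN + [
    Event("exec", "/usr/sbin/nginx", "/bin/sh"),
    Event("connect", "/bin/sh", "198.51.100.23:443"),   # constructed C2 address (TEST-NET-2)
]

FP_V1 = Fingerprint("web").learn(BASELINE_RUN)
FP_V2 = Fingerprint("web").learn(V2_RUN)

if __name__ == "__main__":
    print("v1 digest", FP_V1.digest()[:16], "v2 digest", FP_V2.digest()[:16])
    print(f"v1/v2 overlap: {FP_V1.overlap(FP_V2):.2f}")
    for line in FP_V1.diff(COMPROMISED_RUN):
        print("ALERT", line)
```

Nothing in the compromised run changes the nginx binary, so a hash signature stays silent; the fingerprint flags the shell spawn and the outbound connection because neither appears in the baseline, and the digest gives CI a single value to sign and compare against what the cluster actually observes.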
Based on this analysis, whether teams pivot to behavioral detection and response at large depends on:
Of all the criteria, the attacks are the clearest and the most public . . . and another SolarWinds might just be what it takes to push teams over the edge.