Static Versus Behavioral Cyber Threat Analysis

At the core of every cyber threat protection or prevention solution is an analysis philosophy that forms not only the basis of the intellectual property of a given security vendor, but the very method by which you are betting your organizations safety.  Moving past signature-based solutions, you have a choice of behavior-based or static analysis. Knowing the differences in these analysis techniques will give you a greater understanding of how safe your chosen solution can be for your environment.

Behavioral Analysis Analyzes Patterns

According to an Infosecurity Magazine article titled “Advanced Malware Detection – Signature vs. Behavior analysis”: “Behavior-based malware detection evaluates an object based on its intended actions before it can actually execute that behavior. An object’s behavior, or in some cases its potential behavior, is analyzed for suspicious activities. Attempts to perform actions that are clearly abnormal or unauthorized would indicate the object is malicious, or at least suspicious.” TechTarget also adds that,

“Most behavior-based security programs come with a standard set of policies for which behaviors should be allowed and which should be considered suspicious, but also allow administrators to customize policies and create new policies.

Some products are sophisticated enough to apply machine learning algorithms to data streams so that security analysts don't need to program in rules about what comprises normal behavior.”

We have discussed the pros and cons of this solution in a previous blog here.

Static Analysis Looks At The Code Not The Exploit

Static analysis-based security was established because it’s time for a new approach. What is needed is a deterministic method – one that doesn’t try to guess at the motives, methods or suspicious activities of the attackers. It based on the assumption that any machine code buried within a data object is by nature malicious and shouldn’t be there.

This “non-behavioral” approach helps organizations prevent intrusions before they enter the network. By looking at the code instead of the exploit, this approach can detect both known and unknown malware. It can accurately find any machine instruction buried within a data object no matter how deeply those commands might be obfuscated or hidden. It can see through packing, shellcode encryption and obfuscated content, without prior knowledge of methods.

Static Analysis In Action

Solebit’s SoleGATE uses a static analysis which is faster, more accurate, not OS version dependent and covers 100% of your code, with complete visibility. With SoleGATE, every line of code is evaluated, making Sandbox evasion techniques ineffective. The platform is agnostic to file type, client-side application type, or the client operating system used within the organization. Unlike a Sandbox which has to simulate specific customer environments, SoleGATE provides protection regardless of operating system, CPU architecture, and function (client, server) of the targeted machine.

The addition of Solebit into the Mimecast family gives you a leg up on preventing that one entry into your cyber environment. Further enhancing Mimecast’s cyber resilience platform architecture, Solebit provides powerful threat protection to help customers face today’s broad threat landscape with evasion-aware, signature-less technology. The Solebit solution uses Multi-Tier protection to defend against attacks at different levels of the stack. This comprehensive approach is powerful, as evasion techniques may spread across different layers. The solution protects against advanced malware by using Solebit’s deep inspection that analyzes commands at the CPU level, all the way up to the application level, analyzing macros and embedded JavaScripts in Microsoft office or any other data file types whether on premise or in your public or private clouds.

See for yourself what SoleGATE can do to deliver evasion proof security for your organization today. Register for a free trial today.

 

Recent Posts