Sana's behavioral approach is put in its place
- TAGS:behavioral, endpoint, security
- IT TOPICS:Security, Security Hardware & Software
The long road of Sana Security as a privately held HIPS vendor ended with last week's acquisition. Behavioral approaches give consumers the best chance of thwarting zero-day attacks while they wait for signatures from their endpoint security vendors. AVG, a leading endpoint security vendor specializing in Web threats, will fold Sana's behavioral logic into its product to help protect consumer data. AVG's positioning of the technology as one layer of endpoint security is appropriate, and it may provide much-needed help against new attacks.
I must confess that I was a huge fan of Sana Security, even though Sana had been struggling for some time. In its heyday, the kernel-level Sana agent would monitor the execution path of a program, looking for sudden runtime deviations that indicated the program had branched into malware code. Some automated learning was involved, but the user was not burdened with writing and maintaining rules. It was a clever approach.
There are two large problems with behavioral approaches that Sana could never adequately solve:
- False positives. Endpoints, especially laptops shared between personal and professional use, are notoriously challenging because each one is different and apt to change. Behavioral software that detects a deviation must decide whether the user changed the machine's configuration (say, with a download) or whether it is seeing an attack. Since this is security software, any anomaly is treated as an attack, and the user is left to sort out how to authorize the false positive.
- Effective restoration. This is subtle: some of the attack code has likely already executed before the deviation becomes detectable, so the security software never gets a chance to observe, let alone undo, what that code did. This makes behavioral approaches good at stopping an attack before it completes, but less good at restoring the machine to its prior state.
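The following is an added illustration of the learning-then-block model described above and of both failure modes, not Sana's or AVG's code. It is a toy profile-based detector: during a learning phase it records which consecutive event pairs a program normally produces, then it intercepts each event at runtime and blocks the first one whose pair is outside the profile. The program name, the event vocabulary and all traces are constructed for the example. The attack trace is built so that the exploited step (a hijacked render) is followed by a payload action that looks exactly like a normal lazy page load, so the detector only fires at the second payload step; the "updated reader" trace shows a legitimate behavior change being blocked until the user authorizes it.

```python
"""Toy profile-based behavioral detector in the style of a HIPS agent.
Added example, not Sana's or AVG's code; every trace below is constructed."""
from collections import defaultdict, namedtuple

N = 2  # length of the event n-gram the detector keys on

# action: "blocked" or "allowed"; executed: events that already ran before
# the block; blocked_event: the intercepted event; gram: the unknown n-gram
Verdict = namedtuple("Verdict", "action executed blocked_event gram")


def ngrams(events, n=N):
    """All length-n windows over an event list, as a set of tuples."""
    return {tuple(events[i:i + n]) for i in range(len(events) - n + 1)}


class BehavioralProfile:
    """Per-program n-grams seen during automated learning, plus deviations
    the user explicitly authorized after sorting out a false positive."""

    def __init__(self):
        self.baseline = defaultdict(set)
        self.authorized = defaultdict(set)

    def learn(self, program, trace):
        self.baseline[program] |= ngrams(trace)

    def authorize(self, program, trace):
        self.authorized[program] |= ngrams(trace)

    def monitor(self, program, trace):
        """Intercept events in order and block the first one whose n-gram is
        outside the profile. Everything before it has already executed and
        the detector has no way to roll it back."""
        known = self.baseline[program] | self.authorized[program]
        for i in range(len(trace)):
            gram = tuple(trace[max(0, i - N + 1):i + 1])
            if len(gram) == N and gram not in known:
                return Verdict("blocked", trace[:i], trace[i], gram)
        return Verdict("allowed", trace, None, None)


# Constructed learning-phase runs of a hypothetical PDF reader ("pdfreader").
NORMAL_RUNS = [
    ["open_doc", "read_doc", "render", "close_doc"],
    ["open_doc", "read_doc", "render", "print", "close_doc"],
    ["open_doc", "read_doc", "render", "read_doc", "render", "close_doc"],  # lazy page loads
]
# Constructed attack: the render step is hijacked (index 3 onward is payload).
# The payload's first action, reading its second stage out of the document,
# is indistinguishable from a lazy page load; only the drop is anomalous.
ATTACK = ["open_doc", "read_doc", "render", "read_doc",
          "write_file", "exec_shell", "set_autorun"]
EXPLOIT_AT = 3
# Constructed legitimate change: a newer reader version checks for updates.
UPDATED_READER = ["open_doc", "read_doc", "render", "check_update", "close_doc"]


def demo(program="pdfreader"):
    profile = BehavioralProfile()
    for run in NORMAL_RUNS:
        profile.learn(program, run)
    attack = profile.monitor(program, ATTACK)
    false_positive = profile.monitor(program, UPDATED_READER)
    profile.authorize(program, UPDATED_READER)  # user vouches for the change
    after_authorization = profile.monitor(program, UPDATED_READER)
    return {
        "attack": attack,
        # payload steps that ran before the detector could fire
        "payload_steps_already_run": attack.executed[EXPLOIT_AT:],
        "false_positive": false_positive,
        "after_authorization": after_authorization,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the attack blocked at `write_file` with the payload's `read_doc` already executed (the restoration gap), and the updated reader blocked at `check_update` until authorized (the false positive). Note that `authorize` admits every n-gram in the authorized trace, so a careless authorization can also whitelist behavior an attacker could later reuse.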
For now, behavioral technology should be focused on specific problems where the impact of false positives, or of recovering from a partially executed attack, can be minimized. The promise of behavioral approaches was security without signatures, and that is still a great goal. Descriptive, rules-based behavioral approaches already form the foundation of whitelisting techniques; AVG is on a promising trajectory if it can deliver a behavioral anti-theft capability that does not require rigorous administration.