Signature-based threat detection has been a central component of cybersecurity since its inception. However, its history in endpoint and network security reveals that the inherent limitations of signature-based approaches have often led practitioners and vendors to shift toward behavioral approaches.
Signatures have been called by many names, including “heuristics” and “rules.” The bottom line is that signature-based detection relies on matching. This could mean matching part of a known attack, such as an IP address or file. Or it could mean matching a piece of code to a known virus or malware. Signature-based detection attempts to match current traffic, behavior, or activity to a list of “known malicious components.”
Are the criteria for transitioning to behavioral approaches in cloud security met? The history of signature-based detection is a good starting point for analysis.
History of signatures in endpoint detection methods
Perhaps unfairly, signatures are best known (and underappreciated) for their role in endpoint security technology, starting with antivirus in the 1980s. In 1987, GDATA released the first commercial antivirus software for the Atari ST computer, the same year that McAfee introduced VirusScan. Other antivirus solutions released that year included FluShot Plus and Anti4us. While signature-based approaches were the norm, these solutions explored heuristics to detect new threats by comparing fragments of known viruses. Although prone to false positives, heuristics provided a way to identify new viruses, overcoming some of the limitations of signature-based detection.
By the late 1990s, malware had become increasingly polymorphic and sophisticated, overwhelming signature-based systems and driving up the false-positive rate of heuristics. As endpoints such as phones, laptops, and printers became more important, the EPP category emerged, offering comprehensive solutions that included encryption, intrusion detection, data loss prevention, and antivirus. To overcome the limitations of signature-based detection, new EPP providers adopted heuristic models and developed “families” of malware so that new threats could be detected from fragments of existing malware.
The evolution from EPP to EDR was driven by the need to go beyond signature-based detection to address new threats that do not rely on software installations. For example, phishing can bypass signature-based systems by injecting malicious instructions into seemingly innocuous files. In 2013, Gartner introduced the term “EDR” to define new endpoint solutions, coinciding with CrowdStrike’s launch of signature-free cloud-based threat intelligence in 2012. By 2016, CrowdStrike was criticizing signature-based approaches, highlighting the ability of its machine learning engine to detect unknown threats without relying on signatures and denouncing traditional antivirus products as outdated.
With the release of Gartner’s EDR Magic Quadrant in 2017, signature-based detection was officially “out,” and behavioral detection was “in.” But was signature-based detection still “in” for another category?
History of Signatures in Network Security
Signatures were also widely used in network security, although their role in the evolution of firewalls and intrusion detection and prevention systems is less well known. In 1994, Check Point released Firewall-1, a major commercial firewall, although it was not the first. Early firewalls were able to block traffic by port, protocol, and IP address. Intrusion detection systems, which became popular in the 2000s, detected vulnerabilities such as SQL injection and cross-site scripting (XSS) in traditional networks. Intrusion detection systems identify attacks, while intrusion prevention systems, located inline in the traffic path through the firewall, aim to block malicious traffic.
Early IDS and IPS solutions, such as Snort (1998), relied solely on signatures. IDS products used large numbers of signatures to detect vulnerabilities, with vendors boasting of their extensive databases. This worked for IDS because it inspected a copy of traffic past the firewall without impacting throughput. For IPS, which inspected every packet inline, the same approach was impractical. To address this, IPS vendors wrote signatures covering only the most common vulnerabilities. Over time, both IDS and IPS evolved to combine signature-based and behavioral approaches, by around 2005.
Behavioral tools have overtaken signature-based approaches with the advent of next-generation firewalls (NGFWs), designed to handle the increasing complexity of connected networks by integrating situational, application, and identity awareness. NGFWs began to evolve in the early 2000s, with Gartner coining the term in 2003, predicting the convergence of IDS/IPS in 2006, and Palo Alto Networks launching NGFWs in 2008. Cisco acquired IDS/IPS from Sourcefire in 2013 and integrated it into NGFWs.
Initially, next-generation firewalls lacked solutions for advanced malware, such as that used in the 2011 RSA breach. FireEye’s Network Protection feature, introduced in 2010, became an essential addition to next-generation firewalls to address such threats. Over time, next-generation firewalls have shifted their focus from signatures to advanced IDS/IPS capabilities and behavioral protection to better address new threats.
Sounds familiar at this point, doesn’t it? NGFWs have moved to behavior-based detection, just as endpoint security did. So is there another category where signatures still “exist”? Yes – in cloud security.
History of Signatures in Cloud Security
Since the launch of Amazon Web Services in 2006, the IT landscape has changed dramatically. Today, 60% of data resides in the cloud, and 45% of breaches are cloud-based. EDR and NGFW tools have adapted to this change, with cloud-native technologies like containers and Kubernetes now powering 95% of new applications, thanks to their speed and efficiency in feature development.
In this new paradigm, signature-based detection and response is no longer an option—it’s the norm. And it’s booming! But what criteria should we use to move to behavioral detection? And have those criteria been met?
1: Can signatures protect against attacks targeting today's cloud environments?
In the XZ backdoor, a malicious actor spent roughly two years inserting a remote-execution backdoor into an update of a popular open-source package. Signatures may identify such a threat after the fact, but they will not prevent the initial exploit or verify how the program actually behaves. This is a common problem with recent Kubernetes attacks. With 85% of CISOs citing cloud security as their top challenge, awareness of these threats is already high.
2: Is it practical to use signatures in the cloud?
Signature-based approaches face several key challenges in runtime security that mirror issues in other industries:
Library performance: Tools like Falco require large libraries to run, which can slow down productive workloads.
Signature library size: The effectiveness of signature-based models depends on having a comprehensive library, but no library can catch all new threats.
Customization overhead: Generic signatures require extensive maintenance and customization due to the diverse and rapidly evolving cloud environments.
False positives: Generic rules do not match every custom environment, so they generate many false positives and require constant tuning.
Context and efficiency: Extracting metadata from the kernel in some eBPF programs can be inefficient and impact performance.
As environments grow, the effort required for signature-based methods may outweigh their benefits over less manual behavioral alternatives.
3: Is behavioral detection available for cloud and cloud native environments?
In short, the answer is yes. Rapid7 completed its acquisition of Lacework in June 2024, and Lacework may have been the first cloud security company to venture into behavioral anomaly detection. As they put it, “What if you could monitor a cloud environment, its resources, and the applications that are running, and see what is normal and healthy? For example, Application A (built with OSS dependencies) runs certain processes every day and connects to the same endpoints every day. . . . When new anomalous behavior is observed, a behavior-based threat detection solution will raise an alert and provide full context on why the alert was generated so the team can investigate.”
But Lacework is no longer alone. In January 2024, RAD Security released a new standard for fingerprinting cloud-native workloads, in the form of an open-source catalog. Rather than searching across resources and applications, behavioral fingerprinting focuses on container runtime processes, programs, and files, to get a baseline of what’s normal. Most containers run 80% or more of the same processes across versions and environments, so fingerprints can be released and tracked over time, or even moved earlier in the SDLC, into the CI/CD process to validate and cryptographically verify behavior early.
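The two detection styles the article contrasts (matching against a list of “known malicious components” as described at the top of the piece, and fingerprinting what a container normally runs and connects to, as described just above) can be shown side by side on a small constructed event stream. The following is an added example written for this article, not code from Lacework, RAD Security or any catalog mentioned here; the event shape, the image name `web:1.0`, the baseline runs and the signature values (a TEST-NET address and a placeholder hash) are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcEvent:
    """One process-start event from a container runtime sensor (constructed shape)."""
    image: str        # workload image the event came from
    exe: str          # executable path that started
    dst: str = ""     # outbound destination "host:port" it opened, "" if none
    sha256: str = ""  # hash of the executable, "" if not collected


# Signature list: a "known malicious components" list in the article's sense.
# Every value is a constructed placeholder (TEST-NET address, fake hash), not a real IoC.
SIGNATURES = {
    "sha256": {"PLACEHOLDER_KNOWN_BAD_SHA256"},
    "dst": {"203.0.113.7:4444"},
    "exe": {"/tmp/.x/miner"},
}


def signature_hits(events: Iterable[ProcEvent]) -> list[tuple[ProcEvent, str]]:
    """Signature-based detection: flag any event whose field equals a known-bad value."""
    hits = []
    for ev in events:
        for field_name, bad_values in SIGNATURES.items():
            if getattr(ev, field_name) in bad_values:
                hits.append((ev, f"signature:{field_name}"))
    return hits


@dataclass(frozen=True)
class Fingerprint:
    """Baseline of what is normal for one image: its executables and destinations."""
    image: str
    exes: frozenset
    dsts: frozenset


def build_fingerprint(image: str, baseline_runs: Iterable[Iterable[ProcEvent]]) -> Fingerprint:
    """Union of executables and destinations observed across known-good runs of an image."""
    exes, dsts = set(), set()
    for run in baseline_runs:
        for ev in run:
            if ev.image != image:
                continue
            exes.add(ev.exe)
            if ev.dst:
                dsts.add(ev.dst)
    return Fingerprint(image, frozenset(exes), frozenset(dsts))


def drift(fp: Fingerprint, events: Iterable[ProcEvent]) -> list[tuple[ProcEvent, str]]:
    """Behavioural detection: flag events that fall outside the baseline, with a reason."""
    findings = []
    for ev in events:
        if ev.image != fp.image:
            continue
        if ev.exe not in fp.exes:
            findings.append((ev, "behaviour:new-executable"))
        elif ev.dst and ev.dst not in fp.dsts:
            findings.append((ev, "behaviour:new-destination"))
    return findings


def process_overlap(a: Fingerprint, b: Fingerprint) -> float:
    """Jaccard similarity of executable sets, e.g. between two versions of one image."""
    union = a.exes | b.exes
    return len(a.exes & b.exes) / len(union) if union else 1.0


# Constructed sample data: two known-good runs of web:1.0 used to learn the baseline.
BASELINE_RUNS = [
    [ProcEvent("web:1.0", "/usr/bin/node"),
     ProcEvent("web:1.0", "/bin/sh"),
     ProcEvent("web:1.0", "/usr/bin/curl", dst="api.internal:443")],
    [ProcEvent("web:1.0", "/usr/bin/node", dst="db.internal:5432"),
     ProcEvent("web:1.0", "/usr/bin/curl", dst="api.internal:443")],
]

# Constructed suspicious run: one binary the signature list knows about, plus a
# trusted binary reaching a destination never seen in the baseline, which no
# signature covers (the XZ-style case where the trusted program misbehaves).
SUSPECT_RUN = [
    ProcEvent("web:1.0", "/usr/bin/node", dst="db.internal:5432"),
    ProcEvent("web:1.0", "/tmp/.x/miner", dst="203.0.113.7:4444"),
    ProcEvent("web:1.0", "/usr/bin/curl", dst="203.0.113.9:443"),
]


if __name__ == "__main__":
    fp = build_fingerprint("web:1.0", BASELINE_RUNS)
    for ev, reason in signature_hits(SUSPECT_RUN) + drift(fp, SUSPECT_RUN):
        print(f"{reason:26} {ev.exe} -> {ev.dst or '-'}")
```

Run as a script, the signature pass reports only the `/tmp/.x/miner` event (matched twice, on its destination and its path), while the fingerprint pass reports the miner as an unknown executable and also the `curl` event as a known binary talking to an unknown destination. The `process_overlap` helper is what lets a fingerprint be carried across image versions: if two versions share most of their executables, the baseline learned on one is a usable starting point for the other rather than a fresh learning period.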
Note that these are two very different methods, even though they are both “behavioral” – but the point is that the technology is there!
Is a behavioral shift in cloud security imminent?
Based on this analysis, teams' move to behavior detection and response methods at scale depends on:
Other behavioral approaches coming into play – it may take a few approaches before customers can validate the “right” way to detect behavior in the cloud.
Teams’ ability and willingness to understand the true cost of signatures in cloud detection and response – teams will likely continue to use signatures in other areas of their environment; however, as cloud adoption increases, it will quickly become clear that the cloud is not a great place to rely on signatures, due to the scale and velocity of workloads.
Of all the criteria, the attacks are the most obvious and the most public… and another SolarWinds might be just what it takes to push teams over the edge.