Signatures should become cloud security history

It’s becoming evident that the legacy practice of signature-based threat detection needs to be improved for cloud security challenges.

In this Help Net Security video, Jimmy Mesta, CTO at RAD Security, discusses a new proposed standard for creating behavioral fingerprints of open-source image behavior at runtime.

The reasons signature-based threat detection is no longer viable are myriad:

Too many false positives! How many times has your signature-based detection solution flagged your DataDog agent? And when a pod with a potential vulnerability is deployed at scale, you see that vulnerability duplicated across your environment just as often, right?

Stateless alerts: Signatures create stateless alerts. For example, you could be alerted for each successful spawn of a shell in a container. But what if you want to connect that to the namespace in which the event occurred and the identity that was involved? Signature-based technologies generally gather this metadata straight from the kernel, which causes performance issues.

Detect novel attacks: By definition, a signature is written for a known attack, so in the case of a novel attack, the delay for a signature can be days at best or weeks in some cases. But even with the signature, you might be covering only some of the exploit paths or pinpointing the context in which a zero-day can be exploited, so its usefulness is limited until the attack and all its exploits are fully understood and signatures are created to match.