Behavioral analysis and information security
In this interview, Kevin Watkins, Chief Architect at Appthority, talks about the benefits of using behavioral analysis in information security, how behavioral analysis can influence the evolution of security technologies and offers several behavioral analysis strategies.
What are the benefits of using behavioral analysis in information security?
Behavioral analysis brings a much needed revamp to the information security space, following the rather limited capabilities of static and dynamic analysis in the past. Static analysis is notorious for having issues detecting security vulnerabilities when code obfuscation is used, or when code is retrieved at runtime from external sources, such as the network.
That said, static analysis does have the advantage of being fast and inexpensive. When used alone, dynamic analysis has problems with code path coverage, takes much longer than static analysis and can be expensive from a processing perspective. In the past, static and dynamic analysis techniques have been combined to overcome some of the issues that each of the processes have individually.
By leveraging a combination of static and dynamic analysis, researchers can use what they learn from static analysis (method calls, information about the code path, etc.) and feed the information into the dynamic analysis model. This makes dynamic analysis more effective and intelligent, counteracting some of the problems around code-path coverage, sluggish analysis and processing costs. Although the combination of static and dynamic analysis is an upgrade over employing one method or the other, there is still much room for improvement.
Static and dynamic analysis methods can be combined to look for specific risks, like malware, vulnerabilities, or other security concerns. However, once these tests are set up, it is very difficult to make changes to the tests, or alter the direction of them, depending on what the researchers are looking for. In the case of enterprise mobile security for example, companies often want to look for different characteristics of mobile apps to determine if the apps are safe enough to be used in the workplace.
An app that might be defined as safe for an engineering department may be unsafe for the finance team, but static and dynamic analysis alone cannot make this determination quickly enough. It is in cases like this where complementing traditional static and dynamic analysis techniques with innovative behavioral analysis makes a dramatic difference.
Behavioral analysis means using a series of pre-determined tests (as opposed to traditional dynamic analysis, which relies on random-testing by exercising software) to trigger the desired outcome and identify the app or software behaviors behind it. For example, in the app security space, customers might be okay with apps accessing a device’s address book, but at the same time, they might want to ensure that the address book does not leave the device.
Traditional static and dynamic analysis might be enough to determine if an app can access the address book, however, it would require the system to run for an indeterminate amount of time to see if the app ever sends the address book out. This is neither efficient nor very effective. However, using behavioral analysis, researchers can test for the specific behavior in a short amount of time. Another example is a malicious app that triggers a behavior based on the geo-location of the mobile device (for instance, in a foreign country, or at a targeted enterprise/company).
Static and dynamic analysis may find that the app tracks the user’s location and looks for a specific geo-location, but it’s only when behavioral analysis is applied, and the environment is modified using data from static and dynamic analysis, that we can trigger the outcome and identify the malicious behavior outright.
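The two scenarios in this answer (the address book that may be read but must not leave the device, and the behavior that fires only at one geo-location) come down to the same procedure: seed a controlled environment, run a fixed set of tests rather than waiting for the app to misbehave on its own, and judge the observed behaviors against a policy that can differ per department. The harness below is an added illustration of that procedure, not Appthority's code or any real tool; the two "apps", the canary contact, the location list (including the "targeted-corp-hq" value standing in for a string a static pass might have found in a binary) and the department policies are all constructed for the example.

```python
"""Toy behavioral-analysis harness: pre-determined tests run against an app in a
controlled environment, then a per-department policy decides whether the
observed behaviors are acceptable.  Added illustration, not Appthority's code."""
from dataclasses import dataclass, field

# Constructed canary: a contact that exists only in the test environment, so
# seeing it in outbound traffic proves the address book left the device.
CANARY_CONTACT = "canary-0001@example.invalid"

# Locations to exercise.  The third value stands in for a string a static pass
# found hard-coded in the binary (a constructed, hypothetical value).
LOCATIONS = ["home-city", "foreign-country", "targeted-corp-hq"]


@dataclass
class Environment:
    location: str
    contacts: list


@dataclass
class Trace:
    """Observable actions the instrumented app performed during one run."""
    events: list = field(default_factory=list)

    def record(self, kind, **details):
        self.events.append({"kind": kind, **details})


# Two constructed apps standing in for real instrumented binaries.
def contacts_viewer(env, trace):
    """Reads the address book, keeps it on device, sends only a heartbeat."""
    trace.record("read_contacts", count=len(env.contacts))
    trace.record("net_send", host="telemetry.example", payload="heartbeat")


def geo_triggered_app(env, trace):
    """Reads the address book and sends it out only at one location."""
    trace.record("read_location", value=env.location)
    if env.location == "targeted-corp-hq":
        trace.record("read_contacts", count=len(env.contacts))
        trace.record("net_send", host="collector.example",
                     payload=";".join(env.contacts))
    else:
        trace.record("net_send", host="telemetry.example", payload="heartbeat")


def behaviors_in(trace):
    """Map one trace to the named behaviors a policy can talk about."""
    found = set()
    for ev in trace.events:
        if ev["kind"] in ("read_contacts", "read_location"):
            found.add(ev["kind"])
        elif ev["kind"] == "net_send" and CANARY_CONTACT in ev["payload"]:
            found.add("contacts_exfiltrated")
    return found


def observe_behaviors(app, locations=LOCATIONS):
    """Run the pre-determined tests: same app, one environment per location.
    Returns {behavior: set of locations where it was seen}."""
    seen = {}
    for loc in locations:
        env = Environment(location=loc,
                          contacts=[CANARY_CONTACT, "bob@example.invalid"])
        trace = Trace()
        app(env, trace)
        for behavior in behaviors_in(trace):
            seen.setdefault(behavior, set()).add(loc)
    return seen


# Constructed department policies: a behavior absent from the map is allowed.
POLICIES = {
    "engineering": {"read_contacts": "allow", "contacts_exfiltrated": "deny"},
    "finance":     {"read_contacts": "deny",  "contacts_exfiltrated": "deny"},
}


def verdict(app, department, locations=LOCATIONS):
    """Return (approved, violations) for an app under a department's policy.
    Each violation names the behavior and the locations that triggered it."""
    policy = POLICIES[department]
    seen = observe_behaviors(app, locations)
    violations = sorted(
        (b, sorted(locs)) for b, locs in seen.items() if policy.get(b) == "deny"
    )
    return (not violations, violations)


if __name__ == "__main__":
    for app in (contacts_viewer, geo_triggered_app):
        for dept in POLICIES:
            print(app.__name__, dept, verdict(app, dept))
```

The canary is what turns "does the app read contacts?" into the question the answer actually cares about, "does the address book leave the device?", and the location loop is what makes a geo-fenced behavior show up in a bounded number of runs instead of an indeterminate wait. The same observed behaviors produce different verdicts for engineering and finance without re-running anything, which is the per-department decision the text says static and dynamic analysis alone cannot make quickly.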
How can behavioral analysis influence the evolution of security technologies?
Combining static and dynamic analysis did a lot to streamline the analysis of applications. Adding behavioral analysis has had similar effects through subtraction of time by addition of process, and it helps catch issues that would otherwise slip through the cracks. Behavioral analysis also presents the future of software security, as it focuses on the real problem: identifying unwanted behaviors.
Overall, it doesn’t matter if an unwanted behavior is there because the app developer made a mistake, intentionally added the behavior, used a malicious or corrupted 3rd party SDK or library, or had their software affected by a virus… What matters is identifying whether any unwanted behaviors are present. Period. Adding behavioral analysis to traditional static and dynamic analysis lets researchers focus their efforts on the end goal: determining if an application meets their security needs as quickly as possible.
What behavioral analysis strategies would you recommend to large organizations fighting off numerous security threats?
Behavioral analysis is an absolute necessity in the mobile app security space. There are simply too many apps entering the enterprise to do manual analysis, so automation is key. Large organizations have thousands of employees, and thus, thousands of mobile devices, each with an average of about 100 apps. That means that there are hundreds of thousands of apps to review for security and privacy risks inside large organizations. Even with automation, traditional static and dynamic analysis can take hours, even days to review each application. This still is not scalable, or suitable for a security solution. Newer generations of software analysis that incorporate static, dynamic, and behavioral analysis have been able to cut down the time of analysis, while simultaneously increasing the accuracy and coverage of the tests in a way that is optimal to tackle the mobile app security analysis space.