• United States



Senior Editor

Exploring the influence of Finjan’s proactive content security

Dec 09, 20138 mins
Cloud SecurityIT LeadershipMobile Security

Finjan president Phil Hartstein explains the inner workings of proactive content security with behavior-based content analysis technology and how it has shaped – and is continuing to shape – the industry

These days, a signature-based approach to anti-virus and anti-malware measures simply isn’t good enough. Most companies that develop anti-virus solutions realize that. But this hasn’t always been the case, and at some point, somebody had to develop the foundation upon which so many security approaches are based today.

[Study: Companies are not as secure as they think]

Enter Finjan, the grandfather of proactive content security with behavior-based content analysis technology.

“We realized there had to be a better solution for anti-virus software,” said Phil Hartstein, president of Finjan. “The notion at the time was to spend so much time on matching signatures.” Aside from the fact that the signature-based approach only defends from what is already known, Hartstein also pointed out how expensive and resource-consuming the process was.

“So we thought, ‘Maybe there’s a better way,'” he said. “Instead of matching signatures, let’s identify the behavior.”

There are a couple of factors that play into the proactive content security process itself. First, the software has to be able to identify the threat vector. Suspicious behavior on a non-connected endpoint device limits the types of behaviors one can expect to see. If you’re dealing with a web gateway however, you can fully expect a consistent barrage of attacks over that vector.

Hartstein used the example of requesting a file from a specific website. If the user was to encounter a redirect to download the file from another site – or received a different file type than was initially requested – they should be suspicious. When the information that is received doesn’t match the request, there is cause for a flag.

The other factor that Hartstein brought up is that there are software vulnerabilities that are either known or unknown. If a user knows that there are specific behaviors that are scripted with Java, for example, they can go in, open the file, and scan for the software calls that would identify those behaviors in a process that Hartstein referred to as mobile code replacement.

“If the file came through a gateway, we can flag it, open, and scan it so we can actually know what that function was meant to do before we strip it out, clean it, and send it on its way,” said Hartstein.

[Trustwave buys M86 Security for undisclosed sum]

There will be cases, however, where users may flag a file but don’t know exactly what the suspicious scripts are that they are dealing with. “If I can’t identify the behaviors, we have a process of running it in the gateway in a sandbox,” said Hartstein. “I know it’s an executable, but I’m just not sure. So I let it run and see where it tries to deposit.”

From there, he said, security teams can make the determination whether or not to allow the file through. Additionally, some sandboxing can be done in the cloud as opposed to locally on hardware, which also keeps hardware expenses down.

“So in all, you want to strip the file, open it in a sandbox to determine if its a safe file, and determine your threat vectors,” said Hartstein. “You want to narrow them down through limited expected vectors depending on where you are in the security stack.”

Building on success

Though he pointed out that Finjan pioneered the behavior-based content analysis technologies that provide the foundation for so many modern-day antivirus/antimalware solutions, Hartstein also recognized that other companies have built upon that framework as new technology becomes available and threats continue to evolve.

“We do believe that we pioneered behavior-based technologies,” he said. “We did integrate those inventions into our own products and yes, I think the foundational components of security companies that are deploying behavior-based technologies do rely upon our inventions. That’s the reasoning behind us selling our IPs for use.”

Cloud-based initiatives, for example, are one space where he feels that Finjan didn’t quite take the lead and have since been more fully fleshed out. The company was moving into cloud deployments and was moving into the SaaS space when it divested into M86 in 2009 – through which Finjan now sells secure web gateway appliances – but Hartstein said that Finjan didn’t have the full opportunity to modify and make more proactive software.

[Finjan sues McAfee, Symantec over patents]

“In terms of where the market is today, we were early in the cloud space,” he said. “But it was not something that was fully developed on our own.”

He went on to explain that there were a lot of things that Finjan simply didn’t know earlier on thereby preventing them from making the progress that has since been made. Five years ago, Finjan simply didn’t have access to faster, more powerful hardware, nor did it have the ability to share information out of the cloud on a fast basis.

“There will always be improvements based on the behavior-based technologies,” he concluded. “We generally consider them features, but not core to the security architecture. That’s how I would create the differentiation. People will continue to add features to that core solution.”

Not content with just being responsible for building the foundation, however, Finjan is continuing to branch out and evolve with the market. The advent of smartphones and tablets – as well as BYOD – has prompted the company to begin making moves in the mobile space, as well.

The trajectory of cybersecurity began with coverage at the endpoint and web, explained Hartstein. But as users have begun to move away from the endpoint, it’s become inoculated; if someone buys a PC, for example, all of the anti-virus software they need is already installed. Over time, the endpoint became a little less sexy.

“But now, with lots of mobile devices and BYOD, what you have is a circular return to the endpoint being the focus,” said Hartstein. “It’s about protecting the weakest link, and that’s smartphones and tablets. They’re attack vectors without any protections.”

He explained that it’s important to divide mobile market up based on how the devices’ operating systems work. If a user is dealing with an open-sourced OS, for example, they’re going to have a more impacted experience. With those devices, you have a resurgence of focus on the endpoint security segment. And the technology to protect those new classes of endpoints, said Hartstein, is the same technology as what was used to protect endpoints in the first place, which Finjan developed years ago.

“Our view is that our initial investment [in the technology developed to protect endpoints] is still relevant,” said Hartstein. “The development of mobile security solutions is the same as what we went through on the endpoint side.”

[Is mobile anti-virus even necessary?]

That said, he pointed out that regardless of how great anybody’s software security is, it can’t be considered a standalone, 100 percent effective solution. And that’s not just the case with mobile; it applies to the cybersecurity market in general, too.

“I hear lots of stories about not overlooking the little things,” said Hartstein. “For example, a physical security breach can trash your very well-protected security structure. You can’t look at this in a pure vacuum.”

Finjan has a certain philosophy, according to Hartstein, that it continues to enable innovation through licensing, and that’s how the company chooses to solve the problems that exist today. So while the company is not actively developing software for the mobile side, licenses in the mobile market are in Finjan’s future given that what it does very much applies to that particular sector.

“Yes, we are actively pursuing licenses in the mobile space – and historically we have done deals like that – but I cannot say what specifically,” said Hartstein.

Looking ahead

Given Finjan’s desire to help develop solutions and encourage innovation, it’s no surprise that the company is always looking to the future. Much like the threat landscape, different companies’ needs are ever-changing, security firms need to take a specified approach to their solutions.

“It all comes down to a broad exercise in what the landscape looks like,” said Hartstein. “My thought here is what we’re seeing in the market today is that a standalone, one-size-fits-all security software or endpoint or webgate security solution does not fit all.”

For instance, an e-commerce website will require different protections than a financial services site. The needs of each enterprise are so specific that it’s important that for Finjan to understand the nuances of users, networks, and certain companies’ needs. The most effective approach, Hartstein explained, is to tailor-build solutions that can be offered to companies individually.

“So in market theory terms, in the beginning, there were lots of companies making individual applications,” said Hartstein. “Then, they were beaten by the bigger companies offering [large-scale, overarching implementations].” Now though, the landscape has reverted and one-off implementations are the king in the market once more. What’s next, Hartstein theorized, is that the “50 or 60 companies out there in the security space” are going to go through a major consolidation event over the course of 2014 and 2015.

“The shift will allow companies to become more specialized,” he said. “Those unique, one-off security solutions or approaches will now be available through the larger players. The irony is that now, the big guys have the ability to say that they’re more specialized.”