The Rise of Behavior Profiling: Relying on Signatures and Rules Isn’t Enough Anymore

If you’re relying solely on signatures and rules to protect your cloud infrastructure, you’re doing it wrong. Yes, these were previously the default methods to protect you from attackers, either internal or external. Today, however, malicious hackers are moving faster than these methods can even pretend to keep up with and are evading traditional signature and rule-based network security methods. This brings forth the importance of behavior profiling to detect and stop attacks as quickly as possible to avoid a full-blown breach.

But first (and to be clear) a little more on why signatures and rules are insufficient:


To their credit, signature-based systems provide good detection for well-known, specified attacks. If a viral signature is detected, this will protect your system from damage by quarantining or encrypting files to render them useless.

While they do remain a core part of cloud security monitoring systems for several reasons, they cannot detect new, unfamiliar intrusions — even if they use variations of known attacks. Signatures will continue to be needed to protect users, but new technologies will help strengthen the effectiveness of signatures.


Rules provide a good way to represent and store usage patterns of system activities. They (typically) fire immediately when they indicate suspicious or illegal user activity, but they fail with direct dependence on audit record fields. Rules can only operate through expected audit trails of penetration, leaving little flexibility to detect slight variations of the same penetration.

Faulty Logic

Signatures and rules have no reasoning capabilities — they also create the inability to foresee impending compromises to limit damage before it’s done.

Rule-based systems are cumbersome to configure and (as you probably have experienced) are prone to false negatives and positives. Signature-based systems are also easily evaded when malware attempts to disguise itself— malicious hackers typically pre-scan their attack against all popular antivirus systems to ensure they will bypass signature-based systems.

Let’s focus on this for a moment: What if someone takes your credentials (either knowingly or unknowingly) through social engineering, weak passwords, etc.? How would you know that malicious activity is happening in your systems? Rules and signatures will fail you here  and this is most certainly an area where hackers are spending a lot of energy.

Endpoint Behavior Profiling

Smart security analysts and devops experts know that it’s time to build a new type of defense against attacks for cloud servers  one that can focus on the real issue to inherently learn new attacks on the fly.

Behavior profiling, and Endpoint Behavioral Profiling (EBP)™ in particular, reveals unusual behavior as it’s happening. EBP automatically builds a profile for a host which describes its normal behavior and then uses it to detect potentially malicious activity. By zeroing in on hidden infections based on different network communications, you can quickly pinpoint the attack location (and stop it) even if you never see the infection vector. No more complex rule or signature configurations on your end.

Behavior profiling, in short, reduces the time between an attack and its detection, allowing you to significantly reduce the odds of a massive breach.

Where EBP Does Not Work

Traditionally, behavioral detection methods work well for production systems with defined goals — web servers, databases, etc. In the past, this technology has been attempted on user endpoints like laptops and desktops with poor results due to the amount of verity and noise generated.  

What’s Next

Endpoint Behavioral Profiling™ is a new approach developed by Threat Stack to extend traditional behavior detection methods with the concept of profiles (each process has a profile, and its parent and children have profiles as well). The intelligence we gather over time helps us determine what is normal, while at the same time keeping that data portable and reusable.

We know that the state of cloud security monitoring is still far from where it needs to be, which is why we’re honing in on the next generation of security monitoring solutions. We can’t wait to see this method of detection evolve industry-wide to further protect cloud infrastructures.

Join Threat Stack today at or contact us at [email protected]