Lesley Carhart
ICS DFIR @dragosinc, martial artist, marksman, humanist, Lvl14 Neutral Good rogue, USAF Ret. Tweet *very serious* things about infosec. Thoughts mine. They/them

Aug 22, 2018, 8 tweets

This was a timely discussion for me.

I had a chat with a friend who is demoing a popular threat detection network appliance the other day.

He’s a network admin and was thrown off by the sales pitch the vendor gave where they insisted they don’t use signatures. (cntd...)

So I had to launch into a 40 minute long diatribe on the semantics and politics of the term “signature” as it relates to security. To do what the product did, it absolutely did have to use signatures as part of some detections. But the term “signature” is considered unmarketable.

We in infosec have this unfortunate habit of losing ownership of our terminology to sales, marketing, and media. Buzzwords are key, to the peril of technical accuracy.

“Signatures” are not necessarily the static code strings of 1999 and are quite useful in exploit detection.

And just because a product combines behavioral or statistical data with some combinations of static strings or regular expressions, that doesn’t mean their product is “signature free” or purely AI-based. That’s ridiculous.

In security, the concept of “defense in depth” crops up across verticals and layers and this is no exception. Use the detection tools that are useful in combination with one another to build the best layered detection possible.

Just because *static signatures* aren’t great at picking up polymorphic code or other modern malware evasion techniques doesn’t mean signatures as a general security concept should be removed or that vendors should overtly lie about their use.

Yes, there are additional ways (discussed in the aforementioned paper) to detect threats. And those should be included, combined, and pursued. Just don’t let buzzword hype limit your detection toolkit.

Oh, and I won’t name the vendor, but be very wary and ask pointed questions when any sales team tells you their detection product uses no signatures.
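The layered detection the thread describes, as an added example that is not the thread author's code or any vendor's product: a small Python detector that runs a regex signature layer and a statistical beaconing check over constructed proxy log lines and labels which layer produced each alert. The log format, the traversal pattern and the beaconing thresholds are assumptions made for this example.

```python
import re
import statistics
from collections import defaultdict

# Constructed proxy log lines (not real traffic): "<epoch> <src_ip> <host> <path> <status>".
SAMPLE_LOG = """\
1000 10.0.0.5 intranet.example /index.html 200
1060 10.0.0.5 intranet.example /../../etc/passwd 404
1000 10.0.0.9 cdn.example /beacon 200
1060 10.0.0.9 cdn.example /beacon 200
1120 10.0.0.9 cdn.example /beacon 200
1180 10.0.0.9 cdn.example /beacon 200
1005 10.0.0.7 news.example /a 200
1300 10.0.0.7 shop.example /b 200
"""

# Layer 1: static signatures. A regex is still a signature even when the
# brochure calls it a "rule" or "indicator" (hypothetical pattern).
SIGNATURES = {"path-traversal": re.compile(r"(\.\./){2,}")}

# Layer 2: behavioral check. A host contacted at near-constant intervals
# (low jitter) looks like beaconing; both thresholds are assumptions.
MIN_REQUESTS = 4
MAX_JITTER_RATIO = 0.1  # pstdev(intervals) / mean(intervals)


def parse(log_text):
    """Yield (epoch, src, host, path, status) from the constructed format."""
    for line in log_text.strip().splitlines():
        ts, src, host, path, status = line.split()
        yield int(ts), src, host, path, int(status)


def detect(log_text):
    """Return {src_ip: [reasons]}, labelling which layer produced each alert."""
    findings = defaultdict(list)
    timeline = defaultdict(list)  # (src, host) -> [epoch, ...]
    for ts, src, host, path, _status in parse(log_text):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                findings[src].append(f"signature:{name}")
        timeline[(src, host)].append(ts)
    for (src, host), stamps in timeline.items():
        stamps.sort()
        if len(stamps) < MIN_REQUESTS:
            continue
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean > 0 and statistics.pstdev(intervals) / mean <= MAX_JITTER_RATIO:
            findings[src].append(f"behavior:beaconing:{host}")
    return dict(findings)
```

Neither layer alone covers both sources: the traversal attempt is caught only by the regex, the beaconing only by the statistics, which is the point the thread makes about keeping both in the toolkit.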
