Dear all,

2008 has just begun and I would like to make some predictions on security. In terms of risk control there are some basic strategies:

1. Stay out of risky situations; you won't need a defense when you are not attacked (e.g. SiteAdvisor).
2. Reduce the vulnerable spot/attack surface (e.g. UAC and policy sandbox). This is why a lot of old fortresses were built in the loop of a river or on a hill top with only one or two access roads.
3. Control the attack vectors (traditional HIPS monitoring hooks/SDT), so you won't get hit. Normally a talkative solution that requires more user intervention. "Prevention is better than cure", as all software firewall fans and classic HIPS fans will argue.
4. Limit the damage/damage containment. In this category are antivirus (although AVs providing network and HTTP scanning are really ahead of things), policy sandboxes (because they remember the untrusted status of a downloaded file), virtualisation and, yes, behavior blockers.

Based on these four principles I think security will develop into three main streams:

1. (the easy prediction) Firewalls and HIPS will integrate. The main reason is that they both focus on the attack vectors; they need each other for synergy and want to know whether an application is trustworthy or not. Examples are the leaders in their class such as Comodo, Online Armor, Agnitum Outpost Pro and Look 'n' Stop (early innovator, now losing ground).

2. Threat gate mitigation. I think browser-specific policy management/virtualisation (reducing the attack surface) will be combined with staying out of trouble (SiteAdvisor). Vista already offers phishing protection and Protected Mode; other early innovators are LinkScanner Pro and Haute Secure. Google has bought GreenBorder, maybe this search engine will provide it all (search engine, SiteAdvisor-like site security rating and virtualisation). Who can tell? There are enough good solutions available. I do not think the Haute Secure guys would have stepped out of Microsoft when MS had plans to develop it for itself. AVG has bought LinkScanner, so things are moving. ZoneAlarm, the friendly FW, is also experimenting with this direction with ZA ForceField.

3. Antivirus will extend non-intrusive heuristics to behavior blocking. Blacklisting is a low user knowledge security option. Heuristics and behavior blocking are different techniques to trap a malware. Behavior blocking and antivirus both have to deal with the same challenge: "deal with false positives". It is therefore logical that these two similar security models (heuristics and behavior) will align and join forces. A way of improving heuristics and behavior blocking is by applying virtualisation. Example: a program violates a heuristics/behavior trigger; next, the AV would go into virtual mode for that single process. When this suspect is breaking some more laws it starts to get more and more suspicious. The virtualisation would make it easy to extend the STOP decision. A later STOP decision (based on more facts) will reduce the amount of false positives, while virtualisation will still make it possible to roll back (clear) the virtual data pocket. When the potential malware did not do anything wrong, the virtual data could be committed to the real world data.
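As an added illustration of the virtualise-on-trigger idea in point 3 (example code written for this page, not from the post or from any product it names): a single process is switched to virtual mode on its first behavior trigger, its writes are held in an overlay, the STOP decision is deferred until an assumed suspicion threshold is crossed, and the overlay is either rolled back or committed at exit. Trigger names, weights and the threshold are constructed values.

```python
from dataclasses import dataclass, field

STOP_THRESHOLD = 4  # assumed: cumulative suspicion at which the deferred STOP fires

# Suspicion weights per behavior trigger (constructed, not taken from any product)
TRIGGER_WEIGHTS = {"write_autorun_key": 2, "inject_remote_process": 3,
                   "disable_security_service": 3, "mass_file_rename": 2}

@dataclass
class Process:
    name: str
    score: int = 0           # accumulated suspicion from triggers so far
    virtual: bool = False    # once True, writes go to the overlay, not to real data
    overlay: dict = field(default_factory=dict)  # the "virtual data pocket"
    stopped: bool = False

def on_trigger(proc: Process, trigger: str) -> str:
    """A heuristics/behavior trigger fired for proc. Returns the new state name."""
    if proc.stopped:
        return "stopped"
    proc.score += TRIGGER_WEIGHTS[trigger]
    if proc.score >= STOP_THRESHOLD:
        proc.stopped = True
        proc.overlay.clear()      # roll back: nothing in the pocket ever lands
        return "stopped"
    proc.virtual = True           # first violation: this one process goes virtual
    return "virtual"

def on_write(proc: Process, real_data: dict, path: str, content: str) -> str:
    """A file write by proc. Real data is touched only while it is not virtualised."""
    if proc.stopped:
        return "denied"
    if proc.virtual:
        proc.overlay[path] = content
        return "overlay"
    real_data[path] = content
    return "real"

def on_exit(proc: Process, real_data: dict) -> bool:
    """Process ended. Without a STOP the pocket is committed; with one it is gone."""
    if proc.stopped:
        return False
    real_data.update(proc.overlay)
    proc.overlay.clear()
    return True

def run_scenario(events) -> tuple:
    """Replay ('trigger', name) / ('write', path, content) events for one process."""
    proc, real = Process("sample.exe"), {}
    for kind, *args in events:
        if kind == "trigger":
            on_trigger(proc, *args)
        elif kind == "write":
            on_write(proc, real, *args)
    on_exit(proc, real)
    return real, proc.stopped
```

A benign program that trips one trigger still gets its later writes committed at exit, while a program that keeps breaking rules is stopped with nothing written to real data.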