Enterprise systems grow increasingly complex and have become very difficult to secure. It is becoming impossible to remove—or even know about—every security hole. However, it is important to close as many such holes as possible to prevent potential attacks.
There are generally two extreme approaches to the elimination or reduction of an attack surface. A first approach uses strict security rules to eliminate certain attack surfaces. The advantage of this approach is that it is easy to deploy and enforce. A downside, however, is that the rules may be too strict, such that the user of the system may be inconvenienced. For example, some rules may completely lock down a host to prevent users from installing software, when there are legitimate cases where a user may need to do so.
A second approach applies machine learning to find the normal behavior of programs and then detects deviations from the baseline. This approach has the advantage of being general—it can be used to protect programs from unknown attacks. A downside is that it typically results in many false alarms that may cause the system to be unusable.