Given the recent hack of Ashley Madison, it’s cause for wonder: why aren’t we more secure?
Over the past two decades an entire industry has grown up to manage the problem of cyber security, and yet security breaches have increased in both frequency and scale: Sony, eBay, JP Morgan Chase. The number of reported security incidents worldwide grew to 42.8 million last year, up 48 per cent on 2013, and those are only the incidents that were detected.
Have hackers become more sophisticated, or are our systems too complex to secure? The obvious answer – both – is pushing the cyber security industry in a new direction.
Last year, Nadav Zafrir, former Head of the Cyber Intelligence Unit 8200 (akin to the US Government’s NSA) called for the cyber security community ‘to engage the puppet master.’ We shouldn’t merely defend against known threats, which firewalls and anti-viruses recognise, he said at the Annual International Cyber security Conference at Tel Aviv University. Instead, we should monitor and engage hackers in order to understand their decisions, their patterns and their mistakes. In this way, we can ‘proactively disrupt the attack while it’s happening.’
A number of Israeli security start-ups have come to share this point of view. Illusive Networks, backed by Zafrir's accelerator fund Team8, plants decoy credentials and 'phony data' on the network so that attackers who take the bait reveal themselves while they are still moving towards their target. Cybereason has built a dashboard from which Chief Information Security Officers (CISOs) can watch activity across their estate and stop attacks while they are in progress. Further afield, Sensecy poses as a hacker on dark-web forums in order to gather intelligence about attackers' tools and targets.
Attackers, often backed by criminal organisations or hostile governments, look for software vulnerabilities through which they can install malware (malicious software) that gives them access to supposedly secured data, like all those credit card numbers. Malware can be bought on the dark web and modified so that it sits quietly on a network for weeks, if not months, before the CISO is aware of the breach. An exploit for a vulnerability that the software's developers do not yet know about is called a zero-day, because when the attack is discovered the developers have had zero days to patch the flaw; such exploits have become increasingly commonplace. Even the US government has been repeatedly attacked through vulnerabilities in Adobe Flash.
Additionally, a large number of successful hacks are still orchestrated through phishing: emails that carry a malicious attachment or a link to a fake login page, all those attachments you shouldn't have opened. According to one study, 37.3 million internet users faced phishing attacks in 2013, an increase of 87 per cent on the previous year. Not surprisingly, Facebook, Yahoo, Google and Amazon were among the brands phishers most often imitated.
On the surface it sounds like old news: viruses and emails. However, traditional security defences have not kept pace with the speed and complexity of network communications. According to Nir Zuk, CTO and Co-Founder of Palo Alto Networks, the largest anti-virus vendors, including McAfee, Symantec and Kaspersky, miss 70% of the attacks that Palo Alto Networks firewalls detect (a competitor's figure, but one that illustrates the gap). The two products look at different things: anti-virus software inspects the files and processes on a single computer or other endpoint, while a firewall filters the traffic between a local network, such as that inside an organisation, and the internet.
Yet the regulators and standards bodies that govern cyber security, a muddle of committees and task-forces, require companies to run anti-virus software, at an untold cost to IT departments. The research firm Gartner estimates that last year organisations around the globe spent $67 billion on information security, more than $8 billion of it on anti-virus software. But regulation lags far behind both attackers and innovation, with grave consequences. Target, for example, had been certified as PCI-DSS compliant, meaning it adhered to the Payment Card Industry Data Security Standard, before it was hacked; compliance did not equal security. CISOs are now wondering whether anti-virus software should be scrapped altogether. Video-streaming giant Netflix has already dumped its anti-virus. Perhaps other companies will follow suit.
The difficulty with anti-virus software is that it relies on signatures: file hashes, byte patterns or other identifiers of malware that has already been seen and analysed. If a sample has not yet been identified and a signature created for it, anti-virus software will not detect it, sometimes for weeks or more. Worse, an attacker who recompiles, pads or packs a known sample produces a file with a different hash and different bytes on disk, so a signature for the original no longer matches even though the program does exactly the same thing when it runs.
'Static and signature-based solutions are unable to detect, let alone remediate, advanced threats, which are sometimes simply variations of known malware code,' says Eran Ashkenazi, VP of Services & Field Operations at SentinelOne, a start-up that aims to replace traditional anti-virus software. 'Even sandboxes [isolated environments that run a suspicious file to observe what it does] can be bypassed today with advanced evasion techniques. Since the malware has to run to achieve its goals, the endpoint is the "scene of the crime" and most of the time also used as the entry point for the attackers.'
SentinelOne, along with other companies such as CyActive (recently acquired by PayPal), provides what the industry calls 'Next Generation Endpoint Protection.' With the aid of cloud computing, large volumes of endpoint and network telemetry can be sent to cloud servers, where machine learning algorithms look for patterns and anomalies in user behaviour and network traffic, revealing threats for which no signature yet exists. SentinelOne has also developed an autonomous agent that sits on the endpoint and can detect and act on these behavioural patterns without a cloud or internet connection.
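The contrast between the signature-based detection described above and the behavioural detection these endpoint products rely on can be shown in a few lines of Python. The following is an added illustration, not code from this article or from any of the vendors it names. The 'malware' is a constructed byte string, the API-call traces are constructed as an endpoint agent or sandbox might record them, and the C2 hostname, file paths and allow-list are assumed placeholders. It shows a file-hash signature missing a one-byte repack, a byte-pattern signature missing a XOR-packed copy, and a behaviour rule catching all three because the program's actions at run time are unchanged.

```python
"""Signature-based vs behaviour-based detection on constructed samples.
Added example; nothing here is a real malware sample or a vendor's engine."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed "malware": a fake stager body. The C2 host is an assumed placeholder.
C2_MARKER = b"c2.example.invalid/beacon"
KNOWN_SAMPLE = b"MZ\x90\x00" + b"EvilStager v1 " + C2_MARKER + b"\x00" * 16

# A signature database as a vendor might ship it: exact hashes plus byte patterns.
HASH_SIGNATURES: Dict[str, str] = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "EvilStager.A"}
PATTERN_SIGNATURES: Dict[bytes, str] = {C2_MARKER: "EvilStager.gen"}
THRESHOLD = 3  # behaviour score at which a process is flagged


def hash_match(sample: bytes) -> Optional[str]:
    """Exact-hash detection: any single changed byte produces a miss."""
    return HASH_SIGNATURES.get(hashlib.sha256(sample).hexdigest())


def pattern_match(sample: bytes) -> Optional[str]:
    """Byte-pattern (YARA-style) detection: survives padding, not encoding."""
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in sample:
            return name
    return None


def padded_variant(sample: bytes) -> bytes:
    """Repack with one trailing byte: the hash changes, the body does not."""
    return sample + b"\x00"


def xor_packed_variant(sample: bytes, key: int = 0x5A) -> bytes:
    """Simulated packer: keep the 4-byte header, XOR-encode the rest so no known
    byte pattern survives on disk. A real packer prepends a stub that decodes the
    body in memory at run time, so the code that actually executes is unchanged."""
    return sample[:4] + bytes(b ^ key for b in sample[4:])


# Constructed API-call traces (assumed paths). All three on-disk variants produce
# the same trace once they run, because packing changes bytes, not behaviour.
STAGER_TRACE = [
    ("CreateFile", r"C:\Users\alice\AppData\Roaming\svc.exe"),
    ("WriteFile", r"C:\Users\alice\AppData\Roaming\svc.exe"),
    ("RegSetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("CreateProcess", r"C:\Users\alice\AppData\Roaming\svc.exe"),
    ("InternetConnect", "c2.example.invalid:443"),
]
EDITOR_TRACE = [
    ("CreateFile", r"C:\Users\alice\Documents\notes.txt"),
    ("WriteFile", r"C:\Users\alice\Documents\notes.txt"),
]
# Assumed allow-list of hosts this workstation is expected to talk to.
KNOWN_HOSTS = {"updates.corp.example:443", "mail.corp.example:443"}


def behaviour_verdict(trace: List[Tuple[str, str]]) -> Tuple[int, List[str]]:
    """Score a trace against a few behaviour rules (illustrative; a real product
    weighs hundreds of them). Returns (score, names of the rules that fired)."""
    score, hits = 0, []
    written = {arg for api, arg in trace if api == "WriteFile"}
    for api, arg in trace:
        if api == "RegSetValue" and "\\CurrentVersion\\Run" in arg:
            score += 2
            hits.append("persistence via Run key")
        elif api == "CreateProcess" and arg in written:
            score += 2
            hits.append("executes a file it just wrote (dropper)")
        elif api == "InternetConnect" and arg not in KNOWN_HOSTS:
            score += 1
            hits.append("outbound connection to unknown host")
    return score, hits


def scan(sample: bytes, trace: List[Tuple[str, str]]) -> Dict[str, bool]:
    """Which detection layer flags this sample? True means 'detected'."""
    return {
        "hash": hash_match(sample) is not None,
        "pattern": pattern_match(sample) is not None,
        "behaviour": behaviour_verdict(trace)[0] >= THRESHOLD,
    }


if __name__ == "__main__":
    cases = {
        "known sample": (KNOWN_SAMPLE, STAGER_TRACE),
        "padded variant": (padded_variant(KNOWN_SAMPLE), STAGER_TRACE),
        "xor-packed variant": (xor_packed_variant(KNOWN_SAMPLE), STAGER_TRACE),
        "text editor": (b"MZ\x90\x00benign editor", EDITOR_TRACE),
    }
    for label, (sample, trace) in cases.items():
        print(f"{label:20s} {scan(sample, trace)}")
```

The three rows for the stager show the same pattern the article describes: each layer of static matching is defeated by a cheaper transformation than the last, while the behaviour rule, which never looks at the bytes on disk, fires on all of them and stays silent for the benign editor trace.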
These recent advances in cyber security technology have, predictably, attracted the interest of investors, including Bessemer Venture Partners, Jerusalem Venture Partners, and Innovation Endeavors, the personal fund of Google's Executive Chairman Eric Schmidt.
More importantly, the disruption in the market promises a new cyber security playbook, with which we might be a little safer in the years to come.