My last blog argued that the technical reliance on anti-malware must end if we are to meet the challenges of contemporary cyber threats to both consumers and enterprises. So what can the industry do to move on and develop new ways of thinking and technologies that can adapt to these broad based threats.
The simple answer is “intelligence”. The industry needs to rapidly innovate to embrace intelligent security systems (with anti-malware as standard – it still has a part to play) that incorporates what I describe as full-risk situational awareness. This applies to technology and the culture of risk in the business.
In other words, stop believing that you can stop attacks and breaches, and move to a position of breach acceptance and learn from that – after all it is widely believed that many organisations are already infiltrated without their knowledge and that number is increasing.
This new awareness should apply to policy and strategic thinking by information security practitioners. Theory in applying full-risk situational awareness should also be developed in higher education establishments, especially those currently teaching information security so that new professionals are ready for the world they seek to protect.
Just as so-called Advanced Persistent Threats (APT) can sit undetected in the background of an organisation gathering data by stealth so defensive systems should be developed that adopt the same technique and shadow such cyber weapons and learn from them once detected. Don’t kill the tools of your enemies, instead watch and learn – much as a government intelligence agencies watch enemy agents rather than arrest them.
Both Amazon and Google have developed and continue to develop extraordinarily sophisticated algorithms to help them predict what you want to buy and what you are searching for. It is surely not impossible to adapt such technology to analyse and predict the behaviour of malicious cyber actors and the software that they develop to attack organisations. In fact why do we continue to assume that information security technology should come from information security companies? Why not adapt Google and Amazon’s tools or indeed those from any cutting edge tech firm working in the big data space. Making sense of the extraordinary mass of malware today means learning from those research clusters investigating how we can manage big data and build intelligent computing devices. But such clusters are not found in many security firms.
All together now, big data and artificial intelligence:
A report in the world renowned MIT Technology Review reveals that the latest advances in AI are now finally coming close to the dream of creating sentient devices – but it isn’t just about building chess playing supercomputers. It describes the advances as “deep learning” which could herald a new age of predictive technologies. And Google is at the forefront of such research.
“Last June, a Google deep-learning system that had been shown 10 million images from YouTube videos proved almost twice as good as any previous image recognition effort at identifying objects such as cats.” it reports.
The theory behind deep learning is that machines develop memories from experience which then influences their behaviour when faced with similar circumstances or can apply learned behaviour when faced with a new situation.
Why not apply deep learning to the behaviour of malware and malicious cyber actors to comply with our full-risk situational awareness? In other words – develop systems that learn and fight back to meet offensive malware programs head on. Perhaps even by learning from previous malware behaviours and attack routes, such deep learning anti-cyber systems could conceivably block attacks before they happen, or allow them to get to the point of attack and then kill them. Of course it sounds fanciful – but not completely. And do you know of better, current security techniques being developed among the vendor community?
You can change your mind:
For the technology to work we also need a fundamental change in information security thinking to accompany such radical technology. A conversation I had with William Beer, Director Information & Cyber Security at PwC UK, demonstrates the kind of leadership we need from those at the top of information security today.
“We need more thinking, more research – not just more technology. The industry needs more research. The vendors trot out the same cliches and so called insights.” he told me.
“There is a lack of innovation, a lack of creative thinking. I don’t want to hear about ISO 27001 or defence-in-depth. Clients are not getting the solutions they want. How can we do things differently? That’s the big question.”
“We have so much to learn from the past but we don’t look at history. We don’t look at medicine, or cancer research or how viruses spread. We don’t do enough information sharing. We’re thinking with blinkers on. Why not employ criminal psychologists, religious experts – why not “know your enemy”? It’s not a skills shortage – it’s the thinking that’s wrong and the people recruited into information security.”
And he is, of course, right. How many security conferences and exhibitions have you been to where you heard anything new? When were you last challenged to think differently about what you do? You will hear about “reporting to the board” and “cutting edge” reports on the “future of threats”. Plus, of course, everyone’s favourites BYOD and Cloud etc…it’s all bread and butter stuff.
It’s still important and still worth discussing but they are missing the point of what “information security” is and how it should be applied. The level of malicious cyber activity is such that we need to radicalise our technology and thinking rapidly. And that means shifting away from even thinking about information security at all. Instead move to an awareness that the best way to be secure is to assume you are not and act accordingly. That way we may yet stand a chance of protecting our businesses and the economies that depend on them. The alternative is just information security noise.
About the Author:
Paul Fisher | @Pfanda | Pfanda.co.uk
Paul Fisher has worked in the technology media and communications business for the last 22 years. In that time he has worked for some of the world’s best technology media companies, including Dennis Publishing, IDG and VNU.
He edited two of the biggest-selling PC magazines during the PC boom of the 1990s; Personal Computer World and PC Advisor. He has also acted as a communications adviser to IBM in Paris and was the Editor-in-chief of DirectGov.co.uk (now Gov.uk) and technology editor at AOL UK.
In 2006 he became the editor of SC Magazine in the UK and successfully repositioned its focus on information security as a business enabler. In June 2012 he founded pfanda as a dedicated marketing agency for the information security industry – with a focus on content creation, customer relationship management and social media.
His heroes include David Ogilvy, Ludwig Mies van der Rohe, Ken Garland, William Bernbach, Andy Warhol, Richard Branson, Charles & Ray Eames, Steve Jobs and Paul Rand. And George Best. He comes from Watford but he thinks he comes from Manchester. If you came from Watford, you would too.
As an impulsive adopter of new technologies and an inability to stick to one ecosystem, he can be spotted around London’s finest WiFi hotspots variously sporting a Chromebook Pixel, an old Blackberry, Nexus 7 and a Nokia 920. He also has a Mac and an Xbox at home.