Changing Our Approach to Security

The Threat Landscape

In recent years and months, we see the global threat landscape dramatically evolving for critical infrastructures and businesses. Cybercriminals operate with no barriers or limitations, both in their creative approaches and attack methodologies. Helping their efforts is a list of nation states, bringing some of the world’s best hackers and tools into the mix, greatly increasing the threats against which businesses are vulnerable and must find ways to defend themselves.

Sophistication of Targeted Attacks

What is happening now is that the sophistication of malware and other types of cyberattacks is much more targeted than they used to be. Mainstream attacks that we’ve seen for years continue unabated, including code injection and SQL attacks. But what we see now are fileless attacks memory exploit attacks, both of which weaponize at runtime. They are difficult to prevent and to predict when they might arrive because of the methodologies criminals exploit and misuse increasingly. This leaves businesses with a weak defense because businesses are used to defending themselves against what they know. Similar to a police or customs officer who identifies the profile of a smuggler and takes him out. But if somebody doesn’t look like any of the profiles they know, they will just pass through^.This has changed the way that we look at and defend against attacks. This is what is happening with heuristics but we need to do it faster because the development In sophisticated and targeted attacks is unfortunately increasing in the mean time.

Limitations of Legacy Security

What seems to be the case right now for majority for Chief Information and Security Officers is that they are looking at a state or market where you will see loads of companies mushrooming up with security products that will help them against whatever threat is out there. For the last 25 years, we have been relying on antivirus, endpoint protection, proxies and other layers that simply don’t work. We tend to overprotect in the conventional areas and in the areas that we know that we will be attacked, where we know there is a threat and how they react and how we can intercept them. There seems to be a lack of tools which touches upon what I call the ‘Last Line of Defense.’ When the malware has hashed through all the normal protection layers, it continues going because it is an unknown variety of malware or fileless, it keeps exploiting, whether runtime or memory. We have an overprotection of the known and underprotection of the unknown^.We need a tool that can focus more on being more agile in protecting us against the unknown dangers out there.

Risks to Critical Infrastructure

In my new position at the World Economic Forum, I have been looking into the area of industrial control systems. We have a huge problem here that we’re working closely on with Oil and Gas and the healthcare companies because they’re in the crosshairs of a number of crime areas. They’re attacked by nation states, organized criminals and hacktivists, and we also see movements from terrorist angles. They are very exposed in this area so they need to be even more agile and more forward looking for their protection. That is why we need systems and tools that can help these specific areas from being infected.

Again we need to look away from the more conventional ways that we control and we protect ourselves against the more unconventional attacks. That is why we need to look at fileless malware that weaponizes in runtime and the new m way attackers try to sneak by the normal processes by using unknown tools that they optimize. This is more sophisticated than our existing tools, which only look for things they know. That’s all they’re good at. They can’t help but let things they don’t know and don’t think are dangerous through the systems. That is why, especially in this area, it’s very important that we shift the way we protect ICS institutions and these industry systems.

Why Patching Isn’t Enough

Patching is very important and that is part of basic cyber hygiene. The problem is that there are so many patches and CISOs look at patches and see their cost as being either serious or less serious and to some, they see a need to patch immediately. But even patches that are so critical that you need to patch them immediately, they get put in a queue. If you have a situation that is not just a small shop, it may be relatively easy to patch your normal state than it is to patch all the applications. If it’s a big bank or financial institution, you could need at least 6-7 weeks to patch completely, and that is why we can never be caught up to where we should be with patching. That is why patching is not the way ahead. We need to patch, but it is not the way that protects organizations. We need different means.

Ensuring Good vs Chasing Bad

The default way that we normally protect our systems is by looking at threats, how they can be detected, how they look, how they can be intercepted, and what is going into our applications. Then we know what to block. Let’s imagine that we cannot detect that for one reason or another the malware is so clever that it does not leave any trace that we can profile. But what it does do is make our applications work in different ways than we think it will. The trick then is to look at the application stack and see how it should be behaving if it’s not, what is the reason for it. If it is stem malware, then it has to either be locked down or blocked immediately. That is a new way of looking at application protection and that is what works.