The cybersecurity industry seems flooded these days with solutions touting their use of “deep learning,” “ML” (machine learning), or “AI,” all in the name of building a better mousetrap. And it’s true; these next-generation tools work more effectively than legacy products, which typically rely on static signature or simple heuristic detection. The problem is that next-generation solutions are, by definition, close relatives of their predecessors, based on the same underlying premises. As such, they face the same limitations as the tools they claim to replace, even if those limits are somewhat expanded.
Old and new generations alike are always one step behind the attacker, relying on prior knowledge to stop yesterday’s attacks. They compete on who is more incrementally effective against malware, which is the wrong question to ask when unknown unknowns–zero-days and millions of malware variants–can always outsmart the defenses. The questions we really need answered are how to change the asymmetry in cybersecurity in favor of the defender, how to prevent attacks from ever starting, and how to reduce today’s ever-mounting security costs.
The data Catch-22
Threat actors constantly develop new techniques and avenues of attack that easily evade older prevention solutions. To compensate, manufacturers seeking to protect their businesses add more layers of monitoring, detection and response, which generate masses of reports and false alarms to be investigated by their under-resourced and overwhelmed analysts. Indeed, the latest big data, business intelligence and AI security products sift more effectively through all the information in an attempt to predict the unknown and learn from the past, yet these tools generate even more data, eating up even more time and resources.
Moreover, all these layers still leave industries exposed to fileless and memory-based attack frameworks, shellcode attacks and other advanced threats that are designed to go undetected. Next-gen solutions, no matter what exciting technology they use to do it better, still rely on detection of executables. They have to find the mouse, or traces of the mouse, before they use probabilistic inference to decide whether or not to stop it. And even the most sophisticated detection logic will always be a step behind hackers.
Prevention beats a cure
There is a steeply increasing relationship between the time to detect, contain and remediate an attack and the organizational costs. While detection tools have improved (with shorter times between infection and detection), it is much more cost-effective for businesses to prevent a breach from ever occurring in the first place.
So how can manufacturers and other industrial companies get ahead of the attack-cost curve? They need to reduce their risk by increasing the resilience of their security stack to both known and unknown threats, along with unpredictable attacks. At the same time, they should focus on reducing the operating expenses and complexity of their security approach. Some truly innovative technologies have emerged that make this feasible. Moving Target Defense, for example, breaks completely away from the post-breach malware-detection model and the reliance on previous knowledge. By denying hackers the ability to access, or even find, exploitable memory resources, it makes it prohibitively expensive for hackers to attack an organization.
The right stack is more critical than individual security products. Security departments should take a step back to understand exactly what they're getting out of their security stack: is it affordable, is it effective, is it flexible, can it handle the unknown?
This was the approach taken by Yaskawa Motoman Robotics when they revamped their security stack. (Disclosure—Motoman is a Morphisec customer.) Motoman sought to be one step ahead of cyber criminals while operating in a highly technical work environment where users have local admin rights, and which has many types of CAD systems and freeware downloaded by engineers. Advanced persistent threats (APTs) aimed at theft of intellectual property, performance degradation from resource-heavy security products, and disruptions that could affect company margins were all serious concerns. They built a lean prevention stack based on antivirus and Morphisec’s Moving Target Defense memory exploit prevention layer, which gave them effective endpoint protection that demands very little in terms of personnel and system resources.
Bigger and smarter mousetraps may protect better, but better is not good enough when ransomware locks up critical factory resources or when attacks exfiltrate sensitive business data. Rather than amassing agents and bigger solutions that bring more work, more implementation, more training, more monitoring, more forensics and more people, manufacturers should combine traditional and innovative prevention technologies with good cyber hygiene to keep running safely and efficiently.
Omri Dotan is chief business officer at Morphisec.