Dan Turner, CEO of British cybersecurity firm Deep Secure, surveys the ever-growing list of successful attacks and asks why the cybersecurity industry has been getting it so wrong for so long.
Some years ago, in a previous life, I had an experience that changed my view of cybersecurity forever. At the time, I was running the cybersecurity business unit of one of the largest System Integrators in the world, and one of our key customers was a global FMCG client. The carefully designed, multi-tiered cybersecurity defence we had put in for the customer hadn’t stopped them being hacked, and I was called into their head office to explain how and why the breach had occurred.
It wasn’t an easy meeting. I explained that we had installed the best detection technologies that money could buy – firewalls, secure web gateways, anti-virus, intrusion detection systems – all of which were working as advertised, and that the breach was largely down to a so-called zero-day exploit (one that their defences couldn’t detect) combined with the perennial weak link in any cybersecurity defence – the human factor – in the shape of a user who had clicked on something they shouldn’t have clicked on.
As the session ended, one of the senior board members took me to one side and observed that, despite all the investment they had made, what I was telling him was that – in cybersecurity terms – their detection technologies were so easily evaded that the company was left with an unquantifiable business risk. Did I have any idea, Dan, he asked me, how uncomfortable the board of the company was with unquantifiable risks? As he walked away, his parting shot was: “you cybersecurity guys need to move beyond detection.”
30 Years of Hurt
He was right, of course. In the 30 years since British computer security firm Dr Solomon’s Software developed their Anti-Virus Toolkit, the cybersecurity industry has been promising to detect more than it can deliver and, in the process, leaving its customers with an unquantifiable level of risk.
The numbers say it all. Risk-Based Security’s 2017 Data Breach Report highlighted that there were 5,207 breaches recorded, the highest ever. The number of records compromised also set a new record with over 7.5 billion records exposed. According to the Gemalto Breach Level Index, 82 records were compromised per second in 2017. In the US alone, Statista reported that in the last period for which there are reliable numbers, 668 breaches resulted in over 22 million records being exposed.
In the first half of 2018, high profile victims of cybersecurity exploits have included Dixons Carphone Warehouse, Ticketmaster, the US Department of Homeland, Facebook, Equifax and the University of Greenwich. Targeted attacks on banks in India, Canada, Mexico, the US and Chile netted organised cyber criminals millions of dollars. No doubt there were countless other compromises during that time that have either not been disclosed or were not even detected.
Against this backdrop, any board member, of any organisation, has a right to be asking some pretty probing questions about the levels of risk they are exposed to. This is a mature (at least in computing terms) industry. After three decades, why is it not able to offer its customers the level of protection they might reasonably expect – defences against cyber threats that are not easily evaded by attackers?
A Failed Paradigm
There are a number of factors at play. Cybercrime is lucrative, and the chances of getting caught are slim. Some of the cybercriminals are highly skilled. Some members of staff are not as vigilant as they might be. But the overriding reason that the bad guys are winning – and winning they are – is that defences based around the concept of detection can no longer offer the required levels of protection.
Detection, as typified by anti-virus and anti-malware products, involves examining a file to try and determine whether it contains something previously seen and categorised as “bad”. All fine in theory, but the problem is that it is child’s play to make small changes to the file that will outwit detection-based defences, or even to invent wholly new files that the defence has no prior knowledge of. Add to this the complexity of the business information we browse, email, share and transact every day and it’s easy to see why cybercriminals are enjoying such success.
Most of the cybersecurity attacks initiated against organisations start with an exploit or threat concealed in seemingly innocent business content arriving into the corporate network via the email or Web gateway. Virtually any piece of content, whether an Office document, PDF or image, can be used or “weaponised” in this way. Whatever the vector and whatever the precise nature of the threat, time and again it is business content – documents, spreadsheets, presentations and images – that is used to conceal the attacker’s intent. These files are the essential lifeblood of any business, but they are easily modified by the criminal to contain threats that a detection-based defence has not previously “seen” – so-called zero-day exploits.
In short, detection-based defences are now wholly inadequate in the face of increasingly sophisticated cybercriminals employing against commercial targets the kind of sophisticated zero-day exploits that were hitherto the province of nation-state intelligence entities.
Beyond Detection – Content Transformation
Fortunately, new ways of combatting this type of threat are emerging, and one of the most effective is called Content Threat Removal. Content Threat Removal doesn’t attempt to detect the presence of a threat in business content arriving at the gateway. Instead, it assumes that all content is potentially bad. Using a process called content transformation, it intercepts every document and image, extracts only the valid business information from it, discards the original data and creates a brand new, threat-free copy to deliver to the intended recipient. The content transformation process can’t be circumvented or evaded because it is not interested in trying to detect anything untoward that the bad guy has hidden in the content. It simply eliminates the risk, even when new forms of attack are devised.
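As an added illustration of the content-transformation idea (example code written for this article, not Deep Secure’s product): a minimal transformer for PNG images that parses the file, keeps only the dimensions and the decoded pixel rows, and writes a brand-new file, so ancillary chunks and any bytes appended after the end marker never reach the recipient. The sample image with its extra chunk and trailing bytes is constructed inline, and the parser deliberately handles only 8-bit, non-interlaced RGB with filter type 0.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, body):
    # Encode one PNG chunk: 4-byte big-endian length, type, body, CRC over type+body.
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
def _chunks(data):
    # Walk the chunk list up to IEND; anything appended after IEND is never read.
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        if ctype == b"IEND":
            return
        pos += 12 + length
    raise ValueError("truncated PNG")
def pixel_rows(data):
    # Keep only the business information: width, height and the unfiltered pixel rows.
    ihdr, idat = None, b""
    for ctype, body in _chunks(data):
        if ctype == b"IHDR":
            ihdr = body
        elif ctype == b"IDAT":
            idat += body  # tEXt, eXIf, private and unknown chunks are ignored, not inspected
    if ihdr is None or len(ihdr) != 13:
        raise ValueError("missing IHDR")
    w, h, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if (depth, colour, interlace) != (8, 2, 0):
        raise ValueError("this example handles 8-bit non-interlaced RGB only")
    raw, stride = zlib.decompress(idat), 1 + 3 * w
    if len(raw) != h * stride or any(raw[y * stride] != 0 for y in range(h)):
        raise ValueError("pixel data inconsistent with IHDR, or a filter type not handled here")
    return w, h, [raw[y * stride + 1:(y + 1) * stride] for y in range(h)]
def transform_png(data):
    # Build a brand-new file from the extracted pixels; the original bytes are discarded.
    w, h, rows = pixel_rows(data)
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"".join(b"\x00" + r for r in rows), 9)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
# Constructed sample: a 2x2 RGB image carrying a tEXt chunk plus bytes appended after IEND.
ROWS = [b"\xff\x00\x00\x00\xff\x00", b"\x00\x00\xff\xff\xff\xff"]
SAMPLE = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0))
          + _chunk(b"tEXt", b"Comment\x00constructed-hidden-data")
          + _chunk(b"IDAT", zlib.compress(b"".join(b"\x00" + r for r in ROWS)))
          + _chunk(b"IEND", b"") + b"constructed-trailing-data")
```

Note that nothing in the code looks for a signature or decides whether the extra chunk is malicious; it is dropped simply because it is not pixel data, which is the point of the transformation approach.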
Transform your Defence
The detection paradigm has been a cornerstone of the cybersecurity industry for the last 30 years. It was effective to a point. It was reassuring. It enabled the organisation to show the list of “bad stuff” that was blocked last week or month, although tellingly it couldn’t tell you what had got through your defence. Whether it ever really offered true protection is a moot point, but one thing is certain. It is now proving wholly ineffective in the face of ever more sophisticated zero-day threats concealed in business content.
Transformation is the only viable way to ensure that threats are entirely removed from content because it assumes all data is unsafe. It doesn’t try to distinguish good from bad, so it cannot be evaded. We’re on the brink of a technological revolution. In the face of relentless and concerted cyber-attacks, organisations are being forced to re-evaluate every aspect of how they acquire, share and transact digitally. Defences based on the detection of known threats are insufficient. What’s needed is real protection and with an information extraction approach to Content Transformation that now becomes possible.