ChiefIT.me Magazine - Sept/Oct 2016

Corporate Security

Prevention is still better than cure

There is still a defeatist attitude resonating through the industry when it comes to security. However, Greg Singh, Lead Technical Engineer for the APAC region at Cylance, argues that security tools should put the focus back on prevention rather than response. After all, isn’t that what the customer expects?

By Greg Singh

Dr Jackie Craig, Chief of Cyber and Electronic Warfare at the Australian Department of Defence, spoke at the recent Australian Cyber Security Centre (ACSC) conference in Canberra. Classifying cyber security as a science, Dr Craig went on to say: “If we had a big science approach to cyber security we could ... begin to educate people more deeply about the types of risks that they're taking if they don't have proper virus checkers." It all sounded so promising until she mentioned virus checkers.

We were hoping that the speakers from the FBI’s Cyber division might come up with something more radical when they said: "Threat intelligence is a big buzzword now, but I think there's a difference between tactical threat intelligence, the right indicators, and then really strategic [intelligence]". The point being made was that “all the best tools” are still no match for good old human intelligence. I might have agreed to some extent, were it not for the fact that the example given of “all the best tools” was IDS (intrusion detection systems). That, for me, summed up everything that is wrong with cyber-defence today: the emphasis on detection and response, instead of on prevention.

Surely, when a company is forking out thousands for cyber security, it assumes that it is paying to prevent cyber-attacks? And yet there was very little mention of prevention at this year’s ACSC conference. For example, we heard from Latha Maripuri of News Corp, the global information and publishing enterprise in charge of leading brands such as The Wall Street Journal, whose presentation focussed on the attacker only; it was all about how to structure a security program to address modern day threats. So much for Big Science and Threat Intelligence – it sounded more like a reactive response to try and Protect Company Assets after the burglar has escaped!

The fact that antivirus has failed is no secret. In May 2014, Symantec itself declared antivirus “dead”. Traditional signature-based AV simply cannot keep pace with hackers who can rejig their malware with a few cosmetic touches to make it unrecognisable. As a consequence, antivirus industry giants have been desperately buying up new technologies to patch up their reputations.

So what solutions are being proposed at the ACSC conference? The key words seemed to be “detect” and “respond”. In other words: having given up hope of being able to recognise malware in advance, the focus is now on detecting that something is suspicious and then using detonation or sandbox techniques to see how it behaves before letting it loose in the network. So the first line of defence is the traditional antivirus search for recognised malware signatures. Next, a virtual machine is started up with the target operating system (so typically a virtual PC) and the suspicious code is copied into that “sandbox” to see what it does given enough time (typically about 5 minutes). A report is prepared and the VM is shut down and cleaned up. So we should now know if the incoming code is dangerous.


ChiefIT.me Magazine - Sept/Oct 2016 by MySecurity Marketplace - Issuu