Corporate Security
Sandboxing is a powerful way to detect malware, but costly in terms of time and resources. How far do you go in virtualising the potential target? Should you not replicate the entire corporate network to test for a highly sophisticated attack? And five minutes is an eternity by today’s operating standards. What’s more, recent members of the Upatre malware tribe are using the Windows API GetTickCount and will not activate unless the host has been running for more than 12 minutes. In other words, it recognises a sandbox VM and refuses to play in it.
Artificial Intelligence is Golden
The ACSC Conference was a disappointment, as no company seemed to offer a truly radical alternative to “detect and respond”. In the past, antivirus has positioned itself as the solution, but clearly this is not enough; what is needed is a Next Generation Anti-Virus (NGAV) that can identify specific attacks and speed the response to them once they are detected. For example, instead of scanning vast databases of hashes, signatures and approved applications, CylancePROTECT makes real-time decisions by comparing against optimally trained statistical models that only need to be updated every few months. Looking for recognised malware signatures fails because cyber criminals simply alter the outer signatures: it is quick and cheap to recycle existing, proven malware by giving it a facelift. Instead, NGAV recognition looks deep into the coding structure using sophisticated Big Data learning algorithms, so a successful attacker would have to spend considerable time and money developing whole new coding structures, only to have the new attack promptly analysed and registered in the NGAV system. This is not how cybercrime chooses to operate, because it relies on quick results with minimal investment before the authorities have a chance to catch up.
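As an added example (not code from the article or from any product it mentions), the following Python scores a constructed sandbox API-call trace for the uptime gate described in the sandboxing paragraph above: a sample that reads GetTickCount, sees less than 12 minutes of host uptime and exits almost immediately is flagged so the analyst can rerun it on a longer-lived VM. The trace line format, the sample call names and the timing window are assumptions.

```python
import re
from dataclasses import dataclass

# The 12-minute uptime gate attributed above to recent Upatre samples.
UPATRE_MIN_UPTIME_MS = 12 * 60 * 1000

# Constructed trace (not real sandbox output): one call per line,
# "<ms since sample start> <api>(<args>) = <return value>".
# The host reports ~3 minutes of uptime and the sample exits within milliseconds.
SAMPLE_TRACE = """\
0012 GetModuleHandleW("kernel32.dll") = 0x76f00000
0015 GetTickCount() = 180452
0021 ExitProcess(0) = 0
"""

LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(\S+)$")

@dataclass
class Verdict:
    time_gated: bool         # sample read uptime and bailed out shortly after
    reported_uptime_ms: int  # what the host told the sample, -1 if never asked
    advice: str

def parse_trace(text):
    """Return (t_ms, api, args, ret) tuples; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append((int(m[1]), m[2], m[3], m[4]))
    return calls

def assess(trace_text, min_uptime_ms=UPATRE_MIN_UPTIME_MS, exit_window_ms=5000):
    """Flag a run where uptime was below the gate and the sample exited soon after."""
    calls = parse_trace(trace_text)
    # GetTickCount returns milliseconds since boot; accept decimal or hex in the trace.
    queries = [(t, int(ret, 0)) for t, api, _, ret in calls if api == "GetTickCount"]
    if not queries:
        return Verdict(False, -1, "no uptime query seen")
    t_query, uptime = queries[0]
    exited_early = any(api == "ExitProcess" and 0 <= t - t_query <= exit_window_ms
                       for t, api, _, _ in calls)
    if uptime < min_uptime_ms and exited_early:
        return Verdict(True, uptime,
                       f"rerun with host uptime >= {min_uptime_ms} ms or a GetTickCount hook")
    return Verdict(False, uptime, "no uptime-gated bail-out observed")
```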
But if the latest sandboxing solutions are already time and resource intensive, surely adding Big Data mining and artificial intelligence to the mix will bring the average corporate system grinding to a halt? Not so, because all of this heavy lifting takes place in the cloud, not in the client’s own system. The local software only has to analyse code in real time against a far smaller set of characteristics rather than an ever-expanding database of dubious signatures. The software for this approach occupies only 30 megabytes and typically uses less than 1% CPU, making it practically invisible to the user, as well as being very easy to deploy and administer. Analogies should always be treated with caution, but try this. In 2003, a group of the world’s most dedicated scientists announced the completion of a 20-year project to map the entire human genome with 99.9% accuracy. Their work has led to many of the scientific breakthroughs we benefit from today. Effectively, NGAV is unlocking the DNA of malware and applying artificial intelligence techniques, machine learning and algorithmic science to dissect the malware almost to the molecular level, before it is allowed to enter the network.
"Threat intelligence is a big buzzword now, but I think there's a difference between tactical threat intelligence, the right indicators, and then really strategic [intelligence]"
Government gets serious
The Australian Government’s recent announcement reconfirmed the level of commitment to cyber security. Instead of the old “keep it under the carpet” policy of not confirming inbound attacks and intrusions or the measures used to mitigate or neutralise them, a new “the gloves are off” approach has been announced by Prime Minister Malcolm Turnbull. At the launch of the government’s new $230 million Cyber Security Strategy in Sydney he publicly announced that “offensive capability” is now a real live option. There is a lot of good and timely material in the strategy as published, but there is still too much evidence of that detect and respond mindset: witness the report’s heading “Detect, Deter and Respond”. The first four essential mitigation strategies are strongly focused on responses to recognised dangers, while the discredited signature-based anti-virus approach has actually been moved up from position 25 (in 2012) to position 22 in 2014 in “effectiveness ranking”. This was perhaps the best takeaway from the ACSC conference this year, but it fell short in one respect. Let’s make Prevention once more our top priority, because ultimately that is what the IT user really expects from the industry.
Chief IT Magazine | 17