LAS VEGAS—Black Hat 2015 showed that security technology is better, smarter and faster than ever before, but still one step or more behind the bad guys.
If one step doesn’t seem like a lot, it is. There are up to 500,000 “malware events” happening every day. Security companies like Trend Micro are collecting hundreds of terabytes of exploit and attack data per day. What they are doing with that data is promising, but scaling threat detection systems is difficult and the threat landscape is constantly shifting.
Hacks are so commonplace that last Thursday’s news of a breach of the Pentagon’s email system barely registered among the vendors and attendees at the annual gathering here.
Admittedly, what’s one more government hack after the massive OPM breach? But the method, allegedly an email phishing scheme, shows once again that every link in the security chain has to be accountable, and that enterprises need to be better prepared from a policy and training perspective.
Here are some more numbers that highlight the scale of the security challenge. More than 50 billion devices will be connected to the Internet by 2020, and each house will have hundreds of devices connected to the Internet by then, according to Cognosec researchers.
IoT device proliferation is the result of a wave of innovation across many industries, and spurred by demand for ways to automate everything in daily life. What those numbers really mean is there will be billions more access points for attackers to infiltrate systems.
Cognosec’s team of Sebastian Strobl and Tobias Zillner gave a Black Hat presentation on how ZigBee, a wireless communication protocol for connected devices, can be fairly easily compromised through weak network security key mechanisms.
They tested their exploits on home automation systems, including door locks. The problem isn’t only with ZigBee, they said, but with device vendors who don’t implement security very well, or at all, in the name of usability and time to market. Device vendors “are not IT companies, and not experienced in data security,” said Strobl.
Other Black Hat sessions dissected exploits of a variety of devices, including cars and even a high-end, “Linux-powered” precision-guided rifle.
Businesses shouldn’t feel comfortable that IoT threats are confined to the home, said Norse Senior Data Scientist Mary Landesman. They are everybody’s problem. “Where’s the line between home and office when it comes to IoT? That smart fridge is as likely to end up in a break room of a company as it is in somebody’s kitchen,” she said in an interview. “IoT could be anywhere, anytime. That’s the point that people who talk about IoT minimize, because that’s a ‘home user’ issue.”
So, as has been asked many times before, what is to be done? That’s a good question, because as always with cyber-security, there’s a high level of mistrust between vendors, government, researchers and everyday citizens, along with a lot of disagreement about what needs to be done.
Black Hat Reveals Expanding Threat Landscape, Code Analytics Potential
There’s also a genuine fear that the Internet has lost, or is quickly losing, its “dream of freedom” in the name of locking it down, said Jennifer Granick, Director of Civil Liberties at the Stanford Center for Internet and Society, in her keynote.
The cyber-industrial complex
What needs to happen is a re-examination of the security industry as a whole and the amount of investment businesses are prepared to make to get in front of security, not chasing it.
There are signs this is starting to happen, with a growing understanding of just what the industry is up against. Researchers are starting to follow the money to nation-states or other well-financed entities, and at Black Hat they discussed new advanced analytics and machine learning methods to trace code back to its sources and predict new iterations of exploits.
Cyber-attackers are no longer script kiddies, said Arun Lakhotia, of the Software Research Lab at the University of Louisiana at Lafayette, during a presentation. “They are following good coding practices,” he said.
Cyber-attackers are professionals, producing complex, production-ready code. Yet the volume of exploits points to the fact that coders are also using standard tools and methods, such as code reuse and automation.
“Signatures are dead,” as a reliable approach to anti-virus, said Matt Wolff, chief data scientist at Cylance. They “reinforce the need for smarter and more adaptive approaches to combating today’s highly variant malware,” he said.
Wolff and co-researcher Andrew Davis discussed how machine learning and pattern recognition can be used to classify code as either benign or malware, and can do so at a greater scale than human analysis, which will help vendors and security administrators keep up with the variants.
Who or what is behind the millions of malware events per year is still pretty hazy. Researchers can piece together puzzles to get educated guesses, but stopping and prosecuting attackers is another thing. “Commercially written, offensive software from companies like FinFisher and Hacking Team has been sold to repressive regimes under the guise of ‘governmental intrusion’ software,” wrote a team of researchers who presented a paper on nation-state malware.
The new analytics coupled with innovative threat detection and prevention technology from startups like Endgame, Prevoty and enSilo provide some hope. Enterprises have more and better tools to secure their data, and may yet be able to achieve a perpetual standoff with attackers. Anything more than that would exceed most reasonable expectations.
Scot Petersen is a technology analyst at Ziff Brothers Investments, a private investment firm. Prior to joining Ziff Brothers, Scot was the editorial director, Business Applications & Architecture, at TechTarget. Before that, he was the director, Editorial Operations, at Ziff Davis Enterprise. While at Ziff Davis Media, he was a writer and editor at eWEEK. No investment advice is offered in his blog. All duties are disclaimed. Scot works for a private investment firm, which may at any time invest in companies whose products are discussed in this blog, and no disclosure of securities transactions will be made.