A Shining Beacon of Hope – The Past, Present and Future of Cyber Security
Read our latest guest blog from Jon Hope (Senior Sales Engineer at Sophos) as he talks about the past, present and future of cyber security – as well as making a confession…
“Let us begin with an admission, I’m a self-declared geek. The thought of self-driving cars and technology that can think for itself genuinely excites me. It’s one of the reasons I began my career in cyber security, when the only constant is change and the coding of a single cyber criminal or security programming-whizz can change the landscape in an instant. I might not be smart enough to create this stuff myself, but that power, plus the rate of change, keeps me hooked.
It’s a fair assessment to say that the world of cyber security was a game of cat-and-mouse, the bad guys come up with some new clever attack, the security community respond, the criminals adapt and we begin again ad infinitum. At least that’s how the story used to go, but in more recent years, cyber security vendors have upped the ante and torn up the script by creating and producing next-generation products that have redefined the threat landscape. The old model, whereby a threat was defined by a cyber security vendors’ research lab, condensed into a signature and disseminated to customers’ device via an update simply doesn’t cut it in the modern world where 450,000 new malware strains are seen in an average day. The risk is simply too great that a ‘protected’ user might encounter a malware strain before the vendors’ lab see it, before a signature is created and delivered and thus not experience any real protection at all. This is where next-generation is different, the whole ethos of next-gen defence is that the endpoints and servers are empowered to work out for themselves what is likely to be malicious and respond accordingly without relying on pre-classification by a cyber security lab.
That’s the ‘why’ of next-generation protection, but how is this achieved? The answer isn’t a simple one, because not all next-gen products are born equally and industry buzz words are often thrown around with little qualification. Through my role at Sophos, I am, as you’d hope, familiar with the techniques employed in their products so I’ll attempt to summarise some of the powerful techniques created by our team of programming whizzes.
The first one we will talk about is artificial intelligence, or AI, and when it comes to industry buzz words, this one is probably the loudest. The concept is a simple one, that using the traits, attributes and characteristics of files and code that have previously been observed as malicious, an endpoint might be able to recognise some new attack because it looks, feels and behaves like other samples we know to be bad. The problem here is that we look at this through human eyes, where the rapid classification and grouping of objects by attribute is a skill learnt before a child flies the nest and enjoys their first day at school. Computers have an intrinsic nature of absolutes, ‘it is 0 or it is 1’, there is not normally any room for conjecture, ‘I know this sample is benign’ or ‘I know this sample to be malicious’ without any room for even an educated guess. This is the challenge of AI to force the black and white world of computing to see the grey, to make the guess, and it isn’t easy. I am, however, informed by our cracking team of programming genii that when it comes to AI, ours is the very best, but there is more to making an devices’ protection independent from labs than this.
Depending on who you ask, it is generally accepted that there are (as of Jan 2020) in excess of 1,084 million unique types of malware out there, which however you cut-and-slice it, is a big number. Most types of attack rely on some kind of exploit being available on the victim’s device, typically a missing security patch or some out-of-date software with a loophole just waiting to be abused by the cyber criminals. The interesting and value fact here is that even though there are so many types of malware, and indeed so many loopholes in software, there are only 28 underlying methods of what is technically referred to as ‘executing arbitrary code on a target device’. In other words, if I’m a would-be cyber criminal and I want to use a vulnerability exploit to carry out some nefarious deed, there are only 28 methods I can use. Now, I can’t speak for other products, but I do know that our next-generation endpoint and server protection includes a feature called ‘exploit prevention’ that looks out for and blocks all of these known techniques, meaning however the bad guys choose to package up their attack, even if it is new, the underlying approach should be blocked.
There are many more tricks to combating malware, but I want to round out this section by talking specifically about defence against an attack type that strikes fear into network admins like no other – and that is ransomware. If you aren’t familiar with what ransomware is, let me enlighten you. This is a particularly vicious form of attack where the cyber criminals will attempt to encrypt or scramble a victim’s data with a private key that only they possess. Our target is then unable to access this information and must either restore a backup, accept that it is lost, or pay the cyber criminals a ransom and hope provide the unique key to reverse the cryptography and unlock the data, hence the term ransomware. It’s obvious that this type of attack can devastate an organisation and that’s why we have taken the time to create an extra layer of defence against it, which we call ‘Cryptoguard’. This is a last line of defence designed to protect our customers’ data if every other line has failed. The exact mechanism is complex but essentially every time a process running on a protected machine tries to write to a file, Cryptoguard will first take a snapshot of the file. The process will then be allowed to write to the file and the result is compared to the original. What we are looking for is a big shift in the randomness of the file, otherwise referred to as its entropy. A big shift is a good indicator that the file may have been encrypted, and if this pattern repeats, the protection software will block the offending process and restore the files to their original state. Pretty neat stuff, huh? The best bit, however, is that Cryptoguard doesn’t care if the attack is a well known ransomware variant or if it’s a never-before-seen example, it works solely on the principal that unauthorised encryption is bad and restores accordingly.
The move to next-generation defence certainly marks a revolution in the way cyber security works, but what is the next giant leap forward? Over recent years we have witnessed significant vendor consolidation in the IT security arena and this presents some exciting possibilities. Vendors that were once pure-play firewall manufacturers have acquired endpoint technologies and less frequently endpoint security players have found themselves thrust into the firewall space. Even outside of these mergers and acquisitions, strategic alliances are not uncommon. Once in some form of union, products that once operated in total isolation can, with the right development, begin to share data and even respond together to incidents as they occur. Integrations like these were unheard of a few years ago, and the progress in terms of interoperability varies dramatically between suppliers, so I will, once again, focus on the capabilities you’ll find under the Sophos umbrella. It all began with the notion of Synchronised Security, the idea that endpoint and firewall could work cohesively as a cyber security system, rather than individual components in isolation. Makes sense and one sometimes wonders why that hasn’t always been the case, because coordinated cyber security is simply more efficient and better at protecting.
What can a cyber security system do for me?
The first, and arguably the most compelling example of the practical applications of a cyber security as a system is the concept of auto-isolation. To fully understand the benefits of this, it is important to understand the modus operandi of modern malware. Often a small payload is the precursor to a full-blown attack, this advance party, if you will, is there in a reconnaissance capacity to gather useful information about a potential victim. This data might include things like what type of device it is, what software is installed on the target and most usefully what vulnerabilities might be present that the attacker can exploit. This information is relayed back to a command and control server owned by the cyber criminals which then delivers an appropriately crafted attack to the victim, maximising the chances of success. The command and control server might also have a place in the attack chain of a ransomware attack too, by creating and delivering an encryption key that is unique to each target, to allow the cryptography process to occur and allow the reversal process, should the unfortunate recipient elect to pay the ransom. In some attacks the command and control server has a longer-term duty in providing instructions to the prey if they are subjected to a persistent attack, such as being corralled into a ‘zombie net’ of devices that are effectively owned by the perpetrator and can be bent to their will. The point I’m trying to make here is that many attacks rely on this external influence, and if that can be blocked, there is a good chance that the attack will fail, or at least will be less severe.
A key part of the concept of Synchronised Security from Sophos is the concept of the ‘security heartbeat’. This indicates the health status of a protected device and can be seen in real-time by the administrator and also communicated to other devices within the Sophos eco-sphere. This is incredibly useful in the context of blocking command and control information that the cyber criminals have come to rely on. Should a reconnaissance attack take place, the security heartbeat status of the affected endpoint will shift to red, indicating to the rest of the system that this device in particular has a potential issue and might be in a state of compromise. Should our hypothetical network be protected by a Sophos firewall, this has an immediate benefit beyond alerting the admin to a problem. In this scenario, the firewall will see that the endpoint now has a red status and might be at risk and can be configured to respond automatically to the security risk by revoking internet access to the device in question. This means that any external influence is immediately muted, including the cyber criminal’s command and control server, which cannot subsequently deliver any follow up attack. The obvious exception to the blocking of external sites is Sophos Central, which is used to automatically initiate a clean-up process and receives telemetry data that is invaluable in the post-breech analysis. This ability in itself is game-changing, but there is more to the power of a cyber security system that we haven’t yet discussed.
Many modern attacks have an in-built instruction to investigate the network a host is connected to and specifically seek out other potential targets. The one machine that is the initial patient zero can quickly become a beachhead to a wider invasion that can rapidly bring a network to its knees. You only have to look at examples like WannaCry and NotPetya as examples of how devastating this lateral movement can be, but it can also take a more subversive route whereby the attackers might hop from a vulnerable endpoint to seek out a more juicy target such as the server that holds all of the client data for example. In either case, having a cyber criminal roam at will across your IT estate is clearly not a desirable thing and that’s where the feature of lateral movement protection comes into its own. This leverages the heartbeat status of the endpoint and the power of Sophos Central to automatically harden the estate. Once a red heartbeat is detected, the machine in question is told to block all communication to other devices on the network, but given the fact that device might be compromised, this instruction may not be received or followed, so as an additional safeguard, Sophos Central will also tell all other devices in its care that belong to the same customer not to accept any communication from the potentially infected machine. The net result is that the ability for malware to spread around the network is revoked automatically and practically immediately. If you contrast these two abilities with the old world of disjointed products lacking coordination, where you are looking at potentially hours of finding a compromised device before even beginning to reconfigure the firewall to block access and locating the device to physically remove it from the network, the benefits of a cyber security system become immediately apparent.
We live in a world with innumerable applications, which themselves are constantly evolving thanks to the development of their respective developers. While this rich tapestry of apps allows for greatly enhanced productivity, it also presents a significant challenge when it comes to knowing exactly what is going across a network at any given moment. Indeed, visibility into network traffic is such a challenge that its estimated that as much as 43% of bandwidth consumption is unaccounted for, even in environments where a modern, next-generation firewall is employed. There’s no denying this is a serious concern, because how much of that unaccounted bandwidth is associated with employee’s time wasting activity, and perhaps more significantly, how much is linked to the nefarious activity of malware? Once again, cyber security as system is a shining beacon of hope, because when endpoint and firewall work together they can solve the visibility challenge. The feature I’m alluding to here has been christened ‘Synchronised Application Control’, and if you indulge me, I will share with you how this works.
Each time our Sophos firewall detects outbound traffic, it will attempt to match it to one of the known application signatures it has on record. We’ve already discussed how the world of applications is diverse and fluid, and there is a very real likelihood that no match will be found. At this point, less evolved firewalls are likely to kick up their heels in frustration at this moment and report the application as ‘unknown’ or ‘unclassified’ before moving on and leaving our hapless administrator in the dark. Not so, however, in the uniquely connected world of Sophos, because at this point, our firewall can call upon its relationship with the Sophos-protected source device. This machine will intrinsically know really useful information about the errant application that defies classification by the firewall, and through the mechanism of Synchronised Security, the endpoint can share data like the user, name of the process associated to the traffic and often the nature of the application itself with the firewall so that it can create its own signature for the newly discovered application. From then on, the firewall knows the app, so it can easily report on its usage and the admin can create rules to block or limit unwanted applications. It’s not all about blocking, of course, just image if the newly discovered application is, for example the company’s new CRM system, it would be easy to give this business-critical app a priority on bandwidth to ensure the best possible levels of service.
I declared right at the start that I’m a geek, and as such I’ve delved straight into the technical aspects of Synchronised Security without much consideration for the business benefits and that’s an oversight because there are plenty of them. We’ve looked at the productivity boost associated with enhanced visibility, but the real bonuses here are in the efficiency savings that a unified system can deliver. Through automation, there is a dramatically reduced reliance of human response to an incident, less need to monitor a network in real-time since we know that the cyber security system can react for itself within seconds and contain the threat, which itself means there is less clean-up to deal with. Of course, there are also inherent benefits in a single unified console, like Sophos Central, that manages the whole security estate, regardless of where the actual assets are located. One console is quicker to learn, easier to maintain and can provide incident reporting far more succinctly than a plethora of independent management platforms (especially when you bring EDR into the equation), giving the IT department time to refocus on other tasks.
So, there you have it, cyber security as a system is the future. Technology that works together provides unique technical benefits to keep your organisation safe and provide extra insights into usage, while simultaneously providing real business benefits and efficiency savings. When your firewall or endpoint comes up for renewal, hopefully you’ll recall this article and consider not just the point product you’re looking to replace, but also its place within your wider security defences.”