Irresistible forces must be met with immovable objects

October 17, 2018 | 5 minute read

Today, Cybereason is proud to announce a strategic partnership with Arm that makes our company the first to market with IoT security and services. The partnership has been announced at the Arm TechCon conference. What an exciting time to be in the cybersecurity market!

The problem with securing hundreds of billions of connected devices, is that we must secure hundreds of billions of connected devices. That may seem obvious and slightly nonsensical, but it is the vast attack surface and the potential complexity of the Internet of things (IoT) device security challenge that has us all concerned. Yet, and at odds with that potentially complex challenge, is the reality that we must make IoT security simple.

Nowadays, we see how cybercriminals can build vast armies of attack bots and launch global security offensives that can wreak major damage before alarms are triggered. The Mirai botnet in 2016 was the most infamous as routers and IP cameras were taken hostage and used to launch a DDoS attack, knocking out Internet services for millions of people.

Many more IoT botnets have cropped up since Mirai including the Satori IoT malware that in December 2017 amassed a botnet of more than 100,000 routers. And, in July 2018, an attacker exploited a vulnerability in other mainstream routers to build an 18,000-device botnet in a single day. In other cases, attackers strengthened existing botnets by conscripting IoT devices. The capacity of the LizardStresser botnet increased significantly after its creators hijacked 1,300 Internet-enabled cameras and added them to their network of infected machines.

So, to meet the potentially irresistible attack force coming from cybercriminals we must create security as an immovable object in our device defense. How do we do that?

New questions require new answers

This year the U.K. announced a new elite cyberdefense reserve team it will fill with gamers and coders, alongside experts from permanent national security and armed forces. And the U.S. Attorney General announced in February that a new cybersecurity task force was being created to counter malicious actors. This level of thinking and investment by nation states will help counter threats, but the real trick will be in ensuring that device networks change so they become inherently more resistant to attack.

Organizations have tended to focus on product features and getting a device to market as quickly as possible. Security, if it’s even considered, is usually tacked on at the end of the development process. Making a product more secure can mean either reducing or eliminating features and delaying releases -- outcomes that can adversely affect sales. But this situation doesn’t lead to any winners. Buyers are stuck with IoT devices containing security flaws so glaring that using the product threatens either personal or organizational security. And the companies that created and sold the devices are left with tarnished images. This may lead potential customers to make purchases from manufacturers with a more security-focused mindset.

Creating more secure IoT devices means including security from the start. Security teams should question if a device needs Internet connectivity and design tighter mechanisms for strong authentication and minimal attack surface. The most responsible companies adhere to a philosophy of incorporating security from the earliest stages of the design and manufacturing process; from the processor running the device to the OS it uses and how it connects to the Internet. This is best practice today but for tomorrow we need to go beyond that.

IoT devices are endpoints. Attackers can use them to perform a range of activities such as maintaining persistence and moving laterally across a network. As endpoints, they are constant attack targets so devices must have deeper layers of resilience and utilize more intuitive security technologies.

Analyzing attack behavior to define defense strategy

Using technology such as behavioral analytics offers a more in-depth perspective on how cybercriminals conduct their campaigns. Attacker behavior is much more difficult to change compared to traditional indicators of compromise, like malware signatures and IP addresses. Finding one component of an attack via behavioral signals provides defenders with the opportunity to see the entire operation.

But, given the volume of data IoT devices produce, even the most skilled human security analysts can’t quickly and efficiently query that information and find meaningful results. So, this is where artificial intelligence is critical to automatically correlate and analyze data at a rate of millions of events per second. Instead of manually querying data, analysts can spend more time acting on the insights produced by artificial intelligence (AI).

Using AI to counter cyberthreats

By 2035, we expect there will be 1 trillion connected devices. Those devices will form a hybrid data network, enabled by a vast array of devices – from those sitting in fields and sending tiny packets of information to those in cars, on production lines and nuclear power plants. The variety of devices that will be communicating is such that it is hard to deliver the same level of security in all.

The advent of AI provides us with the ability to take that umbrella view of device networks as each device produces metadata that can be harvested and used as a warning of a failure or attack. These secure state insights are used by my company’s AI-powered threat hunting engine. Our technology uses an in-memory graph to connect seemingly unrelated incidents and reveal things like malicious PowerShell use or DLL hijacking. Relational databases, which is the technology powering many other AI security products, can’t provide this level of insight without having highly experienced security analysts running multiple queries and knowing precisely what to ask. With this talent in short supply and the IoT devices playing greater roles in our lives, AI can supplement security analysts and be used to detect malicious use of IoT devices before they’re used to cause serious harm. Threat hunting powered by AI is key. Defenders need to take a proactive approach to security. Instead of waiting for security tools to generate alerts (which is how security is traditionally practiced), threat hunting looks for attackers who are already in an environment.

Cybereason's strategic partnership with Arm, announced today at the Arm TechCon conference, makes us the first to market with IoT security and services. Now that Cybereason is working with Arm and its Pelion Platform (here's what the Wall Street Journal and Xconomy had to say about the partnership), we will also soon have an ability to take an overview of any device in a connected network that is running the Arm Mbed OS. This will enable remediation action to be taken if a threat is detected anywhere in a network. Detecting threats anywhere in a network is key as hybrid networks made up of IoT devices and non IoT devices became more common. Attackers will use connected devices as avenues of attack to move to computers and servers. Being able to detect this movement across devices is key and nearly impossible without using AI to make sense of the all the data that devices communicate.

What we are now working on is a vision of how future IoT security must work. This is new for our industry as it takes security far beyond firewalls and enterprise level protection down to personalization of security to any and every device. It is a way of moving beyond default password security mistakes that have already exposed millions of devices into a world where hard walls are replaced by immune system-like 24/7 protection.

As I look ahead to 2019 and beyond, I am increasingly confident that the technology sector is positioning itself to meet the irresistible force cybercriminals would like to present. At the same time, I am aware that while cybercriminals can succeed even if they act independently of each other, our industry will only win if we act together.

As technology designers, we must ensure we take ownership of the complexity inherent in building resilient security systems so that it’s easy for product makers to do the right thing. Product makers need to build in security best practices from the beginning of the design process. Only if we are proactive and collaborative can we create an immovable force to protect this ever-expanding attack surface.

Yossi Naar is Cybereason's Chief Visionary Officer and Co-Founder.

Yossi Naar
About the Author

Yossi Naar

Yossi Naar, Chief Visionary Officer and Co-Founder, is an accomplished software developer and architect. During his 20 years of industry experience, Yossi has designed and built many products, from cutting-edge security platforms for the defense industry to big data platforms for the AdTech / digital marketing industry as well as the Cybereason in-memory graph engine.

All Posts by Yossi Naar