You Cannot Import Intelligence

I was reading a couple of articles over the weekend – one on customizable malware and one on the modernization of an exploit kit – and I realized a foundational truth.

Traditional security fails because its approach is fundamentally flawed.  In both cases, the articles discuss how hackers are making efforts to hide from external scanning efforts, external rulesets and so forth.

In other words, hackers are getting better at hiding from the person peering in from the outside.  This approach, to me, is akin to a doctor attempting to figure out how you feel without ever talking with you.  “Nope, please do not say anything OR do anything to feel better on your own…I got you”.

And we wonder why security is so ineffective.

Fortunately, people are starting to realize that the next generation of protection needs to actually include the patient.  I met some fascinating anti-ransomware folks a couple of weeks ago who focused on the device itself figuring out that its hard drive is being encrypted and shutting down that attack in its tracks.  Unlike prior efforts, there is no new encryption variant to keep up with, no malicious code to scan for and no bad email to filter out – the concept is brilliantly simple.  You, Mr. Smart Device, are not supposed to have an encrypted hard drive.  If ANYTHING starts to encrypt your hard drive in ANY manner, then stop that process in its tracks and report it.

Good luck overcoming that type of defense.  Smart devices make simple defenses possible, and simple solutions are almost always the most effective ones.
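As an added illustration of the host-side idea above (this is not the anti-ransomware vendor's code, and the thresholds, file contents and process ids are constructed for the example), here is a small monitor that flags a process whose recent file rewrites keep turning readable content into ciphertext-like, high-entropy bytes:

```python
import math
import random
from collections import Counter, deque

HIGH_ENTROPY = 7.2   # bits per byte; ciphertext and compressed data sit near 8.0
WINDOW = 5           # recent rewrites per process that are remembered
ALERT_AT = 4         # suspicious rewrites in that window that trigger an alert


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RewriteMonitor:
    """Per-process history of whether a file rewrite turned readable content
    into a high-entropy blob, the pattern a file-encrypting process leaves."""

    def __init__(self):
        self.history = {}  # pid -> deque of booleans, newest last

    def observe(self, pid: int, path: str, before: bytes, after: bytes):
        """Record one rewrite; return an alert string once the threshold is hit."""
        recent = self.history.setdefault(pid, deque(maxlen=WINDOW))
        recent.append(shannon_entropy(before) < HIGH_ENTROPY <= shannon_entropy(after))
        hits = sum(recent)
        if hits >= ALERT_AT:
            return f"ALERT pid={pid}: {hits}/{len(recent)} recent rewrites became high-entropy (last: {path})"
        return None


def simulate() -> list:
    """Constructed scenario: pid 100 is a text editor that appends to files,
    pid 200 replaces files with seeded pseudo-random bytes standing in for ciphertext."""
    monitor = RewriteMonitor()
    rng = random.Random(7)  # seeded so the run is reproducible
    alerts = []
    for i in range(6):
        plain = (f"quarterly report {i}\n" * 200).encode()
        # benign editor: content stays readable, it just grows
        alerts.append(monitor.observe(100, f"/docs/report{i}.txt", plain, plain + b"appendix\n"))
        # encryptor: readable file replaced by ciphertext-like bytes
        alerts.append(monitor.observe(200, f"/docs/report{i}.txt", plain, rng.randbytes(len(plain))))
    return alerts
```

The editor never trips the monitor, while the encrypting process is flagged on its fourth rewrite; the process could then be suspended and reported, as the approach above describes.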

Unfortunately, most of security is going in the other direction – cloud computing; increasingly complex efforts to find and quarantine malware; trying to import intelligence on top of devices while ignoring the devices themselves.

Have you ever wondered why this incredibly sophisticated security approach fails?

The answer is simple – hackers have figured out that devices are smart and have been using simple attacks for a LONG time.  If nobody is going to tell a device NOT to do something bad, then simply instructing the device to, say, jump off a cliff is simple, effective and unstoppable from the outside.  Device intelligence is a double-edged sword, and only solutions rooted in the device's own internal functionality will be able to compete.

Instead of a know-it-all doctor who never lets you get a word in edgewise, security needs to start talking with devices – “Hey, what are you up to these days?  How are things going?” – and then build defenses around those responses.

Simple, right?