Rapid detection and response to replace emphasis on perimeter

News by Tony Morbin

“You won't become a great defender without attack capability. As a goalkeeper you need to play against the best to improve.” Red teaming simulations part of AI tool learning process to identify truly malicious events.

To the sound of a ‘hacker rapper’ declaring that his “zeros and ones - my digital guns” were being used to attack “your ports and your thoughts”, F-Secure launched its new Rapid Detection and Response offering in London this week.

The company sought to demonstrate to journalists how insecure we all really are, and one novel approach was to show how, with a few minutes training and some simple tools, they could be taught to pick a lock (with the incentive of prizes for opening padlocked boxes).

And like a bunch of script kiddies who had got their hands on a professional pentest tool, the journalists soon emptied the boxes - much to their own surprise. To further educate their audience, delegates were given a primer on exactly how machine learning works, so as to better understand F-Secure's use of the technology: with more usage, the system continually refines its understanding of the new normal and adjusts its weighting of different variables, and with simulated attacks it can build up an expert system.


F-Secure says its Rapid Detection & Response model combines lightweight endpoint sensors with advanced data analysis capabilities, powered by artificial intelligence created, operated, and continuously refined by F-Secure, to monitor endpoints for malicious activity. When it detects an advanced threat, it provides IT teams or their managed service partners with guidance on how to respond. It can also be configured to automatically implement measures to contain the attack.

CTO Mika Stahlberg also explained that we are undergoing a paradigm shift in the volume of data to be handled: one client of some 1300 seats was described as handling 70 million events per day, among which a million malware samples were found each day, and AI (used interchangeably with machine learning in this context) was seen as the only feasible way to extract what mattered. Another 1,000-node client handling two billion events per month saw initial filtering bring this down to 900,000 events of interest; deployment of F-Secure's machine learning and Broad Context Detection brought the number down to 25 for analysis, among which 15 real threats were discovered.

A point of the demonstrations and examples was to emphasise the move from endpoint protection to rapid detection and response, with F-Secure also establishing its own 24/7 Rapid Detection and Response Centre (RDRC) to provide companies with the kind of expertise that only the largest organisations could provide in-house.

Part of the offering also included Red Teaming, with CEO Samu Konttinen commenting, “You won't become a great defender without attack capability. As a goalkeeper you need to play against the best to improve.”

CEO Samu Konttinen

Among the company's ‘attackers’ and researchers, SC Media UK spoke with Tomi Tuominen, F-Secure's practice leader for technical security consultancy, who was one of the two researchers behind the company's investigation into creating a hack for virtually all hotel key cards globally.

Tuominen explained the background to the investigation. The work began following an incident in 2003 when a colleague had their laptop stolen from a hotel while attending the PH Neutral hacker event in Berlin. The person in question was a world-class security researcher who had been working on highly confidential research of a kind that nation-state actors would be interested in. There was no forced entry and no logs of access by staff. The room was protected by the market-leading system (Vision) used by most major hotel chains, which was mag-stripe at that time and later switched to RFID. Following the hack of the system, F-Secure did not go public until the vendor had come up with a fix, and the full details of the methods used have not been released to avoid such hacking tools falling into the wrong hands, but in brief, it was achieved by exploiting a combination of a logical vulnerability with a cryptographic attack.

