By focusing on detection-based security to defend against attacks, the cyber-security industry is constantly one step behind hackers, and the gap is only getting bigger. Verizon's 2016 DBIR found that 99 percent of malware hashes are seen for only 58 seconds or less, and most malware is only seen once – even with AI and automation, detection software simply can't keep up. In fact, with so many malware variants available at the fingertips of cyber-criminals, detecting every malicious program is not just impractical – it's mathematically impossible.
While the security industry is struggling to find a way to detect every possible threat, over 80 years ago Alan Turing's famous proof of the halting problem demonstrated this can't be done . In 1936, Turing showed that no standard algorithm can predict an outcome for every possibility without sinking into a logical paradox. In other words, there is no program that can predict a yes/no outcome (or even won't halt/will halt or safe/malicious) for every possibility, because the algorithm can easily be contradicted. Like casting out a net that tries to cover absolutely everything, it will get tangled in itself. On the other hand, if the net isn't cast widely enough, there will always be something that is missed.
Against all odds – detecting mutated malware
This problem, all too familiar to security pros, has been compounded by the rise of polymorphic malware. Polymorphic malware is designed to avoid signature-based detection software, as the code is automatically transformed each time it is delivered, so attacks can't be traced back to a single piece of malicious software. To put the problem this creates into perspective, researchers at Columbia have shown there are many more possible strains of polymorphic malware than there are atoms in the universe. No amount of computing power can search the possibilities.
This is not a fight that the industry can win. We have to accept that computers are more like us than we think, and cannot reliably distinguish the good from the bad. The industry needs to dig itself out of this reactive rut and look at how to build proactive defences, without relying on detection-based algorithms. To protect an organisation, security technology should be focused on what it can defend: the user's environment. From application sandboxes to whitelisting and behaviour analysis, the industry has the groundwork in place. But these solutions often come at a price – sacrifices to performance and user flexibility that affect productivity.
Virtualisation has been around for some time, but in an attempt to protect the user without compromising on performance, companies are starting to look at using virtualisation technology to secure their organisations. Microsoft, for example, recently announced that it plans to protect Edge browser users using its Hyper-V virtualisation technology.
A new approach – just let it run
Advances in modern CPU architectures have made it possible to create micro-VMs (virtual machines) that sit on the endpoint, and granularly isolate each user task in an individual, disposable virtual environment. These micro-VMs operate at the hardware level, meaning they can be created and destroyed in milliseconds for every task the user performs, while remaining completely transparent and leaving user experience unaffected. Because every new task is isolated in its own micro-VM with access to just the resources required for that task, when malware executes it cannot impact the underlying physical machine, or any of the other tasks in their own micro-VMs. The malware is unable to access other data, nor persist on the machine or access other systems on the enterprise network - it has nothing to steal and nowhere to go. This kind of micro-virtualisation could be the answer the industry is looking for, as users are protected by the CPU before malware is even detected. Such a system will protect users by design when they mistakenly open malicious attachments or URLs.
Running tasks in micro-VMs allows their behaviour to be monitored from outside the micro-VM, capturing a black-box flight recorder trace of their execution that can't be erased by any malware running inside. The trace can be monitored for deviations from expected execution behaviour, thus indicating the presence of malware, even polymorphic malware. Full forensic data can be collected before the micro-VM is destroyed. This keeps organisations one step ahead of the attackers, allowing a safe environment to collect intelligence on the latest hacking techniques and demonstrate that the business is being protected.
A different mindset
By proving that the halting problem was “undecidable” in computing terms, Turing demonstrated that an all-seeing algorithm that can predict anything cannot logically exist. The current approach to security is unworkable, and if organisations continue to rely on detection-based software, the hackers will continue to win. We don't need “next gen” detection software, we need to start again, and look at new technologies that won't just turn the tide against cyber-criminals, but will force hackers to meet on a battleground of our choosing.
Contributed by Ian Pratt, co-founder and president, Bromium
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.