While every year in recent memory is labelled, “Year of the hack,” 2016 is arguably becoming the “Year of Ransomware” – all anyone has to do is skim headlines, glance at the alarming infection rates and review the collective financial losses that are now in the hundreds of millions quarterly. Microsoft, the BBC, and hundreds, if not thousands more individuals and organisations have all been victims in the past 12 months. The situation is serious and almost every expert in the field expects things to get far worse.
No doubt using previously paid ransoms as research and development dollars, each new malware variant is more powerful than its predecessor, using increasingly clever techniques to fool traditional antivirus solutions or network-based sandboxes. Ransomware is a full-blown cyber-crime epidemic, with organisations desperate to deploy better protection and anxious to find something that works in the fight to reduce business disruption, data loss, and financial risk. This isn't just some alarmist rhetoric, this is happening every day now as we read the flood of reports coming in.
The unfortunate reality is that security vendors will undeservedly sing the praises of their products, which may have worked decently against the static threats of the past. Yet, if – and when – the product fails, you – the customer – are on your own. No guarantees. No warranties. No return policies. Sold like a ‘going out of business' sale. Customers have had enough of these hollow marketing claims and, as a result, the security industry is suffering from a credibility crisis. We all feel it. We have for a while now. We just didn't know what to do about it.
What can we do about it?
Security guarantees – or guaranteeing security – is almost a taboo subject in the security industry. It's our dark secret that even the vendors themselves don't know if their own products really work or not in the field – or how well. Go ahead, ask a vendor for their product's field performance data and see how they react. They won't want to talk about that. Mostly because they either don't have supporting data, or the data they do have is embarrassing. So instead they'll be quick to offer a ‘staged' product demo specifically designed to show well and gloss over any security gaps.
Security sceptics, apologists really, are quick to point out that nothing is 100 percent secure. To be fair, they're technically correct – everything can be hacked or bypassed – but they are also completely missing the point. When you buy a new flat screen TV, a new car, a new computer, or anything similar, none of the manufacturers will claim they won't break or break down. Yet, somehow they are able to guarantee or provide warrantees as standard industry practice. In fact, customers expect it. If they, and every other major industry in the modern world can do it, the security industry can, too. We just haven't tried yet and it's way past time that we did.
According to Wired, the global cyber-security market was valued at $3.5 billion in 2004; by 2015 it was $78 billion, with projections estimating it to be worth $120 billion by 2017. Yet, despite this, I recently conducted a Twitter survey asking whether respondents had discussed security guarantees with their vendors and found 21 percent had, and that another 21 percent were planning to. However, 33 percent of respondents were confused or found the idea completely novel, suggesting that more education of the benefits of security guarantees is needed. Altogether, the concept is catching on. Vendors are beginning to listen to customers who want financial assurance, customer who want their vendors to have skin in the game.
In other news, nearly a dozen security vendors have privately shared with me that they are actively working to create security guarantees of their own, and are partnering with cyber-insurers to safely cover the liability. This is a fantastic match. Differentiation for security vendors is key, and customer peace of mind is the name of the game. Whilst still in their infancy, security guarantees are gaining industry acceptance, and this industry is now on the edge of a major shift where security vendors could one day be culturally expected to back up their claims. Imagine that!
What about cyber-insurance?
Back to ransomware: Most IT professionals are already well aware that the traditional anti-malware products don't protect at all well against targeted modern threats. As a point of market reference, because the threats are this big, this real, the 328-year-old Lloyd's insurance market has found itself moving away from more traditional threats such as fires and terror attacks to focus on underwriting cyber-risks.
Ransomware is now a major factor in insurance policies and claims, with Graeme Newman at CFC Underwriting noting that it is a major factor in 90 percent of his clients' claims. Having worked through many ‘terms-of-use' tomes used by vendors to relinquish responsibility, Newman can understand why organisations would consider paying ransom demands. And when victims do pay, often because they've no choice if they want to get their business back up and running, it only strengthens and emboldens the bad guys.
How can we be protected?
Cyber-attacks are smarter and stealthier than ever before when it comes to evading detection – one recent example found malware which knew whether it was being opened on a test or virtual machine instead of a real machine and subsequently failed to execute, making it look like the machine was clean. Put simply, this is malware that includes anti-forensics capability. We've seen this before. We'll see it again.
Today's malware strains typically target the endpoint, with evidence showing that these continue to be one of the ‘weakest links' in security. Far too many companies are relying on out-dated technology to keep them safe – and they're not.
Cyber-security requires valuable resources and capital to purchase and deploy – shouldn't they alone be enough to protect against the threat of ransomware attacks without having to spend extra on insurance? I obviously think so. There is too much at stake and security vendors have gotten a pass for too long. It's time for security vendors to put their money where their mouth is. Do yourself and the entire industry a huge favour, start asking them to do so. Get them thinking.
Contributed by Jeremiah Grossman, chief of security strategy, SentinelOne