Antivirus and firewalls are so last decade.
The most common systems protecting the networks and data in today's firms are most likely based on technology that is more than a decade old. Attackers are getting around companies' data security measures, whether by exploiting trusted third-party systems—as with the breaches of the U.S. Office of Personnel Management and Target—or by fooling employees into executing code—a technique seen in many cyber-espionage attacks.
The fundamental problem is that much of the security technology aims to keep the attacker out, and when that fails, the defenses have failed, says Adam Ghetti, founder and chief technology officer of Ionic Security, a provider of encryption. "The last 20 years, vendors and enterprises have focused on infrastructure security models, but attackers are getting past all these infrastructure barriers or they are starting from the inside," he says. "Protecting infrastructure alone is not good for data security."
Over the past three decades, as companies have created new security technologies to help defend businesses and consumers, attackers have quickly adapted. While most technologies raise the bar that attackers have to vault to compromise a business network or a consumer system, security technology has largely failed to blunt their attacks.
In the face of a workforce largely uneducated about security and a shortfall in skilled security professionals, better technology isn't just a boon but a requirement. "We are definitely getting better, there is no doubt about it," says Kevin Bocek, vice president of threat intelligence and security strategy at security firm Venafi. "But there may be 100 bad guys to every security professional, and that means that it is a constant battle."
Luckily, new technologies are in the pipeline. Here are three possibilities that could prove important in securing the future.
1. Turning computer chips to DUST
For the last two years, researchers at PARC have worked on creating a computer chip that will self-destruct. While it sounds like something out of Mission: Impossible, the computer chip could become the basis for ensuring privacy and the security of sensitive data on any number of devices.
The chip is the result of an effort by the Pentagon's Defense Advanced Research Projects Agency (DARPA) to create a disappearing electronics platform that can be used on the battlefield and then destroyed remotely to prevent capture. The chip is part of PARC's Disintegration Upon Stress-Release Trigger (DUST) technology that fabricates electronics on a thin layer of silicon bonded to a specially tempered piece of glass. Because of a quick cooling process, the glass material contains a great deal of stress.
The chip functions normally until a small part is heated by triggering an electronic component remotely. The heat causes a chain reaction that results in the glass substrate cracking with dramatic force, says Greg Whiting, a senior scientist with the electronic materials and devices laboratory at PARC.
"You get a lot of balancing stresses in the [glass] substrate, which makes it strong," he says. "But as soon as you release it, it shatters."
DARPA is pursuing its Vanishing Programmable Resources (VAPR) initiative as a way to protect sensitive electronics and computer systems on the battlefield. However, PARC researchers see additional uses of the technology in consumer privacy applications and, potentially, as environmentally friendly sensor solutions.
"Imagine being able to cover a large area, like the ocean floor, with billions of tiny sensors to 'hear' what is happening within the earth's crust, and have them quickly disintegrate into, essentially, sand, leaving no trace and not harming the planet or sea life," Sean Garner, PARC researcher and principal investigator on the DUST project, said in a 2014 statement.
While it has built a simple prototype, PARC continues to investigate different materials. Currently, the researchers bond a thin layer of silicon on top of the tempered glass, but if the stresses required for destruction could be created inside the actual substrate—using materials such as gallium arsenide—then they could simplify the project.
"There is still a considerable amount of work to be done," Whiting says. "The examples we have done up to now are very simple."
2. Creating imaginary zoos to trap the bad guys
When attackers gain a beachhead on a victim's networks, they may have different goals, but their first step is almost always the same: Collect data on the network to find other computers that can be infiltrated.
Deceptive network technology aims to confuse their search for valuable data, while at the same time alerting the business to the fact that they have unwanted guests. Typically, the technology either seeds existing systems with booby-trapped files or creates extra network devices—faux systems and servers—that an attacker might try to hack. Not only does the deception waste the attackers' time, but any access to a fake system or file alerts the business that an attack is likely underway.
"So within two or three moves, the attackers will find this false information, and when they attempt to use it, we generate an alert," says David Hunt, vice president of marketing at one Israeli startup, illusive networks, which focuses on the technology.
illusive networks focuses on sprinkling a customer's network with a wide variety of virtual data, devices, and systems. A real user should never run into the misinformation seeded in the network, but an attacker using typical reconnaissance tools will find many systems that aren't real.
Another startup, Shadow Networks, uses software-defined networks and virtual systems to create its own computer ghost towns designed to trap attackers.
The concept isn't new, but it has been refined and made much easier to use. In many ways, the technology resembles a honeypot—a virtual machine camouflaged as a valuable system to entice attackers to attempt to compromise the machine, or a honeynet, a network of such virtual machines. Instead of spoofing single systems, deceptive networks interweave their sensors throughout a company's network to leave attackers guessing.
"Unlike a honeypot...we coat the entire network in a thin layer of honey," says illusive's Hunt. "The attackers, not realizing that they are being observed, are not cleaning up after themselves yet, and so the customer can gain intelligence that they would not otherwise have."
Computer scientist Fred Cohen, who described the foundational underpinnings of computer viruses in 1983, described deceptive networks in a paper published in 1999. The same year, the Honeynet Project formed to further the development of networks of fake systems designed to trap attackers and discover new attacks.
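The alerting idea described in this section, where any touch of a seeded decoy counts as a signal because no legitimate user should ever reach one, is sketched below as an added example; it is not code from illusive networks, Shadow Networks, or the original article. The decoy names, the log format, and the severity rule are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed decoy inventory: bait names no legitimate workflow should reference.
DECOYS = {
    "host": {"fin-db-07.corp.example", "bkp-nas-02.corp.example"},
    "user": {"svc_sqlbackup", "adm_jlee"},
    "path": {"/srv/finance/passwords_2015.xlsx"},
}

# Constructed log lines in an assumed "<ts> key=value ..." format.
SAMPLE_LOG = [
    "2015-09-01T10:05:40Z src=10.1.9.77 event=smb_connect user=kpatel host=fin-db-07.corp.example",
    "2015-09-01T10:06:02Z src=10.1.9.77 event=logon_failed user=svc_sqlbackup host=dc01.corp.example",
    "2015-09-01T10:09:15Z src=10.1.4.23 event=file_open user=mgarcia path=/srv/finance/budget.xlsx",
    '2015-09-01T10:11:48Z src=10.1.7.5 event=file_open user=tnguyen path="/srv/finance/Passwords_2015.xlsx"',
]

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one line into a dict of its key=value fields plus 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    fields["ts"] = ts
    return fields

def decoy_hits(lines):
    """Map each source address to the (ts, kind, decoy) touches it made."""
    hits = defaultdict(list)
    for ev in map(parse, lines):
        for kind, names in DECOYS.items():
            value = ev.get(kind, "").lower()  # decoy names are stored lowercase
            if value in names:
                hits[ev.get("src", "unknown")].append((ev["ts"], kind, value))
    return dict(hits)

def alerts(lines):
    """One alert per source; touching two or more decoys raises severity."""
    out = []
    for src, touched in sorted(decoy_hits(lines).items()):
        distinct = sorted({decoy for _, _, decoy in touched})
        out.append({
            "src": src,
            "severity": "high" if len(distinct) >= 2 else "medium",
            "first_seen": min(ts for ts, _, _ in touched),
            "decoys": distinct,
        })
    return out
```

Calling `alerts(SAMPLE_LOG)` yields one alert per source address; the source that only opened a real file produces none, which is the low-false-positive property the approach relies on.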
3. Encrypt everything, everywhere
The common wisdom in the security industry also seems part mea culpa: security systems fail, and so every company should assume that the attacker is already inside.
That thinking has shifted many companies from focusing on keeping the attacker out of their networks to focusing on protecting not the systems or the network, but the data. Yet, encryption—the most common way to protect data—is a hard infrastructure to manage. Businesses need to identify their most valuable data, encrypt it, and then manage the keys to protect access to the information.
Data-security firm Ionic, however, takes a different approach to the problem. The first step: encrypt all the data, everywhere. Once the data is encrypted, then the problem becomes an access-control issue, says CTO Ghetti.
"Encryption is easy to manage; what is hard to manage is decryption," he says. "But when you can use certain attributes to control decryption, then you can create a platform that is all about data-access control."
Ionic started four years ago, attempting to create a platform to retroactively add privacy to social media sites. Ghetti created a system that would encrypt all of a user's posts on, say, Facebook, and then let the user control who could access groups of posts.
Soon after, Ionic shifted its focus to helping businesses encrypt their data. By encrypting information at the lowest levels—reading and writing to files or the disk—and then distributing the keys and access controls, the company aims to make a reliable system for decrypting the information. Companies retain control of who can decrypt data, under what circumstances, and what they can do with it.
A thief could steal an iPad but not be able to access the data without the proper credentials, or the device could be limited to only accessing sensitive data when connected to the company's wireless network. An attacker could steal a database from a corporate network, but the company could set the data to only decrypt within the database environment and nowhere else.
"Our favorite demo is we literally hack a system, copy the data, and give it to the client to look at," Ghetti says. "But outside the environment, it is all encrypted. Even though it was stolen, from an authorized system, while the user has rights, they still cannot get access."