It's Too Late—Malware Has Already Won
Our society has never before had so much valuable data online, nor been so poorly protected. The barbarians are at the gate.
To change the odds, chief information security officers (CISOs) will need to do things differently, take a few risks and adopt new approaches to secure the enterprise. The current approach has failed, and "more of the same" will not suffice.
The CISO of a Fortune 50 company recently shared with me that their approach to solve the problem of advanced persistent threats was to "mandate two of every security product from different vendors," from firewalls to intrusion detection and prevention systems—and in doing so gain "defense in depth." Certainly the organization doubled its costs, but is it now measurably more secure? No.
"Defense in depth" is a term used too often in hope, when in fact we are facing a "phase shift" in the technology and approaches used by attackers. Imagine that you have a pot of water on the stove. It gets hotter and hotter, but it's still water. But there's a fascinating point where the addition of a single joule of energy transforms water to steam: a phase shift. If your approach involves finding ways to contain water (bigger/better pots, for example) a phase shift to steam is a very big deal. In fact, you're probably out of luck.
The water in our pot has turned to steam and is escaping:
(Read More: Back to the 12th Century Energy Future)
It is impossible to build a malware detector that can keep up with advanced polymorphic malware—either at the network perimeter, or at the endpoint. This is a simple restatement of the Halting Problem, proven in 1936 by Alan Turing (who is considered to be the father of the field of computer science)—there can be no general procedure to decide if a self-contained computer program will eventually halt.
Moreover, detection is vastly different from protection. Putting a lid on the pot will not contain the steam, and might well lead to an explosion. Many enterprise compromises that are discovered are found weeks or months after the attack—giving attackers plenty of time to further penetrate the infrastructure and steal data.
(Read More: End of Cable Bundle Inevitable)
We need a phase shift in our approach to the problem of endpoint security. Every device must be able to protect itself "in the wild"—away from the traditional enterprise network perimeter. Users are increasingly mobile, accessing applications from untrusted networks and over the Web, and will make mistakes and click on the wrong things. And a broader trend, toward consumerization of the endpoint, means that user-owned devices will increasingly be used for work.
The phase shift that is needed will deliver endpoints that are secure by design.This will result from hardware enforced isolation, rather than from software-based detection. Hardware-protected devices can use attestation to ensure that an endpoint initializes to a known-good state.
In addition, new approaches, such as Bromium micro-virtualization, allow hardware to protect applications, the operating system and data at runtime, to extract and analyze malware for incident response, and to make endpoints self-remediating.
(Read More: What Netflix and IBM Can Teach Us About Disruption)
The enterprise security landscape is changing profoundly. CISOs must take bold steps forward to adopt new practices to dramatically reduce enterprise insecurity: new OS versions, automated OS and application patching, encryption, and hardware-based protection are vital in a consumer oriented world where devices access cloud-based applications directly, and where the attacker has access to massive computing power.
—By Gaurav Banga, co-founder and CEO of Bromium.
Bromium, a CNBC Disruptor 50 company, has created an approach to enterprise security called micro-virtualization, a replacement for detection-based systems commonly used to protect against malware.