Researching the Security Researchers

The innovative pushes in infosec typically come from the attackers, not the defenders
Research labs are the engine room of the industry, says Kaspersky’s Emm

The difference between tennis and ice skating is the opponent. In ice skating, the only limitation on your freedom to skim the ice is your ability. In tennis, there’s always an opponent trying to interfere with your efforts. Similarly, it’s the opponent who makes information security research different from most other types of research.

As Martin Lee, a senior software engineer for Symantec’s cloud services, who began his career as a biologist studying human viruses, says, “In the world of technology and viruses, you are up against random forces – forces of evolution making random changes. In the world of malware, you are also up against malicious opposition deliberately trying to get past your defenses. This is not something you have in immunology. It’s an interesting problem because the harder you work at stopping these malicious entities, the harder they work to work around your solutions.”

In other words, the innovative push within the infosecurity industry is coming, first and foremost, from the bad guys.

Engine Room

“Research labs are the engine room of the industry”, says David Emm, a security researcher at the UK office of the Russian anti-virus software vendor Kaspersky Lab. “Each generation of malware writers, whatever their motives, stands on the shoulders of previous ones. There are always people trying to push the envelope.”

Adding to the challenge, says Matt Blaze, a professor of computer and information science at the University of Pennsylvania, is a mismatch of size and resources.

“You have to recognize how small the defending industry is relative to both the bad guy industry and to the computer industry as a whole”, he says. Even at the largest computer companies, the number of people dedicated to security research is a tiny fraction; a big university effort is a few professors and their graduate students. Those small academic groups can have broader horizons, since they don’t have to focus on customers’ immediate problems, but their size limits them to smaller projects or collaborative work.

The challenge, when focusing on the anti-virus area alone, is staggering. James Lyne, a senior technologist at Sophos, estimates that the company sees 95,000 individual samples of malware daily, a number that has grown exponentially over the last year or two – and, he says, “Not just the quantity, but also the quality.”

That increase is the first of the three angles that he believes are pushing the security industry to innovate. The second is the increasing number of operating systems and devices in common use; the third is the expansion of the role of security within business, imposed by today’s compliance and regulatory requirements.

The biggest challenge, however, is this increasing sophistication over the last 12 to 18 months of what Lyne calls the “third wave” of malware. “The bad guys are selling each other services. They are organized, well-resourced, well-funded criminals involved with the production of malware”, Lyne explains.

Now, he says, a virus writer can upload the new virus they have written to a criminal gang’s cloud-based service, which will perform quality-assurance checks against anti-virus products. For an extra fee, the service will test the virus in the specific operating environment of the target company, and issue a report including the new malware’s ranking against its peers and tips on how to improve it. All of this, plus crime hacks, toolkits, and pre-packaged exploits, forms an organized malware underground – complete with updates and product support that in some cases is better than the legitimate software industry.

“There [are] a small number of very smart people producing excellent tools”, Lyne notes. “And as any economist would say, when you have that type of market you get research, innovation, and development – and they have more resources than most legitimate vendors or governments because they can steal it and they don’t have to pay. It’s a very different and very worthy adversary.”

Working Alone

The need to respond to this pressure to keep products evolving explains why all anti-virus vendors have in-house research labs of their own. Sophos’ team is set up to be online at all times, and rewards its engineers by granting them joint ownership when they file for patents.

Anti-virus companies don’t collaborate on research, but many of them share malware samples and data through an agreement set up many years ago to make it possible for all these companies to keep pace with new malware developments. Although university researchers don’t have the same direct access to customers and data, they, too, sometimes benefit from sharing information.

This isn’t always possible, says Martin Lee from Symantec, whose cloud-based email and web protection service processes up to 10 billion email and 15 billion web connections daily. His operation can’t share the data because it belongs to the company’s customers.

“This leads to some lack of optimization in the market”, he admits. “Many labs, like our own, are really working in isolation from the rest of the industry and from public sector research.”

Simon Shiu, a research manager in the systems security lab at HP, believes that industrial labs like his manage to straddle this particular line; his remit is to look three to 15 years into the future. “Being part of HP we see the customer base and get to work with a lot of large enterprises, so we see first-hand the kinds of challenges they have”, he says. At the same time, the diversity of the company’s interests gives it more domains of expertise than many vendor-specific labs and allows it to examine security in a different context.

“One difference in HP is that we’re such a broad company compared with Microsoft, for example”, Shiu says. “One way innovation starts to happen is that we have some insight into a kind of problem.” For example, the company has an interest in areas such as security governance and how people perform risk assessments. “It’s worth understanding the kinds of environments in which security problems emerge. To attack that you need a lot of theoretical people.”

HP does, of course, follow the academic research in the field – Shiu cites, for example, the pioneering work done by Cambridge University’s Ross Anderson on security economics – and also works with university researchers who have special areas of expertise not covered by his own staff.

Academic Input

One such example of this collaboration is Angela Sasse, head of the information security research group at University College London, who began her career as a human factors specialist and branched out into security, which is often undermined by a lack of attention to usability.

“Definitely some innovation comes from academia”, Sasse acknowledges. Within her group, she points for example to Nicolas Courtois’ work on cryptography and security mechanics; outside it, she notes that Cambridge has produced a number of research efforts that have turned into products. In addition, in her particular area – security and usability – a lot of innovation comes from companies such as Amazon and eBay, whose need to serve their large numbers of customers requires them to come up with solutions that are workable for the mass market.

Even so, the biggest problems have remained remarkably constant over the last decade or two. In 1995, Matt Blaze wrote an epilogue for the second edition of Bruce Schneier’s classic book, Applied Cryptography, outlining the ten biggest problems in securing computers, none of which could be solved by applying cryptography. His list included problems such as the poor quality of software, difficult interfaces, and ineffective protection against denial-of-service attacks. Fifteen years later, the list has hardly dated. Blaze seems unsurprised.

“To a large extent the big problems are the hard ones”, he says. “Fifteen years is an optimistic time scale to be able to solve the fundamental problems.”

Researchers in information security are no more ‘typical’ than researchers in any other area of computer science. Symantec’s Martin Lee, for example, has a background in the biological sciences; he came from studying human viruses to researching malware.

“If you see finding a needle in a haystack as an interesting challenge, in designing a magnetic system to identify ferrous contaminants within large samples of dried organic matter”, he says, “then you are probably the type of person who would enjoy working in an anti-virus lab.”

Sophos deliberately aims at a diversity of backgrounds. If, says Lyne, the company hired solely those with academic qualifications, “We’d be out of business right now.”

Instead, “We have virus analysts who have done all kinds of things before – we have a former chef, physicists, biologists… What’s proven to be most important is the aptitude to think of creative ways to deal with the bad guys, and passion, more than the training or knowledge. We can always teach people those.”

HP Labs’ in-house researchers are, says Shiu, a mix of electrical engineers, mathematicians, and computer scientists, most of them with PhDs. He relies on university researchers to fill gaps – economics, for example, or human factors.

“There’s a range of people who are capable of doing research”, he says, “and where the skill comes in is seeing opportunities for innovation because we’re so close to the customers.”

There is one thing Kaspersky’s David Emm insists on: “I won’t employ anybody who’s been involved in developing malware in the past.”

He adds that the skill-sets are completely different and that ethics are vital. “We all know that people do change their ways. The problem is, though, can you have certainty that somebody won’t fall back? In many walks of life it’s not that crucial, but with something like this it would be pretty catastrophic.”
