The Okjökull glacier in Iceland was recently laid to rest in a funeral ceremony mourning its loss to climate change. As the last puddle from the ancient glacier disappeared this summer, it provided a dramatic demonstration that the earth’s climate really is changing as rapidly as the doomsayers report.
Mankind may yet avoid being starved/burned/drowned by the symptoms of climate change, but this isn’t the only threat to humanity: Superbugs – antibiotic-resistant microbes – pose an alternative global threat which might yet become our most deadly adversary. The number of deaths attributed directly to superbugs is not always accurately recorded, but respected estimates predict annual death tolls will rise from around 700,000 today, to more than ten million in 30 years’ time.
So, while antibiotics have proven to be a miracle cure for bacteria-based infections, their effectiveness is – just like an Icelandic glacier defrosting in the greenhouse of the earth’s CO2-enriched atmosphere – slowly, but surely, disappearing.
The race is on to develop new antibiotics, but in the meantime the strategy is to minimize usage and therefore prolong the useful life of current resources. Even so, despite their undisputed power, anyone who has ever suffered from common cold symptoms will know that antibiotics never did anything for viruses. Ironic, then, that anti-virus software, once the cybersecurity market’s hottest commodity, is also losing its potency.
The parallels between AV and antibiotics are relevant all the same. AV is still effective against millions of cyber-virus variants, but in the same way that mutated microbes become resistant to medication, malware that has been modified will successfully evade detection as if it were a new zero-day threat.
AV may have developed over time, and heuristic detection techniques have been engineered to detect and quarantine anything that looks, smells and behaves like malware, but the core function of detecting malware based on a blacklist remains.
However, the instant, global reach afforded to hackers by the internet means there exists a production line of polymorphic malware, all capable of evading AV detection. So-called ‘zero-day’ malware operates within the window between the moment malware is released into the wild by the hacker and the moment an updated detection signature from the AV vendor becomes available. During this time the AV is blind to the malware, allowing it to hide in plain sight.
Aside from behavioral-detection techniques, which are now common, other aligned technologies have been developed. Whitelisting, for example, applies a ‘shoot first, ask questions later’ policy: it takes a paranoid attitude and blocks anything not already authorized as OK. Malware is shut out, but innocent victims are caught in the crossfire too, such as patches that are simply too new for the whitelist to have kept up with.
A mix of AV blacklist overlaid with a whitelist starts to look like an effective strategy, getting the best from both worlds, but well-organized change control then becomes imperative: If you roll out updates before updating your whitelisting technology, get ready for a very busy helpdesk.
Herein lies the best answer for how we beat the hackers, and it isn’t just ‘build better AV software’. Those with the widest vista across the cyber security landscape, such as the SANS Institute and the Center for Internet Security, have long advocated a joined-up strategy for security, not simply a longer shopping list each year of new firewalls/sandboxes/SIEM systems, or any other gadgets.
While cybersecurity investment has increased year on year for as long as records have existed, this has still always been outstripped by the increases in breach incidents in an arms race that can’t ever be won.
Those operating the most secure IT environments do so by harnessing a meshed matrix of technologies, including old-fashioned AV, but operated under a discipline of closed-loop intelligent change control. If AV has been outthought by hackers moving faster than any blacklist can be updated, then we need to exert greater control over change. No change? No place for indicators of compromise to hide.
Equally, time spent properly planning changes within the IT estate provides greater scope for integrity-monitoring ‘checks and balances’: confirming that only the intended, approved changes have been implemented, while exposing unexpected, unplanned changes as potential security incidents.
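The closed-loop change control described above (and the ‘update the whitelist before you roll out’ discipline from the blacklist-plus-whitelist discussion) can be illustrated with a small integrity-monitoring reconciliation. This is an added example, not code from the original article or from any vendor’s product; the file contents, paths and approved change record are constructed sample data.

```python
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 of a file's content: the fingerprint an integrity monitor stores."""
    return hashlib.sha256(content).hexdigest()


def snapshot(filesystem: dict) -> dict:
    """Map each path to its content hash (filesystem is a constructed dict path -> bytes)."""
    return {path: digest(content) for path, content in filesystem.items()}


def reconcile(baseline: dict, current: dict, approved_changes: set) -> dict:
    """Closed-loop change control: every observed change (added, removed or modified
    file) is either expected, because it is in the approved change record, or an
    unplanned change to investigate. Approved changes that never happened are
    reported too, so the loop is closed in both directions."""
    observed = {p for p in baseline.keys() | current.keys()
                if baseline.get(p) != current.get(p)}
    return {
        "expected": sorted(observed & approved_changes),
        "unplanned": sorted(observed - approved_changes),   # potential security incident
        "not_applied": sorted(approved_changes - observed),  # approved but never rolled out
    }


# Constructed state before the change window.
BEFORE = {
    "/usr/sbin/sshd": b"sshd build 1",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/usr/bin/curl": b"curl build 1",
}
# Approved change record for this window: patch curl, nothing else.
APPROVED = {"/usr/bin/curl"}
# Constructed state after the window: curl was patched as planned, but sshd_config
# was also edited and an unknown binary appeared. Neither was in the change record.
AFTER = {
    "/usr/sbin/sshd": b"sshd build 1",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/usr/bin/curl": b"curl build 2",
    "/usr/local/bin/unknown-tool": b"constructed placeholder binary",
}


def report() -> dict:
    return reconcile(snapshot(BEFORE), snapshot(AFTER), APPROVED)


if __name__ == "__main__":
    for category, paths in report().items():
        print(f"{category}: {paths}")
```

Anything in the `unplanned` bucket is exactly the ‘unexpected, unplanned change’ the text says should be treated as a potential incident, while `not_applied` catches the patch that was approved but never made it out.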
We may yet be able to put the brakes on climate change and not just stop, but reverse the decline of Iceland’s glaciers. Similarly, by being more selective and sparing in our use of antibiotics, we can slow the evolution of superbugs.
By properly operating change control within a comprehensive cybersecurity control framework, we may still have a useful, albeit supporting, role for AV for years to come.