May 25, 2016
Darwinism in IT Security – Pt. 2: Inoculation from BS.
As promised, herewith, more on the connection between evolution theory and how protection against cyberthreats develops.
To date, what precisely brings about mutations of living organisms is unknown. Some of the more unconventional experts reckon it’s the work of viruses, which intentionally rearrange genes (yep, there’s who really rules the world!). But whatever the case may be, similar mutation processes also occur in IT Security – sometimes with the help of viruses too.
In line with the best traditions of the principle of the struggle for existence, security technologies evolve over time: new categories of products appear, others become extinct, while some products merge with others. Regarding the latter for example, integrity checkers were a major breakthrough in the mid-90s, but nowadays they’re a minor part of endpoint solutions. New market segments and niches appear (for example, Anti-APT) to complement the existing arsenals of protective technologies – this being a normal process of positive symbiosis for good. But all the while nasty parasites crawl out of the woodwork to warm themselves in the sun. C’est la vie – as it’s always been, and there’s nothing you can do about it.
In the struggle for market share in IT Security there regularly appear prophets prophesizing a sudden end to ‘traditional’ technologies and – by happy chance – simultaneous (‘just in time!’) invention of a bullshit product revolutionary panacea (with generous discounts for the first five customers).
But this isn’t something new: any of you remember anti-spyware? In the early 2000s a huge bubble of products to get rid of spyware grew up from nothing. Much BS was fired the consumer’s way about the inability of ‘traditional antivirus’ to cope with this particular problem, but right from the beginning it was all just made up.
But the market has grown used to and tired of such prophets, and these days monetizing ‘panaceas’ requires a lot more investment and snake oil marketing efforts.
David – and Goebbels & Don Draper – Against Goliath.
In keeping with the best traditions of state or private-sector (Madison Avenue) propaganda, what BS products do is take aim at certain fundamental vulnerabilities of human psychology that originally hail from childhood; in particular, belief in miracles and conspiracy theories.
The next-gen-product script goes something like this: a set of greedy degenerate old-timers – the bad guys – has a monopoly stranglehold on a fairytale community. The bad guys keep feeding the community nonsense ideas and suppressing progressive thought. Along come some ‘innovators’ – the good guys – to save the day. Naturally the sympathy of the viewers is firmly on the side of the ‘innovators’, while the bad guys instill nothing but ever-increasing antipathy. The film finishes with a victory for the good guys and a bright future.
Ok, let’s lower the emotion and take a closer look at the stage set…
Under the Hood.
Manufacturers of BS security products have for the last decade or so had a real bee in their bonnet about a thing they call artificial intelligence (‘AI’).
AI is hailed as some kind of miracle-technology, which all by itself – without user input – saves whoever is using it immediately, from everything, forever! Hmmm. Sounds fantastic. And after watching an ad for this wonder-tech you ‘realize’ this is the new way, this is the future: magic ridding us of malware, spam, targeted attacks and other cyber-unpleasantnesses!
Oh, how we like to have the wool pulled over our eyes. Oh, how we like to believe we’ll be saved by some higher good – just because that fantasy is a reassuring one, not because it’s credible. So we want to find out more. So we dig deeper. We dig deeper than the advertising material… but we find there’s nothing there to dig deeper into. Any question going deeper than general fluff is readdressed to /dev/null a technical guru, and after that – it’s Depeche Mode time. Forever.
Under the Microscope.
All righty. Let’s have a closer look…
So, all BS products pooh-pooh ‘traditional approaches’, while singing the praises of non-traditional ones – like artificial intelligence. A bit like Skynet, right?
Lies, damn lies, and automated statistics?
— El-Amayo Jong-Il (@suburbsec) May 19, 2016
No, not Skynet; even better. What BS products do is “use unique methods of machine learning”, “have no need for updates”, “use up little memory”, “work unnoticeably in the background”, “work more effectively than traditional products”, “report less false positives“, and “intercept highly sophisticated espionage attacks while others don’t”. One minor omission: they never say how. Nor do they ever prove any of their claims with third-party independent tests.
When asked how, they claim that the precise methods can’t be indulged; if they were they’d just be used by the bad guys to be gotten round – or by competitors to copy. In the place of even just a hint as to their wizardry, any customer or investor or journalist simply gets spun a meaningless boilerplate yarn.
Sexing up such a yarn with glossy promo booklets, a good-looking site and even a fancy press conference won’t help much. In order to sell product or attract investors you need something more convincing – preferably from a third party, preferably a very reputable one.
For BS-product manufacturers, that’s a real blow. Their response? They simply don’t take part in independent tests, or if they do – in keeping with the best traditions of test marketing – only in carefully selected ones and later misinterpreting the results. In independent testing’s place they provide their own ‘evidence’ of effectiveness – either based on obscure or even blatantly false methodologies.
9 ways to pull wool over your eyes and manipulate antivirus comparative tests results http://t.co/CGh2pwy3
— Eugene Kaspersky (@e_kaspersky) January 24, 2013
AI Novelty Tradition.
At the heart of marketing rhetoric of BS products is a rejection of all ‘traditional’ approaches in favor of new, progressive ones. “Yesterday’s heroes are selling yesterday’s tech and are incapable of inventing anything new, hi-tech and useful”.
Ok. Let’s test that. Let’s take the example of machine learning. Is it just the new wave of BS product manufacturers that (claim to) use it?
Actually, machine learning has been used copiously in IT security systems since… the early 2000s.
For example, 99.9% of new malware we detect is actually detected by machine-learning robots – the precursors of AI; only a tiny percentage – the most complex maliciousness – requires an expert’s input. In fact, every proactive protection technology needs machine learning, without exception. Machine learning, for example, allows us to: (i) monitor activity with System Watcher, which tracks system changes and rolls back any malicious actions it finds; (ii) provide automatic protection from exploits that use as-yet unknown vulnerabilities; (iii) apply heuristics in different modules to catch malware based on indirect clues; (iv) perform emulation, which runs suspicious files in an isolated ‘sandbox’ environment; and (v) apply our Targeted Attack Analyzer on sophisticated targeted attacks. And we’ve dozens of examples of all that in action to back up our words.
The DNA of Security.
Continual development of protective technologies is the most important part of the DNA of the IT Security industry. Growing defensive potential, changing generations of security technologies, introducing new features… it’s the only way to survive in the fight with cybercrime. It’s also the main motivation to successfully compete. New technologies increase the effectiveness of protection, lower resource consumption, and make products simpler and more convenient to use. Who catches the worm market share? Always the early bird traditionally innovative.
And when we’re talking continual development of protective technologies, what that overwhelmingly means is continual development of smart technologies, aka machine learning. And it can’t be any other way: to manually process several hundred thousand new samples of malicious code a day is simply impossible. And also, like, why would you want to try? Use the brain to come up with an intelligent system and then let that system do the work reliably and automatically. Simple. It’s called technological progress. Hardly anything new.
"The depth-limited tree search with arbitrary scoring heuristics will replace your job." Sounds like it was a crappy job?
— Jim Gray (@grayj_) May 19, 2016
It’s important to understand that machine learning is a necessary component of IT Security, but all the same an insufficient one on its own. IT Security demands multilayer protection – of all types of devices, against all types of threats, at all infrastructural levels – which is able to rapidly react to new challenges and adapt to real-world business IT security needs. Of course, that isn’t the final and exhaustive answer to the question ‘how to protect everything now and forever?’, as sooner or later the cyber-swine will find a way to overcome even the adaptive model; but don’t worry, we’ll have thought of something else to cause them grief, distress and expense by then.
I think the passion for artificial intelligence will continue for a long time. And that’s good: the more companies willing to fight for survival trying to find a breakthrough, the stronger smarter will be the winner.
On the one hand, vendors will continue to strengthen technological capacity for automatic processing of malware and proactive protection based on machine learning. On the other, the market will have to continue to tolerate new prophets promising cure-alls, as there’s just something about the words ‘artificial intelligence’ that lends to gullibility and fantasy. Must be magic ).
Amusingly I called AI “self-modifying shellscripts” in college, and backed it up with awk, sed, and $0.
— ' or 1=1; drop table tweets;– K. Reid Wightman (@ReverseICS) May 19, 2016
Alas, there’s no universal vaccination against BS products. At the same time, I don’t rule out the emergence of a genuine super-technology capable of turning the IT security market upside down, which I of course would applaud. Thus, there’s always the possibility of throwing the baby out with the water when it comes to AI: tarring it all with the same brush. So I’ll use yet another metaphor: I hope you, dear readers, will be able to separate the wheat from the chaff when it comes to AI (ok, just one more…) and continue to take most AI-talk with the large pinch of salt it rightly requires.
Eternal Horizons of Natural Selection.
Human curiosity and craving for knowledge make us forever want to peak over the horizon – just to see what’s there, and understand it. We give so much time and resources to exploring and comprehending and conquering over-the-horizon-ness – more and more, further and further, horizon after horizon.
It seems that this equation has no solution: from the rational standpoint trying to perceive infinity with finite resources looks not only futile but also silly. All the same, we Homo Sapiens continue to dig away, believing the universe is a matryoshka doll, which simply needs dismantling to be seen in full.
One’s attitude to the future is a philosophical question and purely personal. My personal view is that we should dig and dig and dig, no matter what. Rationalization of chaos and increasing awareness are among the highest goals of mankind. And experience has shown me that it’s also fun and useful for the soul, body and society. But it’s also important for IT Security: new generations of cyberattacks appear every week, so we’ve got to think up new ways of making the lives of the folks behind them more difficult.
Like in the computer underground, in the IT Security industry natural selection is mean and tough. The ubiquity and unpredictability of cyberattacks (both of which will only keep increasing) require new ways of thinking, and like any way out of the comfort zone it is unpleasant and costly, though inevitably and invariably the only way to avoid extinction.
.@e_kaspersky administers a shot in the arm against #ai_oil – the latest strain of snake oil in IT securityTweet