Security Startups Focusing On Threats, Not MalwareStopping malware is so yesterday. Eclectic groups of security people have banded together to make life difficult for attackers
Security consultant Dino Dai Zovi hacked Macs and co-authored a book on how to secure them. Tillmann Werner researched ways to detect the Conficker worm on infected networks and advocated an offensive approach to dealing with the threat. Shawn Henry chased cybercriminals during his 23-year career at the FBI. And Dan Guido teaches at NYU Poly and espouses a "Know Your Attacker" philosophy.
All four have left previous positions and joined startups that are creating services and products that focus on ways to make attacks more painful for the attackers. Rather than continue finding vulnerabilities or pointing out ways attackers can infiltrate networks, groups of well-known researchers are increasingly coming together to find better ways to identify and hinder attackers.
"I think that smart security folks intuitively understand what most large businesses have been learning the hard way -- that most of what the security industry works on has little impact on the ability for attackers to achieve their goals," Guido says.
As attackers become more skilled at quiet, targeted attacks, traditional defenses are failing to catch them. While some security companies, for example, can search their logs of blocked programs for evidence that their products stopped Flame, it took the antivirus industry at least four years to detect the attack.
The lack of success has frustrated a number of researchers, such as Guido. With Dai Zovi and former VMWare researcher Alexander Sotirov, the one-time security consultant and occasional professor created Trail of Bits, a company focused on analyzing attacks and finding the best ways to help its clients defend their networks and data.
[ The White House's first cybersecurity coordinator says it's time for the federal government to begin implementing its blueprints for secure identities and its international strategy for cybersecurity. See Former White House Cybersecurity Czar Calls For Security Action. ]
Similar reasons drove George Kurtz to start up CrowdStrike with Dmitri Alperovitch, former vice president of threat research at McAfee, and Gregg Marston, formerly of Foundstone, a company Kurtz co-founded in the late '90s. There is still a lot of work to be done, but CrowdStrike is developing the ability to help companies understand who is attacking them and why they are being targeted so that they can martial their defenses around those actual threats, Kurtz says. Companies are tired of trying to keep up with the large number of threats that may be targeting them.
"There is only so many fingers that they can put into the dike, and they want to know who is in their network and how to get them out of the network," Kurtz says. "They want to understand what they are ultimately after. By switching from a focus on ... malware to moving toward figuring out who is attacking and how they are doing it, you can basically put up better defenses."
As part of the company's team of researchers, CrowdStrike hired Werner Tillman, who created a way of identifying Conficker infected computers and then advocated more aggressive tactics in taking down the botnet.
Both companies are investing in creating intelligence on threats to better inform their clients' defenses. And both companies hope that doing so will help companies drop out of the rat race of trying to keep up with attackers' ability to change their code. The fact that the firms exist and have attracted a bevy of smart researchers is likely due to the high level of frustration among defenders aimed at the unending success of attackers. Such frustration led Shawn Henry -- recently the executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI -- to head up CrowdStrike's services branch.
"The problem with existing technologies and threat-mitigation tactics is they are too focused on adversary tools -- malware and exploits -- and not on who the adversary is and how they operate," Henry stated in written testimony (PDF) to the U.S. House Subcommittee on Homeland Security in April. "Ultimately, until we focus on the enemy and take the fight to them to raise their cost of attack, we will fail because they will always get thorough."
Companies have enough information to understand attackers and gain better information on the threats to their business, but lack the tools to turn that data into a strategy for stopping attackers, Guido says.
"In reality, data on attackers is widely available in published security industry reports, but many organizations have trouble interpreting this data and making it actionable," he says. "The difficulty in achieving this vision will be in making the knowledge and tools to perform this analysis widespread."
Trail of Bits intends to focus on measurable data on security and threats, allowing firms not only to to create better defenses, but also measure their success against the attackers.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.