Loki on Disney+ is a fun new show that pulls back the curtain on the new multiverse aspect of the Marvel Cinematic Universe (MCU), with infinite timelines where almost anything that could happen has happened somewhere. It gives fans the "What if?" of many comic book conversations over the years: What if this character got away with the infinity stones? What if that event never happened, or the bad guys won? You get the picture.
All this timeline chaos apparently doesn't sit well with the newly introduced Time Variance Authority (TVA), which is empowered to remove all the characters behaving differently than the desired, sacred timeline. Let's call this timeline the baseline of outcomes that are supposed to happen in the eyes of the TVA. Anyone not falling in line with that is considered a "variant" that shall be removed, or "pruned" from the timeline.
We learn early that the Loki we have seen since the first Thor movie is just one of countless possible versions of him out there. Due to the events in Avengers: Endgame, he finds himself taking a path divergent from what we were originally shown. This deviation leads to him being branded a variant and captured by the TVA.
Given that he is Loki, god of mischief, he is able to talk his way out of being pruned in exchange for joining the team to help find other undesirable variants across infinite timelines. He dons a slick new variant jacket in the process, which I'm ready to predict will be sweeping the nation come Halloween.
What does this have to do with cybersecurity? Well, Loki might just be the perfect example of a zero-day attack or attacks with no signature.
The TVA is tasked with monitoring the sacred timeline and is alerted when branches start to crop up due to variant behavior. They only have a few minutes to break out their TemPad to open a Timedoor and swoop in to save the day before permanent damage is done.
A more perfect analogy of the overworked security operations center team might not exist.
Just like the SOC analyst, the TVA has to find these threats and remove them as quickly as possible. Let's say you are tasked with being this TVA agent and are told you need to search all the timelines (an almost infinite number of them) and find all the Loki variants to have them removed.
Being a good analyst, you decide you are going to write a query or set of rules to find them. You start out with a general description of the Loki we have seen for years. Tall guy, long hair, looks like the actor Tom Hiddleston. You then run that query and get a number of hits.
But wait a minute. There are younger, older, and other Lokis that don't look like Tom Hiddleston at all. No problem, you say, I can just add all those criteria to my search and be done.
Hold on. There is at least one timeline where Loki was born a girl and goes by the name Sylvie. Did your query catch that?
Shoot, you say. I may have to rewrite these rules. Maybe I'll write it as a person that was adopted by Odin and has a certain signature (misbehaves, god complex, fun at parties). That seems better and maybe now I have caught all of them.
Bad news. Did you know that you completely missed Alligator Loki, who didn't match any of your rules or signatures on account that he is … an alligator?
You can now get a sense of why SOC analysts fail with writing rules to find threats. It is called the "infinite regress" problem, or the never-ending "What ifs" that can come up. The bad actors will continue to find variants that will not match any existing rules or come close to matching any signature feeds in order to wreak chaos on your network.
That is why the next generation of cybersecurity platforms cannot rely on rules or signature feeds to detect threats and variants. These platforms must understand what is normal, or sacred, for your environment and only elevate the anomalous events that require threat assessment. That is the only way to make sure you don't miss attacks, including attacks using zero-day exploits and having no signature.
Remember, you will always later see a threat like Alligator Loki.