Sam Curry, CSO at Cybereason, deciphers what marketing hyperbole actually means when it comes to cybersecurity.
Star Trek: The Next Generation (TNG) was a great television show following an 18-year hiatus in the Star Trek franchise. In this case, TNG was literally the next generation in their timeline and in our own chronology; so it has in my book earned the right to call itself that or, for that matter, to call itself “Star Trek 2.0.” Almost every other use of next generation, however, is exactly that: an abuse.
Can we all just agree that labels like next generation, TNG, NG and 2.0 are not only annoying but are generally meaningless hyperbole spouted by marketing types? Today, websites are clogged with a pablum of overused phrases stirred to the point of meaninglessness like mysterious ingredients in a dubious and flavorless security chowder. Security talking heads spout NG even more than they do the terms compliance and correlation, machine learning and artificial intelligence.
This is especially offensive in our industry because people are suffering from attacks. While it’s getting easier and easier to attack, and the asymmetry of cyber conflict favours the attacker so heavily, business and security people seek controls and means to truly close vulnerabilities and gaps. We crave the substance of security and specificity and to be engaged. Instead the industry takes the easy, flashy way of saying ‘Next Generation’ before words like Antivirus, Firewall and SIEM. The most egregious right now is definitely Next Generation Antivirus aka NGAV.
In an attempt to stand out in an overcrowded and overhyped market, Antivirus vendors are claiming they and only they have the secret sauce for how to do NGAV correctly. Let me tell you they don’t.
All that should matter is results. Can you stop the attacks that are so-called ‘Known’ attacks that we’ve seen for decades without draining CPU, disrupting users, missing threats or breaking anything? Good. You’re welcome to the security show.
Now, do you also have a means with reasonably high fidelity to identify the never-before-seen or so-called ‘Unknown’ attacks in a way that is verifiable, low on false positives and likewise not just “turning the dial to 11” (to paraphrase the brilliant Spinal Tap)? Did you happen to build your product, like the car companies with their “Defeat Devices” to pass emissions tests, in ways that game the testing scenarios but are impractical or not as usable in the real world? If you can even make a dent in the Unknowns in a responsible way, you’re also welcome to the security show.
Now here’s a practical set of guidelines for the rest of us, featuring the good and the bad, to help us peer through the NG language, some of which may just be marketing people using the wrong terms for good technology:
- Prevent outright the Known attacks (for those of you looking to score products in a lab, look for high true positive, low false negative and no false positives)
- Prevent whole categories of attacks that should be simple such as ransomware
- Prevent a large number of Unknown attacks (with low false positive rates)
- Provide options for the new non-malware avenues such as fileless malware (e.g. PowerShell, WMI and scripting exploits)
- Provide or integrate with everything else that you need to have a real solution:
  - A post-execution detection mechanism, because the adversaries will go around and over and through all prevention technology eventually
  - Incident Response, Orchestration, Automation and Remediation solutions
  - Forensics and investigative tools
  - Workflow, ticketing and risk management tools and systems
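For those scoring products in a lab, the first three guidelines come down to a handful of rates: how many Known attacks were prevented, how many Unknowns were prevented, and how many legitimate programs were wrongly blocked. The example below is added here to show how those rates are computed from a set of lab verdicts and why "turning the dial to 11" does not pass the bar; it is not code from the original article or from any vendor, the sample results and the numeric thresholds in `meets_bar` are constructed assumptions for illustration, and the kind/verdict labels are this example's own.

```python
from collections import Counter

# Constructed lab results (not real vendor data): each entry is
# (kind, verdict). kind is "known" (an attack seen for years),
# "unknown" (a never-before-seen sample) or "benign" (legitimate software);
# verdict is what the product under test did: "blocked" or "allowed".
LAB_RESULTS = [
    ("known", "blocked"), ("known", "blocked"), ("known", "blocked"),
    ("known", "blocked"), ("known", "blocked"), ("known", "blocked"),
    ("unknown", "blocked"), ("unknown", "blocked"),
    ("unknown", "allowed"), ("unknown", "allowed"),
    ("benign", "allowed"), ("benign", "allowed"), ("benign", "allowed"),
    ("benign", "allowed"), ("benign", "allowed"), ("benign", "allowed"),
    ("benign", "allowed"), ("benign", "allowed"), ("benign", "allowed"),
    ("benign", "blocked"),  # one legitimate program wrongly blocked
]


def confusion_counts(results):
    """Tally true/false positives and negatives, keyed by sample kind."""
    counts = Counter()
    for kind, verdict in results:
        malicious = kind in ("known", "unknown")
        blocked = verdict == "blocked"
        if malicious and blocked:
            counts[(kind, "tp")] += 1      # attack prevented
        elif malicious:
            counts[(kind, "fn")] += 1      # attack missed
        elif blocked:
            counts[("benign", "fp")] += 1  # legitimate software blocked
        else:
            counts[("benign", "tn")] += 1  # legitimate software allowed
    return counts


def _rate(num, den):
    return num / den if den else 0.0


def score(results):
    """Return the rates the guidelines ask a lab to look at."""
    c = confusion_counts(results)
    return {
        "known_tpr": _rate(c[("known", "tp")],
                           c[("known", "tp")] + c[("known", "fn")]),
        "unknown_tpr": _rate(c[("unknown", "tp")],
                             c[("unknown", "tp")] + c[("unknown", "fn")]),
        "fpr": _rate(c[("benign", "fp")],
                     c[("benign", "fp")] + c[("benign", "tn")]),
        "false_positives": c[("benign", "fp")],
    }


def meets_bar(s, min_known_tpr=1.0, min_unknown_tpr=0.5):
    """The bar as the article states it: prevent the Knowns outright, make a
    dent in the Unknowns, and raise no false positives at all. The numeric
    thresholds are this example's assumption, not figures from the article."""
    return (s["known_tpr"] >= min_known_tpr
            and s["unknown_tpr"] >= min_unknown_tpr
            and s["false_positives"] == 0)


def dial_to_eleven(results):
    """A product that blocks everything: perfect detection on paper, useless
    in practice because every benign sample becomes a false positive."""
    return [(kind, "blocked") for kind, _ in results]


if __name__ == "__main__":
    for name, data in (("product under test", LAB_RESULTS),
                       ("dial turned to 11", dial_to_eleven(LAB_RESULTS))):
        s = score(data)
        print(f"{name}: {s} -> meets bar: {meets_bar(s)}")
```

The product under test catches every Known sample and half of the Unknowns but fails the bar on its single false positive; the dial-to-11 variant scores 100% on both attack categories and fails just as hard, because it also blocks 100% of the legitimate software. Reporting the false positive count alongside the detection rates is what keeps a lab score honest.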
It’s not enough to simply find things and prevent them and enjoy the round of golf claps; it’s about fitting into a discipline for security that is measurable, repeatable, improvable and both operational and scientific in its methodology.
Notice the words next generation and machine learning don’t appear here. There’s a reason for that. The technology that is used for this should achieve these results and should mix and match tools and techniques, algorithms and disciplines, human and machine, in ways that meet the business criteria, not because it’s next generation.
This isn’t about a better mouse trap. Excited as I am about some of the technology that’s emerging and its potential, it’s still really all about the improved health and well-being of security as a discipline, and this will include older and newer technology to reduce the effectiveness of the adversary and to increase the effectiveness of the defender. That’s the mission, plain and simple.
And eventually security will not call itself the next generation because that label won’t be needed. The distinction, unlike in Star Trek, won’t matter anymore because there will be products that work from companies that are transparent and help the mission, and then there will be the graveyard of old brands who tried to sell us better mouse traps.