How to fight a virus: Lessons from cybersecurity

May 28, 2020

Guest Post by Yotam Gutman

Lt. Commander (Ret.) Israel Navy, Yotam Gutman, currently Marketing Director at SentinelOne, wrote an interesting piece about how healthcare officials can take the lessons learned in three decades of fighting “cyber viruses” and apply them to the fight against the Coronavirus. To mitigate today’s plethora of rapidly evolving cyber threats, the cybersecurity industry has developed several methodologies. These, after adaptation, could be used to reduce the spread of the biological virus and to mitigate its effects.


There has been a great deal of conversation around the similarities between the spread of the Covid-19 virus and that of computer viruses. And indeed, as the first global pandemic to occur during the age of connectivity, this comparison is valid. But while most focus on how we can leverage the knowledge gained in the “real world” in identifying and stopping the spread of plagues in the virtual world, I would like to offer another perspective.

Perhaps we in cybersecurity can return the favor. Perhaps the medical world can take the lessons learned in three decades of fighting “cyber viruses” and implement these in their fight to mitigate the Coronavirus?

History

Originally, the type of computer software described as “a program that can infect other programs by modifying them to include a, possibly evolved, version of itself” was named “virus” by Fred Cohen in his 1986 Ph.D. thesis. Another biological reference made its way into computing vocabulary when the first worm was unleashed (although the term had already been used in an earlier sci-fi novel).

In the last couple of years, computer viruses, or more broadly the whole panoply of malware that cybersecurity deals with today, have undergone a rapid evolution that has made them much more difficult to identify and mitigate:


  • More variants: 439,000 new malware variants were detected in 2019. That’s a 12.3% increase over the previous year.
  • More capable: Modern malware threats are far more capable than the old viruses spreading through illegal copies of software distributed via floppy-disks. Today’s malware can steal passwords, exfiltrate sensitive data, encrypt and delete data, and much more.
  • Harder to detect: Malware authors work hard to make their software difficult to detect. This includes hiding it in legitimate documents (aka “weaponizing” Word, PDF and Excel documents), utilizing detection-evasion mechanisms (like avoiding execution in sandboxed environments), and using legitimate software update mechanisms, all to make the work of the defenders harder.
  • More aggressive: Some malware types are extremely aggressive; they scan for open RDP ports, brute-force their way onto a device, and then move laterally within the organization’s network, abusing password-protected servers and seeking sensitive data, all without the knowledge of the victim.
  • Fast: contemporary malware is extremely fast and works at machine-speed to bypass protection mechanisms and achieve its goals—ransomware like “Wannacry” disabled entire organizations in minutes.

Adopting Cybersecurity Response To Fight Covid-19


To mitigate today’s plethora of rapidly evolving cyber threats, the cybersecurity industry has developed several methodologies. These, after adaptation, could be used to reduce the spread of the biological virus and to mitigate its effects. I will refrain from discussing the obvious virus/anti-virus analogy. Obviously, a vaccine would be the answer, but estimates suggest that one will not be available in the next 12-18 months, and there’s a lot we can do until then:

  • Zero trust policy: a methodology that rejects the traditional security assumption that everything inside the perimeter (protected by the firewall) is trusted. The main principle of Zero Trust is “never trust, always verify”. This means that every user is asked to verify their credentials every time they wish to “enter” the organization, and that every file and process is constantly monitored, even if it has been “authorized” to run on the computer.
    In a similar manner, humans should consider that other humans are carriers, and only “trust” them after they have tested negative (or, at a minimum, have had their temperature taken).
  • Detection beats prevention: following a similar line of thought, most organizations today operate under the “Assume a Breach” paradigm. Instead of striving to identify and mitigate 100% of threats 100% of the time, they assume that some threats will manage to infect them, and concentrate their efforts on quickly finding these and stopping them before they can do more harm. Similarly, it is prudent to assume that humanity will not be able to vanquish this virus, and that we will be playing “whack-a-mole” with it for the foreseeable future. Given that this is the case, it is prudent to invest in rapid detection of the infection (quick detection kits, even home detection kits), ensure that those who are sick are given quick treatment, and continue to monitor the entire population for outbreaks.
  • Segmentation: an important principle that limits “movement” within the organization, so that intruders cannot move freely and infect other parts of it. The real-life manifestation would be to identify infection “hot-spots”, lock these down and then tend to the infected, rather than locking down entire countries.
  • Risk modeling: it might, perhaps, be possible to provide 100% security, 100% of the time, but the cost to the organization would be prohibitive: either the security costs would go through the roof, or the restrictions imposed to maintain 100% security would bring the business to a standstill. Instead, a CISO conducts risk assessments and prioritizes security spending to mitigate the most acute threats and secure the most valuable assets. Healthcare officials should do the same and ensure that the most vulnerable segments of the population (the elderly, the sick) are shielded from the disease and, if need be, provided with better care.
  • Intelligence intake: fighting a stealthy enemy is hard because you don’t know what to expect. Security professionals, governments, and those in the security industry have been formally and informally sharing information about malware, cybercrime groups, and data leaks for a long time. This has proved immensely helpful in fighting and defeating cybercrime rings. Such collaboration should also be adopted by the global scientific and medical communities, governments, and healthcare organizations. As this threat is new to humanity, we should all share information about detection and treatment mechanisms, and notify others when we think we’ve made breakthroughs in finding a cure or a vaccine.
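The segmentation point above is easy to quantify. The following is an added example, written for this page and not code from Yotam Gutman or SentinelOne: it models a small inventory of hosts (hypothetical names, constructed here) grouped into segments, then computes the “blast radius” of a single compromised host under three policies: a flat network, a segmented network with a few explicitly allowed cross-segment flows, and a segmented network in which the affected segment has been quarantined (the “lock down the hot-spot” response). Reachability is a plain breadth-first search where an edge exists only where the policy allows traffic from one host to another; the policy is directional, so an allowed `users -> app` flow does not imply `app -> users`.

```python
from collections import deque

# Constructed sample inventory: hostname -> network segment.
# All names are hypothetical and exist only for this example.
HOSTS = {
    "ws-01": "users", "ws-02": "users", "ws-03": "users", "print-01": "users",
    "app-01": "app", "app-02": "app",
    "db-01": "data", "backup-01": "data",
    "hr-01": "hr",
}

# Constructed policy: which directional cross-segment flows the firewall allows.
# Traffic inside a segment is always permitted; everything else is denied.
ALLOWED_CROSS = {("users", "app")}


def flat_policy(src, dst):
    """Flat network: no segmentation, every host can talk to every other host."""
    return True


def segmented_policy(src, dst):
    """Segmented network: same segment, or an explicitly allowed cross-segment flow."""
    s, d = HOSTS[src], HOSTS[dst]
    return s == d or (s, d) in ALLOWED_CROSS


def quarantine(segment, base_policy=segmented_policy):
    """Lock down one segment: deny all cross-segment traffic into or out of it,
    while leaving the base policy untouched for everyone else."""
    def policy(src, dst):
        s, d = HOSTS[src], HOSTS[dst]
        if s != d and segment in (s, d):
            return False
        return base_policy(src, dst)
    return policy


def reachable(start, policy):
    """Breadth-first search over hosts; an edge src->dst exists iff policy allows it.
    Returns the set of hosts an intruder on `start` could move to."""
    seen = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst in HOSTS:
            if dst not in seen and policy(src, dst):
                seen.add(dst)
                queue.append(dst)
    return seen


def blast_radius(start, policy):
    """Number of *other* hosts reachable from a compromised host under the policy."""
    return len(reachable(start, policy)) - 1


if __name__ == "__main__":
    for label, policy in [
        ("flat", flat_policy),
        ("segmented", segmented_policy),
        ("segmented + users quarantined", quarantine("users")),
    ]:
        print(f"{label:32s} ws-01 -> {blast_radius('ws-01', policy)} hosts, "
              f"db-01 -> {blast_radius('db-01', policy)} hosts")
```

The numbers make the argument concrete: in the flat network a single compromised workstation reaches all eight other hosts; with segmentation it reaches only its own segment plus the one allowed `app` flow; and quarantining the affected segment confines the intruder to the segment it started in, without disconnecting `app`, `data` or `hr` from each other. The same reasoning applies to the “assume breach” point: the policy does not stop the initial infection, it limits how far it can travel while detection catches up.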

Conclusion

We can debate the similarities between the biological and the computer “virus” (which, some believe, more closely resembles a bacterium than a virus), but the analogy is, for the most part, correct. Viruses are dangerous to their victims, and they spread quickly through the population until a cure or a vaccine is found. The spread of the Coronavirus pandemic and its impact on our lives is unlike anything the world has seen before. It spread almost at machine speed and overwhelmed countries and healthcare organizations. We believe that applying the lessons learned by the cybersecurity industry over the past three decades could help to thwart the Coronavirus pandemic.

About Yotam Gutman and SentinelOne

Lt. Commander (Ret.) Israel Navy, Yotam Gutman, has filled several operational, technical, and business positions at defense, HLS, Intelligence, and cybersecurity companies, and provided consulting services for numerous others. Yotam joined SentinelOne 6 months ago to oversee local marketing activities in Israel and contribute to the global content marketing team. Yotam founded and managed the Cybersecurity Marketing Professionals Community, which includes over 300 marketing professionals from more than 170 cyber companies.

SentinelOne stormed into 2020 with reports of a $200 million round led by New York-based venture capital and private equity firm Insight Partners. This investment, coming just seven months after a previous $120 million series, gave SentinelOne a $1.1 billion valuation and a prominent spot on the global map of leading cybersecurity companies.


Easier access to data for building ML/AI solutions can become the turning point of cybersecurity

July 3, 2019

Col. Ret. Zohar Rozenberg, VP Cyber Investments at Elron, spoke in the 3rd International Symposium on Cyber Security Cryptology and Machine learning, about the opportunities and challenges associated with ML/AI based cyber security solutions.

Guest post by Adir Alon adir@davidmalits.com

“Easier access to data for building ML/AI solutions can become the turning point of cybersecurity,” says former Head of IDF’s Cyber Department

Zohar Rozenberg

Col. Zohar Rozenberg of Elron, an Israeli VC company, spoke at the International Symposium in Israel about how data for ML/AI can be a huge advantage when building a suitable defense against cyber-attacks. He said that even though this route “sounds very promising…, (and) can be the real next phase of cybersecurity; the question becomes how real it can get?”


According to Col. Rozenberg, “the world needs ML/AI based solutions that are wider than just scanning files”. This is because the amount of data, as well as the attack surface in organizations, is “infinite”, and “deterministic and rule-based solutions” are insufficient. Additionally, there simply aren’t enough skilled cybersecurity personnel to go around. Therefore, “we need machines to replace many more tasks and to perform tasks humans are either poor at or can’t even perform”.


Moving on to the challenges, he said that the first problem is “getting quality data”. “Many ML applications need users’ data to train on. With GDPR and other privacy regulations, that is not an easy task”. The problem is that companies developing cybersecurity solutions don’t have access to the data they need, and “those who have the data can’t give it to you”.


In another point, he painted the following scenario: “assume a vendor did everything right and managed to reach a point where he has a good solution, working with good results, and even finds a customer to buy and install it”. According to him, progress like this is also fraught with challenges. “In a world with accelerated technological change and thrive for digitization, how fast does the data change in a way that can put the ML out of calibration?”.


In closing, he admitted that even though data and ML can turn the tables on the attack/defense dynamic, “there might still be areas where the attackers’ ML will have an advantage”, such as situations where “an attacker deploys an ML attack engine to learn the DDOS defense system’s logic and then learn how to bypass it.” According to Col. Rozenberg, “As an industry, together with academia, we need to work much more on how to get the right data, how to make the training process more and more efficient, cheaper, easier”.


Colonel (Ret.) Zohar Rozenberg is the VP of cyber Investments at Elron. He retired as a colonel after 20 years at IDF’s 8200 unit where he led and directed several innovative projects and organizations. He was also involved in the founding of the National Cyber Bureau and the formalization of the Israeli national cyber strategy. In 2008, he received Israel’s highest defense award. Col. Rozenberg holds a B.S in Electrical Engineering and an M.B.A from Tel Aviv University.