Security is one of the hottest topics for any digital business right now, and nowhere is that more acute than in the financial sector. A high-profile attack on HSBC at the beginning of this year was just the latest in a string of headline-grabbing security breaches at large corporates, and the threat has never seemed greater.
With the nature of threat constantly morphing into new shapes and flavours, however, can innovation keep pace? That was the question posed to a panel at the Investor Forum at the London Stock Exchange last week. The consensus from industry speakers was: not entirely, but technology can help businesses be a lot cleverer about predicting, or even detecting, security threats in the first place.
Shift in nature of threat
There’s growing noise around traditional signature-based approaches to threat no longer being adequate to deal with attacks. Speaking at the event, Sophos Group VP of product management John Shaw said that in the past 30 years the space has gone from one that’s “mainly about vandalism” to a huge criminal business right now. Estimated to be worth as much as USD600bn, cyber crime only continues to gather momentum, with ransomware currently enjoying a boom.
“There’s a big shift in the nature of the threat,” says Shaw. “There’s still a lot of talk in the space about using signatures to try and stop things but it’s a myth that people use them anymore. We see about 300,000 different bits of bad code a day. If we created a different signature for each one your machine would grind to a halt.”
His comments came not long after endpoint security firm Webroot published a report saying malware and potentially unwanted applications (PUAs) are now mostly polymorphic, which enables them to change their attributes to avoid detection. The report claims nearly all (97%) of today’s malware adapts to make itself unique to a specific endpoint device, rendering signature-based security “virtually useless”.
“It requires a big shift in terms of the way we prevent things getting in. You have to do it based on understanding the characteristics of threat and protect against things that are generically bad. You can’t wait to see a specific piece of code.”
Shaw highlights that another important shift is in spotting that something has happened. According to a report from Verizon, just 20% of breaches were found within days – on average it’s months and months. US supermarket chain Target is the obvious example here, with nine months passing before a massive breach was detected.
His comments were echoed by NCC Group technical director Ollie Whitehouse, who pointed to the opportunities for behavioural analytics to detect patterns in
“Businesses are crying out for information,” says Whitehouse. “The ideal is that they’ll be told that next Tuesday they’re going to get hacked, which we will never get to, but what we will be able to do is give them broad themes from active groups so they can adjust their systems in a timely fashion.”
It seems that selfies aren’t the answer, for now at least. Answering an audience question about their potential in strengthening authentication, Shaw said selfies are valuable as a complementary form of authentication, but not strong enough as a form of identification in their own right. Whitehouse said that, again, while there is value in selfies as an ancillary form of ID, there are issues around biometrics like latent fingerprints and easily replicable photos.