The shift to mobile platforms has many security vendors scrambling to retool traditional signature-based security technologies and rethink the way security is deployed to address mobile device security. The industry is being forced to shift from focusing on content inspection to reputation and behavior technologies, said James Lyne, the senior technologist at UK-based Sophos Ltd., who works out of the office of the vendor's chief technology officer. In this interview with SearchSecurity.com, Lyne explains why he thinks cybercriminals will ultimately shift to target data on mobile devices and what the security industry needs to do to avoid the mistakes made on the desktop.
The industry continues to be almost wholly reliant on signatures to defend against malware and many experts say this is unsustainable. What is the future of antivirus technologies?
James Lyne: From a protection standpoint, I agree the industry has been far too focused on binaries or more specifically on content. There's been an obsession with looking at files, processing them faster and faster and trying to publish more signatures and do things more generically to cover more data. That is an unsustainable position without a doubt. We've seen reversals of that strategy, like whitelisting, where the argument becomes, "There's a smaller amount of white stuff now than black to classify so let's do that," but it's still untenably huge. I absolutely agree that vendors need to re-evaluate their protection strategies and move beyond content. The way we phrase it is "content, reputation and behavior." For example, the reputation can be the URL that you are accessing. Is it known to be good? Has it been good for the last six months? Was it compromised recently? Reputation can also be the health of the PC you are talking to. If I know that you are sending me an email and I know your system is appropriately protected, that changes the risk profile of the transaction. Behavior is the ultimate area of focus right now. Behavior has been overhyped in a way that has made the security industry quite ill. Everyone branded their technologies behavioral. Behavior inspection is actually looking at Adobe PDF running on a PC and saying, "Why on Earth is this thing trying to write onto the run key, load itself into the system directory and copy Word documents from the My Documents folder? I do not care what content loaded to exploit it, something is very wrong. Deal with it." Behavioral technologies are about watching exactly what is happening. What we need to see protection vendors doing across the security industry is merging these things together.
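The behavioral inspection Lyne describes (a document viewer writing to the Run key, dropping a file into the system directory, and reading the user's Word documents) can be expressed as a handful of content-agnostic rules over process events. The Python below is an added example written for this page; it is not Sophos code. The process names, registry paths, file paths and event records are constructed sample data, and the event shape (`pid`, `process`, `action`, `target`) is an assumption.

```python
"""Toy behavioral rule engine over constructed process-event records.

Assumed event shape: {"pid", "process", "action", "target"}. Process names,
paths and events below are constructed sample data, not real telemetry.
"""
import re
from collections import defaultdict

# Document viewers (assumed names): none of the behaviours below is expected of them,
# whatever file content was used to compromise the process.
DOCUMENT_VIEWERS = {"acrord32.exe", "winword.exe", "foxitreader.exe"}

# Each rule: (name, event action, regex on the event target, weight)
RULES = [
    ("persist_run_key", "reg_write",
     re.compile(r"\\CurrentVersion\\Run\\", re.I), 3),
    ("drop_in_system_dir", "file_write",
     re.compile(r"^C:\\Windows\\System32\\.*\.(exe|dll)$", re.I), 3),
    ("harvest_documents", "file_read",
     re.compile(r"\\Documents\\.*\.(docx?|xlsx?)$", re.I), 1),
]
# A single document read (1) or a single persistence write (3) stays below the
# threshold; persistence or a system-directory drop combined with reads trips it.
THRESHOLD = 4


def evaluate(events):
    """Return {pid: (process, score, [rule names])} for document-viewer
    processes whose combined behaviour reaches THRESHOLD."""
    hits = defaultdict(lambda: {"process": None, "score": 0, "rules": []})
    for ev in events:
        if ev["process"].lower() not in DOCUMENT_VIEWERS:
            continue  # rules are scoped to processes that should never do this
        for name, action, pattern, weight in RULES:
            if ev["action"] == action and pattern.search(ev["target"]):
                entry = hits[ev["pid"]]
                entry["process"] = ev["process"]
                entry["score"] += weight      # every matching event adds weight
                if name not in entry["rules"]:
                    entry["rules"].append(name)
    return {pid: (e["process"], e["score"], e["rules"])
            for pid, e in hits.items() if e["score"] >= THRESHOLD}


# Constructed sample events: one benign reader, one misbehaving reader, one installer.
SAMPLE_EVENTS = [
    {"pid": 1001, "process": "AcroRd32.exe", "action": "file_read",
     "target": r"C:\Users\alice\Downloads\invoice.pdf"},
    {"pid": 2002, "process": "AcroRd32.exe", "action": "reg_write",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"pid": 2002, "process": "AcroRd32.exe", "action": "file_write",
     "target": r"C:\Windows\System32\upd.dll"},
    {"pid": 2002, "process": "AcroRd32.exe", "action": "file_read",
     "target": r"C:\Users\alice\Documents\q3-forecast.docx"},
    {"pid": 2002, "process": "AcroRd32.exe", "action": "file_read",
     "target": r"C:\Users\alice\Documents\board-notes.doc"},
    # An installer legitimately writes to System32; it is outside this rule set's scope.
    {"pid": 3003, "process": "setup.exe", "action": "file_write",
     "target": r"C:\Windows\System32\driver.dll"},
]

if __name__ == "__main__":
    for pid, (proc, score, rules) in evaluate(SAMPLE_EVENTS).items():
        print(f"pid {pid} ({proc}): score {score}, rules {rules}")
```

Scoping the rules to a process class is what makes them content-agnostic: the engine never inspects the PDF that compromised the reader, only what the reader process does afterwards. The weights and threshold are illustrative; in practice they would be tuned against baseline telemetry so that the benign reader (pid 1001) and the installer never surface.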
We've heard security experts predict the mobile space to be the next attack wave. What do you think has been keeping cybercriminals from moving their attacks to mobile platforms?
Lyne: I think the major detractor has been the way we've been using the technology. It's been easy to go to a PC and send a user an executable file called "Britney Spears is nude" and they click on it. The data is stolen and it's done. It's a simple model. We even see franchise versions where bad guys pay 22 cents for a PC, 43 cents for a Mac and they go and incentivize a channel network of bad guys to go and infect PCs for them. It's bonkers. As we get these devices, as we get iPads and a range of new tablets that are constantly connected to the Internet, and as the things they want to steal shift over there, they'll move there. I don't believe there's a technical reason mobile is inherently more secure. In fact I think it's largely inferior. The interesting thing is the rate of development in the mobile market from a software and hardware perspective is tenfold that of PCs. The trend of mobilization is a huge opportunity for us as an international community of technology users. As the boundaries between mobiles and PCs merge, we have an opportunity to address some of the mistakes that were made 20 years ago or we can repeat those mistakes and screw it up entirely. And unfortunately, the path and trajectory at the moment are towards repeating the mistakes, but there's still time to adjust that. We need Apple, the Android team and others to really focus on building parity protection capabilities because the lines are blurring.
The Intel acquisition of McAfee has put the focus somewhat on hardware-based security, especially in the mobile space, where the footprint is much smaller. Do you see opportunities there as well?
Lyne: I don't believe that we're going to move core security services and remanufacture them on the CPU in hardware. If we wanted to do BIOS-based antivirus, we could have done that a long time ago as an industry and there are very good reasons why we didn't. It's really hard to update. It's an embedded set of capabilities and frankly, looking at CPU registers, instructions and binary flying by is crazy. We need to be looking more at reputation and behavior, more into the browser, more into cloud services, more into user behavior. Not the other way. So I don't think we're going to see those services fundamentally brought down into hardware as a replacement. What I do think that we can do is start to provide acceleration and enablement of the software layer in hardware. If Intel can work on providing caching capabilities that reduce the performance impact of security, or if they can provide capabilities to validate applications and data cryptographically at the very fabric of the hardware, I think there are opportunities there.
You said in a previous Q&A that a challenge for many companies is that they are trying to bolt on best-of-breed security software. Why is that a challenge?
Lyne: At first glance the idea of having best-of-breed in every single area is incredibly attractive. You take the most comprehensive set of protection capabilities you can and you practice defense in depth. From a technology perspective it's a great strategy, but the reality is that very quickly it becomes unsustainable from a cost and administration perspective. You talk to IT teams now and their resources and budget are, if they're lucky, remaining flat. If you look at the number of technologies required to fulfill best-of-breed in each individual area, it's multiplied by 10. Three or four years ago we were all worried about AV, firewall and patching; now we've got encryption, DLP and device control – all these different things to fulfill regulatory requirements and detect bad guys. So while best-of-breed is attractive, you can see how it isn't realistic.