Look, nobody panic or anything, but we might have been getting this “security” thing wrong the whole time. That’s the view of Ian Pratt, co-founder and president of Bromium, who wants to take a different view on how to ensure we stay safe online.
Hang on. Start-up company, you’re thinking – he’ll have a product or service to sell. There will be an angle to this. And you’d be right, but he may have a point. And in terms of background, he has a lot of weight. This is his fourth company, each has been sold for a profit. His most famous effort started in 1999 as a project with Cambridge University, aiming to turn computing into a utility rather than something that had to sit on your desk or somewhere in a data centre on site. “It was a very interesting technology to solve, about how you could do that.”
The Web was starting to take off but the idea of tapping into what we’d now call “cloud” was a fair way off. People had their own data centres or they were co-located, but the support structure wasn’t really in place. “One of the key pieces of technology was called Xen. In 2002 we released it as open source and we started seeing real interest from other countries in using it.” He set up Xen Source to commercialise the product and it rapidly became the core of what is now Amazon Web Services, Google and others.
In 2007 Xen Source was acquired by Citrix for $500m Xen is now an industry standard.
Fast forward to the present and the new brainchild, Bromium, takes some of the virtualisation technology from the Xen days and applies it to security. Pratt has noticed, over the years, that security products need constant updating for a number of reasons. The criminals get more sophisticated. The perimeter of the network that needs guarding moves because of mobile technology. “Someone is infected and then there is a delay while it’s discovered and there’s an investigation – then hopefully you find what’s happening on the machine, tell an AV vendor, they create a signature for it and then deliver it to everyone else.”
Meanwhile the criminals have moved on. Also the logistics are against success: “The attackers have huge advantages. They only have to be successful once while the vendors have to succeed against them multiple times. It’s very asymetric.”
The answer from Bromium is to go back to virtual machines. “So for every task I start, I create a new virtual machine.” This means that if there is malware or ransomware, only the one virtual machine is affected – say a single document. Everything else is on its own virtual machine so if someone has clicked and opened a browser window that shouldn’t have been clicked, only the virtual machine working that browser is infected – switch it off and it’s gone.
Obviously a number of people have different views and even vested interests in whether security technology needs an immediate overhaul, but Pratt was among those who pioneered the cloud – who knows whether he’ll do the same for security? He also discovered a side issue while he was at it, which could throw figures on IT attacks into question.
Are your employees covering for attackers?
One thing that has emerged during his work for Bromium is that people need the company to prove linkage between the decrease in threats and his company’s input. On tracking this, he realised that a lot of organisations were suffering security threats – say from ransomware – that were not being tracked. Most ransomware notices demand to be paid in bitcoin, he said, but the criminals were helpful: “The ransom demand has helpful instructions explaining how to set up a bitcoin wallet with money from a credit card or bank account and then make a payment,” he said. “Typical ransom demands for an untargeted attack are of the order of $200, varying based on the current bitcoin exchange rate.”
So someone was landing on a page carrying ransomware, being embarrassed then covering their tracks leaving the crime unreported. Pratt explained. “If the user knows that what they were doing prior to receiving the ransom demand was against IT policy, they may be fearful of contacting the help desk and getting in trouble. They guess that the IT team doesn’t know the machine is infected, and decide to pay the ransom themselves,” he explained. “However, many organisations perform extensive logging of network flows, and can retrospectively look back to see if machines have contacted known C&C servers or malware sites. I’m afraid when IT find out it’s likely a firing offence.”
The implication could be bigger than any new approach to fighting security issues. If people are genuinely covering for attackers because they feel embarrassed or fear for their jobs, just how big a threat are we facing?