In seven years, the number of internet users will double to nearly five billion, according to Internet World Stats.[1] More people online would seem to be good news for the digital universe. But these new users also come at a price.
“Even if you’re talking only one percent, that’s millions of new hackers,” says Richard Brown, senior research manager of HP’s Cloud and Security Lab. “Hackers and developers of malicious software engage, exchange and trade ideas. Their attacks are targeted and stealthy; the name of the game is remaining undetected. Often, when malware is detected we learn that it’s been on the network from one to four years. These facts point to a damning picture of things to come.”
And it’s not just individuals who have a monetary incentive to get malware on machines to steal financial and intellectual data: Entire governments are turning to cybercrime to achieve their political agendas.[2]
“Computer security is an arms race,” says Brown. “The attacks are increasingly pinpointed and sophisticated.”
With IT infrastructure and data increasingly moving to the cloud, the risk to the enterprise is growing every day. Centralizing IT in the cloud can bring potentially huge savings to enterprises, while also easing management for cloud providers that host the infrastructure. At the same time, however, this approach creates an IT monoculture that makes the cloud an attractive target for adversaries.
In order to achieve economies of scale, cloud service providers host multiple customers on their infrastructures in an effort to use their hardware as efficiently as possible. At the same time, these customers will be running all kinds of unknown and untrusted software. These realities introduce more threats to security.
What can be done to protect cloud providers from the code they host and keep enterprises safe?
Brown and his colleague Patrick Goldsack, a distinguished technologist in HP’s Security and Cloud Laboratory, predict that by the year 2020 there will be a move towards more private internet spaces—“walled gardens” that are already in use at the many companies that rely on virtual private network (VPN) technology.
But while walled gardens may be necessary, they won’t be the only way to stop hackers. The problem with a wall, Goldsack says, is that it’s only as strong as its weakest point. “You can run all the security software known to man,” he says, “but all the adversary needs is one hole or open door to plant some malware that stays in your system undetected.”
The problem is that modern, sophisticated malware can embed itself so deeply into a system that even the security software running on that system can no longer be trusted. “Your security software may tell you that everything is okay, but you have been compromised,” says Goldsack.
Dynamic Defense: A new approach to cloud security
Overcoming this problem is a key motivation behind HP’s Dynamic Defense approach to cloud security. Two breakthrough ideas underpin this new way of thinking. First, enterprises need to understand that a system cannot reliably detect its own compromise, because any security or monitoring software running on that system will have been compromised as well. Additionally, malware tends to behave differently if it knows it’s being watched.
Brown asserts that systems need to be monitored from the outside, using a technique of introspection through virtualization. Imagine a slew of forensic virtual machines that function like spy satellites or security sensors. Even if adversaries know the technology exists, they never know when or where the satellites are watching.
The second big idea behind Dynamic Defense builds on the fact that most modern malware is componentized and is developed using toolkits, libraries and shared code and tricks. Instead of looking for signatures of already documented malware, the Dynamic Defense team looks for symptoms associated with these components.
“We program the spy satellites so that each one looks for a particular trick of the hacking trade,” says Brown. The sensors look for evidence that malware behavior is taking place, and any detection will initiate a chain reaction that brings other sensors in quickly to swarm and take mitigating action if necessary. The symptom detection software works in much the same way as the human body fights a virus with white blood cells.
What sort of “tricks” do the forensic virtual machines look for?
- Keywords in application data
- The presence, or absence, of unusually named processes
- Processes that remain in an “initializing” state indefinitely
- Malformation of system tables
- High density of branch/jump instructions and “hooked” routines
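To make the sensor idea concrete, here is an added Python sketch that is not HP’s Dynamic Defense code and does not describe how their demonstrator is built. It models three of the symptoms listed above as independent sensor functions over out-of-guest snapshots: a cross-view comparison that flags processes present in the kernel task list but absent from the guest’s own process listing, a check for processes that stay in an “initializing” state across consecutive snapshots, and a keyword scan over application data. A final function runs a lean sensor population and, on any hit, brings in the remaining sensors, mirroring the swarm behaviour described earlier. The `Proc` and `Snapshot` types, the sensor names, the watch-list keywords and all sample data are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added illustration, not HP's Dynamic Defense code. All types, names and
# sample data below are assumptions constructed for this example.


@dataclass
class Proc:
    pid: int
    name: str
    state: str  # e.g. "running", "sleeping", "initializing"


@dataclass
class Snapshot:
    """One observation of a guest taken from outside the VM."""
    tick: int
    kernel_view: list[Proc]  # walked from kernel task structures by the monitor
    guest_view: list[Proc]   # what tooling inside the guest reports
    app_data: str            # excerpt of application data found in guest memory


# --- sensors: each one looks for a single "trick of the trade" -------------

def hidden_processes(history: list[Snapshot]) -> list[int]:
    """Cross-view check: a PID in the kernel task list that the guest's own
    listing omits is being hidden from the guest (a rootkit-style symptom)."""
    snap = history[-1]
    guest_pids = {p.pid for p in snap.guest_view}
    return sorted(p.pid for p in snap.kernel_view if p.pid not in guest_pids)


def stuck_initializing(history: list[Snapshot], min_ticks: int = 3) -> list[int]:
    """PIDs that sit in the 'initializing' state for min_ticks consecutive
    snapshots, i.e. processes that never finish starting up."""
    if len(history) < min_ticks:
        return []
    recent = history[-min_ticks:]
    stuck = {p.pid for p in recent[0].kernel_view if p.state == "initializing"}
    for snap in recent[1:]:
        stuck &= {p.pid for p in snap.kernel_view if p.state == "initializing"}
    return sorted(stuck)


SUSPECT_KEYWORDS = ("keylog", "beacon", "c2.example")  # constructed watch-list


def keyword_hits(history: list[Snapshot]) -> list[str]:
    """Keyword sensor over the latest application-data excerpt."""
    text = history[-1].app_data.lower()
    return [k for k in SUSPECT_KEYWORDS if k in text]


SENSORS = {
    "hidden_processes": hidden_processes,
    "stuck_initializing": stuck_initializing,
    "keyword_hits": keyword_hits,
}


def run_lean_population(history: list[Snapshot], active=("hidden_processes",)):
    """Run only the 'active' sensors. If any of them reports a symptom, swarm:
    run every sensor against the same host and return the combined findings.
    Returns (swarmed, {sensor_name: non-empty findings})."""
    findings = {name: SENSORS[name](history) for name in active}
    swarmed = False
    if any(findings.values()):
        swarmed = True
        findings = {name: fn(history) for name, fn in SENSORS.items()}
    return swarmed, {k: v for k, v in findings.items() if v}


def build_constructed_history(compromised: bool = True) -> list[Snapshot]:
    """Three consecutive snapshots of one guest (constructed sample data)."""
    base = [
        Proc(1, "init", "running"),
        Proc(312, "sshd", "sleeping"),
        Proc(777, "svc-updater", "initializing" if compromised else "running"),
    ]
    hidden = [Proc(4242, "kworker/u:9", "running")] if compromised else []
    data = "GET /beacon?id=7 HTTP/1.1" if compromised else "GET /index.html HTTP/1.1"
    return [
        Snapshot(tick=t, kernel_view=base + hidden, guest_view=list(base), app_data=data)
        for t in range(3)
    ]


if __name__ == "__main__":
    for label, hist in (("compromised", build_constructed_history(True)),
                        ("clean", build_constructed_history(False))):
        print(label, run_lean_population(hist))
```

Only the cross-view sensor runs while the host looks clean; a single hit is what pulls in the other sensors, so the cost of the full check is paid only on hosts that already show a symptom.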
“This approach is very flexible and scalable, and if there’s no evidence of wrongdoing, you can run your population of security sensors very lean,” explains Brown. The model is something like police in the real world, who individually might patrol a huge area, but once a crime happens, or if there’s a known high-crime area, converge to contain the situation.
The team at HP Labs has created a proof-of-concept demonstrator of the Dynamic Defense approach in the lab. When the technology comes to market, it promises to help enterprises identify and prevent attacks, while directing limited resources to the areas that face the greatest security threats.
[Figure: Forensic virtual machines swarm around an infected host as a symptom of malware is detected.]
Learn more about the threats to enterprise security in the Security 20/20 chapter.
About our contributors
Richard Brown, Senior Research Manager Security and Cloud Laboratory, HP Labs Bristol
Richard Brown is a Research Manager in the Security & Cloud Laboratory in Bristol. He’s responsible for shaping the lab’s technology agenda and leading a team of IT security specialists. The lab’s research has a broad focus, covering many aspects of IT security.
Brown received a First Class Honours degree in Mathematics and Computer Science from The University of Birmingham. He went on to work as a software engineer at GEC, developing network protocols such as X.25, before joining HP Labs in 1987. There he worked across a range of technologies before focusing on security, including network management for LANs and WANs as well as monitoring and surveillance technologies for telecommunications networks.
Patrick Goldsack, Distinguished Technologist, Security and Cloud Lab, HP Labs Bristol
Patrick Goldsack is a senior researcher in the area of flexible and adaptive distributed systems at HP Labs. He currently leads research into the kinds of adaptive infrastructures and platforms required for cloud computing.
Goldsack has 30 years of research and development experience, 20 of those with HP Labs in Bristol. At HP, Goldsack has been the lead researcher on a number of projects around the development of formal methods languages and tools, distributed measurement and monitoring systems for the telecommunications industry, software platforms for the delivery of telecommunications services and, most recently, in the area of very large-scale management systems for data centers.
[2] For more on the power of nation states as a threat to enterprise security, listen to this interview with HP’s Art Gilliland.